David,

It's probably not working because micronetsolution.com does not appear to own the 129.174.1.0 address space. A lookup at samspade.org reveals that George Mason University is the owner of the 129.174.0.0/16 address space:

http://www.samspade.org/t/ipwhois?a=129.174.1.0

A few quick traceroutes indicate that all paths to the 129.174.1.0 network lead to George Mason and die at 129.174.247.116 (ThompsonPassport1.gmu.edu).

A lookup on micronetsolution.com reveals that you only own address 66.61.46.237, which you have received through Road Runner:

http://www.samspade.org/t/ipwhois?a=66.61.46.0

Unless you have worked out some sort of deal with George Mason University (you both appear to be in Fairfax, VA), you cannot use their address space. You cannot just simply pick a registered address space such as 129.174.1.0 and try using it. You must own the address space and advertise it to get packets routed back to you. Obviously, if someone else owns the 129.174.0.0 address space and is advertising it, you won't be able to use the 129.174.1.0 addresses.

It appears that you have only a single registered IP address. It also appears that that IP address is assigned to something other than the outside interface of your PIX. I'm not sure of your exact setup, but if you've only got a single registered address it would be best to have that address assigned to the outside interface of the PIX. Your server(s) should be located on the DMZ interface of the PIX and not on the outside interface of the PIX. You'll need to use PAT and overload the outside interface of the PIX; there are examples of how to do this in the Cisco command docs for the 'global' command. You'll also need to look at the '3 interface with nat' configuration examples at the Cisco site.

Personally, I would not use nor recommend using IP addresses that you do not own. Best practice is to use unregistered RFC 1918 address space if you don't own your own addresses. If you don't have an address space of your own, you must NAT anyway, regardless of whether you use registered addresses or not. The addresses must be registered _to your organization_ to be useful.

-Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Tran
Sent: Wednesday, December 19, 2001 8:08 AM
To: [EMAIL PROTECTED]
Subject: Re: how to disable NAT in PIX firewall (both insid [7:29408]

Why it is not working is a mystery to me. I have a workstation on the same network as the outside interface; the workstation has an IP address of 66.61.46.150 with the default gateway pointing to 66.61.46.254. Guess what, the workstation can get to the Internet just fine but a workstation on the "inside" interface cannot. Strange thing is that the PIX can ping the Internet (4.2.2.2) as well. Any more ideas?

Thanks.

David

----- Original Message -----
From: "Jon Tucker"
To:
Sent: Tuesday, December 18, 2001 9:03 PM
Subject: RE: how to disable NAT in PIX firewall (both insid [7:29408]

> Using the NAT 0 command will allow the inside systems to go through the PIX
> unaltered.
>
> - Jon
>
> -----Original Message-----
> From: Michael J. Doherty [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 18, 2001 11:56 AM
> To: [EMAIL PROTECTED]
> Subject: Re: how to disable NAT in PIX firewall (both insid [7:29408]
>
> Since the PIX is a native NAT device, built around it, subsistent on it, you
> cannot turn it off and allow the PIX to function in its correct manner.
>
> The example that you mention (VPNs) is a special scenario. Once VPN clients
> are authenticated by the PIX, they are treated as if they exist on the
> inside of the PIX, therefore we have to disable NAT to allow the VPN tunnel
> to work properly.
>
> If NAT is set up according to the Best Practices, your inside hosts will be
> able to see ALL external hosts while shielding them from being seen by the
> outside hosts (the fact that they are using the NAT translation is what
> accomplishes this). The fact that you are using Published IP addresses for
> your hosts is a moot point (it is also not a recommendation in Best
> Practices). Therefore, you still need to correctly set up the NAT
> statements, in the manner illustrated by Cisco's website, in order to make
> the PIX function appropriately.
>
> ----- Original Message -----
> From: "David Tran"
> To:
> Sent: Monday, December 17, 2001 16:13
> Subject: how to disable NAT in PIX firewall (both inside an [7:29303]
>
> > > > Hi Everyone,
> > > >
> > > > I am having a problem setting up a network in this scenario
> > > > with my PIX515-UR firewall running version 6.1(1) with pdm
> > > > version 1.1(2).
> > > >
> > > > I have a network with REGISTERED IP addresses. The
> > > > "inside" interface of the PIX is on the 129.174.1.0/24
> > > > network with IP address of 129.174.1.254. The "outside"
> > > > interface of the PIX is on the 66.61.46.0/24 network with
> > > > IP address of 66.61.46.120. The "inside" interface has
> > > > a security level of 100 and the "outside" interface has
> > > > security level of 0. On the "inside" internal network, I
> > > > have 10 workstations ranging from 129.174.1.1-10. These
> > > > workstations have the default gateway pointing to the
> > > > "inside" interface of the PIX.
> > > >
> > > > I understand that for machines from the "inside"
> > > > network to access the Internet, the command "nat"
> > > > and global must be used. However, since all of my
> > > > machines have valid (aka registered) IP addresses, I
> > > > want to disable NAT completely. For example,
> > > > I want machine 129.174.1.1 to be able to browse and
> > > > ping any machines on the Internet. At the same time,
> > > > I don't want users from the Internet to be able to access
> > > > any of the workstations on the "inside" interface. I have
> > > > been searching for documentation on Cisco website
> > > > but it seems like most of the examples have to do with NAT
> > > > enabled. There are a few examples that will disable NAT
> > > > but it is related to VPN which is something I don't want.
> > > > Furthermore, most of the examples are filled with errors and
> > > > pretty worthless (for PIX anyway). If anyone has done
> > > > this before, let me know. I also include a copy of the config.
> > > >
> > > > Thanks.
> > > >
> > > > David
> > > >
> > > > PIX Version 6.1(1)
> > > > nameif ethernet0 outside security0
> > > > nameif ethernet1 inside security100
> > > > nameif ethernet2 dmz security50
> > > > enable password sdfkjfdjjdfjksdf encrypted
> > > > passwd sdfjksdfkjsdfjksjf encrypted
> > > > hostname ciscopix
> > > > fixup protocol ftp 21
> > > > fixup protocol http 80
> > > > fixup protocol h323 1720
> > > > fixup protocol rsh 514
> > > > fixup protocol rtsp 554
> > > > fixup protocol smtp 25
> > > > fixup protocol sqlnet 1521
> > > > fixup protocol sip 5060
> > > > fixup protocol skinny 2000
> > > > names
> > > > access-list no-nat-list permit ip any any
> > > > access-list no-nat-list permit icmp any any
> > > > pager lines 24
> > > > interface ethernet0 auto
> > > > interface ethernet1 auto
> > > > interface ethernet2 auto
> > > > mtu outside 1500
> > > > mtu inside 1500
> > > > mtu dmz 1500
> > > > ip address outside 66.61.46.120 255.255.255.0
> > > > ip address inside 129.174.1.254 255.255.255.0
> > > > ip address dmz 127.0.0.1 255.255.255.255
> > > > ip audit info action alarm
> > > > ip audit attack action alarm
> > > > no failover
> > > > failover timeout 0:00:00
> > > > failover poll 15
> > > > failover ip address outside 0.0.0.0
> > > > failover ip address inside 0.0.0.0
> > > > failover ip address dmz 0.0.0.0
> > > > pdm history enable
> > > > arp timeout 14400
> > > > nat (inside) 0 129.174.1.0 255.255.255.0
> > > > static (inside, outside) 129.174.1.0 129.174.1.0
> > > > conduit permit ip any any
> > > > conduit permit icmp any any
> > > > route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
> > > > timeout xlate 3:00:00
> > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > timeout uauth 0:05:00 absolute
> > > > aaa-server TACACS+ protocol tacacs+
> > > > aaa-server RADIUS protocol radius
> > > > no snmp-server location
> > > > no snmp-server contact
> > > > snmp-server community public
> > > > no snmp-server enable traps
> > > > floodguard enable
> > > > no sysopt route dnat
> > > > telnet timeout 5
> > > > ssh timeout 5
> > > > terminal width 80
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29685&t=29408
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
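Kent's recommendation (the one registered address on the outside interface, PAT overload of that interface, servers on an RFC 1918 DMZ) written out as an added PIX 6.x configuration sketch. This is not from any message in the thread nor from Cisco's own '3 interface with nat' example; the inside network 192.168.1.0/24, the DMZ 192.168.2.0/24, the DMZ web server 192.168.2.10 and the access-list name outside_in are constructed assumptions. The outside address 66.61.46.237 is the one Kent says micronetsolution.com owns, and 66.61.46.254 is the default gateway from David's posted config.

```text
! Added example, not part of the thread: PIX 6.x three-interface layout
! following Kent's advice. The RFC 1918 ranges, the DMZ host and the
! access-list name are constructed assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! The single registered address goes on the outside interface.
ip address outside 66.61.46.237 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
! PAT: every inside and dmz host leaves the PIX using the outside
! interface address. This replaces "nat (inside) 0 129.174.1.0 ..." and
! the identity static from the posted config.
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
! Inside hosts reach the DMZ with their real addresses (identity static
! between the two private interfaces only; nothing is published by it).
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Publish only the DMZ web server, and only TCP port 80, by redirecting
! that port on the single outside address to the DMZ host.
static (dmz,outside) tcp interface 80 192.168.2.10 80 netmask 255.255.255.255
access-list outside_in permit tcp any host 66.61.46.237 eq 80
access-group outside_in in interface outside
! No "conduit permit ip any any": inbound traffic not matched by
! outside_in is dropped, which gives the inside workstations the
! "reachable out, not reachable in" behaviour David asked for.
```

The inside workstations get exactly the behaviour David asked for: they browse and ping out through the PIX (translated to 66.61.46.237), while nothing on the Internet can initiate a connection to them, because the only inbound translation is the single port redirection to the DMZ host and the only inbound access-list entry matches that port. If more public services are needed later, each one gets its own `static ... tcp interface <port>` line plus a matching access-list entry rather than a wildcard conduit. Separately from NAT, the posted config still carries `snmp-server community public`; if SNMP is not in use, that line should go, and if it is, the community string should be changed from the well-known default.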