Hi all,

I've been researching this problem for several days now, and have come
up totally short in terms of finding a solution. Here's the scenario: I
have a PIX 515 with an internal network range of 192.168.0.0/24 behind
it and a single external IP I obtain via DHCP [cable]. I have the PIX
configured as 192.168.0.1 and I have it using DHCP to obtain an IP for
the external address. Here is the routing table:

 outside 0.0.0.0 0.0.0.0 204.210.27.1 1 OTHER static
 inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static
 outside 204.210.27.0 255.255.255.0 204.210.27.13 1 CONNECT static

Now here's the problem: I can ping the other 192.168.0.0/24 machines
from the PIX, and I can ping outside IPs from the PIX. However, I cannot
get the traffic to route from the internal network through the PIX using
PAT. Yes, I know the PIX is not designed to be a router, but I only
require it to perform a simple routing task with regard to PAT.
Here's a part of the configuration I don't totally understand: When
setting up a global rule, if the single external IP I have is configured
as the outside interface, it will return:

Start and end addresses overlap with outside interface address

[command: global (outside) 1 outside.ip]

My NAT table reads:

nat (inside) 1 192.168.0.0 255.255.255.0 0 0 

Yes, I have tried changing this to allow NAT from everywhere [0 in the
field where 192.168.0.0 is].

So I figured a way around this, although it doesn't work: bring the
external interface down, then issue the global command, then bring it
back up. This doesn't present a problem to the PIX in terms of an error
message when I'm configuring it, but the traffic still fails to route. My
question is: What is the proper way to do this? All I need is a PAT
setup, a "many to one" type translation, for this internal network. I will
attach a 'show config' for diagnostic purposes. Any insight would be
greatly appreciated. I have been through the documentation
available on Cisco's site quite a few times, and while it's rather
informative I was unable to solve this problem with it. If anyone would
like more information from the device I would be glad to e-mail it to
you off-list or whatever. Thanks.

--BEGIN 'show config'--

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password blahblbahblah encrypted
passwd blahblah encrypted
hostname pix
domain-name mydomain.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
ip address outside dhcp
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
conduit permit icmp any any 
route outside 0.0.0.0 0.0.0.0 204.210.27.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
telnet timeout 5
ssh timeout 5
terminal width 80

--END 'show config'--

--BEGIN 'show version'--

Compiled on Thu 17-May-01 20:05 by morlee
Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.54ff.2403, irq 10
1: ethernet1: address is 0050.54ff.2404, irq 7

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Disabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

--END 'show version'--


Thanking you in advance,

Sean Lewis
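As an added example that is not part of the original post: the PIX 6.x global command accepts the keyword interface in place of a literal address, so PAT borrows whichever address the outside interface currently holds (including one assigned by DHCP) and the "addresses overlap with outside interface address" error from a literal outside address does not arise. The nat_id 1 matches the nat statement already in the posted config; the clear xlate line is an assumption of standard practice, since existing translation entries are not rebuilt until the xlate table is cleared.

```text
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface
clear xlate
```

From the inside network, a successful many-to-one translation then shows up in show xlate as 192.168.0.x entries mapped to the outside interface address with distinct ports.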
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]