From: Kenny Sallee (KSallee@xxxxxxxxxx)
Date: Fri Jul 14 2000 - 11:49:23 GMT-3
Actually that's not needed cuz the subnet is directly connected. I would be
more worried about a route on the outside pointing back to the NAT'd ip
range. Because that range is outside the range on the outside interface,
you need something routing the NAT'd pool back to the PIX. So on the
outside router you would need:
ip route 208.129.73.96 255.255.255.224 208.129.73.34
and for a host directly connected on the outside either default route to the
PIX or use the "route add" or "netstat" commands to add the route.
You can test that that is the problem by doing:
no global (outside) 1 208.129.73.99-208.129.73.126 netmask 255.255.255.224
no global (outside) 1 208.129.73.97 netmask 255.255.255.224
global (outside) 1 208.129.73.36 netmask 255.255.255.255
Now the inside range will be PAT'd to the above address. I'm assuming that
4.4 works the same as 5.x in regards to NAT/PAT.
Also, because you have "conduit permit icmp any any" you don't need the
other 5 ICMP conduits.
My 2 cents.
Kenny
> ----------
> From: Bill Dellamar[SMTP:WDELLAMAR@YAHOO.COM]
> Sent: Friday, July 14, 2000 4:39:44 AM
> To: Vijay Venkatesh; ccielab@groupstudy.com
> Subject: Re: [Fwd: PIX routing and NAT issues]
> Auto forwarded by a Rule
>
> Try adding a default route on the inside interface.
>
> route inside 0.0.0.0 0.0.0.0 10.10.10.2 1
>
>
>
> --- Vijay Venkatesh <vijay.venkatesh@usa.net> wrote:
> > Vijay Venkatesh wrote:
> > >
> > > Okay people here is the config file -
> > > Please advise. Thank you.
> > >
> > > Regards,
> > > Vijay.
> > >
> > > "Garcia, Frank" wrote:
> > > >
> > > > I believe the PIX will deny ICMP by default. You need to add a 'conduit
> > > > permit icmp any any' to allow inbound and outbound pings.
> > > >
> > > > -----Original Message-----
> > > > From: Vijay Venkatesh [mailto:vijay.venkatesh@usa.net]
> > > > Sent: Wednesday, July 12, 2000 9:20 PM
> > > > To: Earl Aboytes
> > > > Cc: Stephens, Paul [Prof.Serv]; ccielab@groupstudy.com
> > > > Subject: PIX routing and NAT issues
> > > >
> > > > Hi all,
> > > > I am running PIX version 4.4. Here is the situation -
> > > >
> > > > ethernet0: (outside) interface -
> > > > has a class c ip address with a /27 mask
> > > > has a global ip pool for nat also with a /27 mask
> > > > has a global ip (not part of the pool) for overload
> > > > has a default route to the next hop router.
> > > >
> > > > ethernet 1 (inside) interface -
> > > > has a 10.10.10.0 ip with a /24
> > > >
> > > > Hosts on the 10.10.10.0/24 net get natted to the outside. If I place
> > > > a workstation on the inside I can ping the inside interface of the PIX.
> > > > If I place a w/s on the perimeter interface of the pix I can ping the
> > > > outside interface of the pix. I cannot however ping from the w/s on the
> > > > inside interface to any host on the outside interface. In fact, I cannot
> > > > ping across the PIX !! I did a debug and I see the nat occurring and the
> > > > nat table getting populated. Yes, I have checked the arp entries also.
> > > > Everything looks good. However it appears that the icmp pkt reaches the
> > > > host on the outer interface but the response does not return. Yes, I
> > > > have set the conduit to allow icmp any any. Am I missing something
> > > > here ? Also I have the mtu and the auto statement also in.
> > > > Yes, from the pix I can ping both outer and inner devices. I just
> > > > cannot ping across the pix. The pix is routing but it appears that
> > > > the pix does not know how to relay back the icmp response pkt by
> > > > reading entries from the NAT table. Any ideas ? Please let me know.
> > > > Thank you.
> > > >
> > > > Regards,
> > > > Vijay.
> > > >
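The return-path check Kenny's reply walks through, as an added example that is not code from the thread or from any of its posters: given the PIX outside interface and the `global (outside)` lines from the config, it works out the network each pool's netmask implies, tests whether that network sits inside the outside interface's own subnet, and if not emits the IOS static route the upstream router needs, pointing at the PIX. The pool and PAT addresses are the ones quoted above; the PIX outside address 208.129.73.34/27 is an assumption taken from the next hop in Kenny's `ip route` line, and the config fragment is constructed for the example.

```python
"""Check PIX 'global (outside)' pools for the return-path problem in the thread.

Added example, not code from the original messages.  A NAT pool that does not
lie inside the outside interface's own subnet is unreachable unless the upstream
router has a route for it that points back at the PIX: translated packets leave,
but the replies are sent to a subnet nobody on the wire owns.
"""
import ipaddress
import re
from typing import Optional

# Matches the PIX 4.x/5.x syntax used in the thread:
#   global (outside) <nat_id> <first>[-<last>] netmask <mask>
GLOBAL_RE = re.compile(
    r"global \((?P<ifname>\w+)\) (?P<nat_id>\d+) "
    r"(?P<first>[\d.]+)(?:-(?P<last>[\d.]+))? netmask (?P<mask>[\d.]+)"
)


def parse_global(line: str) -> dict:
    """Parse one global line into its pool range and the network its netmask implies."""
    m = GLOBAL_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not a global command: {line!r}")
    first = ipaddress.ip_address(m["first"])
    last = ipaddress.ip_address(m["last"] or m["first"])
    if last < first:
        raise ValueError(f"pool end precedes pool start: {line!r}")
    # strict=False: the pool's first address is a host address, not a network address
    network = ipaddress.ip_network(f"{first}/{m['mask']}", strict=False)
    if last not in network:
        raise ValueError(f"pool crosses its own netmask boundary: {line!r}")
    return {"ifname": m["ifname"], "nat_id": int(m["nat_id"]),
            "first": first, "last": last, "network": network}


def upstream_route_for(pix_outside: str, global_line: str) -> Optional[str]:
    """Return the IOS static route the next-hop router needs for this pool,
    or None when the pool sits inside the outside interface's subnet
    (the PIX answers ARP for those addresses, so no route is required)."""
    iface = ipaddress.ip_interface(pix_outside)
    pool = parse_global(global_line)
    if pool["network"].subnet_of(iface.network):
        return None
    net = pool["network"]
    return f"ip route {net.network_address} {net.netmask} {iface.ip}"


def audit_globals(pix_outside: str, config: str) -> list:
    """Collect the distinct upstream routes a config's global pools require."""
    routes = set()
    for line in config.splitlines():
        if line.strip().startswith("global "):
            route = upstream_route_for(pix_outside, line)
            if route:
                routes.add(route)
    return sorted(routes)


# Constructed config fragment using the pool and PAT address quoted in the thread.
ORIGINAL_GLOBALS = """\
global (outside) 1 208.129.73.99-208.129.73.126 netmask 255.255.255.224
global (outside) 1 208.129.73.97 netmask 255.255.255.224
"""
PAT_ONLY = "global (outside) 1 208.129.73.36 netmask 255.255.255.255\n"
PIX_OUTSIDE = "208.129.73.34/27"  # assumed from the reply's next-hop address

if __name__ == "__main__":
    print("routes the outside router needs for the original pool:")
    for r in audit_globals(PIX_OUTSIDE, ORIGINAL_GLOBALS):
        print("  " + r)
    print("routes needed after switching to on-subnet PAT:",
          audit_globals(PIX_OUTSIDE, PAT_ONLY) or "none")
```

For the original pool the audit yields exactly the `ip route 208.129.73.96 255.255.255.224 208.129.73.34` statement from the reply; for the single on-subnet PAT address it yields nothing, which is why swapping the pool for that address is a quick way to confirm the missing route is the cause.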
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:53 GMT-3