nat (inside) 0 question (alt.certification.cisco, July 2003)
Hi all,
I would like to put a computer with a public IP 20.20.20.10 inside our NATd
network behind the PIX.
Our PIX config looks something like this:
ip address outside 20.20.20.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0 0 20.20.20.1
I added the configuration:
access-list 103 permit ip host 20.20.20.10 255.255.255.255 any
nat (inside) 0 access-list 103
and I also tried:
nat (inside) 0 20.20.20.10 255.255.255.255
And I could communicate from the computer.
I tried adding:
static (inside,outside) 20.20.20.10 20.20.20.10
with no luck.
The computer's IP configurations are:
IP - 20.20.20.10
SM - 255.255.255.0
Default Gateway - 192.168.1.1
I also tried the Default Gateway of 20.20.20.1
still didn't work.
Please help,
Al

correction on the line
"And I could communicate from the computer."
I meant I couldn't communicate from the computer to the Internet.
sorry,
al

Walter Roberson 2003-07-25, 1:25 am
In article <WJ0Ua.927$JQ2.14769306@newssvr14.news.prodigy.com>,
al <allen@somplace.com> wrote:
:I would like to put a computer with a public IP 20.20.20.10 inside our NATd
:network behind the PIX.
:Our PIX config looks something like this:
:ip address outside 20.20.20.2 255.255.255.0
:ip address inside 192.168.1.1 255.255.255.0
:global (outside) 1 interface
:nat (inside) 1 0 0
:route outside 0 0 20.20.20.1
:I added the configuration:
:access-list 103 permit ip host 20.20.20.10 255.255.255.255 any
Is that literally what you used? If so then the first problem is that
that is hosed. Take out the 255.255.255.255 .
:nat (inside) 0 access-list 103
Note that no proxy arp is done for anything in nat 0 access-list .
:and I also tried:
:nat (inside) 0 20.20.20.10 255.255.255.255
:And I could communicate from the computer.
:I tried adding:
:static (inside,outside) 20.20.20.10 20.20.20.10
:with no luck.
:The computer's IP configurations are:
:IP - 20.20.20.10
:SM - 255.255.255.0
:Default Gateway - 192.168.1.1
:I also tried the Default Gateway of 20.20.20.1
:still didn't work.
You do not mention whether this computer has to be reachable
from outside to form new connections (remembering that UDP
can be considered an incoming connection.) If you need to be able
to start new connections to it, then you must use either static
or nat 0 access-list -- the nat 0 IP form will not allow new
connections.
I would recommend using the static in order to make it most clear
to the PIX that you want to punch a hole from the outside IP range
to the inside.
For further information on what you have to do, see my recent
posting in the "Cisco PIX 515E - Proxy ARP" thread,
http://groups.google.ca/groups?hl=e...cc.umanitoba.ca
--
Tenser, said the Tensor.
Tenser, said the Tensor.
Tension, apprehension,
And dissension have begun. -- Alfred Bester (tDM)

mickael 2003-07-25, 9:25 am
Why don't you put a 192.168.1.X IP address on the computer instead of 20.20.20.10,
and do:
static (inside,outside) 20.20.20.10 192.168.4.X
I think it's the same result for what you want, no?
mickaël

I know what you mean but we have a specific reason for doing this.
thanks,
al

I tried taking out 255.255.255.255 and it still didn't work.
I tried all sorts of combinations.
What bothers me is I made this work a long time ago (Win9x days).
Could it be that Win2K or WinXP does not support using a default gateway
that is outside its own subnet? Violation of some RFC?
IP - 20.20.20.10
Mask - 255.255.255.0
Default Gateway - 192.168.1.1
Or the latest PIX IOS 6.31 does not support this anymore?
Thanks for your reply,
Al

inf1n1ty 2003-07-25, 11:25 am
There are so many reasons why this is not working, I do not know where to
begin. I'll start here. You state:
> The computer's IP configurations are:
> IP - 20.20.20.10
> SM - 255.255.255.0
> Default Gateway - 192.168.1.1
As you may or may not know, a default gateway is the route to unknown hosts,
which must be reachable from the current network segment. If your address
is 20.20.20.10, there is no possible way that computer knows how to get to
192.168.1.1
Next, on the PIX you have:
ip address inside 192.168.1.1
With that being the case, only computers on the 192.168.1.0 subnet will be
able to communicate with the PIX. Unless you have a router between the
computer and the inside interface of the PIX, which you make no mention of.
Your best bet to fix this is to do one of the 3 following:
1. Put the PC outside the PIX with the 20.20.20.10 address, then punch holes
through the PIX as necessary to access it from the internal network.
2. Put the PC inside the PIX with a 192.168.1.x address and do a static NAT.
3. Set up a third NIC in the PIX and put the PC on that segment.
Your current ways of trying to configure the machine will never work, nor
did they ever work. OS doesn't matter, it comes down to simple network
configuration. Take a step back and look at the big picture.
--
inf1n1ty
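One way to check the rules the two replies above lean on, as an added example that is not code from the thread or from Cisco: a small Python model of which PIX translation rule an inside host hits, the per-rule inbound and proxy-ARP behaviour Walter describes, the broken host/mask ACL syntax he flagged, and inf1n1ty's on-link gateway test. The precedence modelled (nat 0 access-list, then static, then nat 0 with an address, then nat/global) is an assumption of this example, OP_CONFIG is the poster's configuration retyped as constructed input, and the function names are the example's own.

```python
"""PIX 6.x translation-rule model (added example, not from the thread or Cisco)."""
import ipaddress

# Per-rule behaviour as Walter states it: static and nat 0 access-list let the outside
# open new connections; only static makes the PIX proxy-ARP for the address outside.
RULE_BEHAVIOUR = {
    "static":   {"inbound_ok": True,  "proxy_arp": True},
    "nat0-acl": {"inbound_ok": True,  "proxy_arp": False},
    "nat0-ip":  {"inbound_ok": False, "proxy_arp": False},
    "nat1":     {"inbound_ok": False, "proxy_arp": False},  # PAT to the interface address
}


def check_acl_syntax(line):
    """Flag 'host X 255.255.255.255 any': 'host' takes no mask, so a dotted quad there is an error."""
    t = line.split()
    if t[:1] == ["access-list"] and "host" in t:
        i = t.index("host")
        if len(t) > i + 2 and t[i + 2].count(".") == 3:
            return f"{line!r}: 'host' takes no mask, drop {t[i + 2]}"
    return None


def match_rule(config, host):
    """Rule an inside host hits, in the precedence assumed by this example:
    nat 0 access-list, then static, then nat 0 <ip> <mask>, then nat/global."""
    ip = ipaddress.ip_address(host)
    acls, static, nat0_acl, nat0_ip, nat_other = {}, [], [], [], False
    for line in config:
        t = line.split()
        if t[:1] == ["access-list"] and "host" in t and not check_acl_syntax(line):
            acls.setdefault(t[1], set()).add(ipaddress.ip_address(t[t.index("host") + 1]))
        elif t[:2] == ["static", "(inside,outside)"]:
            static.append(ipaddress.ip_address(t[3]))  # t[3] is the real inside address
        elif t[:3] == ["nat", "(inside)", "0"] and t[3] == "access-list":
            nat0_acl.append(t[4])
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0_ip.append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[:2] == ["nat", "(inside)"]:
            nat_other = True
    if any(ip in acls.get(name, set()) for name in nat0_acl):
        return "nat0-acl"
    if ip in static:
        return "static"
    if any(ip in net for net in nat0_ip):
        return "nat0-ip"
    return "nat1" if nat_other else None


def describe(config, host):
    """Matching rule, its inbound/proxy-ARP consequences, and any ACL syntax errors."""
    rule = match_rule(config, host)
    out = {"rule": rule, "acl_errors": [e for e in map(check_acl_syntax, config) if e]}
    out.update(RULE_BEHAVIOUR.get(rule, {"inbound_ok": False, "proxy_arp": False}))
    return out


def gateway_on_link(ip, mask, gateway):
    """inf1n1ty's objection: the gateway must lie inside the host's own subnet to be ARP-able."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)


# The poster's configuration, retyped here as constructed sample input.
OP_CONFIG = [
    "ip address outside 20.20.20.2 255.255.255.0",
    "ip address inside 192.168.1.1 255.255.255.0",
    "global (outside) 1 interface",
    "nat (inside) 1 0 0",
    "route outside 0 0 20.20.20.1",
    "access-list 103 permit ip host 20.20.20.10 255.255.255.255 any",
    "nat (inside) 0 access-list 103",
]
```

With the poster's lines as given, the malformed ACL is skipped, so the host silently falls through to the nat 1 PAT rule; with the mask removed it lands on nat 0 access-list, which is why nothing from outside could ARP for it.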

Walter Roberson 2003-07-25, 11:25 am
In article <cdbUa.51007$b03.22367@lakeread03>,
inf1n1ty <inf1n1ty@hotmail.com> wrote:
:As you may or may not know, a default gateway is the route to unknown hosts,
:which must be reachable from the current network segment. If your address
:is 20.20.20.10, there is no possible way that computer knows how to get to
:192.168.1.1
You would normally be right, but some versions of Windows
presume that the default gateway is reachable on the local segment and
somehow or other manage to reach it even if it is on a different
logical subnet.
Here I was telling my co-workers it couldn't be done that way, and
they came back and said "But it's working!" And indeed, I can see
clear traces from our PIX log that it *is* working. We have implemented
exactly the situation the OP has asked for. I don't know -why- it works,
but it does.
:Your best bet to fix this is to do one of the 3 following:
All sound pieces of advice, but one small thing:
:3. Set up a third NIC in the PIX and put the PC on that segment.
We get a hint from the configuration shown that the PIX in question
is a 501 or 506 or 506E and thus does not support a third
interface. The hint is subtle and possibly misleading:
ip address inside 192.168.1.1 255.255.255.0
The hint in this is that 192.168.1.1 is the factory default setting
for the three models of PIX listed. No other model of PIX defaults
to that IP address, and those models all happen to be the ones that
cannot take DMZs.
--
Cannot open .signature: Permission denied

inf1n1ty 2003-07-25, 11:25 am
It's not my job to investigate, it's his job to post relevant information.
If you truly have a network address of 20.20.20.10 mask 255.255.255.0
and it is the only ip address assigned, and then you have a gateway of
192.168.1.1 as the only gateway assigned it will never work. Gateway is the
last hop on the current network. It does not make logical sense. The only
way a computer will "sense" its default gateway is with DHCP.
--
inf1n1ty

Walter Roberson 2003-07-25, 12:25 pm
In article <0MbUa.51295$b03.42217@lakeread03>,
inf1n1ty <inf1n1ty@hotmail.com> wrote:
:It's not my job to investigate, it's his job to post relevant information.
I don't think I understand what that remark is aimed at? The
presumption in newsgroups is that people are not paid for their
efforts, so it would be considered somewhat unusual if it -were- your
"job" to investigate, and I don't believe that anything in my posting
asked you to investigate anything.
I did point out a couple of obscure points that not many people would
realize on first reading, but those were not any manner of criticism.
People who hang around these newsgroups -usually- like to learn.
:If you truly have a network address of 20.20.20.10 mask 255.255.255.0
:and it is the only ip address assigned, and then you have a gateway of
:192.168.1.1 as the only gateway assigned it will never work. Gateway is the
:last hop on the current network. It does not make logical sense.
I agree that it does not make *logical* sense, but the fact is that
in some versions of Windows it DOES work. I have not investigated
to find out -how- it works. I can say that in one of our offices
we are doing -exactly- what the OP wants to do, -without- using
an inside router, by making use of this illogical property of
Windows.
--
Contents: 100% recycled post-consumer statements.

I totally agree with you because I've done it myself before but I couldn't
make it work now.
Here's a Cisco link.
http://www.cisco.com/en/US/products...ad.shtml#topic8
if I use the above example
my computer's IP address would be 175.1.1.254 / 24 using a default gateway
of 10.1.1.2 because I am inside the PIX Firewall using a public IP address.
thanks,
Al

inf1n1ty 2003-07-25, 12:25 pm
I am not gonna argue all day. The config is a kludgy one. It needs to be
implemented properly to be both understood and to ease in troubleshooting.
Why fight the way networking is supposed to work?
Oh yeah, regarding the statement that you didn't understand. I was just
stating logical solutions to the problem. I was not interested in looking
for "subtle" items I might have glanced over. If the original poster needs
a third zone, then he needs the appropriate hardware to support it. Enough
said?
--
inf1n1ty

inf1n1ty 2003-07-25, 1:24 pm
This is not meant for one particular outside address on your inside network.
This sort of config is meant if you do not want to enable NAT. That is, if
your LAN is of public addresses and you still want to put a firewall between
that LAN and the Internet. Is that clear?
--
inf1n1ty