Re: PIX routing and NAT issues

From: Tony Medeiros (tonygreat@xxxxxxxx)
Date: Thu Jul 13 2000 - 01:57:12 GMT-3


   
Things I would check:

*Gateway and mask on the outside workstation.

*Address assignments in your NAT pool and PAT address. Didn't use the
broadcast address for the /27 did you? (It's happened to me) :)

*Do a "debug icmp trace". No pings coming back? This really sounds like an
IP problem.

*Is the outside router pointing at the PIX for the /27?

*Try a reload. (that's worked for me too)

Good luck
Tony Medeiros
CCDP, CCNP /security, voice, ATM

----- Original Message -----
From: "Vijay Venkatesh" <vijay.venkatesh@usa.net>
To: "Earl Aboytes" <earl@linkline.com>
Cc: "Stephens, Paul [Prof.Serv]" <Paul.Andrew.Stephens@compaq.com>;
<ccielab@groupstudy.com>
Sent: Wednesday, July 12, 2000 9:20 PM
Subject: PIX routing and NAT issues

> Hi all,
> I am running PIX version 4.4. Here is the situation -
>
> ethernet0: (outside) interface -
> has a class c ip address with a /27 mask
> has a global ip pool for nat also with a /27 mask
> has a global ip (not part of the pool) for overload
> has a default route to the next hop router.
>
> ethernet 1 (inside) interface -
> has a 10.10.10.0 ip with a /24
>
>
> Hosts on the 10.10.10.0/24 net get natted to the outside. If I place
> a workstation on the inside I can ping the inside interface of the PIX.
> If I place a w/s on the perimeter interface of the pix I can ping the
> outside interface of the pix. I cannot however ping from the w/s on
> the inside interface to any host on the outside interface. In fact, I
> cannot ping across the PIX!! I did a debug and I see the nat occurring
> and the nat table getting populated. Yes, I have checked the arp
> entries also. Everything looks good. However it appears that the icmp
> pkt reaches the host on the outer interface but the response does not
> return. Yes, I have set the conduit to allow icmp any any. Am I missing
> something here? Also I have the mtu and the auto statement also in.
> Yes, from the pix I can ping both outer and inner devices. I just
> cannot ping across the pix. The pix is routing but it appears that
> the pix does not know how to relay back the icmp response pkt by
> reading entries from the NAT table. Any ideas? Please let me know.
> Thank you.
>
> Regards,
> Vijay.
>
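
Added example, not part of either message: a Python sketch of the address-plan checks from the reply's list. It flags global or PAT addresses that land on a /27 network or broadcast address, a PAT address that overlaps the NAT pool, and global blocks that the outside router would have to route to the PIX. The function name is hypothetical and all addresses are constructed from the 192.0.2.0/24 documentation range.

```python
import ipaddress


def audit_globals(outside_if, pool_first, pool_last, pat, prefix=27):
    """Return a list of findings for a PIX outside addressing plan.

    outside_if: outside interface address with mask, e.g. "192.0.2.1/27"
    pool_first, pool_last: first and last address of the global NAT pool
    pat: the single global address used for overload (PAT)
    prefix: mask length applied to the global addresses (assumed /27)
    """
    iface = ipaddress.ip_interface(outside_if)
    first, last, pat = (ipaddress.ip_address(a) for a in (pool_first, pool_last, pat))
    if first > last:
        return ["pool range is reversed"]

    pool = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    candidates = list(dict.fromkeys(pool + [pat]))  # de-duplicated, order kept
    findings = []
    blocks = set()

    for addr in candidates:
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        blocks.add(block)
        if addr == block.network_address:
            findings.append(f"{addr} is the network address of {block}")
        elif addr == block.broadcast_address:
            findings.append(f"{addr} is the broadcast address of {block}")
        if addr == iface.ip:
            findings.append(f"{addr} is the outside interface address")

    if pat in pool:
        findings.append(f"PAT address {pat} is inside the NAT pool")

    # Globals outside the connected subnet are only reachable if the
    # upstream router has a route for them pointing at the PIX.
    for block in sorted(blocks - {iface.network}):
        findings.append(f"{block} is off the connected outside subnet; "
                        f"upstream router needs a route to it via {iface.ip}")
    return findings


if __name__ == "__main__":
    # Constructed plan: pool ends on a /27 broadcast address and the PAT
    # address overlaps the pool.
    for line in audit_globals("192.0.2.1/27", "192.0.2.40", "192.0.2.63", "192.0.2.63"):
        print(line)
```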



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:53 GMT-3