From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Wed Mar 29 2006 - 09:05:30 GMT-3
Thanks for the fresh look, Andras!
I have to, indeed! But with a mirrored ACL entry:
pix-sthlm(config)# sh access-list nonat | in 192.176
access-list nonat line 95 extended permit ip 192.176.3.0 255.255.255.0 192.168.143.0 255.255.255.0 (hitcnt=0) 0x1474b71
access-list nonat line 116 extended permit ip 192.176.3.0 255.255.255.0 host 172.27.251.128 (hitcnt=0) 0x2aa5d9b5
I did have it for my VPN traffic (!) but it was rather obvious.
A bit strange though since the example in PIX 7.1 configuration guide is
exactly like mine.
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/cfgnat.htm#wp1043541
See "To use dynamic outside NAT for a DMZ network..."
Looks like either 'nat (inside) 0 ...' overrides the other similar
statements, or they don't test what they put on DocCD... :-)
Cheers,
A.
on 29/03/2006 13:39 Kulcsár András Benjámin wrote:
> Hello Alexei,
>
> I think you should apply nat 0 to the inside interface and not dmz3 or use static.
>
> Best regards,
> Andras Kulcsar
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alexei Monastyrnyi
> Sent: Wednesday, March 29, 2006 1:28 PM
> To: ccielab@groupstudy.com
> Subject: weird problem with NAT exemption on PIX 7.1
>
>
> Hi Group.
>
> I am running PIX 515E 7.1.2 in production, two boxes in failover mode
> (it is no laughing matter :-))
>
> There is an internal DMZ interface (i.e. using RFC 1918 addresses) on
> the PIX and I would like to do a NAT exemption for IP traffic from one
> of the hosts in that DMZ area towards some hosts behind inside interface
> (security-level 100). Looks straightforward... but doesn't work. Below
> you can find an extract from the config and logs.
>
> I can ping and connect to this host from behind the inside interface
> with no problems.
>
> Pulling my hair out... Hints would be highly appreciated!
>
> A.
>
> pix-sthlm# sh run in eth 4
> !
> interface Ethernet4
> nameif dmz3
> security-level 50
> ip address pix-sthlm-dmz3 255.255.255.0 standby pix2-sthlm-dmz3
>
> pix-sthlm# sh run | in sthlm-dmz3
> name 172.27.251.1 pix-sthlm-dmz3
> name 172.27.251.2 pix2-sthlm-dmz3
>
> pix-sthlm# sh run nat | in dmz3
> nat (dmz3) 0 access-list dmz3-nonat
>
> pix-sthlm(config)# sh access-list dmz3-nonat
> access-list dmz3-nonat; 1 elements
> access-list dmz3-nonat line 1 extended permit ip host 172.27.251.128 192.176.3.0 255.255.255.0 (hitcnt=0) 0xbe6a1ce0
>
> pix-sthlm# sh logg | in 192.176
> Mar 29 2006 12:59:35: %PIX-3-305005: No translation group found for tcp
> src dmz3:172.27.251.128/60983 dst inside:192.176.3.129/20001
>
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3
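The thread ends with the poster finding that the dmz3-side nat 0 ACL alone left the flow without a translation, and that a mirrored entry (inside network to the dmz3 host) on the inside interface's nat 0 ACL was what he actually had for working traffic. The script below is an added example, not part of the thread and not Cisco's code: it parses a %PIX-3-305005 line and the `nat (<if>) 0 access-list` entries of both interfaces on the path, then reports whether the flow is covered on the source interface, on the destination interface (mirrored), or neither. The sample ACLs and log line are constructed from the values shown above; the "mirrored entry on the higher-security interface" rule it checks is taken from the poster's observation and treated as an assumption, not as documented PIX behaviour.

```python
"""Diagnose a PIX %PIX-3-305005 "No translation group found" event against
the NAT-exemption (nat 0) access-lists of the two interfaces involved.

Added example for the thread above; the sample data is constructed from the
values in the posts, and the mirrored-entry rule is the poster's finding,
treated here as an assumption.
"""
import ipaddress
import re

# Constructed sample config. Key: interface the 'nat (<if>) 0 access-list'
# statement is applied to; value: that ACL's entries as printed by 'sh access-list'.
NAT0_ACLS = {
    "dmz3": [
        "access-list dmz3-nonat extended permit ip host 172.27.251.128 192.176.3.0 255.255.255.0",
    ],
    "inside": [
        "access-list nonat extended permit ip 192.176.3.0 255.255.255.0 192.168.143.0 255.255.255.0",
    ],
}

# Constructed log line in the format shown in the original post.
SAMPLE_LOG = ("Mar 29 2006 12:59:35: %PIX-3-305005: No translation group found for tcp "
              "src dmz3:172.27.251.128/60983 dst inside:192.176.3.129/20001")

LOG_305005 = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/\d+)?"
)


def parse_305005(line):
    """Return (src_if, src_ip, dst_if, dst_ip) from a 305005 log line, or None."""
    m = LOG_305005.search(line)
    if not m:
        return None
    return (m.group("sif"), ipaddress.ip_address(m.group("sip")),
            m.group("dif"), ipaddress.ip_address(m.group("dip")))


def _take_network(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK');
    return (ip_network, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_ace(ace):
    """Parse 'access-list NAME [line N] extended permit ip SRC DST ...' into
    (src_net, dst_net). Only 'permit ip' entries count for NAT exemption;
    anything else returns None."""
    tokens = ace.split()
    if "permit" not in tokens:
        return None
    i = tokens.index("permit")
    if i + 1 >= len(tokens) or tokens[i + 1] != "ip":
        return None
    src, rest = _take_network(tokens[i + 2:])
    dst, _ = _take_network(rest)
    return src, dst


def acl_matches(aces, src_ip, dst_ip):
    """True if any permit-ip entry covers src_ip -> dst_ip."""
    for ace in aces:
        parsed = parse_ace(ace)
        if parsed and src_ip in parsed[0] and dst_ip in parsed[1]:
            return True
    return False


def diagnose(line, acls=NAT0_ACLS):
    """Report which nat 0 ACLs cover the flow named in a 305005 line."""
    parsed = parse_305005(line)
    if parsed is None:
        return None
    sif, sip, dif, dip = parsed
    forward = acl_matches(acls.get(sif, []), sip, dip)  # nat (sif) 0 covers sip -> dip
    mirror = acl_matches(acls.get(dif, []), dip, sip)   # nat (dif) 0 covers dip -> sip
    if forward and mirror:
        verdict = "exempted on both interfaces; look elsewhere for the cause"
    elif forward:
        verdict = (f"exempted on {sif} only; the thread's fix was a mirrored "
                   f"entry ({dip} network -> {sip}) in the nat ({dif}) 0 ACL")
    elif mirror:
        verdict = f"mirrored entry on {dif} only; no nat ({sif}) 0 entry for this flow"
    else:
        verdict = "no nat 0 entry on either interface covers this flow"
    return {"src": f"{sif}:{sip}", "dst": f"{dif}:{dip}",
            "forward_exemption": forward, "mirror_exemption": mirror,
            "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)["verdict"])
```

Run against the sample, it reports the dmz3 entry as present and the inside-side mirror as missing, which is the state the original post describes; adding the `permit ip 192.176.3.0 255.255.255.0 host 172.27.251.128` entry to the inside ACL (line 116 in the reply) flips the mirror check to true.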