Firewall Wizards mailing list archives

PIX static NAT issue


From: "Ahmed, Balal" <balal.ahmed () cgey com>
Date: Wed, 4 Jun 2003 12:50:08 +0100

Wizards,

I am having problems with static NAT on a PIX running 6.2.2. An ASCII
representation is given below. 'Host' is a dual-homed machine. Its default
gateway is the inside interface of the PIX. It has static routes to 'admins'
through the mgt interface. The statics that are configured are:

static (inside,outside) 10.10.10.21 10.10.10.21 netmask 255.255.255.255 0 0
static (mgt,outside) 10.10.10.163 10.10.10.163 netmask 255.255.255.255 0 0

The behaviour we are seeing is that 'the world' can access the dual-homed
host on 10.10.10.21. 'The admins' can connect on 10.10.10.21 but not on
10.10.10.163. If a clear xlate is performed, ONE ICMP echo reply comes back
and then it stops working. When a ping is initiated on 'host' to 'admins',
connectivity works until the xlate times out.

Routing on the firewall & host is correct, but on checking the logs it seems
that inbound packets destined for 10.10.10.163 are being sent to the inside
interface whereas they should be sent to the mgt interface.

Actual IP addresses have been sanitised.

Any ideas?


    the world-----|------admins
                  |
                  |
                  |192.168.1.1/25
                  |outside
              '''''''''''''''''''
backup        '                 'mgt 10.10.10.189/27
    ----------'   PIX           '------------
172.16.1.1/29 '                 '           |
              '''''''''''''''''''           |
                  |inside                   |
                  |10.10.10.13/28           |
                  |                         |
                  |                         |
                  |                         |10.10.10.163/27
                  |   10.10.10.21/28  ''''''''''
                  ---------------------'  host  '
                                       ''''''''''

                        Balal Ahmed
                        Security Analyst
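Editor's added example (not part of Balal's post or of any Cisco code): a small Python model of how the two quoted static lines are expected to steer inbound traffic. It parses `static (real_if,mapped_if) mapped real netmask mask` lines, resolves a packet arriving on the mapped interface to the real interface and real address the static names, and flags any mapped address claimed by two statics on the same interface. The resolver is a simplified model of one-to-one static NAT, not the PIX's actual xlate lookup; the interface and address values are taken from the post, and the input text is constructed from it.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the two static lines quoted in the post (sanitised addresses).
PIX_STATICS = """
static (inside,outside) 10.10.10.21 10.10.10.21 netmask 255.255.255.255 0 0
static (mgt,outside) 10.10.10.163 10.10.10.163 netmask 255.255.255.255 0 0
"""

# static (<real_if>,<mapped_if>) <mapped> <real> netmask <mask> ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network   # address range seen on the mapped interface
    real: ipaddress.IPv4Network     # address range behind the real interface


def parse_statics(text):
    """Parse static NAT lines; unrelated lines are ignored."""
    statics = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        # ipaddress accepts dotted netmasks, so a /32 static becomes a 1-address network.
        mapped = ipaddress.IPv4Network(f"{m['mapped']}/{m['mask']}", strict=False)
        real = ipaddress.IPv4Network(f"{m['real']}/{m['mask']}", strict=False)
        statics.append(Static(m["real_if"], m["mapped_if"], mapped, real))
    return statics


def resolve_inbound(statics, arrival_if, dst):
    """Simplified model: a packet arriving on `arrival_if` for `dst` is delivered
    to (real_if, real_ip) of the first static whose mapped range contains dst.
    Returns None when no static applies."""
    dst = ipaddress.IPv4Address(dst)
    for s in statics:
        if s.mapped_if == arrival_if and dst in s.mapped:
            offset = int(dst) - int(s.mapped.network_address)
            return s.real_if, str(s.real.network_address + offset)
    return None


def duplicate_mapped(statics):
    """Report mapped ranges that two statics claim on the same mapped interface
    but translate towards different real interfaces (an ambiguous configuration)."""
    seen = {}
    dups = []
    for s in statics:
        key = (s.mapped_if, s.mapped)
        if key in seen and seen[key] != s.real_if:
            dups.append((str(s.mapped), seen[key], s.real_if))
        seen.setdefault(key, s.real_if)
    return dups


if __name__ == "__main__":
    statics = parse_statics(PIX_STATICS)
    for target in ("10.10.10.21", "10.10.10.163", "10.10.10.99"):
        print(target, "->", resolve_inbound(statics, "outside", target))
    print("ambiguous mappings:", duplicate_mapped(statics))
```

With the post's two statics, the model delivers outside traffic for 10.10.10.163 to the mgt interface and for 10.10.10.21 to the inside interface, and reports no ambiguous mapping; comparing that expectation with what the firewall log shows is the check the post is effectively asking for.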
                        
