Create NAT definition through PIX running OS 8.0

I recently installed a Cisco 3750 switch so that I could deploy some VLANs. I am able to establish a session to the internet but I cannot establish a NAT session from the internet to the new VLAN.


I have a Cisco 2821 router installed as my internet router. My inside and DMZ networks are protected by a PIX running version 8.0.


I have the NAT translation set up but the session will not establish.


Here is my PIX config with pertinent details:

PIX Version 8.0(4)
!
hostname colofw
domain-name ddci.net
dns-guard
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.64.2
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
!
interface Ethernet2
 speed 100
 duplex full
 nameif colo
 security-level 50
 ip address 192.168.65.1 255.255.255.0
!
interface Ethernet3
 speed 100
 duplex full
 nameif mainframe
 security-level 10
 ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
banner login ^c Unauthorized access to this equipment is punishable by local, national and international laws. Illegal access to this system will be punished to the full extent of these laws. ^c
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name ddci.net
access-list inside extended permit ip host 192.168.64.67 host 192.168.67.12
access-list inside extended permit ip any any
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging trap informational
logging history errors
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level alerts
logging host inside 172.16.1.52
logging permit-hostdown
no logging message 410001
no logging message 106006
no logging message 106001
no logging message 305005
no logging message 305012
no logging message 305011
no logging message 411001
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu colo 1500
mtu mainframe 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name blockattackssh attack action alarm drop reset
ip audit name blocksshattack info action alarm drop reset
ip audit name sshblock attack action alarm drop
ip audit name blockssh info action alarm drop
ip audit interface outside sshblock
ip audit interface mainframe blockattackssh
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 199.34.64.3
global (colo) 1 interface
global (mainframe) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
nat (colo) 0 access-list 100
nat (colo) 1 0.0.0.0 0.0.0.0
nat (mainframe) 0 access-list 100
nat (mainframe) 1 0.0.0.0 0.0.0.0
static (colo,outside) 192.168.64.67 192.168.67.12 netmask 255.255.255.255
access-group inside in interface outside
access-group inside in interface inside
access-group inside in interface colo
access-group inside in interface mainframe
route outside 0.0.0.0 0.0.0.0 199.34.64.1 1
route colo 192.168.67.0 255.255.255.0 192.168.67.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
service resetinbound


Here is the config of the 3750 switch:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
!
!
no aaa new-model
clock timezone central 5
clock summer-time CST recurring
switch 2 provision ws-c3750-48p
ip subnet-zero
ip routing
ip domain-name DDCI
ip name-server 199.34.66.36
ip name-server 199.34.64.35
!
ip dhcp pool vlan20
   network 192.168.67.0 255.255.255.0
   default-router 192.168.67.1
   lease 7
!
ip dhcp pool vlan30
   network 192.168.80.0 255.255.255.0
   default-router 192.168.80.2
   lease 7
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet2/0/1
 description UPLINK to COLOFW
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface FastEthernet2/0/2
 description 192.168.65.10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet2/0/3
 description 192.168.65.20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet2/0/4
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet2/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet2/0/48
 description UPLINK to Sonicwall
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
 ip address 192.168.65.2 255.255.255.0
 no ip route-cache cef
 no ip route-cache
!
interface Vlan20
 ip address 192.168.67.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.80.2 255.255.255.0
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.65.1
ip http server
ip http authentication local
ip http secure-server
!
!
control-plane
!
banner motd ^CCC
############
#Data Dallas#
#Unauthorized access to this system is restricted by local,
and national and laws.
# Illegal access will be prosecuted.#
############################## ^C
!
line con 0
line vty 0 4
  login
line vty 5 15
 no login
!
end


Any help will be appreciated.

Thanks

ICEMAN84
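One thing worth checking in a PIX/ASA config like the one above is whether every static route's next hop is actually on-link for the interface the route points out of; if it is not, the firewall cannot ARP for the next hop and return traffic toward that destination (here the translated DMZ host) is dropped even though the static NAT and ACL look right. The script below is an added example, not part of the original post or of any Cisco tool; it parses a constructed excerpt of the posted interface and route lines with Python's standard ipaddress module and reports, per route, whether the next hop lies in the egress interface's subnet (None means the excerpt gives no mask for that interface, as the posted outside interface does).

```python
import ipaddress
import re

# Constructed excerpt: the interface and route lines from the PIX config in the post.
PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.64.2
!
interface Ethernet2
 nameif colo
 security-level 50
 ip address 192.168.65.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 199.34.64.1 1
route colo 192.168.67.0 255.255.255.0 192.168.67.1 1
"""


def interface_subnets(config):
    """Map each nameif to its directly connected IPv4 subnet (interfaces without a mask are skipped)."""
    subnets, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()
            if len(parts) == 4:  # "ip address A.B.C.D M.M.M.M"
                subnets[nameif] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
    return subnets


def check_routes(config):
    """Return (interface, destination, next_hop, on_link) for every static route.
    on_link is True when the next hop sits in the egress interface's subnet, False when
    it does not (the firewall cannot ARP for it), None when that subnet is unknown."""
    subnets = interface_subnets(config)
    results = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        ifname, net, mask, nh = m.groups()
        dest = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        on_link = None if ifname not in subnets else ipaddress.ip_address(nh) in subnets[ifname]
        results.append((ifname, str(dest), nh, on_link))
    return results


if __name__ == "__main__":
    for ifname, dest, nh, ok in check_routes(PIX_CONFIG):
        verdict = {True: "ok", False: "NEXT HOP NOT ON-LINK", None: "interface subnet unknown"}[ok]
        print(f"route {dest} via {nh} on {ifname}: {verdict}")
```

Run against the posted lines it flags the colo route, whose next hop 192.168.67.1 is the switch's Vlan20 address rather than an address in the colo subnet 192.168.65.0/24; the switch's Vlan1 address 192.168.65.2 is the on-link candidate (my reading of the 3750 config, not something the thread states).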


Comments

  • This would be a good post for the Security page but NAT is on the R&S blueprint so it's also good here. I can't see anywhere where you have an Internet routable address. Obviously there is one if you are accessing the Web. Can you post some info like "show ip route x.x.x.x" (where x.x.x.x is a VLAN address) from your Internet Router. Also a "show ip nat translation" when you are attempting to access the VLAN from the Web. Maybe even a "show run | i nat" on the Internet router as well.

  • I currently have many NAT definitions set up going to another DMZ on the firewall. However this DMZ only has a management VLAN defined on it.

    Here is the information requested:

    Firewall NIC address 199.34.64.2/24

    External Natted address Target IP 199.34.64.67
    DMZ computer target address 192.168.67.12

    Sho ip route command from internet router

    sho ip route 192.168.67.12
    Routing entry for 192.168.67.0/24
      Known via "static", distance 1, metric 0
      Routing Descriptor Blocks:
      * 199.34.64.2
          Route metric is 0, traffic share count is 1

    Sho NAT command from firewall

    sho nat colo | begin 199.34.64.67
        static translation to 199.34.64.67
        translate_hits = 730, untranslate_hits = 1430
      match ip colo any outside any
        dynamic translation to pool 1 (199.34.64.3)
        translate_hits = 1335, untranslate_hits = 230
      match ip colo any colo any
        dynamic translation to pool 1 (192.168.65.1 [Interface PAT])
        translate_hits = 0, untranslate_hits = 0
      match ip colo any mainframe any
        dynamic translation to pool 1 (199.34.66.1 [Interface PAT])
        translate_hits = 2452, untranslate_hits = 76
      match ip colo any outside any
        no translation group, implicit deny
        policy_hits = 0
      match ip colo any mainframe any
        no translation group, implicit deny
        policy_hits = 0

    Thanks

    ICEMAN84
