[c-nsp] Solved: interesting problem with PIX, double NAT and routing

Aldo Valente aldo.valente at gmx.de
Wed Mar 9 05:46:47 EST 2005 

Dear all,

since i wasted your time with my problem, i want to show you the solution.

The pix *always* uses the more specific route, even over a connected one. 
Against the Cisco Docs, the pix *can* have the same route twice, here inside
and outside.  You just have to use another metric.

Now i have 

route outside 0.0.0.0 0.0.0.0 outer.router 1
route inside 0.0.0.0 0.0.0.0 inner.router 2

And that`s how it works both ways.  To ping a host which is inside
you have to "ping inside inner.host" due to the better metric to the
outside.

Meanwhile, i even found the Docs, which i had only printed on paper on the
net:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1113552


Thanks,
Aldo

--- Weitergeleitete Nachricht / Forwarded Message ---
Date: Mon, 28 Feb 2005 11:21:01 +0100 (MET)
From: "Aldo Valente" <aldo.valente at gmx.de>
To: cisco-nsp at puck.nether.net
Subject: interesting problem with PIX, double NAT and routing

We have an setup with another Net which uses partially the same IP Adresses.

Should be no problem:

nat (inside) 1 0 0 
global (outside) 1 our.outside.ip
nat (outside) 2 0 0 outside
global (inside) 2 our.inside.ip

This works, what remains is the routing problem.  The Docs 
have a similar example, there is written that you cannot
have the same routing entry for inside and outside and in 
that example there is 10.0.0.0/24 connected inside and you have
to "route outside 10.0.0.0   255.255.255.128 outer.router" and 
   "route outside 10.0.0.128 255.255.255.128 outer.router"

So, we have

route inside  0          0         inner.router
and 
route outside 0          128.0.0.0 outer.router
route outside 128.0.0.0  128.0.0.0 outer.router

Basically the same as in the example, but our inner net 
is not connected.

Guess what, it doesn't work.  The Pix takes the more specific route. We 
tried the routing both ways.

Additionally we get weird errors when we try to remove the default route
(0/0) and even crash the pix.  It`s 6.3(4).

Some Suggestions?


Thanks,
Aldo

-- 
Lassen Sie Ihren Gedanken freien Lauf... z.B. per FreeSMS
GMX bietet bis zu 100 FreeSMS/Monat: http://www.gmx.net/de/go/mail

-- 
SMS bei wichtigen e-mails und Ihre Gedanken sind frei ...
Alle Infos zur SMS-Benachrichtigung: http://www.gmx.net/de/go/sms

More information about the cisco-nsp mailing list