Pix translation issue

Bl8ckr0uter · April 2011

Ok guys guru I have a problem. I am trying to set up sonicwall netextender on a SSL 4200 with a pix 515 firewall. I have configured the SSL to a T but in the pix I keep getting this error:

106011: Deny inbound (No xlate) icmp src inside: internalserver dst inside:192.168.200.201 (type 0, code 0)
106011: Deny inbound (No xlate) icmp src inside:internalserver dst inside:192.168.200.201 (type 0, code 0)

192.168.200.X is the net extender range. I checked the nat config:

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.200.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0

Everything looks good to me. I did added an entry on the access-list inside_outbound list for the 192.168.200.0 range bu it did not help. Anyone have any ideas?

Ahriakin · April 2011

What version are you running? If 7+ do you have nat-control enabled. Even if it's disabled check your globals. If there is a NAT statement that can cover the range of source IPs on the ingress int but no Global on the egress (or nat exemption, identity NAT etc.) it will still fail even with NAT-Control disabled.

You have a NAT exemption ACL but are these flows covered by it (as in have you defined both source AND dest subnet(s), not just that subnet to any)?

Also it looks like you are hairpinning traffic on the INSIDE (The message is from the INSIDE to a dst also routed back through that DMZ). Have you enabled Intra-interface same-security traffic, otherwise hairpinning will fail?

Really we'd need the matching Globals, that NAT-0 ACL, your NAT-Control status and the routing involved to be sure where to start but the above covers the basics.

Bl8ckr0uter · April 2011

Ahriakin wrote: »

What version are you running? If 7+ do you have nat-control enabled. Even if it's disabled check your globals. If there is a NAT statement that can cover the range of source IPs on the ingress int but no Global on the egress (or nat exemption, identity NAT etc.) it will still fail even with NAT-Control disabled.

Pix os 6.2.

Ahriakin wrote: »

You have a NAT exemption ACL but are these flows covered by it (as in have you defined both source AND dest subnet(s), not just that subnet to any)?

This is probably the problem. I know I have the source the but I don't think I defined the Lan subnet(s) as the destination. Would I need to define all of my lan subnets in a nat list? Could you give me an example of what one would look like?

Ahriakin wrote: »

Also it looks like you are hairpinning traffic on the INSIDE (The message is from the INSIDE to a dst also routed back through that DMZ). Have you enabled Intra-interface same-security traffic, otherwise hairpinning will fail?

Really we'd need the matching Globals, that NAT-0 ACL, your NAT-Control status and the routing involved to be sure where to start but the above covers the basics.

How do you enable intra-interface same-security traffic?

I won't be able to get back to that box until Sunday but thanks for the advice!

Bl8ckr0uter · April 2011

Xishan anwar wrote: »

???????????

WTF.......

I am rereading the deployment docs on the SSL tonight.

Ahriakin · April 2011

Got to run to a meeting but basically:

same-security-traffic permit intra-interface
Allows traffic to hairpin on the same int.

Offhand I'm not sure this is supported pre 7.x, I have a funny feeling it's not...actually pretty sure.

For Nat exemption use an extended ACL, the resulting exemption is bidirectional (Not all NAT types are).

e.g.
access-list NONAT-INSIDE permit 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
nat (INSIDE) 0 access-list NONAT-INSIDE

This sits at the top of the NAT heirarchy and overrides all other NAT types. (You can add denies earlier in the ACL if need be but try to avoid this, it gets messy but is sometimes needed to essentially exempt from the exemption

)

Pix translation issue

Comments