Friends, can you tell me why NAT isn't working on a PIX 515e (8.04)?
Where is the error?
<---outside_0(sl=0, dhcp)-PIX--lan(sl=100,172.20.1.1/30)-------->Fa0/0(172.20.1.2/30)-ISR1841
Code:
!
PIX Version 8.0(4)28
!
interface Ethernet0
description ISP-1-BeeLine
nameif outside_0
ip address dhcp
no shutdown
exit
!
no ip verify reverse-path interface outside_0
no ip verify reverse-path interface outside_1
!
interface Ethernet2
description GW-uplink
nameif lan
security-level 100
ip address 172.20.1.1 255.255.255.252
no shutdown
!
route outside_0 0.0.0.0 0.0.0.0 95.28.0.1 251
route outside_0 0.0.0.0 0.0.0.0 100.112.0.1 252
!
access-list NAT extended permit ip 172.20.1.0 255.255.255.252 interface outside_0
!
global (outside_0) 1 interface
nat (lan) 1 access-list NAT 0 0
exit
!
policy-map global_policy
class inspection_default
inspect icmp
inspect http
!
Code:
PIX-LAB(config)# sh interface ip brie
Interface IP-Address OK? Method Status Protocol
Ethernet0 100.112.12.200 YES DHCP up up
Ethernet1 unassigned YES unset administratively down down
Ethernet2 172.20.1.1 YES CONFIG up up
Code:
PIX-LAB(config)# sh interface ethernet 0
Interface Ethernet0 "outside_0", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Description: ISP-1-BeeLine
MAC address 001b.54d0.e0b8, MTU 1500
IP address 100.112.12.200, subnet mask 255.255.128.0
15 packets input, 5374 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
300 packets output, 26564 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (0/1)
output queue (curr/max packets): hardware (0/3) software (0/1)
Traffic Statistics for "outside_0":
15 packets input, 5164 bytes
300 packets output, 16072 bytes
0 packets dropped
Code:
PIX-LAB(config)# sh interface ethernet 2
Interface Ethernet2 "lan", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000e.0cba.eba8, MTU 1500
IP address 172.20.1.1, subnet mask 255.255.255.252
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
652 packets output, 41728 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
1 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/6) software (0/5)
Traffic Statistics for "lan":
0 packets input, 0 bytes
1 packets output, 28 bytes
0 packets dropped
Pings from the host (172.20.1.2):
Code:
Peters-Book:~ peter$ ping 172.20.1.1
PING 172.20.1.1 (172.20.1.1): 56 data bytes
64 bytes from 172.20.1.1: icmp_seq=0 ttl=255 time=0.777 ms
64 bytes from 172.20.1.1: icmp_seq=1 ttl=255 time=0.609 ms
64 bytes from 172.20.1.1: icmp_seq=2 ttl=255 time=0.686 ms
--------------------------------------------
Peters-Book:~ peter$ ping 100.112.12.200
PING 100.112.12.200 (100.112.12.200): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
---------------------------------------------
Peters-Book:~ peter$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Pings from the PIX: int-to-lan, int-to-inet and int-to-int
Code:
PIX-LAB(config)# ping lan 172.20.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Code:
PIX-LAB(config)# ping outside_0 100.112.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.112.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Code:
ping outside_0 172.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PIX-LAB(config)# ping lan 100.112.12.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.112.12.200, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Accordingly, NAT does not work in any form either.
What did I leave unconfigured?
Thanks.