Firewall Wizards mailing list archives

RE: PIX 501 inbound NAT problem


From: "Rik Schneider" <riks () wni com>
Date: Tue, 1 Feb 2005 11:56:03 -0600

I may be missing it in the config but I don't see outside_access_in and
static entries allowing the web services.  I would expect to see entries
like:
access-list outside_access_in permit tcp any host 100.1.1.1 eq www
static (inside,outside) tcp 100.1.1.1 www 172.19.0.1 \
   www netmask 255.255.255.255 0 0

These entries can be added via ssh or the PDM.

More information and examples can be found on Cisco's site @
http://www.cisco.com


--
Rik Schneider

Weathernews Americas Inc. 
(405) 310-2840 - Office
(405) 310-2900 - Main
(405) 388-1318 - Mobile
riks () wni com
No trees were harmed during the creation of this message; however some
electrons were inconvenienced.
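An added example, not part of Rik's reply or of the PIX itself: a small Python checker for the two-part rule PIX 6.x applies to inbound connections (an outside ACL permit naming the global address, plus a matching static), run over a constructed excerpt of the poster's config before and after the two lines from the reply are added. The config excerpts, the port-keyword table and the function names are assumptions made for illustration.

```python
import re
# PIX port keywords that may stand in for a number (assumed subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22}

# Constructed excerpt of the poster's config: only the lines the check reads.
POSTER_CONFIG = """
access-list outside_access_in permit udp any any eq 46130
access-list outside_access_in permit icmp any any echo-reply
global (outside) 1 interface
nat (inside) 1 192.168.0.128 255.255.255.128 0 0
access-group outside_access_in in interface outside
route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
"""

# Same excerpt plus the two lines the reply says are missing. In PIX 6.x both
# the outside ACL and the static name the global (outside) address first.
FIXED_CONFIG = POSTER_CONFIG + """
access-list outside_access_in permit tcp any host 100.1.1.1 eq www
static (inside,outside) tcp 100.1.1.1 www 172.19.0.1 www netmask 255.255.255.255 0 0
"""

def port_number(tok):
    """Resolve a PIX port keyword or numeric string to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def outside_acl_name(config):
    """Name of the ACL bound inbound on the outside interface, or None."""
    m = re.search(r"^access-group (\S+) in interface outside\s*$", config, re.M)
    return m.group(1) if m else None

def acl_permits(config, acl, proto, global_ip, dport):
    """True if the ACL permits proto from some source to host global_ip eq dport."""
    pat = (rf"^access-list {re.escape(acl)} permit {proto} (?:any|host \S+|\S+ \S+) "
           rf"host {re.escape(global_ip)} eq (\S+)\s*$")
    return any(port_number(p) == dport for p in re.findall(pat, config, re.M))

def static_for(config, proto, global_ip, dport):
    """(real_ip, real_port) a port-redirect static maps global_ip:dport to, or None."""
    pat = rf"^static \(inside,outside\) {proto} (\S+) (\S+) (\S+) (\S+) netmask"
    for g_ip, g_port, r_ip, r_port in re.findall(pat, config, re.M):
        if g_ip == global_ip and port_number(g_port) == dport:
            return (r_ip, port_number(r_port))
    return None

def check_inbound(config, proto, global_ip, dport):
    """Report both pieces PIX 6.x needs before it will build the inbound connection."""
    acl = outside_acl_name(config)
    acl_ok = acl is not None and acl_permits(config, acl, proto, global_ip, dport)
    return {"acl_permit": acl_ok, "static": static_for(config, proto, global_ip, dport)}
```

`check_inbound(POSTER_CONFIG, "tcp", "100.1.1.1", 80)` reports neither piece present, which matches the reply's diagnosis; with the two added lines it reports the permit and the mapping to 172.19.0.1:80.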


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Inge Nilsson
Sent: Sunday, January 30, 2005 9:29 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX 501 inbound NAT problem


Hi !

I have a Cisco PIX 501 version 6.1 and have a problem with setting up inbound
NAT to particular subnets in my particular network. It seems like some kind
of routing problem.

The network topology:

          |
          |  outside IP 100.1.1.1 (fake address)
         PIX
          |  inside IP 192.168.0.1
          |
          |         network 192.168.0.0/24
          |         network 192.168.100.0/24
          |
          |  IP 192.168.0.254
          |  IP 192.168.100.254 secondary
   Cisco 2621 Router
          |  IP 172.19.0.254
          | 
          |         network 172.19.0.0/16
          |
          |  IP 172.19.0.1
      Web server


What I try to do is to open public IP address 100.1.1.1 port 80 and NAT it to
the Web server 172.19.0.1. I cannot find what the problem is. I cannot see
any packets in tcpdump of the Web server, but in the "sh access-list" I can
see that the "hitcnt" is increasing...

If I try it on another server on network 192.168.0.0 or 192.168.100.0 it
works fine, but they are on the same subnet as the "inside" of the PIX. The
failing subnet is on the "other side" of the Cisco router. The PIX can
access the Web server via ICMP, so it is nothing on the routing on the
network, but it seems like there must be something more in the PIX config to
make this work.

Can anyone help me?

My config (some rows like passwords are deleted, and some IP addresses are
changed to fake addresses):

Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname inabler-pix
domain-name inabler.net
fixup protocol ftp 21
no fixup protocol http 80
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list outside_access_in permit udp any any eq 46130 
access-list outside_access_in permit icmp any any echo-reply 
access-list outside_access_in permit icmp any any traceroute 
access-list outside_access_in permit icmp any any time-exceeded 
access-list inside_access_in permit icmp any any 
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any 
access-list inside_access_in permit ip 192.168.100.0 255.255.255.0 any 
access-list inside_access_in permit ip 172.19.0.0 255.255.0.0 any 
pager lines 24
logging on
logging buffered debugging
logging trap notifications
logging history notifications
logging facility 18
logging host inside <"removed">
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 100.1.1.1 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2004 disable
pdm location <"removed">
pdm logging informational 100
pdm history enable
arp timeout 900
global (outside) 1 interface
nat (inside) 1 192.168.0.128 255.255.255.128 0 0
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 100.1.1.254 1
route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
route inside 192.168.100.0 255.255.255.0 192.168.0.254 1
timeout xlate 0:05:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:04:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:601493e1ece31e9357db9698cfd95d9d
: end
[OK]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards