Firewall Wizards mailing list archives
RE: PIX 501 inbound NAT problem
From: "Rik Schneider" <riks () wni com>
Date: Tue, 1 Feb 2005 11:56:03 -0600
I may be missing it in the config but I don't see outside_access_in and static entries allowing the web services. I would expect to see entries like:

    outside_access_in permit tcp any host 172.19.0.1 eq www
    static (inside,outside) tcp 172.19.0.1 www 100.1.1.1 \
        www netmask 255.255.255.255 0 0

These entries can be added via ssh or the PDM. More information and examples can be found on Cisco's site @ http://www.cisco.com

--
Rik Schneider
Weathernews Americas Inc.
(405) 310-2840 - Office
(405) 310-2900 - Main
(405) 388-1318 - Mobile
riks () wni com

No trees were harmed during the creation of this message; however some electrons were inconvenienced.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Inge Nilsson
Sent: Sunday, January 30, 2005 9:29 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX 501 inbound NAT problem

Hi!

I have a Cisco PIX 501 version 6.1 and have a problem with setting up inbound NAT to particular subnets in my particular network. It seems like some kind of routing problem.

The network topology:

                |
                |  outside IP 100.1.1.1 (fake address)
               PIX
                |  inside IP 192.168.0.1
                |
                |  network 192.168.0.0/24
                |  network 192.168.100.0/24
                |
                |  IP 192.168.0.254
                |  IP 192.168.100.254 secondary
       Cisco 2621 Router
                |  IP 172.19.0.254
                |
                |  network 172.19.0.0/16
                |
                |  IP 172.19.0.1
           Web server

What I try to do is to open public IP address 100.1.1.1 port 80 and NAT it to the Web server 172.19.0.1. I can not find what the problem is. I can not see any packets in tcpdump of the Web server, but in the "sh access-list" I can see that the "hitcnt" is increasing... If I try it on another server on network 192.168.0.0 or 192.168.100.0 it works fine, but they are on the same subnet as the "inside" of the PIX. The failing subnet is on the "other side" of the Cisco router.

The PIX can access the Web server via ICMP, so it is nothing on the routing on the network, but it seems like there must be something more in the PIX config to make this work. Can anyone help me?

My config (some rows like passwords are deleted, and some IP addresses are changed to fake addresses):

Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname inabler-pix
domain-name inabler.net
fixup protocol ftp 21
no fixup protocol http 80
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list outside_access_in permit udp any any eq 46130
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any traceroute
access-list outside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.100.0 255.255.255.0 any
access-list inside_access_in permit ip 172.19.0.0 255.255.0.0 any
pager lines 24
logging on
logging buffered debugging
logging trap notifications
logging history notifications
logging facility 18
logging host inside <"removed">
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 100.1.1.1 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2004 disable
pdm location <"removed">
pdm logging informational 100
pdm history enable
arp timeout 900
global (outside) 1 interface
nat (inside) 1 192.168.0.128 255.255.255.128 0 0
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 100.1.1.254 1
route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
route inside 192.168.100.0 255.255.255.0 192.168.0.254 1
timeout xlate 0:05:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:04:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:601493e1ece31e9357db9698cfd95d9d
: end
[OK]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
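The reply above comes down to two objects the posted config lacks for the web server: a static translation for the public address and port, and a permit entry in the ACL bound inbound on the outside interface for that same address and port. The script below is an added example, not part of the thread and not Cisco's tooling, that parses a constructed PIX 6.x-style config (modelled on the poster's, using the thread's fake addresses) and reports which of those pieces is missing for a service you want published, then cross-checks every static against the inbound ACL. It assumes PIX 6.x conventions: `static` takes the mapped (global) address and port before the real ones, and an outside ACL is written against the mapped address rather than the real one; it only understands the `permit tcp|udp any host X eq Y` ACE form and the port-static form, which is all this case needs.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the poster's PIX 6.1 config and trimmed to
# the lines that matter for inbound publishing; addresses are the thread's
# fake ones.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit udp any any eq 46130
access-list outside_access_in permit icmp any any echo-reply
ip address outside 100.1.1.1 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.0.128 255.255.255.128 0 0
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
"""

# The two missing lines, in PIX 6.x argument order (assumption stated in the
# lead-in): static lists the mapped address/port first, then the real ones,
# and the outside ACL names the mapped address.
PUBLISH_WEB = """\
static (inside,outside) tcp 100.1.1.1 www 172.19.0.1 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 100.1.1.1 eq www
"""

Static = namedtuple("Static", "proto mapped_ip mapped_port real_ip real_port")
Ace = namedtuple("Ace", "acl proto dst port")

PORT_NAMES = {"www": "80", "http": "80", "https": "443", "ssh": "22",
              "smtp": "25", "ftp": "21", "domain": "53"}

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def port_number(p):
    """Normalise a PIX port keyword (www, https, ...) to its number."""
    return PORT_NAMES.get(p, p)


def parse(config):
    """Pull port statics, host-specific permit ACEs and ACL bindings out of a config."""
    statics, aces, bindings = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            proto, mip, mport, rip, rport = m.groups()
            statics.append(Static(proto, mip, port_number(mport), rip, port_number(rport)))
        elif m := ACE_RE.match(line):
            acl, proto, dst, port = m.groups()
            aces.append(Ace(acl, proto, dst, port_number(port)))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)  # interface name -> ACL name
    return statics, aces, bindings


def missing_for(config, proto, mapped_ip, port, outside="outside"):
    """List what is still missing to publish proto mapped_ip:port inbound."""
    statics, aces, bindings = parse(config)
    port = port_number(port)
    missing = []
    if not any(s.proto == proto and s.mapped_ip == mapped_ip and s.mapped_port == port
               for s in statics):
        missing.append(f"static (inside,outside) {proto} {mapped_ip} {port} <real_ip> <real_port>")
    acl = bindings.get(outside)
    if acl is None:
        missing.append(f"access-group <acl> in interface {outside}")
    elif not any(a.acl == acl and a.proto == proto and a.dst == mapped_ip and a.port == port
                 for a in aces):
        missing.append(f"access-list {acl} permit {proto} any host {mapped_ip} eq {port}")
    return missing


def audit(config, outside="outside"):
    """Cross-check every static against the inbound ACL and every host ACE against the statics."""
    statics, aces, bindings = parse(config)
    acl = bindings.get(outside)
    inbound = [a for a in aces if a.acl == acl]
    findings = []
    for s in statics:
        if not any(a.proto == s.proto and a.dst == s.mapped_ip and a.port == s.mapped_port
                   for a in inbound):
            findings.append(f"static {s.proto} {s.mapped_ip}:{s.mapped_port} -> "
                            f"{s.real_ip}:{s.real_port} is not permitted by {acl}")
    for a in inbound:
        if any(a.proto == s.proto and a.dst == s.mapped_ip and a.port == s.mapped_port
               for s in statics):
            continue
        if any(a.dst == s.real_ip for s in statics):
            why = "names the real address; a PIX 6.x outside ACL must use the mapped address"
        else:
            why = "no static maps this address/port"
        findings.append(f"ACE permit {a.proto} any host {a.dst} eq {a.port}: {why}")
    return findings


if __name__ == "__main__":
    print("missing before:", missing_for(PIX_CONFIG, "tcp", "100.1.1.1", "www"))
    print("missing after: ", missing_for(PIX_CONFIG + PUBLISH_WEB, "tcp", "100.1.1.1", "www"))
    print("audit after:   ", audit(PIX_CONFIG + PUBLISH_WEB))
```

Run against the trimmed config it names both missing lines for 100.1.1.1:80; with `PUBLISH_WEB` appended it reports nothing. The `audit` pass is the check worth keeping around: a static with no matching permit is a silent dead entry, and a permit written against the server's real address on a pre-8.3 box is exactly the kind of entry that shows a rising hitcnt while the server never sees a packet, so both are flagged with the reason.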
Current thread:
- PIX 501 inbound NAT problem Inge Nilsson (Feb 01)
- Re: PIX 501 inbound NAT problem Kevin Sheldrake (Feb 03)
- RE: PIX 501 inbound NAT problem Inge Nilsson (Feb 03)
- RE: PIX 501 inbound NAT problem Mathew Want (Feb 19)
- <Possible follow-ups>
- RE: PIX 501 inbound NAT problem Rik Schneider (Feb 03)
- Re: PIX 501 inbound NAT problem Kevin Sheldrake (Feb 03)