Firewall Wizards mailing list archives

RE: PIX501 PAT and Static NAT problems


From: "Smith Bruce" <bruces () petech ac za>
Date: Mon, 2 Jun 2003 08:53:55 +0200

Hi

I think your static is clashing with your PAT. What we've found works is something similar to this, assuming your 
servers are on a different subnet to your internal users.

global (outside) 1 interface
nat (inside) 0 192.168.1.0 255.255.255.0 (the server farm is not natted)
nat (inside) 1 192.168.2.0 255.255.255.0 (the clients, all subnets have to be specified)
static (inside, outside) 192.168.44.3 192.168.1.2
conduit permit tcp host 192.168.44.3 eq 80 any

Apparently the way you are doing the configs should work according to the Cisco manuals. But from experience with our 
PIXes, I would have to disagree with the manuals.

Hope this helps

Regards

Bruce Smith
PE Technikon Internet Services Administrator


-----Original Message-----
From: Aidan O'Rawe [mailto:a.orawe () ntlworld com]
Sent: Sunday, June 01, 2003 11:36 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX501 PAT and Static NAT problems


Hi,

I'm having a bit of trouble with a PIX501. I have issued the following
commands to allow all the internal users to connect through the PIX to the
outside:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

Everything works fine until I add a static for an internal web server, then
all internal users can't get to the outside of the PIX anymore.  I
configured this with the following commands:

static (inside,outside) <External IP> 192.168.1.2 0 8
conduit permit tcp host <External IP> eq 80 any

Does anyone know the right way to go about configuring this properly?

TIA

Arj.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards