Re: PIX 501 inbound NAT problem

["Kevin Sheldrake" <kev () electriccat co uk>]

Hello

I could be wrong (quite new to PIX but I've got my 515E working!), but I  
think you're missing a 'static' to allow the packets to traverse from a  
lower security level to a higher one.  You'll probably want something like:

static (inside, outside) tcp interface 80 172.19.0.1 80 netmask  
255.255.255.255 0 0

You'll also probably need an ACL on the outside_access_in ACL to allow the  
packets in:

access-list outside_access_in permit tcp any host 100.1.1.1 eq 80

Kev


> Hi !
>
> I have a Cisco PIX 501 version 6.1 and have problem with setting up  
> inbound
> NAT to particular subnets in my particular network. It seems like some  
> kind
> of routing problem.
>
> The network topology:
>
>           |
>           |  outside IP 100.1.1.1 (fake address)
>          PIX
>           |  inside IP 192.168.0.1
>           |
>           |         network 192.168.0.0/24
>           |         network 192.168.100.0/24
>           |
>           |  IP 192.168.0.254
>           |  IP 192.168.100.254 secondary
>    Cisco 2621 Router
>           |  IP 172.19.0.254
>           |
>           |         network 172.19.0.0/16
>           |
>           |  IP 172.19.0.1
>       Web server
>
>
> What I try to do is to open public IP adress 100.1.1.1 port 80 and NAT  
> it to
> the Web server 172.19.0.1. I can not find what the problem is. I can not  
> see
> any packets in tcpdump of the Web server, but in the "sh access-list" I  
> can
> see that the "hitcnt" is increasing...
>
> If I try it on another server on network 192.168.0.0 or 192.168.100.0 it
> works fine, but they are on the same subnet as the "inside" of the PIX.  
> The
> failing subnet is on the "other side" of the Cisco router. The PIX can
> access the Web server via ICMP, so it is nothing on the routing on the
> network, but it seems like there must be something more in the PIX  
> config to
> make this work.
>
> Can anyone help me?
>
> My config (some rows like passwords are deleted, and some IP adresses are
> changed to fake addresses):
>
> Building configuration...
> : Saved
> :
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname inabler-pix
> domain-name inabler.net
> fixup protocol ftp 21
> no fixup protocol http 80
> no fixup protocol h323 1720
> no fixup protocol rsh 514
> no fixup protocol rtsp 554
> no fixup protocol smtp 25
> no fixup protocol sqlnet 1521
> no fixup protocol sip 5060
> no fixup protocol skinny 2000
> names
> access-list outside_access_in permit udp any any eq 46130
> access-list outside_access_in permit icmp any any echo-reply
> access-list outside_access_in permit icmp any any traceroute
> access-list outside_access_in permit icmp any any time-exceeded
> access-list inside_access_in permit icmp any any
> access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any
> access-list inside_access_in permit ip 192.168.100.0 255.255.255.0 any
> access-list inside_access_in permit ip 172.19.0.0 255.255.0.0 any
> pager lines 24
> logging on
> logging buffered debugging
> logging trap notifications
> logging history notifications
> logging facility 18
> logging host inside <"removed">
> interface ethernet0 10baset
> interface ethernet1 10full
> icmp permit any echo-reply outside
> icmp permit any echo outside
> icmp permit any echo inside
> icmp permit any echo-reply inside
> mtu outside 1500
> mtu inside 1500
> ip address outside 100.1.1.1 255.255.255.224
> ip address inside 192.168.0.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip audit signature 2000 disable
> ip audit signature 2004 disable
> pdm location <"removed">
> pdm logging informational 100
> pdm history enable
> arp timeout 900
> global (outside) 1 interface
> nat (inside) 1 192.168.0.128 255.255.255.128 0 0
> nat (inside) 1 192.168.100.0 255.255.255.0 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 100.1.1.254 1
> route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
> route inside 192.168.100.0 255.255.255.0 192.168.0.254 1
> timeout xlate 0:05:00
> timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:04:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> http server enable
> http 192.168.0.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> isakmp policy 10 authentication rsa-sig
> isakmp policy 10 encryption des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 86400
> ssh 192.168.0.0 255.255.255.0 inside
> ssh timeout 20
> dhcpd lease 3600
> dhcpd ping_timeout 750
> terminal width 80
> Cryptochecksum:601493e1ece31e9357db9698cfd95d9d
> : end
> [OK]
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards