Firewall Wizards mailing list archives

RE: PIX 501 inbound NAT problem


From: "Mathew Want" <mathew.want () ac3 com au>
Date: Wed, 2 Feb 2005 08:39:59 +1100

Inge,

I have been bitten by similar problems before.

I cannot actually see a NAT rule in place for your server on 172.19.0.1.
Maybe you need a line similar to this:

static (inside,outside) tcp 100.1.1.1 www 172.19.0.1 www netmask
255.255.255.255 0 0 

I also cannot see an ACL to allow the traffic in. PIXs need rules to allow
low security interfaces to send traffic to high security interfaces. Maybe
something like:

access-list outside_access_in permit tcp any host 100.1.1.1 eq www 

Something else to keep in mind is the number of licensed connections for the
501. Standard it's 10 and it will only connect the first 10 internal machines
that attempt. 'show version' will tell you how many licences are on the
unit. A sign of this being an issue can be errors in the log files about no
NAT rule present, even when you know there is one there.

Hope this helps.
--
Regards,
Mathew Want
ac3
Network and Security Engineer
Phone:      +61 2 9209 4600
Email:      mathew.want () ac3 com au 
URL:        http://www.ac3.com.au


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Inge Nilsson
Sent: Monday, 31 January 2005 2:29 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX 501 inbound NAT problem


Hi !

I have a Cisco PIX 501 version 6.1 and have a problem setting up inbound
NAT to particular subnets in my particular network. It seems like some kind
of routing problem.

The network topology:

          |
          |  outside IP 100.1.1.1 (fake address)
         PIX
          |  inside IP 192.168.0.1
          |
          |         network 192.168.0.0/24
          |         network 192.168.100.0/24
          |
          |  IP 192.168.0.254
          |  IP 192.168.100.254 secondary
   Cisco 2621 Router
          |  IP 172.19.0.254
          | 
          |         network 172.19.0.0/16
          |
          |  IP 172.19.0.1
      Web server


What I try to do is to open public IP address 100.1.1.1 port 80 and NAT it to
the Web server 172.19.0.1. I cannot find what the problem is. I cannot see
any packets in tcpdump of the Web server, but in the "sh access-list" I can
see that the "hitcnt" is increasing...

If I try it on another server on network 192.168.0.0 or 192.168.100.0 it
works fine, but they are on the same subnet as the "inside" of the PIX. The
failing subnet is on the "other side" of the Cisco router. The PIX can
access the Web server via ICMP, so it is nothing on the routing on the
network, but it seems like there must be something more in the PIX config to
make this work. 

Can anyone help me?

My config (some rows like passwords are deleted, and some IP addresses are
changed to fake addresses):

Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname inabler-pix
domain-name inabler.net
fixup protocol ftp 21
no fixup protocol http 80
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list outside_access_in permit udp any any eq 46130 
access-list outside_access_in permit icmp any any echo-reply 
access-list outside_access_in permit icmp any any traceroute 
access-list outside_access_in permit icmp any any time-exceeded 
access-list inside_access_in permit icmp any any 
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any 
access-list inside_access_in permit ip 192.168.100.0 255.255.255.0 any 
access-list inside_access_in permit ip 172.19.0.0 255.255.0.0 any 
pager lines 24
logging on
logging buffered debugging
logging trap notifications
logging history notifications
logging facility 18
logging host inside <"removed">
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 100.1.1.1 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2004 disable
pdm location <"removed">
pdm logging informational 100
pdm history enable
arp timeout 900
global (outside) 1 interface
nat (inside) 1 192.168.0.128 255.255.255.128 0 0
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 100.1.1.254 1
route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
route inside 192.168.100.0 255.255.255.0 192.168.0.254 1
timeout xlate 0:05:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:04:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:601493e1ece31e9357db9698cfd95d9d
: end
[OK]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
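Added example, not part of the thread: a small Python checker that applies the three things Mathew's reply points at (a static for the public address, a permit in the ACL applied inbound on outside, and an inside route to the real server) to a PIX 6.x-style configuration. The config text is a constructed extract of the one Inge posted, with the two lines from the reply appended in a second copy; the function names and the port keyword table are mine, and the checker understands only the PIX 6.x syntax forms that appear in this thread (port static, one-to-one static, access-list permit with any/host/mask address specs and an optional eq port).

```python
import ipaddress
import re

# Constructed sample: the lines from the posted PIX 6.1 config that matter for
# publishing 100.1.1.1:80, before the two lines suggested in the reply exist.
PIX_CONFIG_BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit udp any any eq 46130
access-list outside_access_in permit icmp any any echo-reply
ip address outside 100.1.1.1 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.0.128 255.255.255.128 0 0
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.254 1
route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
"""

# The same config with the static and ACL lines from the reply appended.
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE + """\
static (inside,outside) tcp 100.1.1.1 www 172.19.0.1 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 100.1.1.1 eq www
"""

# Port keywords PIX accepts in place of numbers (a subset, assumed here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22}

# Port static: static (i,o) tcp GLOBAL GPORT LOCAL LPORT ...; or one-to-one.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\)(?: (tcp|udp) (\S+) (\S+) (\S+) (\S+)| (\S+) (\S+))", re.M)


def to_port(token):
    """Map a PIX port token ('www' or '80') to an integer, None if unknown."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token) if token.isdigit() else None


def has_static(config, public_ip, port, real_ip):
    """True if a static (port or one-to-one) maps public_ip[:port] to real_ip."""
    for m in STATIC_RE.finditer(config):
        if m.group(3):
            if (m.group(4) == public_ip and to_port(m.group(5)) == port
                    and m.group(6) == real_ip):
                return True
        elif m.group(8) == public_ip and m.group(9) == real_ip:
            return True
    return False


def parse_addr_spec(tokens, i):
    """Consume one PIX address spec (any | host X | X MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def inbound_acl(config, iface):
    """Name of the ACL applied inbound on iface, or None if none is bound."""
    m = re.search(rf"^access-group (\S+) in interface {iface}\s*$", config, re.M)
    return m.group(1) if m else None


def acl_permits(config, acl_name, proto, dst_ip, dst_port):
    """True if acl_name has a permit entry covering proto to dst_ip:dst_port."""
    # On PIX 6.x the outside ACL matches the global (mapped) address, which is
    # why the reply's example line uses host 100.1.1.1, not the real server.
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:3] != ["access-list", acl_name, "permit"]:
            continue
        if t[3] not in (proto, "ip"):
            continue
        _, i = parse_addr_spec(t, 4)  # source spec; any source is acceptable here
        dst, i = parse_addr_spec(t, i)
        if ipaddress.ip_address(dst_ip) not in dst:
            continue
        if i < len(t) and t[i] == "eq" and to_port(t[i + 1]) != dst_port:
            continue
        return True
    return False


def inside_reachable(config, real_ip):
    """True if real_ip is on the inside subnet or covered by a 'route inside'."""
    addr = ipaddress.ip_address(real_ip)
    nets = re.findall(r"^(?:ip address inside|route inside) (\S+) (\S+)", config, re.M)
    return any(addr in ipaddress.ip_network(f"{n}/{m}", strict=False) for n, m in nets)


def audit_inbound(config, public_ip, port, real_ip, proto="tcp"):
    """List what is missing for public_ip:port to reach real_ip through the PIX."""
    findings = []
    if not has_static(config, public_ip, port, real_ip):
        findings.append(f"no static translating {public_ip}:{port} to {real_ip}")
    acl = inbound_acl(config, "outside")
    if acl is None:
        findings.append("no access-group applied inbound on outside")
    elif not acl_permits(config, acl, proto, public_ip, port):
        findings.append(f"ACL {acl} has no permit for {proto}/{port} to {public_ip}")
    if not inside_reachable(config, real_ip):
        findings.append(f"no inside route covers {real_ip}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", PIX_CONFIG_BEFORE), ("after", PIX_CONFIG_AFTER)):
        print(label, audit_inbound(cfg, "100.1.1.1", 80, "172.19.0.1") or "ok")
```

Run against the "before" extract it reports the missing static and the missing ACL permit, and reports nothing for the route because `route inside 172.19.0.0 255.255.0.0` already covers the web server, which matches Inge's observation that ICMP from the PIX reaches it. It cannot see the connection-licence limit Mathew mentions; that still needs `show version` on the box.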
