Firewall Wizards mailing list archives
RE: PIX 501 inbound NAT problem
From: "Mathew Want" <mathew.want () ac3 com au>
Date: Wed, 2 Feb 2005 08:39:59 +1100
Inge, I have been bitten by similar problems before. I cannot actually see a NAT rule in place for your server on 172.19.0.1. Maybe you need a line similar to this: static (inside,outside) tcp 100.1.1.1 www 172.19.0.1 www netmask 255.255.255.255 0 0 I also cannot see an ACL to allow the traffic in. PIX's need rules to allow low security interfaces to send traffic to high securiity interface. Maybe something like: access-list outside_access_in permit tcp any host 100.1.1.1 eq www Something else to keep in mind it the number of licenced connections for the 501. Standard its 10 and it will only connect the first 10 internal machines that attempt. 'show version' will tell you how many licences are on the unit. A sign of this being an issue can be errors in the log files about no NAT rule present, even when you know there is one there. Hope this helps. -- Regards, Mathew Want ac3 Network and Security Engineer Phone: +61 2 9209 4600 Email: mathew.want () ac3 com au URL: http://www.ac3.com.au -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Inge Nilsson Sent: Monday, 31 January 2005 2:29 AM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] PIX 501 inbound NAT problem Hi ! I have a Cisco PIX 501 version 6.1 and have problem with setting up inbound NAT to particular subnets in my particular network. It seems like some kind of routing problem. The network topology: | | outside IP 100.1.1.1 (fake address) PIX | inside IP 192.168.0.1 | | network 192.168.0.0/24 | network 192.168.100.0/24 | | IP 192.168.0.254 | IP 192.168.100.254 secondary Cisco 2621 Router | IP 172.19.0.254 | | network 172.19.0.0/16 | | IP 172.19.0.1 Web server What I try to do is to open public IP adress 100.1.1.1 port 80 and NAT it to the Web server 172.19.0.1. I can not find what the problem is. I can not see any packets in tcpdump of the Web server, but in the "sh access-list" I can see that the "hitcnt" is increasing... If I try it on another server on network 192.168.0.0 or 192.168.100.0 it works fine, but they are on the same subnet as the "inside" of the PIX. The failing subnet is on the "other side" of the Cisco router. The PIX can access the Web server via ICMP, so it is nothing on the routing on the network, but it seems like there must be something more in the PIX config to make this work. Can anyone help me? My config (some rows like passwords are deleted, and some IP adresses are changed to fake addresses): Building configuration... : Saved : PIX Version 6.1(1) nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname inabler-pix domain-name inabler.net fixup protocol ftp 21 no fixup protocol http 80 no fixup protocol h323 1720 no fixup protocol rsh 514 no fixup protocol rtsp 554 no fixup protocol smtp 25 no fixup protocol sqlnet 1521 no fixup protocol sip 5060 no fixup protocol skinny 2000 names access-list outside_access_in permit udp any any eq 46130 access-list outside_access_in permit icmp any any echo-reply access-list outside_access_in permit icmp any any traceroute access-list outside_access_in permit icmp any any time-exceeded access-list inside_access_in permit icmp any any access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any access-list inside_access_in permit ip 192.168.100.0 255.255.255.0 any access-list inside_access_in permit ip 172.19.0.0 255.255.0.0 any pager lines 24 logging on logging buffered debugging logging trap notifications logging history notifications logging facility 18 logging host inside <"removed"> interface ethernet0 10baset interface ethernet1 10full icmp permit any echo-reply outside icmp permit any echo outside icmp permit any echo inside icmp permit any echo-reply inside mtu outside 1500 mtu inside 1500 ip address outside 100.1.1.1 255.255.255.224 ip address inside 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip audit signature 2000 disable ip audit signature 2004 disable pdm location <"removed"> pdm logging informational 100 pdm history enable arp timeout 900 global (outside) 1 interface nat (inside) 1 192.168.0.128 255.255.255.128 0 0 nat (inside) 1 192.168.100.0 255.255.255.0 0 0 access-group outside_access_in in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 100.1.1.254 1 route inside 172.19.0.0 255.255.0.0 192.168.0.254 1 route inside 192.168.100.0 255.255.255.0 192.168.0.254 1 timeout xlate 0:05:00 timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:04:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius http server enable http 192.168.0.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable no sysopt route dnat isakmp policy 10 authentication rsa-sig isakmp policy 10 encryption des isakmp policy 10 hash sha isakmp policy 10 group 1 isakmp policy 10 lifetime 86400 ssh 192.168.0.0 255.255.255.0 inside ssh timeout 20 dhcpd lease 3600 dhcpd ping_timeout 750 terminal width 80 Cryptochecksum:601493e1ece31e9357db9698cfd95d9d : end [OK] _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- PIX 501 inbound NAT problem Inge Nilsson (Feb 01)
- Re: PIX 501 inbound NAT problem Kevin Sheldrake (Feb 03)
- RE: PIX 501 inbound NAT problem Inge Nilsson (Feb 03)
- RE: PIX 501 inbound NAT problem Mathew Want (Feb 19)
- <Possible follow-ups>
- RE: PIX 501 inbound NAT problem Rik Schneider (Feb 03)
- Re: PIX 501 inbound NAT problem Kevin Sheldrake (Feb 03)