Firewall Wizards mailing list archives

RE: PIX 501 inbound NAT problem


From: "Inge Nilsson" <inge.nilsson () inabler com>
Date: Thu, 3 Feb 2005 14:20:08 +0100


Hi everybody!

Thanks for the answers I got from you. You all said that I have missed the
static and access-list statements... I don't know why, I must have cleaned
them away when I wanted to make the actual addresses as "fake" addresses.

Anyhow, now I have got it working. I had earlier done exactly as some of you
told me to do; the problem was really a routing problem on my inside
network.

Thanks for the help.

/ Inge


Hi!

I have a Cisco PIX 501 version 6.1 and have a problem with setting up
inbound NAT to particular subnets in my particular network. It seems like
some kind of routing problem.

The network topology:

          |
          |  outside IP 100.1.1.1 (fake address)
         PIX
          |  inside IP 192.168.0.1
          |
          |         network 192.168.0.0/24
          |         network 192.168.100.0/24
          |
          |  IP 192.168.0.254
          |  IP 192.168.100.254 secondary
   Cisco 2621 Router
          |  IP 172.19.0.254
          |
          |         network 172.19.0.0/16
          |
          |  IP 172.19.0.1
      Web server


What I try to do is to open public IP address 100.1.1.1 port 80 and NAT
it to the Web server 172.19.0.1. I cannot find what the problem is. I
cannot see any packets in tcpdump on the Web server, but in the
"sh access-list" I can see that the "hitcnt" is increasing...

If I try it on another server on network 192.168.0.0 or 192.168.100.0
it works fine, but they are on the same subnet as the "inside" of the PIX.
The failing subnet is on the "other side" of the Cisco router. The PIX can
access the Web server via ICMP, so it is nothing on the routing on the
network, but it seems like there must be something more in the PIX
config to make this work.

Can anyone help me?

My config (some rows like passwords are deleted, and some IP addresses
are changed to fake addresses):

