RE: [fw-wiz] No connection once the translation rules are applied

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 12/11/03

    To: <geoffreyh@frontlinedefensesystems.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 11 Dec 2003 09:26:59 -0500
    
    

    Any time you change NAT rules on a PIX, your first troubleshooting step
    should always be to run 'clear xlate'.

    If the IP address doesn't change, why perform static NAT for it? Instead
    of the static, try:

    nat (outside) 0 192.168.1.10 255.255.255.255

    With other types of connections, you might be able to perform static
    PAT via the outside interface, but I'm not sure that the PIX supports
    GRE in that configuration.

    Also, it looks like you're missing a source 'any' in the permit tcp rule
    below. Good luck!

    PaulM

    -----Original Message-----
    I have a 501 v. 6.3(1). I am attempting to establish a PPTP VPN server
    (192.168.1.10) behind the firewall. I lose Internet connectivity once I apply
    the translation rules. I do not have an electronic copy available, but here is
    a quick synopsis of the pertinent entries.

    fixup protocol pptp 1723
    access-list outside_access_in permit gre any host 192.168.1.10
    access-list outside_access_in permit tcp eq pptp host 192.168.1.10 eq pptp
    access-list outside_access_in permit icmp any any echo-reply
    ip address outside xxx.xxx.xxx.xxx 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0 0
    static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside

    What am I missing here?
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
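The syntax slip Paul points out (a `permit tcp` entry with no source address before the first `eq`) is the kind of thing that is easy to miss when typing rules by hand. Below is an added example, not part of the original thread or of any Cisco tooling, that parses PIX 6.x style `access-list` entries into their source/destination/port fields and flags entries whose address spec is missing or whose port operator is used with a protocol that has no ports. The grammar it implements is the address form of PIX 6.x extended ACLs (`any`, `host A.B.C.D`, or `A.B.C.D MASK`); the function names are hypothetical, and the sample lines are the ones quoted from the original post.

```python
"""Syntax checker for PIX 6.x access-list entries (added example).

Parses each entry into action / protocol / source / destination / ports and
reports entries that cannot be a well-formed PIX ACE, such as a missing
source address (the bug in the thread) or a port operator on a protocol
without ports (e.g. "permit gre ... eq 1723").
"""
import re

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
PORTED_PROTOS = {"tcp", "udp"}
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Sample input: the access-list lines quoted in the original post.
ACL_LINES = [
    "access-list outside_access_in permit gre any host 192.168.1.10",
    "access-list outside_access_in permit tcp eq pptp host 192.168.1.10 eq pptp",
    "access-list outside_access_in permit icmp any any echo-reply",
]


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (text, next_index) or (None, i)."""
    if i >= len(tokens):
        return None, i
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host" and i + 1 < len(tokens):
        return f"host {tokens[i + 1]}", i + 2
    if (_IPV4.fullmatch(tok) and i + 1 < len(tokens)
            and _IPV4.fullmatch(tokens[i + 1])):
        return f"{tok} {tokens[i + 1]}", i + 2
    return None, i


def _parse_port(tokens, i):
    """Consume an optional port operator (eq/neq/lt/gt take 1 arg, range takes 2)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 3 if tokens[i] == "range" else 2
        if i + n <= len(tokens):
            return " ".join(tokens[i:i + n]), i + n
    return None, i


def parse_ace(line):
    """Parse one 'access-list NAME permit|deny PROTO SRC [op port] DST [op port] ...'."""
    tokens = line.split()
    ace = {"line": line, "errors": []}
    if len(tokens) < 4 or tokens[0] != "access-list":
        ace["errors"].append("not an access-list entry")
        return ace
    ace["name"], ace["action"], ace["proto"] = tokens[1], tokens[2], tokens[3]
    i = 4
    src, i = _parse_addr(tokens, i)
    if src is None:
        seen = f" before '{tokens[i]}'" if i < len(tokens) else ""
        ace["errors"].append(f"missing source address{seen}")
    ace["src"] = src
    ace["sport"], i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    if dst is None:
        ace["errors"].append("missing destination address")
    ace["dst"] = dst
    ace["dport"], i = _parse_port(tokens, i)
    ace["rest"] = tokens[i:]  # e.g. an ICMP type such as echo-reply
    if (ace["sport"] or ace["dport"]) and ace["proto"] not in PORTED_PROTOS:
        ace["errors"].append(f"port operator used with protocol '{ace['proto']}'")
    return ace


def find_bad_entries(lines):
    """Return [(line, [errors])] for every entry that fails the syntax checks."""
    bad = []
    for line in lines:
        ace = parse_ace(line)
        if ace["errors"]:
            bad.append((line, ace["errors"]))
    return bad


if __name__ == "__main__":
    for line, errors in find_bad_entries(ACL_LINES):
        print(line)
        for err in errors:
            print("   ->", err)
```

Run against the quoted config, only the `permit tcp` line is reported, with "missing source address before 'eq'"; the `gre` and `icmp` entries parse cleanly.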
