RE: [fw-wiz] No connection once the translation rules are applied

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 12/11/03

  • Next message: WhiteHat_at_btclick.com: "[fw-wiz] Firewalls v. Router ACLs" 
    To: <geoffreyh@frontlinedefensesystems.com>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 11 Dec 2003 09:26:59 -0500

    Any time you change NAT rules on a PIX, your first troubleshooting step
    should always be to run 'clear xlate'.

    If the IP address doesn't change, why perform static NAT for it? Instead
    of the static, try:

    nat (outside) 0 192.168.1.10 255.255.255.255

    With other types of connections, you might be able to perform static
    PAT via the outside interface, but I'm not sure that the PIX supports
    GRE in that configuration.

    Also, it looks like you're missing a source 'any' in the permit tcp rule
    below. Good luck!

    PaulM

    -----Original Message-----
    I have a 501 v. 6.3(1). I am attempting to establish a PPTP VPN server
    (192.168.1.10) behind the firewall. I lose Internet connectivity once I apply
    the translation rules. I do not have an electronic copy available, but here is
    a quick synopsis of the pertinent entires.

    fixup protocol pptp 1723
    access-list outside_access_in permit gre any host 192.168.1.10
    access-list outside_access_in permit tcp eq pptp host 192.168.1.10 eq pptp
    access-list outside_access_in permit icmp any any echo-reply
    ip address outside xxx.xxx.xxx.xxx 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0 0
    static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside

    What am I missing here?
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: WhiteHat_at_btclick.com: "[fw-wiz] Firewalls v. Router ACLs"

    Relevant Pages

    • Cisco 1750 to PIX 515 Routing question
      ... 1750 Router and a PIX 515 Firewall. ... fixup protocol dns maximum-length 512 ... access-list 102 permit tcp any host x.x.117.30 eq smtp ... access-group 102 in interface outside ...
      (comp.dcom.sys.cisco)
    • Hub/Spoke VPN Concentrator and 2 PIX 506E
      ... two with PIX 506Es and one with a VPN3005 ... fixup protocol dns maximum-length 512 ... access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq telnet ... access-group acl_out in interface outside ...
      (comp.dcom.sys.cisco)
    • Re: Cisco 1750 to PIX 515 Routing question
      ... Try putting a "floating" static route on the router behind the PIX. ... The dynamic routing protocol, such as EIGRP which has an ... access-list 102 permit tcp any host x.x.117.30 eq smtp ... access-group 102 in interface outside ...
      (comp.dcom.sys.cisco)
    • SSL Email SLOW sending through PIX
      ... I've got a PIX 506 that seems to be having trouble allowing SSL email (ports ... Now, I thought I opened everything that I would need on the PIX, and like I ... access-list mail_send_out permit tcp any any eq 465 ... access-group mail_send_out in interface outside ...
      (comp.dcom.sys.cisco)
    • Re: PIX VPN help.
      ... have to use to connect to the remote host. ... static 192.168.100.0 192.168.10.0 netmask ... access-list 100 permit tcp any host a.a.a.102 eq ident ... access-group 100 in interface outside ...
      (comp.dcom.sys.cisco)