Re: [fw-wiz] PIX 501 inbound NAT problem
From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 02/01/05
- Previous message: George Capehart: "Re: [fw-wiz] Application-level Attacks"
- In reply to: Inge Nilsson: "[fw-wiz] PIX 501 inbound NAT problem"
- Next in thread: Inge Nilsson: "RE: [fw-wiz] PIX 501 inbound NAT problem"
- Reply: Inge Nilsson: "RE: [fw-wiz] PIX 501 inbound NAT problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Inge Nilsson" <inge.nilsson@inabler.com>, firewall-wizards@honor.icsalabs.com
Date: Tue, 01 Feb 2005 17:02:00 -0000
Hello
I could be wrong (quite new to PIX but I've got my 515E working!), but I
think you're missing a 'static' to allow the packets to traverse from a
lower security level to a higher one. You'll probably want something like:
static (inside, outside) tcp interface 80 172.19.0.1 80 netmask 255.255.255.255 0 0
You'll also probably need an ACL on the outside_access_in ACL to allow the
packets in:
access-list outside_access_in permit tcp any host 100.1.1.1 eq 80
Kev
>
> Hi !
>
> I have a Cisco PIX 501 version 6.1 and have a problem with setting up inbound
> NAT to particular subnets in my particular network. It seems like some kind
> of routing problem.
>
> The network topology:
>
> |
> | outside IP 100.1.1.1 (fake address)
> PIX
> | inside IP 192.168.0.1
> |
> | network 192.168.0.0/24
> | network 192.168.100.0/24
> |
> | IP 192.168.0.254
> | IP 192.168.100.254 secondary
> Cisco 2621 Router
> | IP 172.19.0.254
> |
> | network 172.19.0.0/16
> |
> | IP 172.19.0.1
> Web server
>
>
> What I try to do is to open public IP address 100.1.1.1 port 80 and NAT it to
> the Web server 172.19.0.1. I cannot find what the problem is. I cannot see
> any packets in tcpdump of the Web server, but in the "sh access-list" I can
> see that the "hitcnt" is increasing...
>
> If I try it on another server on network 192.168.0.0 or 192.168.100.0 it
> works fine, but they are on the same subnet as the "inside" of the PIX. The
> failing subnet is on the "other side" of the Cisco router. The PIX can
> access the Web server via ICMP, so it is nothing on the routing on the
> network, but it seems like there must be something more in the PIX config to
> make this work.
>
> Can anyone help me?
>
> My config (some rows like passwords are deleted, and some IP addresses are
> changed to fake addresses):
>
> Building configuration...
> : Saved
> :
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname inabler-pix
> domain-name inabler.net
> fixup protocol ftp 21
> no fixup protocol http 80
> no fixup protocol h323 1720
> no fixup protocol rsh 514
> no fixup protocol rtsp 554
> no fixup protocol smtp 25
> no fixup protocol sqlnet 1521
> no fixup protocol sip 5060
> no fixup protocol skinny 2000
> names
> access-list outside_access_in permit udp any any eq 46130
> access-list outside_access_in permit icmp any any echo-reply
> access-list outside_access_in permit icmp any any traceroute
> access-list outside_access_in permit icmp any any time-exceeded
> access-list inside_access_in permit icmp any any
> access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any
> access-list inside_access_in permit ip 192.168.100.0 255.255.255.0 any
> access-list inside_access_in permit ip 172.19.0.0 255.255.0.0 any
> pager lines 24
> logging on
> logging buffered debugging
> logging trap notifications
> logging history notifications
> logging facility 18
> logging host inside <"removed">
> interface ethernet0 10baset
> interface ethernet1 10full
> icmp permit any echo-reply outside
> icmp permit any echo outside
> icmp permit any echo inside
> icmp permit any echo-reply inside
> mtu outside 1500
> mtu inside 1500
> ip address outside 100.1.1.1 255.255.255.224
> ip address inside 192.168.0.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip audit signature 2000 disable
> ip audit signature 2004 disable
> pdm location <"removed">
> pdm logging informational 100
> pdm history enable
> arp timeout 900
> global (outside) 1 interface
> nat (inside) 1 192.168.0.128 255.255.255.128 0 0
> nat (inside) 1 192.168.100.0 255.255.255.0 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 100.1.1.254 1
> route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
> route inside 192.168.100.0 255.255.255.0 192.168.0.254 1
> timeout xlate 0:05:00
> timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:04:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> http server enable
> http 192.168.0.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> isakmp policy 10 authentication rsa-sig
> isakmp policy 10 encryption des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 86400
> ssh 192.168.0.0 255.255.255.0 inside
> ssh timeout 20
> dhcpd lease 3600
> dhcpd ping_timeout 750
> terminal width 80
> Cryptochecksum:601493e1ece31e9357db9698cfd95d9d
> : end
> [OK]
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
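Added example (editor's code, not Kevin's or Inge's): a small Python lint for the point in Kevin's reply that a permit on the outside ACL does nothing by itself; the PIX also needs a `static` translating the outside address and port to the inside host. It reads a config constructed from the one posted in the thread (abridged, not verbatim, with the port-80 permit Inge describes having added) and lists outside-ACL permits that no static covers, first without and then with Kevin's proposed static. Parsing is deliberately limited to the forms seen in the thread: `any`, `host X` and `net mask` addresses with an optional trailing `eq PORT`; source-port operators and object groups are not handled.

```python
"""Lint a PIX 6.x config: flag outside-ACL permits with no matching static.

Editor's example for the thread above; PIX_CONFIG_BEFORE is constructed from
the posted config (abridged), not copied verbatim.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Static:
    proto: str                    # "tcp", "udp", or "ip" for a plain one-to-one static
    outside_ip: str               # global address ("interface" resolved to the outside IP)
    outside_port: Optional[int]
    inside_ip: str
    inside_port: Optional[int]


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    dst: str                      # "any", a host address, or "net/mask"
    dst_port: Optional[int]
    line: str


def _port(tok):
    if tok is None:
        return None
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def parse_static(line, outside_ip):
    """Parse `static (inside,outside) [tcp|udp] GIP [GPORT] LIP [LPORT] netmask ...`."""
    m = re.match(r"static\s*\(\s*\w+\s*,\s*\w+\s*\)\s+(.*)", line.strip())
    if not m:
        return None
    rest = m.group(1).split()
    if "netmask" in rest:
        rest = rest[: rest.index("netmask")]
    if rest[0] in ("tcp", "udp"):             # port redirection form (PIX 6.0+)
        proto, gip, gport, lip, lport = rest[0], rest[1], _port(rest[2]), rest[3], _port(rest[4])
    else:                                     # plain static: all protocols and ports
        proto, gip, gport, lip, lport = "ip", rest[0], None, rest[1], None
    return Static(proto, outside_ip if gip == "interface" else gip, gport, lip, lport)


def _addr(t, i):
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def parse_acl(line):
    """Parse `access-list NAME permit|deny PROTO SRC DST [eq PORT]`."""
    t = line.strip().split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    _src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dst_port = _port(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return AclEntry(t[1], t[2], t[3], dst, dst_port, line.strip())


def _covered(e, statics):
    """True if at least one static translates some packet this permit admits."""
    for s in statics:
        if s.proto != "ip" and e.proto not in ("ip", s.proto):
            continue                          # a tcp static is useless for a udp permit
        if e.dst != "any" and s.outside_ip != e.dst:
            continue
        if s.outside_port is not None and e.dst_port is not None and s.outside_port != e.dst_port:
            continue
        return True
    return False


def find_unreachable_permits(config: str) -> List[str]:
    """Return the outside-ACL tcp/udp/ip permit lines that no static translates."""
    lines = [l.strip() for l in config.splitlines()]
    outside_ip = next((l.split()[3] for l in lines if l.startswith("ip address outside ")), None)
    outside_acl = next((l.split()[1] for l in lines
                        if l.startswith("access-group ") and l.endswith("in interface outside")), None)
    statics = [s for s in (parse_static(l, outside_ip) for l in lines if l.startswith("static")) if s]
    flagged = []
    for l in lines:
        e = parse_acl(l) if l.startswith("access-list ") else None
        if e and e.name == outside_acl and e.action == "permit" and e.proto in ("tcp", "udp", "ip"):
            if not _covered(e, statics):
                flagged.append(e.line)
    return flagged


# Constructed from the thread's posted config (abridged) plus the port-80 permit.
PIX_CONFIG_BEFORE = """\
PIX Version 6.1(1)
access-list outside_access_in permit udp any any eq 46130
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 100.1.1.1 eq 80
access-list inside_access_in permit ip 172.19.0.0 255.255.0.0 any
ip address outside 100.1.1.1 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.0.128 255.255.255.128 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
"""
KEVIN_STATIC = "static (inside,outside) tcp interface 80 172.19.0.1 80 netmask 255.255.255.255 0 0"
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE.replace("access-group outside", KEVIN_STATIC + "\naccess-group outside")

if __name__ == "__main__":
    for label, cfg in (("before", PIX_CONFIG_BEFORE), ("after", PIX_CONFIG_AFTER)):
        print(f"{label}: outside permits with no matching static")
        for l in find_unreachable_permits(cfg) or ["(none)"]:
            print("  " + l)
```

Without the static both tcp/80 and the udp/46130 permit are flagged; with Kevin's static only the udp line remains, since a tcp port static does nothing for udp. The lint looks only at the translation layer, which is what the PIX needs on top of the ACL: a packet that passes the interface ACL but finds no xlate is dropped, which is consistent with the ACL hitcnt climbing while tcpdump on the web server sees nothing. The return path from 172.19.0.1 through the 2621 back to the PIX is outside its scope; Inge's ICMP test already exercises that path. After adding or changing a static on a 6.x PIX, `clear xlate` ensures no stale translation survives.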