RE: [fw-wiz] PIX 501 inbound NAT problem

From: Mathew Want (mathew.want_at_ac3.com.au)
Date: 02/01/05

    To: "'Inge Nilsson'" <inge.nilsson@inabler.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 2 Feb 2005 08:39:59 +1100
    
    

    Inge,

    I have been bitten by similar problems before.

    I cannot actually see a NAT rule in place for your server on 172.19.0.1.
    Maybe you need a line similar to this:

    static (inside,outside) tcp 100.1.1.1 www 172.19.0.1 www netmask
    255.255.255.255 0 0

    I also cannot see an ACL to allow the traffic in. PIXes need rules to allow
    low security interfaces to send traffic to high security interfaces. Maybe
    something like:

    access-list outside_access_in permit tcp any host 100.1.1.1 eq www

    Something else to keep in mind is the number of licensed connections for the
    501. As standard it's 10, and it will only connect the first 10 internal machines
    that attempt. 'show version' will tell you how many licences are on the
    unit. A sign of this being an issue can be errors in the log files about no
    NAT rule present, even when you know there is one there.

    Hope this helps.

    --
    Regards,
    Mathew Want
    ac3
    Network and Security Engineer
    Phone:      +61 2 9209 4600
    Email:      mathew.want@ac3.com.au 
    URL:        http://www.ac3.com.au
    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Inge Nilsson
    Sent: Monday, 31 January 2005 2:29 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] PIX 501 inbound NAT problem
    Hi !
    I have a Cisco PIX 501 version 6.1 and have a problem setting up inbound
    NAT to particular subnets in my particular network. It seems like some kind
    of routing problem.
    The network topology:
              |
              |  outside IP 100.1.1.1 (fake address)
             PIX
              |  inside IP 192.168.0.1
              |
              |         network 192.168.0.0/24
              |         network 192.168.100.0/24
              |
              |  IP 192.168.0.254
              |  IP 192.168.100.254 secondary
       Cisco 2621 Router
              |  IP 172.19.0.254
              | 
              |         network 172.19.0.0/16
              |
              |  IP 172.19.0.1
          Web server
    What I try to do is to open public IP address 100.1.1.1 port 80 and NAT it to
    the Web server 172.19.0.1. I cannot find what the problem is. I cannot see
    any packets in tcpdump on the Web server, but in the "sh access-list" I can
    see that the "hitcnt" is increasing...
    If I try it on another server on network 192.168.0.0 or 192.168.100.0 it
    works fine, but they are on the same subnet as the "inside" of the PIX. The
    failing subnet is on the "other side" of the Cisco router. The PIX can
    access the Web server via ICMP, so it is nothing to do with the routing on the
    network, but it seems like there must be something more in the PIX config to
    make this work.
    Can anyone help me?
    My config (some rows like passwords are deleted, and some IP addresses are
    changed to fake addresses):
    Building configuration...
    : Saved
    :
    PIX Version 6.1(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname inabler-pix
    domain-name inabler.net
    fixup protocol ftp 21
    no fixup protocol http 80
    no fixup protocol h323 1720
    no fixup protocol rsh 514
    no fixup protocol rtsp 554
    no fixup protocol smtp 25
    no fixup protocol sqlnet 1521
    no fixup protocol sip 5060
    no fixup protocol skinny 2000
    names
    access-list outside_access_in permit udp any any eq 46130 
    access-list outside_access_in permit icmp any any echo-reply 
    access-list outside_access_in permit icmp any any traceroute 
    access-list outside_access_in permit icmp any any time-exceeded 
    access-list inside_access_in permit icmp any any 
    access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any 
    access-list inside_access_in permit ip 192.168.100.0 255.255.255.0 any 
    access-list inside_access_in permit ip 172.19.0.0 255.255.0.0 any 
    pager lines 24
    logging on
    logging buffered debugging
    logging trap notifications
    logging history notifications
    logging facility 18
    logging host inside <"removed">
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp permit any echo-reply outside
    icmp permit any echo outside
    icmp permit any echo inside
    icmp permit any echo-reply inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 100.1.1.1 255.255.255.224
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2004 disable
    pdm location <"removed">
    pdm logging informational 100
    pdm history enable
    arp timeout 900
    global (outside) 1 interface
    nat (inside) 1 192.168.0.128 255.255.255.128 0 0
    nat (inside) 1 192.168.100.0 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 100.1.1.254 1
    route inside 172.19.0.0 255.255.0.0 192.168.0.254 1
    route inside 192.168.100.0 255.255.255.0 192.168.0.254 1
    timeout xlate 0:05:00
    timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323
    0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:04:00 absolute
    aaa-server TACACS+ protocol tacacs+ 
    aaa-server RADIUS protocol radius 
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    isakmp policy 10 authentication rsa-sig
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 20
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80
    Cryptochecksum:601493e1ece31e9357db9698cfd95d9d
    : end
    [OK]
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
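As an added illustration of the two checks the reply makes (this is not code from the thread, from Cisco, or from any PIX tool): a small Python lint over PIX 6.x configuration text that reports whether a public address and port has a `static (inside,outside)` translation and a `permit` in the ACL bound to the outside interface. The config excerpts are constructed from the thread, and the service-name table is a hypothetical subset of the PIX port names.

```python
import re
PORT_NAMES = {"www": "80", "http": "80", "https": "443"}
# Constructed excerpts: the posted config (outside ACL bound, but no static for
# 100.1.1.1 and no tcp/80 permit) and the two lines the reply suggests adding.
POSTED_CONFIG = """
access-list outside_access_in permit udp any any eq 46130
access-group outside_access_in in interface outside
"""
SUGGESTED_FIX = """
static (inside,outside) tcp 100.1.1.1 www 172.19.0.1 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 100.1.1.1 eq www
"""

def port(tok):
    return PORT_NAMES.get(tok, tok)  # 'www' -> '80'; numeric ports pass through

def parse_config(text):
    # Collect static translations, ACL entries and access-group bindings.
    cfg = {"static": [], "acl": {}, "group": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", line):
            _, out_if, proto, gip, gport, lip, lport = m.groups()
            cfg["static"].append((out_if, proto, gip, port(gport), lip, port(lport)))
        elif line.startswith("access-list "):
            name, *entry = line.split()[1:]
            cfg["acl"].setdefault(name, []).append(entry)
        elif line.startswith("access-group "):  # access-group NAME in interface IFACE
            cfg["group"][line.split()[4]] = line.split()[1]
    return cfg

def _addr(tok, i):  # consume 'any' | 'host X' | 'X MASK' at tok[i] -> (address, next index)
    if tok[i] == "any":
        return "any", i + 1
    return (tok[i + 1], i + 2) if tok[i] == "host" else (tok[i], i + 2)

def entry_permits(entry, proto, dst_ip, dst_port):
    # Does 'permit PROTO SRC DST [eq PORT]' cover this destination host and port?
    if entry[0] != "permit" or entry[1] not in (proto, "ip"):
        return False
    dst, i = _addr(entry, _addr(entry, 2)[1])  # skip the source, read the destination
    svc = port(entry[i + 1]) if i < len(entry) and entry[i] == "eq" else "any"
    return dst in ("any", dst_ip) and svc in ("any", dst_port)

def check_inbound_service(cfg, public_ip, svc_port, proto="tcp", iface="outside"):
    # Returns the missing pieces; an empty list means static and ACL permit both exist.
    gaps, want = [], (iface, proto, public_ip, port(svc_port))
    if not any(s[:4] == want for s in cfg["static"]):
        gaps.append(f"no static (inside,{iface}) {proto} translation for {public_ip} {svc_port}")
    acl = cfg["group"].get(iface)  # None if no ACL is bound to the interface
    if not any(entry_permits(e, proto, public_ip, port(svc_port)) for e in cfg["acl"].get(acl, [])):
        gaps.append(f"ACL {acl} on {iface} has no permit for {proto} to {public_ip} eq {svc_port}")
    return gaps
```

Running the check against the posted config reports both gaps; appending the two suggested lines clears them.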
    

