only PAT works thru PIX, no static NAT

Unanswered Question
Jun 25th, 2007
User Badges:

I have a Cisco 2821 router that sits behind a PIX firewall. When this router is using a PAT IP it can ping and telnet outside public IPs thru the firewall with no problem. Recently I added a static NAT entry so I can telnet to this router from the outside. I made sure that there was an ACL entry on the PIX permitting telnet traffic to the router's public IP but I was not able to telnet into the router from the outside. After double-checking my work and doing some testing I found that the minute I create a static NAT entry for the router I lose all connectivity to the outside from the router. This includes pinging and telneting out from the router that works when the router is using a PAT IP but not when the router has a static IP. What can be causing this?


Thanks,

Diego


BTW, there are other devices, like Windows servers that are working successfully with static IPs thru this firewall. The problem seems isolated to the router. I also tried different public IPs to NAT to the router but the same situation persists.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
DIEGO ALONSO Fri, 06/29/2007 - 10:48
User Badges:

Here is the PIX config. I guess I am overlooking something but even after sleeping on it I can't find anything.


Thanks,

Diego



Attachment: 
JORGE RODRIGUEZ Fri, 06/29/2007 - 18:53
User Badges:
  • Green, 3000 points or more

Hi Diego,


assuming this is the static translation for the router ( 67.93.238.167 10.23.0.254 )


I see you have this statement :

access-list 101 permit ip any host 67.93.238.167


we have to allow tcp as suppose to ip.



I woudl change as follows:


no access-list 101 permit ip any host 67.93.238.167

access-list 101 permit tcp any host 65.43.92.54 eq 23



static nat statements looks ok.


If this does not work, check any acls in your router applied to VTY 0 4 lines.


JORGE RODRIGUEZ Fri, 06/29/2007 - 19:37
User Badges:
  • Green, 3000 points or more

typo on the acl.

it should be:


no access-list 101 permit ip any host 67.93.238.167

access-list 101 permit tcp any host 67.93.238.167 eq 23



DIEGO ALONSO Sat, 06/30/2007 - 09:33
User Badges:

My intention is to all full access to the router. I believe that by using the parameter "permit ip" I am allowing all protocols including tcp, udp and all other IP based. I will try "permit tcp" to test but I am pretty sure "permit ip" should also work.


Diego

JORGE RODRIGUEZ Sat, 06/30/2007 - 14:37
User Badges:
  • Green, 3000 points or more

Pedro, that is correct with the "permit ip".


can you post the routers config , something then must be blocking inbound telnet access at the router.. can you see any hits in the fw logs for inbound telnet to the router.


glynnd Sat, 06/30/2007 - 20:05
User Badges:

is there an "access-class" defined under

line vty 0 4 ?


DIEGO ALONSO Sun, 07/01/2007 - 11:32
User Badges:

There is no access lists defined for VTY but please keep in mind that it is not only telnet that doesn't work with static NAT. ICMP/pings do not work either and GRE doesn't work either. My point is that the "permit ip" command should allow all traffic to the internal 10.23.0.254 router but nothing works. Attached is the config of the router



Attachment: 
froggy3132000 Sun, 07/01/2007 - 14:09
User Badges:
  • Bronze, 100 points or more

if you do a show access-list do you see acl hits on 101 incrementing? Are you sure the traffic is making it to the PIX?

ryancolson Sun, 07/01/2007 - 20:05
User Badges:

I had a kinda similar experiance with a pix 501. It seemed like a possible bug with the 6.2.2 code.

DIEGO ALONSO Tue, 07/03/2007 - 06:33
User Badges:

Sounds like a good idea. I will try an upgrade over the holiday and let you know what happens.


Thanks,

Actions

This Discussion