can't connect to server thru pix

Nov 21st, 2007

PIX 501 - unable to connect to / from server behind PIX 501 firewall.

inside 172.25.188.4
outside 10.25.188.4

server 10.25.188.5

traffic from 172.25.188.x needs to access server.

config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxxx
hostname POWfgMUSsal03dv
domain-name nowhere.it
no fixup protocol dns
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 172.25.188.5 msvst
name 172.25.194.138 proxy
name 172.25.193.158 domain_controller
object-group network server
network-object msvst 255.255.255.255
object-group network clients
network-object 172.176.0 255.255.255.0
network-object 172.25.180.0 255.255.255.255
network-object 172.25.182.0 255.255.255.255
network-object 172.29.0.0 255.255.224.0
object-group network proxy
network-object proxy 255.255.255.255
object-group service msvst_tcp tcp
port-object eq 8080
port-object eq www
port-object eq https
port-object eq 1433
port-object eq 3389
object-group icmp-type icmp_allowed
icmp-object echo
icmp-object time-exceeded
icmp-object echo-reply
object-group service DCPorts tcp-udp
port-object eq 137
port-object eq 138
port-object eq 139
object-group network mgmt_access
network-object 172.25.176.0 255.255.255.0
network-object 172.29.0.0 255.255.224.0
object-group service mgmt_prots tcp
port-object eq ssh
port-object eq telnet
object-group service SMBPorts tcp-udp
port-object range 135 139
port-object eq 389
port-object eq 445
access-list inside_access_in permit icmp object-group clients object-group server object-group icmp_allowed
access-list inside_access_in permit tcp object-group mgmt_access any object-group mgmt_prots
access-list inside_access_in permit tcp any object-group server object-group msvst_tcp
access-list inside_access_in permit tcp object-group clients object-group server object-group SMBPorts
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any object-group icmp_allowed
access-list outside_access_in permit tcp object-group server object-group proxy eq www
access-list outside_access_in permit icmp object-group server any object-group icmp_allowed
access-list outside-access_in permit tcp object-group server host domain_controller object-group DCPorts
pager lines 24
logging on
logging timestamp
logging facility 7
mtu outside 1500
mtu inside 1500
ip address outside 10.25.188.4 255.255.255.0
ip address inside 172.25.188.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 1 172.25.188.0 255.255.255.0 0 0
static (inside,outside) msvst msvst netmask 255.255.255.255 0 0
static (inside,outside) proxy proxy netmask 255.255.255.255 0 0
static (inside,outside) domain_controller domain_controller netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

Jon Marshall Wed, 11/21/2007 - 06:56

Hi


The most obvious thing that stands out is that you have no global statement that ties up with the "nat (inside) 1 172.25.188.0 255.255.255.0 0.0" statement.


Assuming you want to NAT all your hosts to the IP address attached to the outside interface of your PIX:


global (outside) 1 interface


HTH


Jon
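
Added example, not part of the thread and not Cisco tooling: a small Python check over PIX 6.3-style config text that reports `nat` IDs with no `global` of the same ID (the gap pointed out in the reply above) and access-lists that no other command references. The sample lines are copied from the posted config; the function name `lint_pix_config` is hypothetical, and the check compares NAT IDs only, ignoring which interface the `global` sits on and any hosts already covered by a `static`.

```python
import re

# Constructed sample: a few lines in PIX 6.3 syntax copied from the config in
# the question, enough to exercise both checks.
SAMPLE_CONFIG = """\
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any object-group icmp_allowed
access-list outside-access_in permit tcp object-group server host domain_controller object-group DCPorts
nat (inside) 1 172.25.188.0 255.255.255.0 0 0
static (inside,outside) msvst msvst netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ACL_RE = re.compile(r"^access-list (\S+) ")


def lint_pix_config(text):
    """Return (nat_ids_without_global, acl_names_never_referenced)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    nat_ids, global_ids, acl_names, other_tokens = set(), set(), set(), set()
    for ln in lines:
        if m := NAT_RE.match(ln):
            # nat id 0 means "do not translate", so it needs no global pool
            if m.group(2) != "0":
                nat_ids.add(int(m.group(2)))
        elif m := GLOBAL_RE.match(ln):
            global_ids.add(int(m.group(2)))
        if m := ACL_RE.match(ln):
            acl_names.add(m.group(1))
        else:
            # Any mention outside the ACL's own definition counts as a
            # reference (access-group, nat 0 access-list, crypto map, ...)
            other_tokens.update(ln.split())
    return sorted(nat_ids - global_ids), sorted(acl_names - other_tokens)


if __name__ == "__main__":
    orphan_nat, unused_acl = lint_pix_config(SAMPLE_CONFIG)
    for nat_id in orphan_nat:
        print(f"nat id {nat_id}: no matching 'global' statement")
    for name in unused_acl:
        print(f"access-list {name}: defined but never referenced")
    fixed = SAMPLE_CONFIG + "global (outside) 1 interface\n"
    print("nat ids still unmatched after adding global:", lint_pix_config(fixed)[0])
```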
