PIX 501 behind Soho77/877 Router

Feb 17th, 2008

I'm about at my wit's end here and hopefully someone here can help.

I have a Soho 77 ADSL router that I've successfully configured to connect to my ISP using PPPoE.

Connections go out from the LAN and come in from the outside network (Internet). All well and good.

Now when I place the PIX-501 in the mix, again traffic goes out from the LAN but my ACLs that were doing Port Address Translation no longer work. I get an error ("Flag SYN in interface outside", or words to that effect) when trying to access the ports defined in the ACLs on the PIX.

I know the issue here is that I'm double NATing: once on the router and again on the PIX. I would like to get rid of the NAT on the PIX but still be able to map ports.

Thanks

Greg

GByoung Sun, 02/17/2008 - 20:06

Here's the config from the PIX-501:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock summer-time EDT recurring
fixup protocol dns maximum-length 760
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.0 Deny_10
name 10.10.10.2 NS1
name 192.168.21.2 NS1-External
access-list acl_inbound remark
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit tcp any host 10.1.0.2 eq 993
access-list acl_inbound permit tcp any host 10.1.0.2 eq ftp
access-list acl_inbound permit tcp any host 10.1.0.2 eq https
access-list acl_inbound permit tcp any host 10.1.0.2 eq smtp
access-list acl_inbound permit udp any host 10.1.0.2 eq domain
access-list acl_inbound permit tcp any host 10.1.0.2 eq domain
access-list acl_inbound permit tcp any host 10.1.0.2 eq www
access-list acl_inbound permit udp any host 10.1.0.2 eq ntp
access-list acl_inbound permit tcp any host 10.1.0.2 eq 4899
access-list inside_outbound_nat0_acl permit ip any Deny_10 255.255.255.224
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging host inside NS1
mtu outside 1500
mtu inside 1500
ip address outside NS1-External 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Inbound_Info info action alarm
ip audit name Inbound_Attack attack action drop
ip audit interface outside Inbound_Info
ip audit interface outside Inbound_Attack
ip audit info action alarm
ip audit attack action alarm drop
pdm location Deny_10 255.255.255.0 inside
pdm location NS1 255.255.255.255 inside
pdm location Deny_10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 Deny_10 255.255.255.0 0 0
static (inside,outside) tcp NS1-External smtp NS1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External ftp NS1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External 993 NS1 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External https NS1 https netmask 255.255.255.255 0 0
static (inside,outside) udp NS1-External domain NS1 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External www NS1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External 4899 NS1 4899 netmask 255.255.255.255 0 0
static (inside,outside) udp NS1-External ntp NS1 ntp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.21.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Deny_10 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside NS1 /PIX_501
floodguard enable
sysopt connection permit-pptp

abinjola Sun, 02/17/2008 - 20:20

Add this:

access-list out_acl remark inbound port forwards, matched on the global address NS1-External
access-list out_acl permit tcp any host NS1-External eq 4899
access-list out_acl permit udp any host NS1-External eq ntp
access-list out_acl permit tcp any host NS1-External eq smtp
... and similarly all the relevant ports for inbound access.

Now add:

access-group out_acl in interface outside

GByoung Mon, 02/18/2008 - 16:09

Thanks abinjola for your answer. It worked like a charm. Now I just need to understand what it was you told me to do and what it did.

I really like to learn about what I'm doing as opposed to just getting the answer.

Thank you all too who also stepped up and provided answers.

Greg

abinjola Mon, 02/18/2008 - 21:18

No problem. I am open on Sundays too.. :-)

And yeah, do rate all my posts if you think they were helpful.

GByoung Tue, 02/19/2008 - 07:42

Ratings have been entered for your responses, as they were on target and resolved the issue as I mentioned before.

Can you tell me what those configuration additions actually did?

Greg

GByoung Tue, 02/19/2008 - 10:53

Thanks for the explanation and link abinjola.

I must've read that document a dozen times before posting up the question here. I think I need to really study how a PIX device works. It seems at times to be confusing in both explanation and implementation.

Greg

cisco24x7 Sun, 02/17/2008 - 20:16

That should be very easy.

LAN---(i)Pix501(o)---(i)router(o)---internet

LAN = 192.168.1.0/24
Pix inside: 192.168.1.1
network between Pix outside and router inside: 192.168.2.0/24
pix outside: 192.168.2.2/24
router inside: 192.168.2.1/24
router outside PPPoE IP address: assume 4.2.2.2

On the Pix:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list External permit icmp any any log
access-list External remark the following permit ip any any is for testing only!
access-list External permit ip any any log
access-group External in interface outside
ip address inside 192.168.1.1 255.255.255.0
ip address outside 192.168.2.2 255.255.255.0
route outside 0 0 192.168.2.1
ssh 0 0 outside

On the router:

interface f0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
interface f0/0
 ip address PPoE
 ip nat outside
ip route 192.168.1.0 255.255.255.0 192.168.2.2
access-list 100 permit 192.168.1.0 0.0.0.255 any
access-list 100 permit 192.168.2.0 0.0.0.255 any
ip nat inside source list 100 interface f0/0 overload
ip nat inside source static tcp 192.168.2.2 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.10 25 interface FastEthernet0/0 25

you get the idea...

CCIE Security

abinjola Sun, 02/17/2008 - 20:43

Since the outside router is a PPPoE client and you are only adding the PIX as a bump in the wire, you don't need to reconfigure anything anywhere except for the access-list out_acl that I suggested.

Do not add the 1-1 static suggested to you:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

The above static rule is a self static translation rule, as this would break the already existing static port forwarding (which is always unidirectional).

In case you need to bypass NAT for outbound access then you may add:

nat (inside) 0 192.168.1.0 255.255.255.0

The above rule would bypass NATing only for outbound access, thus preserving the inbound static port forwarding.

See how it goes.
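The two pieces of advice above (apply out_acl inbound on the outside interface, and note that the statics, not nat 0, govern inbound traffic) come down to the order in which a PIX 6.3 evaluates a new inbound flow. The following toy model is an added illustration written for this thread, not Cisco code or anything from the original posts: it uses the NS1 / NS1-External addresses and static port forwards from Greg's posted config, a constructed outside source address (203.0.113.9), and a simplified packet path (interface ACL first, evaluated on the global address as 6.3 does, then the static lookup). It reproduces the three states Greg went through: no access-group on outside (every SYN denied, which is the "flags SYN on interface outside" message he quotes), an ACL written against the real address NS1 (still denied, because 6.3 matches the pre-translation destination), and out_acl written against NS1-External (forwarded to NS1 via the static).

```python
"""Toy model of how PIX 6.3 handles a new inbound flow on its outside interface.
Added illustration for this thread, not Cisco code; ordering and log wording are
simplified.  It shows: (1) without an access-group on outside a SYN from the
low-security side is denied (the %PIX-2-106001 style message Greg quotes);
(2) 6.3 checks the outside ACL against the global address, so out_acl must name
NS1-External, not NS1; (3) statics match on (global ip, proto, port) and nat 0
affects outbound sources only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Addresses from the config posted in the thread
NS1 = "10.10.10.2"             # real server on the inside
NS1_EXTERNAL = "192.168.21.2"  # PIX outside address, global side of the statics
# (proto, port) pairs covered by the posted static port forwards
FORWARDED = [("tcp", 25), ("tcp", 21), ("tcp", 993), ("tcp", 443),
             ("udp", 53), ("tcp", 80), ("tcp", 4899), ("udp", 123)]

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    dst: str                     # host address or "any"
    dport: Optional[int] = None  # None matches any port

@dataclass
class Pix63:
    statics: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    access_groups: Dict[str, str] = field(default_factory=dict)  # interface -> acl
    nat0_hosts: Set[str] = field(default_factory=set)           # nat (inside) 0 sources

    def static(self, proto, gip, gport, rip, rport):
        self.statics[(gip, proto, gport)] = (rip, rport)

    def access_list(self, name, ace):
        self.acls.setdefault(name, []).append(ace)

    def access_group(self, name, iface):
        self.access_groups[iface] = name

    def _permits(self, name, pkt):
        for ace in self.acls.get(name, []):  # first matching entry decides
            if ace.proto not in ("ip", pkt.proto) or ace.dst not in ("any", pkt.dst):
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            return ace.action == "permit"
        return False  # implicit deny at the end of every ACL

    def inbound(self, pkt):
        """Verdict and a log-style line for a new flow arriving on outside."""
        acl = self.access_groups.get("outside")
        # 1. interface ACL, checked against the global destination (6.3 behaviour)
        if acl is None or not self._permits(acl, pkt):
            return ("drop", f"Inbound {pkt.proto.upper()} connection denied from {pkt.src} "
                            f"to {pkt.dst}/{pkt.dport} flags SYN on interface outside")
        # 2. static lookup on (global ip, proto, port); no static means no xlate
        xlate = self.statics.get((pkt.dst, pkt.proto, pkt.dport))
        if xlate is None:
            return ("drop", f"No translation group found for {pkt.proto} "
                            f"dst outside:{pkt.dst}/{pkt.dport}")
        rip, rport = xlate
        return ("forward", f"{pkt.proto} {pkt.src} -> {rip}/{rport} via static on {pkt.dst}")

    def outbound_source(self, src):
        """Source seen on outside for an inside host: PAT unless covered by nat 0."""
        return src if src in self.nat0_hosts else NS1_EXTERNAL

def build_pix(acl_dst=None, nat0=False):
    """Posted statics plus, if acl_dst is given, out_acl permitting FORWARDED to it."""
    pix = Pix63()
    for proto, port in FORWARDED:
        pix.static(proto, NS1_EXTERNAL, port, NS1, port)
    if acl_dst is not None:
        for proto, port in FORWARDED:
            pix.access_list("out_acl", Ace("permit", proto, acl_dst, port))
        pix.access_group("out_acl", "outside")
    if nat0:
        pix.nat0_hosts.add(NS1)
    return pix

def verdict(acl_dst, proto, dport):
    """Verdict for a constructed SYN from 203.0.113.9 to NS1-External."""
    return build_pix(acl_dst).inbound(Packet(proto, "203.0.113.9", NS1_EXTERNAL, dport))[0]

if __name__ == "__main__":
    for label, dst in [("no access-group", None), ("out_acl names NS1", NS1),
                       ("out_acl names NS1-External", NS1_EXTERNAL)]:
        print(f"{label:28s} tcp/25 -> {verdict(dst, 'tcp', 25)}")
```

Two caveats when reading the model against a real box: the global-address rule is specific to PIX 6.x and ASA releases before 8.3 (from 8.3 on, interface ACLs are written against the real address), and the wide-open "permit ip any any" from the other reply only gets a packet past step 1; a port with no static still dies at the translation lookup, which is why the ACL and the statics have to be kept in step.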

GByoung Mon, 02/18/2008 - 10:02

Thanks fellas, wow I thought I was the only one up and working at that time of night.

I'll give abinjola's responses a try first as it doesn't involve re-configuring both devices.

I shouldn't think there is much more for me to do on the Router side as it's connecting, routing, and doing the Port Forwarding as configured.

It's just the PIX doesn't like the "Translated" packets it's seeing on the outside interface and as such won't pass them.

I'll post up how it goes.

Greg
