02-17-2008 08:03 PM - edited 03-11-2019 05:03 AM
I'm about at my wits' end here and hopefully someone here can help.
I have a SOHO 77 ADSL Router that I've successfully configured to connect to my ISP using PPPoE.
Connections go out from the LAN and come in from the Outside Network (Internet). All well and good.
Now when I place the PIX-501 in the mix, again traffic goes out from the LAN but my ACLs that were doing Port Address Translation no longer work. I get an error (Flag SYN in interface outside) or words to that effect when trying to access the ports defined in the ACLs on the PIX.
I know the issue here is that I'm double NATing. Once on the Router and again on the PIX. I would like to get rid of the NAT on the PIX but still be able to map ports.
Thanks
Greg
02-17-2008 08:06 PM
Here's the config from the PIX-501:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock summer-time EDT recurring
fixup protocol dns maximum-length 760
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.0 Deny_10
name 10.10.10.2 NS1
name 192.168.21.2 NS1-External
access-list acl_inbound remark
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit tcp any host 10.1.0.2 eq 993
access-list acl_inbound permit tcp any host 10.1.0.2 eq ftp
access-list acl_inbound permit tcp any host 10.1.0.2 eq https
access-list acl_inbound permit tcp any host 10.1.0.2 eq smtp
access-list acl_inbound permit udp any host 10.1.0.2 eq domain
access-list acl_inbound permit tcp any host 10.1.0.2 eq domain
access-list acl_inbound permit tcp any host 10.1.0.2 eq www
access-list acl_inbound permit udp any host 10.1.0.2 eq ntp
access-list acl_inbound permit tcp any host 10.1.0.2 eq 4899
access-list inside_outbound_nat0_acl permit ip any Deny_10 255.255.255.224
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging host inside NS1
mtu outside 1500
mtu inside 1500
ip address outside NS1-External 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Inbound_Info info action alarm
ip audit name Inbound_Attack attack action drop
ip audit interface outside Inbound_Info
ip audit interface outside Inbound_Attack
ip audit info action alarm
ip audit attack action alarm drop
pdm location Deny_10 255.255.255.0 inside
pdm location NS1 255.255.255.255 inside
pdm location Deny_10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 Deny_10 255.255.255.0 0 0
static (inside,outside) tcp NS1-External smtp NS1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External ftp NS1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External 993 NS1 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External https NS1 https netmask 255.255.255.255 0 0
static (inside,outside) udp NS1-External domain NS1 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External www NS1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External 4899 NS1 4899 netmask 255.255.255.255 0 0
static (inside,outside) udp NS1-External ntp NS1 ntp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.21.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Deny_10 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside NS1 /PIX_501
floodguard enable
sysopt connection permit-pptp
02-17-2008 08:20 PM
Add this:
access-l out_acl permit tcp any host NS1-External eq 4899
access-l out_acl permit tcp any host NS1-External eq ntp
access-l out_acl permit tcp any host NS1-External eq smtp
...
similarly all the relevant ports for inbound access.
Now add:
access-g out_acl in interface outside
02-18-2008 04:09 PM
Thanks abinjola for your answer. It worked like a charm. Now I just need to understand what it was you told me to do and what it did.
I really like to learn about what I'm doing as opposed to just getting the answer.
Thank you all too who also stepped up and provided answers.
Greg
02-18-2008 09:18 PM
No problem. I am open on Sundays too. :-)
And yeah, do rate all my posts if you think they were helpful.
02-19-2008 07:42 AM
Ratings have been entered for your responses as they were on target and resolved the issue as I mentioned before.
Can you tell me what those configuration additions actually did?
Greg
02-19-2008 08:09 AM
The access-list out_acl allowed explicit permissions for inbound traffic, whereas nat (inside) 0 x.x.x.x provided a NAT bypass rule for outbound traffic.
Check this:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129
02-19-2008 10:53 AM
Thanks for the explanation and link abinjola.
I must've read that document a dozen times before posting up the question here. I think I need to really study how a PIX device works. It seems at times to be confusing in both explanation and implementation.
Greg
02-17-2008 08:16 PM
That should be very easy.
LAN---(i)Pix501(o)---(i)router(o)---internet
LAN= 192.168.1.0/24
Pix inside: 192.168.1.1
network between Pix outside and router inside: 192.168.2.0/24
pix outside: 192.168.2.2/24
router inside: 192.168.2.1/24
router outside PPPoE IP address: assume 4.2.2.2
On the Pix:
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list External permit icmp any any log
access-list External permit ip any any log (for testing only!)
access-group External in interface outside
ip address inside 192.168.1.1 255.255.255.0
ip address outside 192.168.2.2 255.255.255.0
route outside 0 0 192.168.2.1
ssh 0 0 outside
On the router:
interface f0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
interface f0/0
ip address PPoE
ip nat outside
ip route 192.168.1.0 255.255.255.0 192.168.2.2
access-list 100 permit 192.168.1.0 0.0.0.255 any
access-list 100 permit 192.168.2.0 0.0.0.255 any
ip nat inside source list 100 interface f0/0 overload
ip nat inside source static tcp 192.168.2.2 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.1.10 25 interface FastEthernet0/0 25
you get the idea...
CCIE Security
02-17-2008 08:43 PM
Since the outside router is a PPPoE client and you are only adding the PIX as a bump in the wire, you don't need to reconfigure anything anywhere except for the access-list out_acl that I suggested.
Do not add the 1-1 static suggested to you:
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
The above static rule is a self static translation rule, and it would break the already existing static port forwarding (which is always unidirectional).
In case you need to bypass NAT for outbound access then you may add:
nat (inside) 0 192.168.1.0 netmask 255.255.255.0
The above rule would bypass NATing only for outbound access, thus preserving the inbound static port forwarding.
See how it goes
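As an added example (not from this thread, and not a Cisco tool), the following Python script cross-checks a PIX 6.3 config against the two points abinjola's answers make: each port-forwarding static needs a permit in an access-list that is applied inbound on the outside interface, that permit must name the mapped address (NS1-External, not the inside host), and a whole-subnet self static that also covers the forwarded host is flagged in favour of nat (inside) 0. The sample configs are constructed from the config and additions posted in this thread; the port-name table, the protocol check (a tcp permit does not cover a udp static, as with the ntp line in the suggested out_acl) and the finding labels are my own assumptions, and the parser handles only the line forms that appear in this thread.

```python
"""Consistency checks for PIX 6.x port forwarding (added example, not from the thread).

On PIX 6.x an access-list applied inbound on outside must name the *mapped*
(global) address of a static, and the static is only reachable once such a
permit exists and the ACL is applied. A whole-subnet identity static that also
covers a port-forwarded host is reported as well.
"""
import ipaddress
import re
from dataclasses import dataclass

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
PORT_STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
IDENT_STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask (\S+)")
# access-l / access-g abbreviations are accepted, as used in the thread
ACL_RE = re.compile(r"^access-l\S* (\S+) permit (tcp|udp) (?:any|host \S+|\S+ \S+) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-g\S* (\S+) in interface (\S+)$")
# Assumed name-to-number table for the service keywords used in this thread.
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "http": 80, "ntp": 123, "https": 443}


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class PortStatic:
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass(frozen=True)
class AclEntry:
    acl: str
    proto: str
    dst_ip: str
    port: int


def parse_pix(text):
    """Return (port statics, identity-static networks, ACL entries, access-groups)."""
    names, ports, idents, entries, applied = {}, [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)  # alias -> address, resolved below
        elif m := PORT_STATIC_RE.match(line):
            proto, mip, mport, rip, rport = m.groups()
            ports.append(PortStatic(proto, names.get(mip, mip), port_number(mport),
                                    names.get(rip, rip), port_number(rport)))
        elif m := IDENT_STATIC_RE.match(line):
            real, mask = names.get(m.group(2), m.group(2)), m.group(3)
            idents.append(ipaddress.ip_network(f"{real}/{mask}", strict=False))
        elif m := ACL_RE.match(line):
            acl, proto, dst, port = m.groups()
            entries.append(AclEntry(acl, proto, names.get(dst, dst), port_number(port)))
        elif m := GROUP_RE.match(line):
            applied.append((m.group(1), m.group(2)))
    return ports, idents, entries, applied


def check_port_forwarding(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    ports, idents, entries, applied = parse_pix(text)
    findings = []
    applied_acls = {acl for acl, _ in applied}
    outside_acls = {acl for acl, iface in applied if iface == "outside"}
    for acl in dict.fromkeys(e.acl for e in entries):  # first-seen order
        if acl not in applied_acls:
            findings.append(f"UNAPPLIED: access-list {acl} has no access-group, so it filters nothing")
    for s in ports:
        # A permit only counts if it is on an outside ACL and matches proto, mapped IP and port.
        if not any(e.acl in outside_acls and e.proto == s.proto and e.dst_ip == s.mapped_ip
                   and e.port == s.mapped_port for e in entries):
            findings.append(f"NO-PERMIT: {s.proto}/{s.mapped_port} to mapped {s.mapped_ip} "
                            f"(real {s.real_ip}:{s.real_port}) is translated but not permitted inbound on outside")
        for net in idents:
            if ipaddress.ip_address(s.real_ip) in net:
                findings.append(f"IDENTITY-OVERLAP: static for {net} also covers {s.real_ip}; "
                                f"use nat (inside) 0 for outbound bypass instead of a self static")
    mapped_ips = {s.mapped_ip for s in ports}
    for e in entries:
        if e.dst_ip not in mapped_ips:
            findings.append(f"UNMAPPED-DST: {e.acl} permits to {e.dst_ip}, which is no static's mapped address")
    return findings


# Constructed from the thread: acl_inbound names 10.1.0.2 and is never applied.
BEFORE_CONFIG = """\
name 10.10.10.2 NS1
name 192.168.21.2 NS1-External
access-list acl_inbound permit tcp any host 10.1.0.2 eq smtp
access-list acl_inbound permit tcp any host 10.1.0.2 eq www
static (inside,outside) tcp NS1-External smtp NS1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp NS1-External www NS1 www netmask 255.255.255.255 0 0
static (inside,outside) udp NS1-External ntp NS1 ntp netmask 255.255.255.255 0 0
"""
# Constructed from the suggested out_acl; note the tcp permit for a udp ntp static.
AFTER_CONFIG = "\n".join(BEFORE_CONFIG.splitlines()[:2] + BEFORE_CONFIG.splitlines()[4:]) + """
access-l out_acl permit tcp any host NS1-External eq smtp
access-l out_acl permit tcp any host NS1-External eq www
access-l out_acl permit tcp any host NS1-External eq ntp
access-g out_acl in interface outside
"""
# The self static that the thread warns against, layered on top of the fixed config.
SELF_STATIC_CONFIG = AFTER_CONFIG + "static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG), ("self-static", SELF_STATIC_CONFIG)):
        print(f"== {label} ==")
        for finding in check_port_forwarding(cfg) or ["(consistent)"]:
            print(" ", finding)
```

Run it as a script to see the three reports: the original config yields an unapplied ACL, three unpermitted statics and two permits aimed at an address no static maps; the suggested out_acl clears all of that except the udp/123 static that only has a tcp permit; adding the subnet self static on top produces an overlap finding for every forwarded port.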
02-18-2008 10:02 AM
Thanks fellas, wow I thought I was the only one up and working at that time of night.
I'll give abinjola's responses a try first as it doesn't involve re-configuring both devices.
I shouldn't think there is much more for me to do on the Router side as it's connecting, routing, and doing the Port Forwarding as configured.
It's just the PIX doesn't like the "Translated" packets it's seeing on the outside interface and as such won't pass them.
I'll post up how it goes.
Greg