static route confusing pix itself

alexus
Level 1

I have a big problem; not sure, maybe I'm just doing something incorrectly, but here is the thing:

I have a PIX 515E with the outside interface connected directly to my ISP, and I have my local network on the inside.

One of my computers has a local IP, and in order for me to reach it from outside I made a static route; yet the problem is that even though that IP is local, some of the software on that computer must connect to the public IP to itself, and that's where the confusion comes in (at least for the PIX).

I don't even know where to start either :(

Please help.

Thanks.

14 Replies

alexus
Level 1

This is what I get in the syslog messages:

2 Mar 31 2008 23:00:07 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42

Yet my local IP is 192.168.1.251.

Alexus,

Not 100% sure what you are trying to do. I think you are just trying to access an inside host from the Internet?

Your local IP can be made accessible from the Internet, but you need to use NAT, not static routes. Then you connect to the NAT address (a real Internet IP address) and this translates to the local address. If you only have one 'real' IP, this can be used to access the local host as well as being available for many local hosts to access the Internet, providing you know what TCP/UDP ports you need for getting to the local host.

Post the config here and it should make it clearer what you have done, and are trying to achieve.

You will need to issue a static NAT statement along with updates to your outside-inside ACL.

Can you show me an example?

You need a static NAT:

static (inside,outside) {outside ip address} {inside ip address} netmask 255.255.255.255

where {outside ip address} is an IP address given to you by your service provider, and {inside ip address} is the IP address on your LAN of the server you want to access from outside.

And you need an access list on the outside interface to let this traffic in:

access-list Outside-Inbound extended permit tcp any host {outside ip address} eq http

access-group Outside-Inbound in interface outside

This is for HTTP, but it can be for any protocol.

I hope that answers your question?

Regards,

Iain

I already do have a static route set, and I have an access-list as well; I'm able to reach this machine and port from outside. Like I said, the problem is not that. The actual problem is that whenever I try to reach the same public IP with port from inside the network (from the same machine) it won't allow me. Please read my previous msg, as I explained in more detail where and how it fails, so your solution isn't going to help me :(

Do you mean static NAT or route?

Post a copy of the config and it may be a bit clearer what you are trying to achieve. Give us the IP addresses for each step so we can follow what you are doing.

Regards,

Iain

My config is too long; it won't let me post it.

Please go to my URL:

http://jot.jothost.com/03242008142600

I put it in there.

Anyone got a solution for me?

Please go over this link; it should provide some type of solution: DNS doctoring or hairpinning.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

HTH

Rgds

Jorge

Jorge Rodriguez

I do have DNS doctoring in my system.

This is what I get in the logs:

2 Apr 15 2008 11:39:42 106017 38.96.132.42 38.96.132.42 Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42

What's hairpinning?

Please read the link I provided: Alternative Solution: Hairpinning.

"the actual problem is that whenever i try to reach same public ip with port from inside of network (from same machine) it wont allow me"

It seems to me you are trying to access the public IP from the same local machine whose public IP NAT is configured for, or from your inside LAN, so you are trying a U-turn. If you read the link I posted you will get a better picture of how to go about it and what needs to be done in terms of NAT and other settings.

Jorge Rodriguez
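Hairpinning as Jorge describes it, written out as a configuration fragment added here for readers; it is not alexus's config (the jot.jothost.com paste is not on this page) and is not copied from the Cisco link. It uses the two addresses the thread gives (public 38.96.132.42, inside host 192.168.1.251) and assumes an inside LAN of 192.168.1.0/24 and a PIX 515E running 7.x software, since same-security-traffic permit intra-interface does not exist in 6.x. The ACL name is the one from Iain's example.

```cisco
! Added example: PIX 7.x hairpinning so that inside hosts (including the
! server itself) can reach the server through its public address.
! Assumed: public 38.96.132.42 -> inside server 192.168.1.251 (from the thread),
! inside LAN 192.168.1.0/24 (assumption), PIX 7.x software (assumption).

! What the thread already has: the outside-facing static and inbound ACL.
! The "dns" keyword is DNS doctoring, which alexus says is already enabled.
static (inside,outside) 38.96.132.42 192.168.1.251 netmask 255.255.255.255 dns
access-list Outside-Inbound extended permit tcp any host 38.96.132.42 eq http
access-group Outside-Inbound in interface outside

! Hairpinning, part 1: allow a packet to enter and leave the same interface.
same-security-traffic permit intra-interface

! Part 2: translate the public address back to the server for traffic that
! arrives on inside and is sent back out inside.
static (inside,inside) 38.96.132.42 192.168.1.251 netmask 255.255.255.255

! Part 3: translate inside sources to the PIX inside interface address on the
! hairpinned leg, so the server's replies come back through the PIX rather than
! going to the client directly, and the packet never carries the same address
! as both source and destination.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
```

If a `nat (inside) 1 ...` line already exists for outbound Internet access, reuse its NAT ID and add only the `global (inside) 1 interface` line. After applying, `show xlate` should show a translation for the inside host when it connects to 38.96.132.42, and the 106017 "Deny IP due to Land Attack from 38.96.132.42 to 38.96.132.42" entries alexus posted should stop, since those are consistent with the server's own source address being translated to 38.96.132.42 by the existing static while the destination is also 38.96.132.42.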

I did read that link, and I do have DNS doctoring enabled, yet that doesn't help me :( and unless I'm missing something, that solution isn't helping me... As far as hairpinning, I tried to implement that and that seems to help me; hopefully this fixes my issue. I'll try a few things out; if it helps, thanks! If not, I'll ask more questions :)

"As far as hairpinning, I tried to implement that and that seems to help me; hopefully this fixes my issue. I'll try a few things out."

This should solve your issue; keep us posted. If it doesn't resolve the problem we'll take a different approach, but basically hairpinning applies in your situation and it should solve it. If it does, please rate the post as resolved.

Rgds

Jorge

Jorge Rodriguez