PIX 515E Single Public IP to use in NAT(i have configed,but not succeed)

jordielau
Level 1

I have a single public IP address that I have assigned to my outside interface, and I want to access the internal web server 192.168.10.7 from the internet. I have configured it, but it still cannot be accessed from the internet. What is wrong with my configuration? The following is my configuration:

PIX Version 7.2(1)
!
hostname wanshitong
domain-name wanshitong.com
enable password xxx
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 218.xx.xx.26 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
passwd vda4u.Aio7ssMh5X encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name wanshitong.com
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any interface outside eq www
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.10.7 www netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 218.xx.xx.254 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1
route inside 192.168.20.0 255.255.255.0 192.168.100.2 1
route inside 192.168.30.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet 58.63.6.0 255.255.255.0 outside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect http
inspect ftp
inspect dns
inspect icmp
inspect icmp error
inspect tftp
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect sqlnet
inspect sunrpc
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
tftp-server inside 192.168.100.100 pix721
prompt hostname context
Cryptochecksum:xxx
: end

Appreciate it!


Hi Dear,

You can try to replace this line: 'nat (inside) 1 192.168.10.0 255.255.255.0'

with: 'nat (inside) 1 access-list 102', and in access-list 102 deny the IP address of the server 192.168.10.7 and then permit 192.168.10.0/24.

You can issue a show xlate and post it, as it may help diagnose the problem.

Thanks.

Thanks mohammed_moustafa.

I am a newbie at firewalls; I am puzzled about how to write the statement for "in access-list 102 deny the ip address of the server 192.168.10.7 and then permit 192.168.10.0/24."

It would be nice of you if you could give me an example.

Hi Jordielau,

Here are the commands:

access-list 102 deny host 192.168.10.7
access-list 102 permit 192.168.10.0 255.255.255.0
no nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 access-list 102

Hope it works,

Thanks mohammed_moustafa.

When I execute the statements you gave, this error happens:

wanshitong(config)# nat (inside) 1 access-list 102
ERROR: Cannot mix different types of access lists
ERROR: Access-list "102" does not exist
Usage: [no] nat () []
[dns] [outside]
[[tcp] [ []]]
[udp ]
[no] nat (if_name) access-list
[dns] [outside]
[[tcp] [ []]]
[udp ]

What is wrong?

Accepted solution:

Access lists and NAT seem ok.

Could you check what port the server 192.168.10.7 is listening on: port 80 or something else?

Is the server 192.168.10.7 reachable from the firewall?

Thanks dhananjoychowdhury.

I can ping it from the inside of the firewall, but from the outside it is not reachable!

***************************

wanshitong# ping inside 192.168.10.7
Sending 5, 100-byte ICMP Echos to 192.168.10.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
wanshitong# ping out
wanshitong# ping outside 192.168.10.7
Sending 5, 100-byte ICMP Echos to 192.168.10.7, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
wanshitong#

jordielau
Level 1

Hi all, the problem still remains. The following is the packet-tracer output:

**********************************************

wanshitong# packet-tracer input outside tcp 202.101.103.55 www 192.168.10.7 www detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100 in interface outside
access-list 100 extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2587818, priority=12, domain=permit, deny=false
hits=263683, user_data=0x2985b90, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x25853e8, priority=0, domain=permit-ip-option, deny=true
hits=637567, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x291e718, priority=70, domain=inspect-http, deny=false
hits=12, user_data=0x2920d18, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp 218.66.13.26 www 192.168.10.7 www netmask 255.255.255.255
match tcp inside host 192.168.10.7 eq 80 outside any
static translation to 218.66.13.26/80
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x18a41d0, priority=5, domain=nat-reverse, deny=false
hits=5, user_data=0x29dadb8, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.10.7, mask=255.255.255.255, port=80

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

wanshitong#
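As an added example (not code from the thread), a small Python parser for packet-tracer output of the kind posted above: it splits the trace into phases and reports the first phase that returned DROP, the rule that phase matched, and the closing Drop-reason. The sample trace is constructed from (and abridged relative to) the output above.

```python
# Constructed sample, abridged from the packet-tracer output posted above.
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100 in interface outside
access-list 100 extended permit ip any any
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp 218.66.13.26 www 192.168.10.7 www netmask 255.255.255.255
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the closing summary dict."""
    phases, summary, cur, section = [], {}, None, None
    for line in text.splitlines():
        if line.startswith("Phase:"):                    # new phase header
            cur = {"phase": int(line.split(":")[1]), "config": []}
            phases.append(cur)
            section = None
        elif line.strip() == "Result:":                  # bare "Result:" opens the final summary
            cur, section = None, "summary"
        elif line.startswith("Config:"):
            section = "config"                           # the rule(s) this phase matched follow
        elif line.startswith("Additional Information:"):
            section = "info"                             # lookup details; ignored here
        elif section == "config" and line.strip():
            cur["config"].append(line.strip())
        elif section != "info" and ":" in line and (cur is not None or section == "summary"):
            key, _, val = line.partition(":")            # Type/Subtype/Result or a summary field
            (summary if section == "summary" else cur)[key.strip().lower()] = val.strip()
    return phases, summary

def first_drop(text):
    """Return (phase, type, subtype, matched rule, drop-reason) for the first DROP phase, else None."""
    phases, summary = parse_trace(text)
    for p in phases:
        if p.get("result") == "DROP":
            return p["phase"], p.get("type"), p.get("subtype"), (p["config"] or [None])[0], summary.get("drop-reason")
    return None
```

One caveat when reading a trace like the one above: a packet injected on outside has to be addressed to the mapped address (here the outside interface address 218.66.13.26, port 80), not to the server's real address 192.168.10.7, because the static is applied by untranslating the destination; a trace to the real address fails the NAT rpf-check whatever the state of the server.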

jordielau
Level 1

Thanks everyone! I finally found out the problem. As dhananjoychowdhury said, my PIX 515E configuration is OK; the problem was the configuration of the web server. Strangely, port 80 can't be used by the web server, but when I changed it to another port (82) it worked correctly. I just had to change the port number on my web server! Oh my god, I have spent one month on this case!
