07-07-2009 02:36 AM - edited 03-11-2019 08:51 AM
Hi netpro's
I am having a nightmare time trying to get some static NAT working on the PIX...
I have PIX 515 V8.2
inside i have 192.168.204.0 /22 network
outside I have 192.168.1.0 /24 network
The outside interface is connected to a Cisco 877 router, with an FTP server connected to one of the interfaces on the 877 with an IP of 192.168.1.50.
I need to add a static map on the PIX inside interface that maps inside address 192.168.207.100 to the FTP server IP 192.168.1.50
I have added the following command and it doesn't work !!!
static (inside,outside) 192.168.1.50 192.168.207.100 netmask 255.255.255.255
nat-control is disabled, and there are no other NAT or PAT configurations on the PIX.
What am I missing?
Thanks
Rod
07-07-2009 02:50 AM
Rod
Try this
static (outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255
Jon
07-07-2009 02:57 AM
Hi Jon,
Thanks for the response. I tried your suggestion and something strange happened.
I tried to remote desktop onto the FTP server via the 192.168.207.100 address and got as far as seeing the server screen; however, the connection dropped before I was presented with the Ctrl and Delete screen from the server....
any suggestions?
Rod
07-07-2009 02:59 AM
config below:
PIX Version 8.0(3)
!
hostname pixfirewall
domain-name corp.rwenukem.co.uk
enable password gtNhcavDCYG3V2bP encrypted
names
!
interface Ethernet0
nameif Outside
security-level 0
ip address 192.168.1.100 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.207.1 255.255.252.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name corp.rwenukem.co.uk
access-list out2in extended permit tcp host 192.168.1.50 any
access-list out2in extended permit tcp host 192.168.1.66 any
access-list out2in extended permit tcp host 192.168.1.1 any
access-list in2out extended permit ip any any
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm debugging
no logging message 710005
mtu Outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (Outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface Outside
access-group in2out in interface inside
route Outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.200.0 255.255.255.0 192.168.204.3 1
route inside 192.168.201.0 255.255.255.0 192.168.204.3 1
route inside 192.168.202.0 255.255.255.0 192.168.204.3 1
route inside 192.168.203.0 255.255.255.0 192.168.204.3 1
route inside 192.168.208.0 255.255.252.0 192.168.204.3 1
route inside 192.168.214.0 255.255.255.0 192.168.204.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.204.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.204.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
username djrodb password hW62dJ9ElnD4Te0O encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c834da0a5217b69b71892500f83e5170
: end
pixfirewall(config)#
07-07-2009 03:05 AM
Rod
Not sure what is happening there without more details.
Just to clarify -
static (inside,outside) 192.168.1.50 192.168.207.100 netmask 255.255.255.255
means translate the source IP address of 192.168.207.100 to 192.168.1.50
that's why it wasn't working for you.
static (outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255
means translate the destination address of 192.168.207.100 to 192.168.1.50
which is what you need.
So you now have the right static statement but a problem with the server by the sounds of it. Is there any other connectivity test you could try from the inside to the server ?
Jon
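The two statements Jon contrasts, modelled as an added Python example (not the thread's own code and not anything from Cisco): it parses the pre-8.3 "static (real_ifc,mapped_ifc) mapped_ip real_ip" syntax and applies it to a constructed packet from an assumed inside workstation (192.168.204.50) to the alias 192.168.207.100, showing that only the (outside,inside) form rewrites the destination to 192.168.1.50, and that the reply from 192.168.1.50 is mapped back to the alias.

```python
"""Model of PIX/ASA pre-8.3 'static' semantics (added illustration, not Cisco code).

    static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask M]

A packet arriving on mapped_ifc with destination mapped_ip gets its destination
rewritten to real_ip; a packet arriving on real_ifc with source real_ip gets its
source rewritten to mapped_ip. Everything else passes untouched by this static.
"""
import re
from dataclasses import dataclass, replace

STATIC_RE = re.compile(
    r"static\s*\((\w+),(\w+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?")


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class Packet:
    in_ifc: str  # interface the packet arrives on
    src: str
    dst: str


def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
    # Interface names are normalised to lower case in this model only.
    return Static(real_ifc.lower(), mapped_ifc.lower(), mapped_ip, real_ip)


def translate(pkt: Packet, st: Static) -> Packet:
    """Apply one host static to one packet and return the (possibly) rewritten packet."""
    ifc = pkt.in_ifc.lower()
    if ifc == st.mapped_ifc and pkt.dst == st.mapped_ip:
        return replace(pkt, dst=st.real_ip)    # destination NAT toward the real host
    if ifc == st.real_ifc and pkt.src == st.real_ip:
        return replace(pkt, src=st.mapped_ip)  # source NAT of the real host's replies
    return pkt                                 # this static does not match


# Constructed packet: assumed inside workstation -> FTP server's inside alias.
INSIDE_TO_ALIAS = Packet("inside", "192.168.204.50", "192.168.207.100")


def effect(line: str, pkt: Packet = INSIDE_TO_ALIAS) -> Packet:
    return translate(pkt, parse_static(line))
```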
07-07-2009 07:04 AM
This configuration, added to the above configuration, solved my issues.
global (Outside) 101 interface
same-security-traffic permit intra-interface
Rod