
STATIC NAT - INSIDE TO OUTSIDE

rod.blackie
Level 1

Hi netpros,

I am having a nightmare time trying to get some static NAT working on the PIX...

I have PIX 515 V8.2

Inside I have the 192.168.204.0/22 network.

Outside I have the 192.168.1.0/24 network.

The outside interface is connected to a Cisco 877 router, with an FTP server connected to one of the interfaces on the 877 with an IP of 192.168.1.50.

I need to add a static map on the PIX inside interface that maps inside address 192.168.207.100 to the FTP server IP 192.168.1.50.

I have added the following command and it doesn't work!!!

static (inside,outside) 192.168.1.50 192.168.207.100 netmask 255.255.255.255

nat-control is disabled, and there are no other NAT or PAT configurations on the PIX.

What am I missing?

Thanks

Rod

5 Replies

Jon Marshall
Hall of Fame

Rod

Try this

static (outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255

Jon

Hi Jon,

Thanks for the response. I tried your suggestion and something strange happened.

I tried to remote desktop onto the FTP server via the 192.168.207.100 address and got as far as seeing the server screen; however, the connection dropped before I could be presented with the ctrl and delete screen from the server....

Any suggestions?

Rod

config below:

PIX Version 8.0(3)
!
hostname pixfirewall
domain-name corp.rwenukem.co.uk
enable password gtNhcavDCYG3V2bP encrypted
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 192.168.1.100 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.207.1 255.255.252.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name corp.rwenukem.co.uk
access-list out2in extended permit tcp host 192.168.1.50 any
access-list out2in extended permit tcp host 192.168.1.66 any
access-list out2in extended permit tcp host 192.168.1.1 any
access-list in2out extended permit ip any any
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm debugging
no logging message 710005
mtu Outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (Outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface Outside
access-group in2out in interface inside
route Outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.200.0 255.255.255.0 192.168.204.3 1
route inside 192.168.201.0 255.255.255.0 192.168.204.3 1
route inside 192.168.202.0 255.255.255.0 192.168.204.3 1
route inside 192.168.203.0 255.255.255.0 192.168.204.3 1
route inside 192.168.208.0 255.255.252.0 192.168.204.3 1
route inside 192.168.214.0 255.255.255.0 192.168.204.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.204.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.204.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
username djrodb password hW62dJ9ElnD4Te0O encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c834da0a5217b69b71892500f83e5170
: end
pixfirewall(config)#

Rod

Not sure what is happening there without more details.

Just to clarify -

static (inside,outside) 192.168.1.50 192.168.207.100 netmask 255.255.255.255

means "translate the source IP address of 192.168.207.100 to 192.168.1.50",

which is why it wasn't working for you.

static (outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255

means "translate the destination address of 192.168.207.100 to 192.168.1.50",

which is what you need.

So you now have the right static statement but, by the sounds of it, a problem with the server. Is there any other connectivity test you could try from the inside to the server?

Jon
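To make the direction rule Jon describes concrete, here is an added Python model of the PIX 8.x `static (real_ifc,mapped_ifc) mapped_ip real_ip` statement. It is an illustration written for this thread, not Cisco code and not anything posted above: the `Static` and `Packet` classes, the `parse_static`/`translate`/`describe` helpers and the sample client address 192.168.204.10 are all constructed for the example. It runs both statements from the thread against a constructed inside-to-server packet and the server's reply, showing that only the `(outside,inside)` form rewrites the destination.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the PIX 8.x "static (real_ifc,mapped_ifc) mapped_ip real_ip"
# statement, written for this illustration; it is not Cisco code and ignores the
# netmask, port and policy options of the real command.


@dataclass(frozen=True)
class Static:
    real_ifc: str    # interface where the real host lives
    mapped_ifc: str  # interface from which the host is seen as mapped_ip
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class Packet:
    ingress_ifc: str  # interface the packet arrives on
    src: str
    dst: str


def parse_static(line: str) -> Static:
    """Parse 'static (real,mapped) mapped_ip real_ip [netmask m]' into a Static."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "static":
        raise ValueError(f"not a static statement: {line!r}")
    ifcs = parts[1].strip("()").split(",")
    if len(ifcs) != 2:
        # "(inside.outside)" with a dot instead of a comma fails here
        raise ValueError(f"bad interface pair: {parts[1]!r}")
    real_ifc, mapped_ifc = (i.lower() for i in ifcs)  # nameif compared case-insensitively
    mapped_ip, real_ip = parts[2], parts[3]
    ipaddress.ip_address(mapped_ip)  # raises on a malformed address
    ipaddress.ip_address(real_ip)
    return Static(real_ifc, mapped_ifc, mapped_ip, real_ip)


def translate(rule: Static, pkt: Packet) -> Packet:
    """Apply one host static to a packet entering the firewall.

    - Entering on real_ifc with src == real_ip: source becomes mapped_ip.
    - Entering on mapped_ifc with dst == mapped_ip: destination becomes real_ip.
    Anything else is returned unchanged (no translation hit).
    """
    ifc = pkt.ingress_ifc.lower()
    if ifc == rule.real_ifc and pkt.src == rule.real_ip:
        return replace(pkt, src=rule.mapped_ip)
    if ifc == rule.mapped_ifc and pkt.dst == rule.mapped_ip:
        return replace(pkt, dst=rule.real_ip)
    return pkt


def describe(rule: Static) -> str:
    """One-line summary of what the static does, in the terms used in the thread."""
    return (f"host {rule.real_ip} on {rule.real_ifc} is reachable as "
            f"{rule.mapped_ip} from {rule.mapped_ifc}")


# The two statements from the thread.
ORIGINAL = parse_static(
    "static (inside,outside) 192.168.1.50 192.168.207.100 netmask 255.255.255.255")
SUGGESTED = parse_static(
    "static (outside,inside) 192.168.207.100 192.168.1.50 netmask 255.255.255.255")

# Constructed sample flow: an inside client (address chosen for the example)
# opening a connection to the FTP server via its inside-facing alias, and the
# server's reply arriving on the Outside interface.
CLIENT_TO_ALIAS = Packet("inside", "192.168.204.10", "192.168.207.100")
SERVER_REPLY = Packet("Outside", "192.168.1.50", "192.168.204.10")


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(f"{name}: {describe(rule)}")
        print("  client -> alias :", translate(rule, CLIENT_TO_ALIAS))
        print("  server reply    :", translate(rule, SERVER_REPLY))
```

With the original statement the client packet leaves `translate` untouched, so the PIX never rewrites 192.168.207.100 to the real server; that address sits inside the 192.168.204.0/22 inside subnet, so the client simply tries to reach a local host that does not exist. With the suggested statement the destination is rewritten to 192.168.1.50 on the way out and the reply's source is rewritten back to 192.168.207.100 on the way in, which is the pair of rewrites a connection through the alias needs.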

This configuration, added to the above configuration, solved my issues.

global (Outside) 101 interface

same-security-traffic permit intra-interface

Rod
