static PAT statements, need help...

Answered Question
Feb 13th, 2003

Hello all,


I am in the process of setting up an email server. For the time being, for reasons I'd rather not explain, I cannot put it on the DMZ, so it is sitting on the inside interface of the 515e firewall.

I have the internal IP of that server as 192.168.50.13, and from inside the network I can send, receive, etc. email on that server. It is a new server, so I recently set up my A and MX records. When pinging the domain entry, the proper IP is now assigned to the domain name. However, I cannot see my email server from the outside world. When running a DNS query on the MX record I get no response.

The problem is at the PIX level. My static statements don't seem to be working.

One of my 4 static statements works (for our Terminal Services server), but the other 3 entries do not.

They are as follows:

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0


(the last entry is just to test and see if I could even host a win2k standard telnet server from my local desktop and see it through the firewall, the test was unsuccessful, I can telnet in via the local IP, .201, but not via the outside IP, MainOffice.)


Since often other places in the PIX config seem to affect the issues I have :), I am including a full running-config listing below for those who would like to reference it. Thank you for your time,


One other strange thing of note: with this current config, I cannot ping my outside interface IP from either external IPs or internal IPs. I have my ICMP entries set and thought I should be able to see it, but can't. This isn't as important an issue as the above issue.

Dave


::

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

hostname YRPCI

domain-name yrpci.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol http 8080

fixup protocol ftp 22

names

name x.x.71.8 ConstOffice

name x.x.81.11 BftOffice

name x.x.71.7 MainOffice

access-list acl_outbound permit ip host 192.168.50.10 any

access-list acl_outbound permit ip host 192.168.50.75 any

access-list acl_outbound permit ip host 192.168.50.201 any

access-list acl_outbound permit ip host 192.168.50.202 any

access-list acl_outbound permit tcp host 192.168.50.203 any

access-list acl_outbound permit tcp host 192.168.50.204 any

access-list acl_outbound permit tcp host 192.168.50.205 any

access-list acl_outbound permit tcp host 192.168.50.206 any

access-list acl_outbound permit tcp host 192.168.50.207 any

access-list acl_outbound permit tcp host 192.168.50.208 any

access-list acl_outbound permit tcp host 192.168.50.209 any

access-list acl_outbound permit tcp host 192.168.50.210 any

access-list acl_outbound permit tcp host 192.168.50.211 any

access-list acl_outbound permit tcp host 192.168.50.212 any

access-list acl_outbound permit tcp host 192.168.50.213 any

access-list acl_outbound permit tcp host 192.168.50.214 any

access-list acl_outbound permit tcp host 192.168.50.215 any

access-list acl_outbound permit tcp host 192.168.50.216 any

access-list acl_outbound permit tcp host 192.168.50.217 any

access-list acl_outbound permit tcp host 192.168.50.218 any

access-list acl_outbound permit tcp host 192.168.50.219 any

access-list acl_outbound permit tcp host 192.168.50.220 any

access-list acl_outbound permit tcp host 192.168.50.221 any

access-list acl_outbound permit tcp host 192.168.50.222 any

access-list acl_outbound permit tcp host 192.168.50.223 any

access-list acl_outbound permit tcp host 192.168.50.224 any

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0

access-list acl_outbound permit ip host 192.168.50.51 any

access-list acl_outbound permit tcp host 192.168.50.11 any

access-list acl_outbound permit ip host 192.168.50.13 any

access-list acl_outbound permit tcp host 192.168.50.225 any

access-list acl_inbound permit tcp any host MainOffice eq 3389

access-list acl_inbound permit icmp any any echo-reply

access-list acl_inbound permit icmp any any time-exceeded

access-list acl_inbound permit icmp any any unreachable

access-list acl_inbound permit ip host MainOffice any

access-list acl_inbound permit tcp any any eq ssh

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging console debugging

logging buffered warnings

logging trap warnings

logging history warnings

logging host inside 192.168.50.201

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

icmp permit host MainOffice outside

icmp permit host ConstOffice outside

icmp permit any unreachable outside

icmp permit any echo-reply outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside pppoe setroute

ip address inside 192.168.50.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

no pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list 100

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

timeout xlate 8:00:00

timeout conn 7:00:00 half-closed 6:00:00 udp 7:00:00 rpc 7:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 7:30:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.50.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address 102

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address 101

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer BftOffice

crypto map vpn1 20 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address BftOffice netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet ConstOffice 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 outside

telnet 192.168.52.0 255.255.255.0 outside

telnet BftOffice 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 inside

telnet timeout 10

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.50.0 255.255.255.0 inside

ssh timeout 20

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname xxxxxxxxx

vpdn group pppoex ppp authentication pap

vpdn username xxxxxxxxxx password *********

terminal width 80

: end

wolfrikk Thu, 02/13/2003 - 07:49

Two things I would look at first. Do a show xlate and see if the static mapping shows up, and make sure that the server does not have a dynamically NATed IP. If you do not see the static mapping, do a clear xlate, then another show xlate and see if the static mapping connects. Second, you can do a show access-list acl_inbound and see if there are any hits on the ACL.

dsingleterry Thu, 02/13/2003 - 08:01

Ok, first, I forgot to add the following lines, but it still didn't fix the problem; these are now added:

access-list acl_inbound permit tcp any host MainOffice eq pop3 (hitcnt=0)

access-list acl_inbound permit tcp any host MainOffice eq smtp (hitcnt=0)

access-list acl_inbound permit tcp any host MainOffice eq telnet (hitcnt=0)


Second, when I run xlate, I've got a bunch of entries, but the only ones that seem to pertain to the issue are:

PAT Global MainOffice(63878) Local 192.168.50.13(2461)

PAT Global MainOffice(25) Local 192.168.50.13(25)


I did a clear xlate, and then a show a few seconds later, and still have not seen the 10.13 show back up in there.


No NAT'ing is happening anywhere but on the PIX, so the only NAT's I have set there are statics.


the hit list shows as follows:

access-list acl_inbound permit tcp any host MainOffice eq pop3 (hitcnt=0)

access-list acl_inbound permit tcp any host MainOffice eq smtp (hitcnt=2)

access-list acl_inbound permit tcp any host MainOffice eq telnet (hitcnt=0)


I've tried hitting all 3 ports, the smtp and pop3 via telnetting to their ports; no connection from the outside IP, but I can connect from the server's inside IP.

and I've tried telnetting to the .201 entry from the outside IP, and no go there as well. Again, from inside these services work fine.


Thanks for the quick response, maybe this will help you with narrowing down the issue.

wolfrikk Thu, 02/13/2003 - 08:25

It looks like you do have a dynamic PAT pool set up. The following commands will allow the entire 192.168.50.0 network to NAT outside using the outside interface's IP address.


global (outside) 2 interface

nat (inside) 2 192.168.50.0 255.255.255.0 0 0


There are two hits on the ACL for smtp, so it looks like the static map is connecting. The next step would be to start a debug and see what the packets do when the PIX processes them from the outside. You can try a "debug access-list all" and try connecting from the outside and see what the access-list is doing.



dsingleterry Thu, 02/13/2003 - 08:43

I tried the debug access-list all; nothing seemed to pop up when I tried to use those statics by telnetting to port 25 and 23 for the outside IP. I then did a show access-li acl_inbound and the smtp traffic hitcnt has moved to 5, but that didn't change in succession with the telnet attempts. It seems to be going up possibly in relation to the active email server on IP 50.13.. maybe?


I haven't seen anything show from the debug though.


I see what you mean about the dynamic PAT, my bad. Although I don't see how that global and nat statement should prevent the static PAT from happening. One of my statics has worked for a while for port 3389.


Thanks again for your time,

Dave

wolfrikk Thu, 02/13/2003 - 08:53

I wasn't implying that the static mappings were the problem. In the past, I have seen issues where the newly created static mapping would not work and, when looking at the show xlate, the server already had a dynamic NAT mapping. That dynamic mapping would have to time out before the static mapping would connect. Clearing the xlate would force the PIX to remap everything. One thing that may make everything easier to see would be to create the static mapping using IP addresses only, and not using the hostnames. This way we will know the two IPs are mapping correctly.


On the debug, are you connected with a console cable or telnet? If you are using telnet you will have to enter the "terminal monitor" command to see the debug information. By default, all system information is only displayed on the Console.


dsingleterry Thu, 02/13/2003 - 09:17

Oh, my bad again, learned something :)


The static mappings were actually created with static IPs, but the config has taken my names and automatically put them in. I have kept the names in there since it's easier to replace 3 IPs with x.x.x.x for display here instead of every entry in the config :)


Well, I'm still not seeing those static PATs in xlate, just dynamic ones. It's strange though, since below you can see it building the PAT when I attempt to connect.


Ok, from the console I see: (just a little of it; I'm sure you don't want to see all the masses of dynamics, but I included one, the rest are built outbounds)


168.50.201/2413 duration 0:02:01 bytes 0 SYN Timeout

305011: Built dynamic TCP translation from inside:192.168.50.10/3846 to outside:x.x.71.7/64579


302013: Built outbound TCP connection 129518 for outside:x.x.71.7/23 (x.x.71.7/23) to inside:192.168.50.10/3846 (x.x.71.7/64579)


302013: Built outbound TCP connection 129530 for outside:x.x.71.7/25 (x.x.71.7/25) to inside:192.168.50.10/3851 (x.x.71.7/64585)


302013: Built inbound TCP connection 129531 for outside:192.168.51.51/1226 (192.168.51.51/1226) to inside:192.168.50.10/445 (192.168.50.10/445)


302015: Built inbound UDP connection 129532 for outside:192.168.51.51/1228 (192.168.51.51/1228) to inside:192.168.50.10/389 (192.168.50.10/389)


302013: Built outbound TCP connection 129533 for outside:x.x.6.213/110 (x.x.6.213/110) to inside:192.168.50.204/1210 (x.x.71.7/64586)


Thanks for your patience on this.

Dave

dsingleterry Thu, 02/13/2003 - 11:09

Thanks for the link, but I think I've covered everything they list there... didn't hurt to read though :)


I also tried just now to unbind all access-lists, thus basically opening up both inside and outside interfaces. Then I tried to connect, and still had no dice. So that would imply that the access-lists aren't the culprit.


My static statements seem to be text-book, yet in xlate I see no PAT entries pointing to the 3 statements in question.

(those being:

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

)


My smtp access-li has moved to 7 on hitcnt, but that's only since I added it this morning about 5 hours ago, with multiple attempts to access it since then.


So... I'm still stumped, thanks for your help guys.

Dave

wolfrikk Thu, 02/13/2003 - 11:26

PIXes by default do not allow any traffic from outside until you let it in. If there is no inbound access-list on the outbound interface, all incoming traffic should be blocked. What I normally do when I have very weird problems with access-lists is to try a very liberal access-list. Create an access-list allowing all IP traffic from the external IP address you are using to test to the outside IP address you are using for your static mapping to the email server.


access-list test permit ip host host


We should be able to test the static map and IP connections with this access-list.

b-pelphrey Thu, 02/13/2003 - 11:56

I have run into situations where, with the way that a particular mail server is being accessed and/or with what parts of the smtp flags are needed, it may not work with fixup protocol smtp 25. So what I would suggest for a test is to turn off fixup for smtp. Remember fixup only allows certain smtp flags through... turning it off allows all.



TRY:

no fixup protocol smtp 25



Just to see if it works. Hope this helps.

wolfrikk Thu, 02/13/2003 - 12:12

That is a good point. PIXes only support SMTP. If the email server is configured for just ESMTP, you will have to disable the fixup protocol for smtp for ESMTP to work through the PIX.

dsingleterry Thu, 02/13/2003 - 12:36

Dang, I knew better on that one, ha, I'm scoring lots of idiot points today :)

It's the outbound access list that lets all go out if there's nothing there, not the inbound.... oops


So I just slapped the line

access-list test permit ip host x.x.71.7 any

and assigned it to my outside interface. (not sure what to put to fit your "Global IP of Static Map" since I have several computers assigned to diff ports for our 1 external IP that we have)


I didn't get anything different from that, and the hitcnts didn't go up any.


If you had something different in mind for that line, let me know. I apologize if I didn't catch what you meant by Global IP of Static Map.


In response to the other two posts...

For the sake of argument I tried to do a no fixup smtp 25, which really didn't change anything, but we knew it was a deeper problem since I also can't get my telnet traffic to go through on a static either, and that's nothing but standard telnet traffic, nothing special.

But I don't mind any and all suggestions either way.

Thanks...

wolfrikk Thu, 02/13/2003 - 12:44

The Global IP of Static Map is the x.x.71.7 IP address. The External address is the IP address you are using to test from outside your network. You could try this access-list temporarily, but it will allow all IP traffic to the x.x.71.7 server.


access-list test permit ip any host x.x.71.7


If this works, change to this one to test just the protocols.



access-list test permit tcp any host x.x.71.7 eq 25

access-list test permit tcp any host x.x.71.7 eq 23


This ACL will test just SMTP and Telnet. Then we can go from there.


dsingleterry Thu, 02/13/2003 - 13:12

Oh, I see.

Ok, I tried that and still no go... sorry.


I even tried to set it to

access-list test permit ip any any


just to make sure, and I still couldn't get through.


wolfrikk Thu, 02/13/2003 - 13:16

Can you paste the current config file? This really does not make sense.

dsingleterry Thu, 02/13/2003 - 13:24

certainly...

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

hostname YRPCI

domain-name yrpci.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol http 8080

fixup protocol ftp 22

fixup protocol smtp 25

names

name x.x.71.8 ConstOffice

name x.x.81.11 BftOffice

name x.x.71.7 MainOffice

access-list acl_outbound permit ip host 192.168.50.10 any

access-list acl_outbound permit ip host 192.168.50.75 any

access-list acl_outbound permit ip host 192.168.50.201 any

access-list acl_outbound permit ip host 192.168.50.202 any

access-list acl_outbound permit tcp host 192.168.50.203 any

access-list acl_outbound permit tcp host 192.168.50.204 any

...

access-list acl_outbound permit tcp host 192.168.50.225 any

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0

access-list acl_outbound permit ip host 192.168.50.51 any

access-list acl_outbound permit tcp host 192.168.50.11 any

access-list acl_outbound permit ip host 192.168.50.13 any

access-list acl_outbound permit tcp host 192.168.50.225 any

access-list acl_inbound permit tcp any host MainOffice eq 3389

access-list acl_inbound permit icmp any any echo-reply

access-list acl_inbound permit icmp any any time-exceeded

access-list acl_inbound permit icmp any any unreachable

access-list acl_inbound permit ip host MainOffice any

access-list acl_inbound permit tcp any any eq ssh

access-list acl_inbound permit tcp any host MainOffice eq pop3

access-list acl_inbound permit tcp any host MainOffice eq smtp

access-list acl_inbound permit tcp any host MainOffice eq telnet

access-list test permit ip any any

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging console debugging

logging buffered warnings

logging trap warnings

logging history warnings

logging host inside 192.168.50.201

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

icmp permit host MainOffice outside

icmp permit host ConstOffice outside

icmp permit any unreachable outside

icmp permit any echo-reply outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside pppoe setroute

ip address inside 192.168.50.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

no pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list 100

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

timeout xlate 8:00:00

timeout conn 7:00:00 half-closed 6:00:00 udp 7:00:00 rpc 7:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 7:30:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable


http 192.168.50.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address 102

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address 101

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer BftOffice

crypto map vpn1 20 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address BftOffice netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet ConstOffice 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 outside

telnet 192.168.52.0 255.255.255.0 outside

telnet BftOffice 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 inside

telnet timeout 10

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.50.0 255.255.255.0 inside

ssh timeout 20

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname xxxx

vpdn group pppoex ppp authentication pap

vpdn username xxxxx password *********

username cisco password BS/vQ9dzYT2I3rJy encrypted privilege 15

terminal width 80

: end

wolfrikk Thu, 02/13/2003 - 13:43

I noticed you are using PPPoE (ip address outside pppoe setroute). This is new, so I am going to look and see if there are any issues with the static mappings and PPPoE. I am going to see if there are any other protocols we need to allow with the ACL with PPPoE. The config looks good, except for one line in the access-list.


access-list acl_inbound permit ip host MainOffice any

should be

access-list acl_inbound permit ip any host MainOffice


Actually, you don't even need that line with the permit tcp statements later in the list.
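
The reversed ACL line pointed out above, and the earlier advice to compare the static port maps with the inbound ACL hit counts, can be checked mechanically. The script below is an added example, not part of this thread or of any Cisco tool: it parses a constructed PIX 6.x config fragment modelled on the one posted, resolves `name` aliases, finds the ACL bound `in` on the outside interface, and reports statics that no outside host is permitted to reach plus inbound rules whose source is the static's global address (written backwards). The port-keyword table and both sample configs are assumptions.

```python
"""Audit a PIX 6.x config: does every static port map have an inbound permit?

Constructed example, not the PIX's own tooling. It resolves 'name' aliases,
parses 'static (inside,outside) tcp ...' lines and the ACL applied inbound on
the outside interface, then reports statics no outside host could reach and
ACL lines whose source/destination look reversed (host <global> -> any).
"""
import re
from typing import Dict, List, Optional, Tuple

# Port keywords the PIX accepts instead of numbers (subset relevant here).
PORT_NAMES = {"smtp": 25, "pop3": 110, "telnet": 23, "ssh": 22, "http": 80, "ftp": 21}


def port_number(tok: str) -> int:
    """Resolve '3389' or 'smtp' to an integer port."""
    if tok.isdigit():
        return int(tok)
    if tok.lower() not in PORT_NAMES:
        raise ValueError(f"unknown port keyword: {tok}")
    return PORT_NAMES[tok.lower()]


def parse_names(cfg: str) -> Dict[str, str]:
    """'name x.x.71.7 MainOffice' -> {'MainOffice': 'x.x.71.7'}."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name\s+(\S+)\s+(\S+)\s*$", cfg, re.M)}


STATIC_RE = re.compile(
    r"^static\s+\(\w+,\w+\)\s+tcp\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask\s+\S+", re.M)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+(ip|tcp)\s+(any|host\s+\S+)\s+(any|host\s+\S+)"
    r"(?:\s+eq\s+(\S+))?", re.M)

Static = Tuple[str, int, str, int]               # global addr, global port, local addr, local port
Rule = Tuple[str, str, str, Optional[int], str]  # proto, src, dst, port, original line


def parse_statics(cfg: str, names: Dict[str, str]) -> List[Static]:
    out = []
    for gaddr, gport, laddr, lport in STATIC_RE.findall(cfg):
        out.append((names.get(gaddr, gaddr), port_number(gport),
                    names.get(laddr, laddr), port_number(lport)))
    return out


def inbound_acl_name(cfg: str, iface: str = "outside") -> Optional[str]:
    """Which ACL is applied 'in' on the outside interface (if any)."""
    m = re.search(rf"^access-group\s+(\S+)\s+in\s+interface\s+{iface}\s*$", cfg, re.M)
    return m.group(1) if m else None


def parse_acl(cfg: str, acl: str, names: Dict[str, str]) -> List[Rule]:
    rules = []
    for m in ACL_RE.finditer(cfg):
        name, proto, src, dst, port = m.groups()
        if name != acl:
            continue
        src = "any" if src == "any" else names.get(src.split()[-1], src.split()[-1])
        dst = "any" if dst == "any" else names.get(dst.split()[-1], dst.split()[-1])
        rules.append((proto, src, dst, port_number(port) if port else None, m.group(0)))
    return rules


def permits_inbound(rules: List[Rule], gaddr: str, gport: int) -> bool:
    """True if some rule lets an arbitrary outside host reach gaddr:gport."""
    for proto, src, dst, port, _ in rules:
        if src != "any" or dst not in ("any", gaddr):
            continue
        if proto == "ip" or port is None or port == gport:
            return True
    return False


def audit(cfg: str) -> dict:
    names = parse_names(cfg)
    statics = parse_statics(cfg, names)
    acl = inbound_acl_name(cfg)
    rules = parse_acl(cfg, acl, names) if acl else []
    global_addrs = {g for g, _, _, _ in statics}
    missing = [(g, p, l) for g, p, l, _ in statics if not permits_inbound(rules, g, p)]
    # A rule with the static's *global* address as source and 'any' as
    # destination is almost certainly written backwards for an inbound ACL.
    reversed_rules = [line for _, src, dst, _, line in rules
                      if src in global_addrs and dst == "any"]
    return {"inbound_acl": acl, "missing": missing, "reversed": reversed_rules}


# Constructed config fragment modelled on the thread's first posting.
SAMPLE_CFG = """\
name x.x.71.7 MainOffice
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
"""
# The three permits added later in the thread make every static reachable.
FIXED_CFG = SAMPLE_CFG + """\
access-list acl_inbound permit tcp any host MainOffice eq pop3
access-list acl_inbound permit tcp any host MainOffice eq smtp
access-list acl_inbound permit tcp any host MainOffice eq telnet
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CFG), ("after", FIXED_CFG)):
        print(label, audit(cfg))
```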

b-pelphrey Thu, 02/13/2003 - 13:45

It seems that you are using the same external IP address to translate into multiple internal addresses. I would ask if any of the other translations work inbound? Do you have any other external IP addresses in the block you have been given to translate one-to-one with your email server?


instead of having all these statics:


static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0


use the same external, I would suggest getting additional external IP addresses to translate with or to.


I hope this helps.

dsingleterry Thu, 02/13/2003 - 16:54

I wish I could get more external IPs; our DSL providers won't give us any more than one, they claim it's some sort of hardware limitation on their part. :( (and living on Hilton Head Island limits my choices of ISP suppliers)


Yes, as of 2 weeks ago the top static was working, port 3389. I don't have the stuff I need here at home to use it at the moment, but I will double check that it still is tomorrow.


According to what I've done in the past and seen done (heck, I even do it with my simple Linksys router at home), it is standard PAT, and I could use as many computers as I want running through that one external as long as they all use different ports to jump through as that one IP.


Thanks,

Dave

gfullage Thu, 02/13/2003 - 18:57
(Cisco Employee)

OK, first of all, for your inability to ping the outside IP address of the firewall, do this:


> clear icmp

> icmp permit any echo outside

> icmp permit any unreachable outside


Note that you won't be able to ping the outside IP address from any inside host, the PIX doesn't allow that.


As for your port statics not working, try the following (keep the port statics in place):


> nat (inside) 10 192.168.50.13 255.255.255.255

> global (outside) 10 MainOffice


That should get your SMTP/POP3 connectivity going hopefully.

dsingleterry Fri, 02/14/2003 - 05:06

I have everything in except that last global line, it gives me

"Start and end addresses overlap with outside interface address"


I wasn't aware I could have that global statement in with my existing one


"global (outside) 2 interface"


Am I missing something here? Thanks.

Dave

b-pelphrey Fri, 02/14/2003 - 06:35

I guess I misunderstood; I was under the impression that you were having difficulties with accessing your email server inbound, not outbound. With that being said, how are you able to PAT inbound to several different internal IP addresses? My assumption is that the only inbound translation that works is: static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0


If you are having trouble with what I have said above, I don't believe you can do what you are doing. You will need additional NIC addresses to translate into your many internal addresses. You need to be doing a one-to-one translation with these servers; however, you are trying to complete this with a one-to-many premise inbound. This (I don't believe) will work inbound like this. Yes, PAT will work outbound in this scenario, but I believe the PAT inbound is your problem. Try my theory out if yours works: static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0


Put your smtp or pop3 static at the top of the static statements and see what works then.


Unless I am not understanding (which is truly possible), I believe this is your problem.


Hope this helps explain a little more what I was saying before.


dsingleterry Fri, 02/14/2003 - 08:46

Oh my goodness...

Well, that worked, which amazes me. Why would it only limit me to one static inbound traffic entry?

Heck, on my SOHO Linksys router I can do multiple PAT inbounds with a single IP!

So for every device host I have I'll need a separate public IP. Wow, it's a good thing I don't plan on hosting more than 2-3 different things. I just hope I can get my ISP to work out their issues with supplying more than one IP to us.


b-pelphrey Fri, 02/14/2003 - 09:59

Well, I am glad it works. To be honest with you, I am not sure why it works at home. I don't know all, however, I truly thought that you could not do PAT like this inbound.


But, from what I know, yes, you will have to have one external address for every internal system you want to translate too.


Unless, someone else knows something I don't (that is absolutely possible) you will have to do this. And like you say, hopefully you can get yourself some more addresses.


Good luck, and I am glad at least this part of the issue is kind of resolved!

wolfrikk Fri, 02/14/2003 - 10:25

I am glad that it is working. I really thought you could configure it the way you were doing it also. I have not tried it that way before, but the configuration options are there, so I don't know why it wouldn't work.

dsingleterry Fri, 02/14/2003 - 10:30

Thanks guys, I appreciate your help.

Until I get more IPs I can only host one service at a time, but that's the way the cookie crumbles...


Thanks again.

wolfrikk Fri, 02/14/2003 - 10:33

You can create the static mapping without using the port mappings. This will send all traffic to the server so you can use SMTP and POP3 to the mail server. This way you only use your RDP access.


static (inside,outside) MainOffice 192.168.50.13 netmask 255.255.255.255 0 0

dsingleterry Fri, 02/14/2003 - 10:38

Well, the PATs are working as long as I direct it to the same IP. For example I have

static (inside,outside) MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0


and both work, but when I add

static (inside,outside) MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

that doesn't work...


just thought you'd like to know that for future reference :)

wolfrikk Fri, 02/14/2003 - 10:39
User Badges:

Great, as long as email is working. I know most companies consider it the most important service.


b-pelphrey Fri, 02/14/2003 - 10:51
User Badges:

That I will definitely buy! Good deal... I am glad you're moving forward. I love this forum stuff; we not only reinforce the knowledge everyone has, but everyone continues to learn. :)

dsingleterry Fri, 02/14/2003 - 11:33
User Badges:

OK, now that we've gone through all of this... for the sheer heck of it I added all the other static lines back in....

you're gonna love this...


It's all working now! What's with that?! haha.


I don't know why it wouldn't pick up, but now it is on all ports.

I have the following in static now...


static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0


All of which work... (I had to come home to test all of them, of course, since it's hard to do from within the network that the firewall is protecting.)


So, negate what we 'learned'... you can do inbound PAT on a one-to-many basis. But I still don't understand why it didn't work until I removed all the static lines and added them back in. (That seems to be what changed when it started working, since I removed them all to add just one at a time.)


So... I dunno, maybe it's user error? Ha, wouldn't surprise me, but it all works now.


Thanks guys,

Dave

Correct Answer
b-pelphrey Fri, 02/14/2003 - 11:44
User Badges:

Well, I'll be a son-of-b!*$@!!!! I have no idea what I am talking about then!!! HA HA.


I am just glad you are working, and maybe someone else watching the boards can help us understand.


Later.

wolfrikk Fri, 02/14/2003 - 11:51
User Badges:

I have seen some weird things with the static mappings on PIXes. I had one issue with a client when I could not get a one-to-one static map to one server to work. I tried everything. After a while, I decided that I would try mapping a different external address just to test, and it worked. I switched back to the other one and it stopped working. The first IP was in the middle of the range, so I know it wasn't a subnet issue. I ended up calling their ISP and changing their DNS records instead of using that other IP. To make matters worse, later they added a server that needed to be accessed from the internet and I had to use the other IP because it was the only one left in their range, and it worked when I used it with that server. I just chalked it up to one of those computer things I will never figure out.

gfullage Sun, 02/16/2003 - 15:32
User Badges:
  • Cisco Employee,

Can you send me all your static statements AND all your NAT/global statements (or maybe post your entire working config one last time)? I want to check this because you certainly can create multiple PAT statements to different ports; I've done it plenty of times.

dsingleterry Mon, 02/17/2003 - 05:15
User Badges:

Well, it's all working fine now, but here they are anyway. :)


static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0


nat (inside) 0 access-list 100

nat (inside) 10 192.168.50.13 255.255.255.255 0 0

nat (inside) 2 192.168.50.0 255.255.255.0 0 0


I don't think I need that nat 10 entry, so I'll be taking it out next time I'm at home and testing to make sure.
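A small audit script, added here as an example (it is not from the thread and not Cisco code), that parses static statements in the PIX syntax shown above, builds the inventory of inside hosts the outside address exposes, and flags two conflict cases a reviewer would want caught before a config is loaded: the same outside address/protocol/port handed to two different inside hosts, and a one-to-one static (as suggested earlier in the thread) on an address already carved up by port statics. The sample config is constructed from the thread's own lines with the one-to-one suggestion appended; the service-name table is an assumption.

```python
import re
# PIX keywords that may stand in for port numbers in static statements (assumed table).
PIX_SERVICE_PORTS = {"smtp": 25, "pop3": 110, "telnet": 23, "http": 80, "https": 443}
# Constructed sample: the four port statics from the thread plus the one-to-one
# static suggested for the same outside address, so the audit has a conflict to find.
SAMPLE_CONFIG = """\
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) MainOffice 192.168.50.13 netmask 255.255.255.255 0 0
"""
# Port static: static (in,out) {tcp|udp} global_ip global_port local_ip local_port ...
PAT_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# One-to-one static: static (in,out) global_ip local_ip netmask ...
ONE2ONE_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask")

def port(tok):
    """Resolve a PIX port keyword or a numeric port to an integer."""
    return int(tok) if tok.isdigit() else PIX_SERVICE_PORTS[tok]

def parse_statics(config):
    """One tuple per static line: ('pat', proto, gip, gport, lip, lport) or ('1to1', gip, lip)."""
    entries = []
    for line in config.splitlines():
        m = PAT_RE.match(line)
        if m:
            proto, gip, gport, lip, lport = m.groups()
            entries.append(("pat", proto, gip, port(gport), lip, port(lport)))
        elif (m := ONE2ONE_RE.match(line)):
            entries.append(("1to1", *m.groups()))
    return entries

def audit(entries):
    """Return ({(gip, proto, port): (lip, lport)} exposure inventory, [conflict findings])."""
    exposures, findings = {}, []
    for e in entries:
        if e[0] != "pat":
            continue
        _, proto, gip, gport, lip, lport = e
        key = (gip, proto, gport)
        if key in exposures and exposures[key] != (lip, lport):
            findings.append(f"{key} already maps to {exposures[key]}, also given {lip}:{lport}")
        exposures.setdefault(key, (lip, lport))
    claimed = {gip for gip, _, _ in exposures}
    for e in entries:  # a one-to-one static claims every port of its global address
        if e[0] == "1to1" and e[1] in claimed:
            findings.append(f"one-to-one static {e[1]} -> {e[2]} overlaps port statics on {e[1]}")
    return exposures, findings
```

Run `audit(parse_statics(SAMPLE_CONFIG))` to get the four exposed services and the single overlap finding; the inventory is also a handy record of exactly which inside hosts and ports the outside address reaches.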

