PIX 515 NAT/PcAnywhere help

Aug 21st, 2003

I'm in the process of writing a config for our PIX 515 that will allow telecommuters to work from home using PcAnywhere. We had a previous config on our router that did what we needed, but now that I'm putting a PIX in between the router and the internal network, I am kind of stumped. I'll reply to this post with the PIX config since this is too long. Here is the NAT portion of our current router config that has been working for years:



interface Ethernet0/0
 ip address 216.x.x.x 255.255.255.224
 ip nat outside
!
interface Serial0/0
!
interface Ethernet1/0
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
!
ip nat pool HCDM 216.x.x.x 216.x.x.x netmask 255.255.255.224
ip nat inside source list 101 interface Ethernet0/0 overload
ip nat inside source static 10.0.0.2 216.x.x.x
ip nat inside source static 10.0.0.5 216.x.x.x
ip nat inside source static 10.0.0.7 216.x.x.x
ip nat inside source static 10.0.0.8 216.x.x.x
ip nat inside source static 10.0.0.10 216.x.x.x
ip nat inside source static 10.0.0.9 216.x.x.x
ip nat inside source static 10.0.0.11 216.x.x.x
ip nat inside source static 10.0.0.12 216.x.x.x
ip nat inside source static 10.0.0.13 216.x.x.x
ip nat inside source static 10.0.0.14 216.x.x.x
ip nat inside source static tcp 10.0.0.30 5631 216.x.x.90 5030 extendable
ip nat inside source static tcp 10.0.0.31 5631 216.x.x.90 5032 extendable
ip nat inside source static tcp 10.0.0.32 5631 216.x.x.90 5034 extendable
ip nat inside source static tcp 10.0.0.33 5631 216.x.x.90 5036 extendable
ip nat inside source static tcp 10.0.0.34 5631 216.x.x.90 5038 extendable
ip nat inside source static tcp 10.0.0.35 5631 216.x.x.90 5040 extendable
ip nat inside source static tcp 10.0.0.36 5631 216.x.x.90 5042 extendable
ip nat inside source static tcp 10.0.0.37 5631 216.x.x.90 5044 extendable
ip nat inside source static tcp 10.0.0.38 5631 216.x.x.90 5046 extendable
ip nat inside source static tcp 10.0.0.39 5631 216.x.x.90 5048 extendable
ip nat inside source static tcp 10.0.0.40 5631 216.x.x.90 5050 extendable
ip nat inside source static tcp 10.0.0.41 5631 216.x.x.90 5052 extendable
ip nat inside source static tcp 10.0.0.42 5631 216.x.x.90 5054 extendable
ip nat inside source static tcp 10.0.0.43 5631 216.x.x.90 5056 extendable
ip nat inside source static tcp 10.0.0.44 5631 216.x.x.90 5058 extendable
ip nat inside source static tcp 10.0.0.45 5631 216.x.x.90 5060 extendable
ip nat inside source static tcp 10.0.0.46 5631 216.x.x.90 5062 extendable
ip nat inside source static tcp 10.0.0.47 5631 216.x.x.90 5064 extendable
ip nat inside source static tcp 10.0.0.48 5631 216.x.x.90 5066 extendable
ip nat inside source static tcp 10.0.0.49 5631 216.x.x.90 5068 extendable
ip nat inside source static tcp 10.0.0.50 5631 216.x.x.90 5070 extendable
ip nat inside source static tcp 10.0.0.51 5631 216.x.x.90 5072 extendable
ip nat inside source static tcp 10.0.0.52 5631 216.x.x.90 5074 extendable
ip nat inside source static tcp 10.0.0.53 5631 216.x.x.90 5076 extendable
ip nat inside source static tcp 10.0.0.54 5631 216.x.x.90 5078 extendable
ip nat inside source static tcp 10.0.0.55 5631 216.x.x.90 5080 extendable
ip nat inside source static udp 10.0.0.30 5632 216.x.x.90 5031 extendable
ip nat inside source static udp 10.0.0.31 5632 216.x.x.90 5033 extendable
ip nat inside source static udp 10.0.0.32 5632 216.x.x.90 5035 extendable
ip nat inside source static udp 10.0.0.33 5632 216.x.x.90 5037 extendable
ip nat inside source static udp 10.0.0.34 5632 216.x.x.90 5039 extendable
ip nat inside source static udp 10.0.0.35 5632 216.x.x.90 5041 extendable
ip nat inside source static udp 10.0.0.36 5632 216.x.x.90 5043 extendable
ip nat inside source static udp 10.0.0.37 5632 216.x.x.90 5045 extendable
ip nat inside source static udp 10.0.0.38 5632 216.x.x.90 5047 extendable
ip nat inside source static udp 10.0.0.39 5632 216.x.x.90 5049 extendable
ip nat inside source static udp 10.0.0.40 5632 216.x.x.90 5051 extendable
ip nat inside source static udp 10.0.0.41 5632 216.x.x.90 5053 extendable
ip nat inside source static udp 10.0.0.42 5632 216.x.x.90 5055 extendable
ip nat inside source static udp 10.0.0.43 5632 216.x.x.90 5057 extendable
ip nat inside source static udp 10.0.0.44 5632 216.x.x.90 5059 extendable
ip nat inside source static udp 10.0.0.45 5632 216.x.x.90 5061 extendable
ip nat inside source static udp 10.0.0.46 5632 216.x.x.90 5063 extendable
ip nat inside source static udp 10.0.0.47 5632 216.x.x.90 5065 extendable
ip nat inside source static udp 10.0.0.48 5632 216.x.x.90 5067 extendable
ip nat inside source static udp 10.0.0.49 5632 216.x.x.90 5069 extendable
ip nat inside source static udp 10.0.0.50 5632 216.x.x.90 5071 extendable
ip nat inside source static udp 10.0.0.51 5632 216.x.x.90 5073 extendable
ip nat inside source static udp 10.0.0.52 5632 216.x.x.90 5075 extendable
ip nat inside source static udp 10.0.0.53 5632 216.x.x.90 5077 extendable
ip nat inside source static udp 10.0.0.54 5632 216.x.x.90 5079 extendable
ip nat inside source static udp 10.0.0.55 5632 216.x.x.90 5081 extendable
ip nat inside source static 10.0.0.3 216.x.x.x
ip nat inside source static 10.0.0.4 216.x.x.x
ip nat inside source static tcp 10.0.0.56 5631 216.x.x.91 5030 extendable
ip nat inside source static tcp 10.0.0.57 5631 216.x.x.91 5032 extendable
ip nat inside source static tcp 10.0.0.58 5631 216.x.x.91 5034 extendable
ip nat inside source static tcp 10.0.0.59 5631 216.x.x.91 5036 extendable
ip nat inside source static tcp 10.0.0.60 5631 216.x.x.91 5038 extendable
ip nat inside source static tcp 10.0.0.61 5631 216.x.x.91 5040 extendable
ip nat inside source static tcp 10.0.0.62 5631 216.x.x.91 5042 extendable
ip nat inside source static tcp 10.0.0.63 5631 216.x.x.91 5044 extendable
ip nat inside source static tcp 10.0.0.64 5631 216.x.x.91 5046 extendable
ip nat inside source static tcp 10.0.0.65 5631 216.x.x.91 5048 extendable
ip nat inside source static tcp 10.0.0.66 5631 216.x.x.91 5050 extendable
ip nat inside source static tcp 10.0.0.67 5631 216.x.x.91 5052 extendable
ip nat inside source static tcp 10.0.0.68 5631 216.x.x.91 5054 extendable
ip nat inside source static tcp 10.0.0.69 5631 216.x.x.91 5056 extendable
ip nat inside source static tcp 10.0.0.70 5631 216.x.x.91 5058 extendable
ip nat inside source static tcp 10.0.0.71 5631 216.x.x.91 5060 extendable
ip nat inside source static tcp 10.0.0.72 5631 216.x.x.91 5062 extendable
ip nat inside source static tcp 10.0.0.73 5631 216.x.x.91 5064 extendable
ip nat inside source static tcp 10.0.0.74 5631 216.x.x.91 5066 extendable
ip nat inside source static tcp 10.0.0.75 5631 216.x.x.91 5068 extendable
ip nat inside source static tcp 10.0.0.76 5631 216.x.x.91 5070 extendable
ip nat inside source static tcp 10.0.0.77 5631 216.x.x.91 5072 extendable
ip nat inside source static tcp 10.0.0.78 5631 216.x.x.91 5074 extendable
ip nat inside source static tcp 10.0.0.79 5631 216.x.x.91 5076 extendable
ip nat inside source static udp 10.0.0.56 5632 216.x.x.91 5031 extendable
ip nat inside source static udp 10.0.0.57 5632 216.x.x.91 5033 extendable
ip nat inside source static udp 10.0.0.58 5632 216.x.x.91 5035 extendable
ip nat inside source static udp 10.0.0.59 5632 216.x.x.91 5037 extendable
ip nat inside source static udp 10.0.0.60 5632 216.x.x.91 5039 extendable
ip nat inside source static udp 10.0.0.61 5632 216.x.x.91 5041 extendable
ip nat inside source static udp 10.0.0.62 5632 216.x.x.91 5043 extendable
ip nat inside source static udp 10.0.0.63 5632 216.x.x.91 5045 extendable
ip nat inside source static udp 10.0.0.64 5632 216.x.x.91 5047 extendable
ip nat inside source static udp 10.0.0.65 5632 216.x.x.91 5049 extendable
ip nat inside source static udp 10.0.0.66 5632 216.x.x.91 5051 extendable
ip nat inside source static udp 10.0.0.67 5632 216.x.x.91 5053 extendable
ip nat inside source static udp 10.0.0.68 5632 216.x.x.91 5055 extendable
ip nat inside source static udp 10.0.0.69 5632 216.x.x.91 5057 extendable
ip nat inside source static udp 10.0.0.70 5632 216.x.x.91 5059 extendable
ip nat inside source static udp 10.0.0.71 5632 216.x.x.91 5061 extendable
ip nat inside source static udp 10.0.0.72 5632 216.x.x.91 5063 extendable
ip nat inside source static udp 10.0.0.73 5632 216.x.x.91 5065 extendable
ip nat inside source static udp 10.0.0.74 5632 216.x.x.91 5067 extendable
ip nat inside source static udp 10.0.0.75 5632 216.x.x.91 5069 extendable
ip nat inside source static udp 10.0.0.76 5632 216.x.x.91 5071 extendable
ip nat inside source static udp 10.0.0.77 5632 216.x.x.91 5073 extendable
ip nat inside source static udp 10.0.0.78 5632 216.x.x.91 5075 extendable
ip nat inside source static udp 10.0.0.79 5632 216.x.x.91 5077 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.x.x.x
!


abruso Thu, 08/21/2003 - 09:07

Here is the PIX config I am working on. Not sure how to get NAT to work with PcAnywhere like it does in the router. Will it work how it is set up now?


PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password
hostname xxx
domain-name xxx.xxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 216.x.x.93 eq www
access-list outside_access_in permit tcp host 216.x.x.82 host 216.x.x.93 eq smtp
access-list outside_access_in permit tcp any host 216.x.x.92 eq syslog
access-list outside_access_in permit tcp any host 216.x.x.93 eq 443
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered errors
logging trap debugging
logging history errors
logging host dmz 192.168.0.5
mtu outside 1500
mtu inside 1500
mtu Corp-DMZ 1500
mtu Training 1500
mtu Future-DMZ 1500
mtu State-Fail 1500
ip address outside 216.x.x.94 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 3
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (Corp-DMZ) 1 0.0.0.0 0.0.0.0 0 0
nat (Training) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 216.x.x.93 192.168.0.100 netmask 255.255.255.255 0 0
static (dmz,outside) 216.x.x.92 192.168.0.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.27.224.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn enable outside
vpdn enable inside
terminal width 80

edmonds_robert Thu, 08/21/2003 - 09:27

I don't see any access-list allowing PCAnywhere traffic.

access-list acl_outside permit tcp host host eq pcanywhere-data
access-list acl_outside permit udp host host eq pcanywhere-status

Unless I'm totally missing something (which I do at times), you'll need those lines. The bad part is, you will have to add those for each PAT translation you have built.
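To show what the reply means in practice, here is an added Python helper (not from the thread, not Cisco's code) that converts the router's IOS `ip nat inside source static tcp|udp` lines into PIX 6.x port-redirection `static` statements plus the matching access-list entry for each translation. It assumes the `inside`/`outside` interface names and the `outside_access_in` ACL from the posted PIX config; the sample IOS lines are copied from the router config above, with the page's masked `216.x.x.90` address kept as an opaque token.

```python
import re

# Constructed sample: four lines copied from the router config in the thread.
# Addresses are treated as opaque tokens, so the masked 216.x.x.90 works as-is.
IOS_LINES = """
ip nat inside source static tcp 10.0.0.30 5631 216.x.x.90 5030 extendable
ip nat inside source static udp 10.0.0.30 5632 216.x.x.90 5031 extendable
ip nat inside source static tcp 10.0.0.31 5631 216.x.x.90 5032 extendable
ip nat inside source static 10.0.0.2 216.x.x.x
"""

IOS_PORT_STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b"
)


def parse_ios_port_statics(text):
    """Return (proto, inside_ip, inside_port, global_ip, global_port) tuples.
    Plain 1:1 statics (no protocol/port) are skipped: they map to a different
    PIX 'static' form and are not the per-port case the reply is about."""
    rules = []
    for line in text.splitlines():
        m = IOS_PORT_STATIC.match(line.strip())
        if m:
            proto, in_ip, in_port, gl_ip, gl_port = m.groups()
            rules.append((proto, in_ip, int(in_port), gl_ip, int(gl_port)))
    return rules


def to_pix(rules, acl="outside_access_in", source="any"):
    """Emit one PIX port-redirection 'static' and one access-list entry per
    translation: unlike the router, the PIX drops inbound traffic that no ACL
    on the outside interface permits, so a static alone is not enough.
    'source' defaults to 'any' to match the router's behaviour; passing a
    'host <ip>' per telecommuter narrows who can reach each PcAnywhere
    listener (assumed policy choice, not something the thread prescribes)."""
    statics, acls = [], []
    for proto, in_ip, in_port, gl_ip, gl_port in rules:
        statics.append(
            f"static (inside,outside) {proto} {gl_ip} {gl_port} "
            f"{in_ip} {in_port} netmask 255.255.255.255 0 0"
        )
        acls.append(
            f"access-list {acl} permit {proto} {source} host {gl_ip} eq {gl_port}"
        )
    return statics + acls


if __name__ == "__main__":
    print("\n".join(to_pix(parse_ios_port_statics(IOS_LINES))))
```

The emitted lines coexist with the existing `nat (inside) 1` / `global (outside) 1 interface` pair, since PIX evaluates `static` translations before the dynamic ones.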
