×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Strange PAT failure with PIX 501

Unanswered Question
Mar 21st, 2004
User Badges:
  • Bronze, 100 points or more

I have replaced an OpenBSD-based firewall with a PIX 501 and it seems very nearly perfect. However, there are a few PAT forwards that don't seem to be working from networks OUTSIDE our external netblock, and I can not for the life of me figure out why.


There are several machines that are on the same external network as the firewall (99.0.7.64/26) which ARE able to access the forwarded ports that don't work from the outside. One of these is SSH forwarding 99.0.7.94 to 10.0.0.196. Machines on the 99.0.7.64/26 network can ssh to 99.0.7.94 (which is forwarded to 10.0.0.196.) Machines on other external networks are unable to connect.


I will have to post my config (with substitutions for IPs and security info.) in a subsequent post, as the question AND config exceed 4000 characters...


Could someone please take a look and tell me what I've done wrong?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Anonymous (not verified) Sun, 03/21/2004 - 16:06
User Badges:

The config (missing a few lines, but the important parts are untouched):


PIX Version 6.3(3)

no fixup protocol dns

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

no fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_out permit icmp any any echo-reply

access-list acl_out permit icmp any any time-exceeded

access-list acl_out permit icmp any any unreachable

access-list acl_out permit tcp any any eq ssh

access-list acl_out permit tcp any any eq www

access-list acl_out permit tcp host 99.0.7.95 host 99.0.7.94 eq 2396

access-list acl_out permit tcp host 200.4.3.100 host 99.0.7.66 eq ldap

access-list acl_out permit udp host 200.4.3.100 host 99.0.7.66 eq 389

access-list acl_out permit tcp any any eq 1111

access-list acl_out permit tcp any any eq 1935

access-list acl_out permit tcp any any eq 8500

access-list acl_out permit tcp host 200.4.3.1 host 99.0.7.86 eq 2583

access-list acl_out permit tcp any host 99.0.7.66 eq smtp

access-list acl_out permit tcp any host 99.0.7.66 eq pop3

access-list acl_out permit tcp any host 99.0.7.66 eq imap4

access-list acl_out permit udp any host 99.0.7.66 eq 143

access-list acl_out permit tcp any host 99.0.7.86 eq smtp

ip address outside 99.0.7.66 255.255.255.192

ip address inside 10.0.0.1 255.255.254.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.9 255.255.255.255 inside

pdm location 10.0.0.22 255.255.255.255 inside

pdm location 10.0.0.23 255.255.255.255 inside

pdm location 10.0.0.196 255.255.255.255 inside

pdm location 10.0.0.197 255.255.255.255 inside

pdm location 10.0.0.199 255.255.255.255 inside

pdm location 10.0.1.140 255.255.255.255 inside

pdm location 10.0.1.204 255.255.255.255 inside

pdm location 99.0.7.95 255.255.255.255 outside

pdm location 130.94.93.1 255.255.255.255 outside

pdm location 130.94.93.100 255.255.255.255 outside

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 99.0.7.92 www 10.0.1.204 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.94 ssh 10.0.0.196 ssh netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.94 2396 10.0.0.196 2396 netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.86 www 10.0.0.22 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.86 1111 10.0.0.22 1111 netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.86 1935 10.0.0.22 1935 netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.87 www 10.0.0.23 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.87 8500 10.0.0.23 8500 netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.86 81 10.0.1.140 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.86 smtp 10.0.0.199 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.86 2583 10.0.0.199 2583 netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.88 www 10.0.0.197 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.90 www 10.0.0.199 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 99.0.7.86 ssh 10.0.0.199 ssh netmask 255.255.255.255 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 99.0.7.65 1

floodguard enable

Anonymous (not verified) Sun, 03/21/2004 - 16:18
User Badges:

Moments later, on a whim...


I issued "clear xlate", and within moments everything was perfect.


I'm not sure WHY that was necessary, because I hadn't made any changes to the device since setting the rules, writing it to memory, and rebooting (just to be sure I had gotten it right.) But at any rate, it does seem to be working wonderfully.

Actions

This Discussion