03-21-2004 03:59 PM
I have replaced an OpenBSD-based firewall with a PIX 501, and it seems very nearly perfect. However, there are a few PAT forwards that don't seem to be working from networks OUTSIDE our external netblock, and I cannot for the life of me figure out why.
There are several machines that are on the same external network as the firewall (99.0.7.64/26) which ARE able to access the forwarded ports that don't work from the outside. One of these is SSH forwarding 99.0.7.94 to 10.0.0.196. Machines on the 99.0.7.64/26 network can ssh to 99.0.7.94 (which is forwarded to 10.0.0.196). Machines on other external networks are unable to connect.
I will have to post my config (with substitutions for IPs and security info) in a subsequent post, as the question AND config together exceed 4000 characters...
Could someone please take a look and tell me what I've done wrong?
03-21-2004 04:06 PM
The config (missing a few lines, but the important parts are untouched):
PIX Version 6.3(3)
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit tcp any any eq ssh
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp host 99.0.7.95 host 99.0.7.94 eq 2396
access-list acl_out permit tcp host 200.4.3.100 host 99.0.7.66 eq ldap
access-list acl_out permit udp host 200.4.3.100 host 99.0.7.66 eq 389
access-list acl_out permit tcp any any eq 1111
access-list acl_out permit tcp any any eq 1935
access-list acl_out permit tcp any any eq 8500
access-list acl_out permit tcp host 200.4.3.1 host 99.0.7.86 eq 2583
access-list acl_out permit tcp any host 99.0.7.66 eq smtp
access-list acl_out permit tcp any host 99.0.7.66 eq pop3
access-list acl_out permit tcp any host 99.0.7.66 eq imap4
access-list acl_out permit udp any host 99.0.7.66 eq 143
access-list acl_out permit tcp any host 99.0.7.86 eq smtp
ip address outside 99.0.7.66 255.255.255.192
ip address inside 10.0.0.1 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.9 255.255.255.255 inside
pdm location 10.0.0.22 255.255.255.255 inside
pdm location 10.0.0.23 255.255.255.255 inside
pdm location 10.0.0.196 255.255.255.255 inside
pdm location 10.0.0.197 255.255.255.255 inside
pdm location 10.0.0.199 255.255.255.255 inside
pdm location 10.0.1.140 255.255.255.255 inside
pdm location 10.0.1.204 255.255.255.255 inside
pdm location 99.0.7.95 255.255.255.255 outside
pdm location 130.94.93.1 255.255.255.255 outside
pdm location 130.94.93.100 255.255.255.255 outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 99.0.7.92 www 10.0.1.204 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.94 ssh 10.0.0.196 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.94 2396 10.0.0.196 2396 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 www 10.0.0.22 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 1111 10.0.0.22 1111 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 1935 10.0.0.22 1935 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.87 www 10.0.0.23 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.87 8500 10.0.0.23 8500 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 81 10.0.1.140 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 smtp 10.0.0.199 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 2583 10.0.0.199 2583 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.88 www 10.0.0.197 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.90 www 10.0.0.199 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 ssh 10.0.0.199 ssh netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 99.0.7.65 1
floodguard enable
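Added example, not part of the thread or of the poster's config: a small audit script that reads the PAT statics and the `acl_out` entries quoted above and reports, for each forwarded global IP:port, which source addresses the outside ACL admits. The config excerpt embedded in the script is copied from the post above and trimmed to the lines the audit needs; the service-name-to-port table and the regular expressions are my assumptions about the PIX 6.x syntax shown here (only `static ... tcp|udp` port statics and `permit tcp|udp <any|host> <any|host> [eq port]` entries are handled, which is all the posted config uses).

```python
"""Audit a PIX 6.x config excerpt: for each inbound PAT static, which
sources does the ACL applied inbound on the outside interface admit?
Added example; not code from the original post or from Cisco."""
import re

# Service names used in the posted config, mapped to port numbers (assumption:
# the standard IANA values the PIX resolves these keywords to).
PORTS = {"ssh": 22, "www": 80, "http": 80, "smtp": 25, "pop3": 110,
         "imap4": 143, "ldap": 389, "ftp": 21, "domain": 53}

# Excerpt of the poster's config, trimmed to the lines this audit needs.
CONFIG = """\
access-list acl_out permit tcp any any eq ssh
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp host 99.0.7.95 host 99.0.7.94 eq 2396
access-list acl_out permit tcp any any eq 8500
access-list acl_out permit tcp host 200.4.3.1 host 99.0.7.86 eq 2583
access-list acl_out permit tcp any host 99.0.7.86 eq smtp
static (inside,outside) tcp 99.0.7.94 ssh 10.0.0.196 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.94 2396 10.0.0.196 2396 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.87 8500 10.0.0.23 8500 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 81 10.0.1.140 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 smtp 10.0.0.199 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.0.7.86 2583 10.0.0.199 2583 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

# Only port (PAT) statics are parsed; one-to-one "static (in,out) A B" lines are skipped.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# ACE grammar handled: permit <tcp|udp> <any|host X> <any|host Y> [eq <port>].
ACE_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) (any|host \S+) (any|host \S+)(?: eq (\S+))?")


def port(tok):
    """Resolve a PIX service keyword or numeric port string to an int."""
    return PORTS[tok] if tok in PORTS else int(tok)


def parse_statics(cfg):
    out = []
    for line in cfg.splitlines():
        m = STATIC_RE.match(line)
        if m:
            _real_if, _mapped_if, proto, gip, gport, lip, lport = m.groups()
            out.append({"proto": proto, "global_ip": gip, "global_port": port(gport),
                        "local_ip": lip, "local_port": port(lport)})
    return out


def parse_acl(cfg, name):
    aces = []
    for line in cfg.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == name:
            _, proto, src, dst, p = m.groups()
            aces.append({"proto": proto,
                         "src": "any" if src == "any" else src.split()[1],
                         "dst": "any" if dst == "any" else dst.split()[1],
                         "port": port(p) if p else None})
    return aces


def outside_acl_name(cfg):
    m = re.search(r"^access-group (\S+) in interface outside", cfg, re.M)
    return m.group(1) if m else None


def allowed_sources(static, aces):
    """Return 'any' if some ACE admits the world to this static's global socket,
    otherwise the list of host sources admitted (empty list = nothing gets in)."""
    srcs = []
    for a in aces:
        if a["proto"] != static["proto"]:
            continue
        if a["dst"] not in ("any", static["global_ip"]):
            continue
        if a["port"] is not None and a["port"] != static["global_port"]:
            continue
        if a["src"] == "any":
            return "any"
        srcs.append(a["src"])
    return srcs


def audit(cfg):
    """Map (global_ip, global_port) -> allowed sources for every PAT static."""
    aces = parse_acl(cfg, outside_acl_name(cfg))
    return {(s["global_ip"], s["global_port"]): allowed_sources(s, aces)
            for s in parse_statics(cfg)}


if __name__ == "__main__":
    for (ip, p), srcs in audit(CONFIG).items():
        print(f"{ip}:{p:<5} <- {srcs if srcs else 'NO ACL MATCH'}")
```

Run against the excerpt, the script shows ssh on 99.0.7.94 is admitted from `any`, so the rule set itself does not explain why only the local netblock could connect; 2396 on 99.0.7.94 and 2583 on 99.0.7.86 are deliberately restricted to single source hosts, and port 81 on 99.0.7.86 has no matching entry in the quoted `acl_out` at all (the poster notes the config was posted with a few lines missing, so that may simply be one of them). Two caveats: on PIX 6.x a translation slot built before a `static` was added or changed keeps its old mapping until it is cleared, which is why Cisco's documentation for `static` advises running `clear xlate` after editing translations, so an ACL audit like this one rules out the access list but not stale xlates; and any entries in the full config that use subnet masks or port ranges would need the regular expressions extended before the results could be trusted.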
03-21-2004 04:18 PM
Moments later, on a whim...
I issued "clear xlate", and within moments everything was perfect.
I'm not sure WHY that was necessary, because I hadn't made any changes to the device since setting the rules, writing it to memory, and rebooting (just to be sure I had gotten it right). But at any rate, it does seem to be working wonderfully.