Why is my static doing this?

Jun 1st, 2006
Hi- hope someone can help with this one.

I've a PIX501, with a fairly basic config: patting an RFC1918 network on a single public IP (PIX's outside interface), PIX is a PPTP server with local authentication, and, up until now, any traffic has originated on the inside and is headed outbound.

Anyway: I now want to forward https (443 on tcp) into my network, to allow Microsoft webmail into one of my servers, on 192.168.2. Fairly straightforward, you would think...

So, I add the following 3 lines:

- access-list webmail_in permit tcp any host (PIX-EXTERNAL-IP-ADDRESS) eq https
- access-group webmail_in in interface outside
- static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255 0 0

However- after I add the static in, oddly, this then knocks out internet access to my other LAN clients- apart from the server on 192.168.1.2!

I'm really stuck on this one.

Anyway, if anyone cares to delve in, here's my sanitised config:



----------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (changed) encrypted
passwd (changed) encrypted
hostname (changed)
domain-name (changed)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list webmail_in permit tcp any host (PIX-EXTERNAL-IP-ADDRESS) eq https
pager lines 100
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside (PIX-EXTERNAL-IP-ADDRESS)
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.100-192.168.1.150
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255 0 0
access-group webmail_in in interface outside
route outside 0.0.0.0 0.0.0.0 (NEXT HOP) 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community dascapito
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group pptp-vpn accept dialin pptp
vpdn group pptp-vpn ppp authentication mschap
vpdn group pptp-vpn ppp encryption mppe auto
vpdn group pptp-vpn client configuration address local vpnpool
vpdn group pptp-vpn client configuration dns 192.168.1.2
vpdn group pptp-vpn client configuration wins 192.168.1.2
vpdn group pptp-vpn pptp echo 60
vpdn group pptp-vpn client authentication local
vpdn username (username) password (password)
vpdn enable outside
terminal width 80
----------------------------------------


TIA-

Gary


cpembleton Thu, 06/01/2006 - 11:36
Your config is a little off. You have only 1 external IP address, so if you static that address to 1 internal host, all other hosts won't have an address to translate. The static needs to have the TCP port translation. Try the following:

static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255 0 0
access-list webmail_in permit tcp any interface outside eq 443
access-group webmail_in in interface outside

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic9

Thanks,

Chad
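The failure mode in this thread, a one-to-one static on the outside interface address colliding with `global (outside) 1 interface` PAT, is easy to catch by auditing the config text before pushing it. The following is an added example (not code from the thread or from Cisco): a small Python check that flags a full static on an interface that is also the PAT global, and that lists the port-level statics Chad's fix uses instead. The two config fragments are constructed from the lines in this thread with placeholder addresses.

```python
import re

# Constructed PIX 6.3-style fragments, modelled on this thread (placeholder addresses).
BROKEN_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255 0 0
access-list webmail_in permit tcp any interface outside eq 443
"""

FIXED_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255 0 0
access-list webmail_in permit tcp any interface outside eq 443
"""

# One-to-one static that maps the whole outside interface address to one host.
FULL_STATIC = re.compile(
    r"^static \((\S+),(\S+)\) interface (\S+) netmask 255\.255\.255\.255\b")
# Port-level static: "static (in,out) tcp|udp interface <port> <host> <port>".
PORT_STATIC = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) interface (\d+) (\S+) (\d+)\b")
# Dynamic PAT onto an interface address: "global (<iface>) <id> interface".
PAT_GLOBAL = re.compile(r"^global \((\S+)\) \d+ interface$")


def audit_statics(config: str) -> list:
    """Return findings for full statics on an interface that is also a PAT global."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    pat_ifaces = set()
    for line in lines:
        m = PAT_GLOBAL.match(line)
        if m:
            pat_ifaces.add(m.group(1))
    findings = []
    for line in lines:
        m = FULL_STATIC.match(line)
        if m and m.group(2) in pat_ifaces:
            findings.append(
                f"{line!r}: one-to-one static takes the whole {m.group(2)} interface "
                f"address, so PAT has nothing left for other inside hosts; use "
                f"'static ({m.group(1)},{m.group(2)}) tcp interface <port> "
                f"{m.group(3)} <port> netmask 255.255.255.255 0 0' instead")
    return findings


def port_statics(config: str) -> list:
    """Return (proto, outside_port, inside_host, inside_port) for each port static."""
    found = []
    for line in config.splitlines():
        m = PORT_STATIC.match(line.strip())
        if m:
            found.append((m.group(3), int(m.group(4)), m.group(5), int(m.group(6))))
    return found
```

Run `audit_statics` over a config before applying it: the broken fragment yields one finding, the corrected one yields none and exposes a single tcp/443 port static.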

0r8it Thu, 06/01/2006 - 13:02
Chad, thanks a lot. I had assumed that the acl would cover what the static would translate, port-wise. I will try this out.

Cheers-

Gary
