NAT Problem

itadebayo · ‎09-09-2007

Hi ALL

Kindly assist with this.

We use a PIX 506E with 6.3 and 1 public IP Address. We want all machines (6)on inside network to connect to Internet while Internet user can connect

to 2 services running on 2 machines inside.

Inside Machine: a) web server on 192.168.170.190 and ftp server on

192.168.170.186

PIX inside interface IP = 192.168.170.185

PIX outside interface IP = 80.1.1.1

My setup

access-list goutbound permit ip 192.168.170.184 255.255.255.248 any access-list ginside permit tcp any host 80.1.1.1 eq www

access-list ginside permit tcp any host 80.1.1.1 eq ftp

access-group goutbound in interface inside access-group ginside in interface outside

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) tcp interface www 192.168.170.190 www netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.170.186 www netmask 255.255.255.255

While we can connect to the Internet from any machine on our inside network, the static does not seem to work as we can not connect to our ftp or www

machines from the internet.

Is my access-list and acces-group ok?

Can I use static(outside,inside) instead of static (inside,outside) above?

Please help.

Thanks.

Ismail

a.alekseev · ‎09-09-2007

you need only this

access-list OUTSIDE-IN permit tcp any any eq ftp

access-list OUTSIDE-IN permit tcp any any eq www

access-group OUTSIDE-IN in interface outside

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) tcp interface www 192.168.170.190 www netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.170.186 www netmask 255.255.255.255