
New Member

Qst about Cisco PIX 515E With Cisco PIX Security Appliance Software Version 7.0(6)

Hi,

I have Cisco PIX 515E With Cisco PIX Security Appliance Software Version 7.0(6).

We are using three interfaces. One outside, second WEB(for web server) & third DB(for database server)

We have published our web server and so available from public network.

Now, I want to access my website(web server) from inside network(servers connected to WEB interface) with public IP address. But it is not working.

When I try from inside of the network, the packet is handled by the default route and sent onto the outside interface. At that point, the packet disappears because the PIX does not turn the packet around and send it back inside. In fact, I'm not even sure that the NAT rules come into play in this scenario.

So, is it possible to hit external IP of my web server from internally?

If yes, then how?

Regards,

Anil Oza

18 REPLIES

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Hi,

Yes you can do it.

Let's say your internal network is 10.10.10.0/24

Your server dmz: 172.16.1.0/24

Outside: 200.200.200.0/24

If you want to access the dmz server from your internal network, normally you have to use the 172.16.1.x address.

If you want to access it with the public IP (200.200.200.x), then you do the following:

static (dmz,inside) 200.200.200.x 172.16.1.x

Federico.

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Hi,

I have followed the same step but still I can not access it from my dmz(in my case WA interface) network.

I am getting the below error.

%PIX-3-305005: No translation group found for tcp src WA:x.x.x.x/4447 dst outside:x.x.x.x/443

Below is some part of my PIX config

There are 4 interfaces.

1 interface - outside 92.60.xx.x

2 interface - WA 10.38.33.x

3 interface - DB 10.38.35.x

4 interface - inside 10.38.37.x

object-group icmp-type TRACERT-PING-RESPONSE
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable

object-group network WEB-HOSTS
network-object host 92.60.xx.x

object-group network WEB-HOSTS-SSL
network-object host 92.60.xx.x

object-group service WEB-PORTS tcp
port-object eq www
port-object eq https

access-list OUTSIDE extended permit icmp any any object-group TRACERT-PING-RESPONSE
access-list OUTSIDE extended permit tcp any object-group WEB-HOSTS object-group WEB-PORTS
access-list OUTSIDE extended permit tcp any object-group WEB-HOSTS-SSL eq https
access-list WA extended permit tcp any any object-group WEB-PORTS

nat-control
global (outside) 1 92.60.xx.x
global (outside) 2 92.60.xx.x
global (WA) 1 10.38.47.1-10.38.47.254
global (DB) 1 10.38.45.201-10.38.45.205
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.38.47.0 255.255.255.0
nat (WA) 0 access-list NO-NAT
nat (WA) 1 10.38.43.0 255.255.255.0
nat (DB) 0 access-list NO-NAT
nat (DB) 2 10.38.45.0 255.255.255.0
static (WA,outside) 92.60.xx.xx 10.38.43.33 netmask 255.255.255.255
static (outside,WA) 10.38.43.33 92.60.xx.xx netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group WA in interface WA
access-group DB in interface DB
route outside 0.0.0.0 0.0.0.0 92.60.xx.x 1

Let me know if you need more information .

Thanks,

Anil Oza

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Hi Anil,

What I get is that you have a server located on the WA interface and you want to access it from some other interface with its publicly mapped IP, right? Can you tell me from which interface you want to access this server which is on the WA interface?

Ashu

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Hi Ashu,

I want to access it from WA interface.

Thanks,

Anil

Super Bronze

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

You do not need this line (static statement is bidirectional):

static (outside,WA) 10.38.43.33 92.60.xx.xx netmask 255.255.255.255

(The above line can safely be removed as long as you have the following line:

static (WA,outside) 92.60.xx.xx 10.38.43.33 netmask 255.255.255.255)

To access the public ip address of the WA server from your inside network, you would need the following 2 statements:

static (inside,WA) 10.38.37.0 10.38.37.0 netmask 255.255.255.0

static (WA,inside) 92.60.xx.xx 10.38.43.33 netmask 255.255.255.255

And lastly "clear xlate" for the new configuration to work.

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Hi,

I want to access it from WA interface not from inside interface.

Regards,

Anil

Super Bronze

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

If you would like to access the WA server (10.38.43.33) from the WA subnet (10.38.43.0/24) using its public ip address (92.60.xx.xx), then here is the config:

global (WA) 1 interface

same-security-traffic permit intra-interface

static (WA,WA) 92.60.xx.xx 10.38.43.33 netmask 255.255.255.255

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

hi,

As per your suggestion, I have added the below lines:

global (WA) 1 interface

same-security-traffic permit intra-interface

static (WA,WA) 92.60.xx.xx 10.38.43.33 netmask 255.255.255.255

But it is still not working. Also, there are no errors in the PIX log.

Thanks,

Anil

Super Bronze

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Proxy arp is also enabled on WA interface?

You should have the "no sysopt noproxyarp WA" command.

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

No, Proxy arp is not enabled on WA interface.

Super Bronze

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

You should enable proxy arp on WA interface for it to work.

Configure: no sysopt noproxyarp WA

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

I did that. Still it is not working.

If you want, I can send you my config file.

Super Bronze

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Yes, please feel free to send me the whole config file. Thanks.

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Hi Anil,

As suggested by halijenn, it should work with the following config:

global (WA) 1 interface

same-security-traffic permit intra-interface

static (WA,WA) 92.60.xx.xx 10.38.43.33 netmask 255.255.255.255

However, the catch is that the "same-security-traffic permit intra-interface" command is applicable for clear text traffic starting 7.2.x onwards. So, please upgrade the code to 7.2.4 and try again.

HTH

Ashu

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Hi,

Please find the attachment for PIX config.

Thanks,

Anil Oza

Super Bronze

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Hi Anil,

As Ashu advised earlier, you would need to upgrade the PIX to at least version 7.2.1 for the "same-security-traffic permit intra-interface" command to work for clear text traffic (as in your case).

Please upgrade the PIX to version 7.2.1 (I would recommend 7.2.4, as Ashu advised) and what you are trying to achieve will work.
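As an added illustration (not code from the thread or from Cisco), the following is a simplified Python model of the PIX 7.x per-packet NAT lookup that reproduces the thread's outcome: on the original config a WA host's packet to the server's public address leaves via the outside interface, and only the static (WA,WA), the WA global and "same-security-traffic permit intra-interface" on a 7.2(1)+ image turn it back in. The check order, the interface names and the constructed public address 92.60.1.33 (the thread masks it as 92.60.xx.xx) are assumptions of this model, not a description of the PIX internals.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: the thread masks its public space as 92.60.xx.xx.
SERVER_PUBLIC, SERVER_REAL = "92.60.1.33", "10.38.43.33"

def base_config():
    """The poster's relevant lines as they stand on PIX 7.0(6) (simplified model)."""
    return {
        "version": (7, 0, 6),
        "intra_interface": False,             # no same-security-traffic permit intra-interface
        # (real_if, mapped_if, mapped, real)  <- static (WA,outside) 92.60.xx.xx 10.38.43.33
        "statics": [("WA", "outside", SERVER_PUBLIC, SERVER_REAL)],
        "nat": {"WA": (1, "10.38.43.0/24")},  # nat (WA) 1 10.38.43.0 255.255.255.0
        "globals": {("outside", 1): "pat"},   # global (outside) 1 <address>
    }

def hairpin_config():
    """base_config plus the three lines recommended in the thread, on a 7.2.x image."""
    cfg = base_config()
    cfg["version"] = (7, 2, 4)
    cfg["intra_interface"] = True                                    # same-security-traffic permit intra-interface
    cfg["statics"].append(("WA", "WA", SERVER_PUBLIC, SERVER_REAL))  # static (WA,WA) 92.60.xx.xx 10.38.43.33
    cfg["globals"][("WA", 1)] = "interface"                          # global (WA) 1 interface
    return cfg

def forward(cfg, ingress, src, dst):
    """Decide one packet: ('ok', egress_if, real_dst) or ('drop', reason)."""
    egress, real_dst = "outside", dst  # default route 0.0.0.0/0 points at outside
    for real_if, mapped_if, mapped, real in cfg["statics"]:
        if mapped_if == ingress and mapped == dst:  # destination hits a static's mapped address
            egress, real_dst = real_if, real
            break
    if egress == ingress:  # hairpin: packet must go back out the interface it arrived on
        if not cfg["intra_interface"]:
            return ("drop", "intra-interface traffic not permitted")
        if cfg["version"] < (7, 2, 1):
            return ("drop", "clear-text intra-interface traffic needs 7.2(1) or later")
    # nat-control: the source needs a static or a nat/global pair for ingress -> egress
    for real_if, mapped_if, _, real in cfg["statics"]:
        if (real_if, mapped_if) == (ingress, egress) and src == real:
            return ("ok", egress, real_dst)
    nat_id, nat_net = cfg["nat"].get(ingress, (None, None))
    if nat_id and ip_address(src) in ip_network(nat_net) and (egress, nat_id) in cfg["globals"]:
        return ("ok", egress, real_dst)
    return ("drop", f"No translation group found for src {ingress}:{src} dst {egress}:{dst}")
```

Removing any one of the three lines, or keeping the 7.0(6) version tuple, makes the hairpin case drop with the corresponding reason, which is a quick way to see which part of the fix a given config is missing.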

New Member

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Thanks to both of you for help.

Last question... what is clear text traffic? Does it mean it will work only for http and not for https?

Super Bronze

Re: Qst about Cisco PIX 515E With Cisco PIX Security Appliance S

Clear text means it is not encrypted through IPSec VPN tunnel.
