I have a PIX 515e firewall with OS version 6.3(3). Today I am doing static NATing on this but facing a strange problem: static NAT is not working. My ACL is okay.
However, a couple of weeks before I did the same thing successfully.
Please help me out.
I am entering the following commands for static NATing:
static (inside,outside) *.*.*.* 192.168.0.213 netmask 255.255.255.255
access-list outside_int permit tcp any host *.*.*.* eq www
access-list outside_int permit tcp any host *.*.*.* eq https
access-list outside_int permit ip any host *.*.*.*
I don't think the issue is the commands. I have done the same static NATing before many times, but this time it's not working.
One of my friends told me to use the "clear xlate" command or restart the firewall.
Could there be a problem with the public IP address you are using? Is there perhaps a typo in the IP address? Could you have accidentally used a broadcast/network address?
Have you checked if the new ACL rules are getting any hitcount when you test connections to this statically NATed host?
Have you monitored the logs when testing the connections? Do you see the connection attempt forming through the firewall? Perhaps the problem is at the actual server? It might have misconfigured network settings, a software firewall or something similar causing the problems?
Can you please tell me how I see the connection attempt? And how do I verify static NATing?
ACLs are already implemented and working fine; I just made an amendment regarding IP addresses. And ACLs are working with other static NATing.
I checked with my ISP about the live IP. It's okay.
Well, both your firewall hardware and software are very, very old, so that already prevents us from using some useful tools the more up-to-date devices can use.
I would suggest checking the device log through the CLI, or through the graphical user interface if you have access to one on the firewall.
The command for the log would be "show logging", but depending on how many connections are formed through the firewall it might be hard to catch the correct logs on the CLI.
Naturally a great option would be the Syslog server if you are using one and sending the firewall log messages to a separate Syslog server.
I would still like to see the ACL rule hitcounts on the actual ACL with "show access-list" to confirm that traffic is hitting the ACL configured for this Static NAT IP address.
You could also check
show xlate | inc
to confirm that the translation is showing up. I am not sure if it's a hardware-related thing, but on some Cisco devices the static NAT translation doesn't show up in the translation table until there is some traffic to the host. On newer devices I think the static NAT entry is always present.
I would still suggest going through the whole path from the server to the firewall and double/triple checking that everything is OK. I would also suggest trying to test connectivity to the host with other services like ICMP or whatever you might be running on the server.
I don't think you need to do anything on any switch. There is no need to add any MAC address anywhere. I would imagine that in some cases a static ARP entry might be entered on some device, but I am not sure what the case here is.
As you have only provided the configuration for the new host and not the complete configuration, I can't take it into account when trying to think what the problem could be. The problem could even be that the server is actually not behind the "inside" interface and perhaps behind some "dmz" interface, and this is why it's not working. But as I said, I can't see your configuration, so I can only guess and suggest what to check.
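The log checks suggested in the reply above (does the connection get built, is it denied by the outside ACL, or does the firewall report no translation) can be scripted against the messages forwarded to a syslog host. This is an added example, not code from the thread; the message shapes follow the PIX 6.x 302013, 106023 and 305005 families but are assumed, and the sample lines are constructed with documentation addresses.

```python
import re

# Message shapes for the three PIX 6.x syslog IDs most useful here (assumed
# from their documented families, not copied from this thread).
BUILT    = re.compile(r"%PIX-6-302013: Built inbound (\w+) connection \d+ for "
                      r"\S+ \(\S+\) to \w+:(\S+)/(\d+) \((\S+)/(\d+)\)")
ACL_DENY = re.compile(r'%PIX-4-106023: Deny (\w+) src \S+ dst \w+:(\S+)/(\d+) '
                      r'by access-group "(\S+)"')
NO_XLATE = re.compile(r"%PIX-3-305005: No translation group found for (\w+) "
                      r"src \S+ dst \w+:(\S+)/(\d+)")

# Constructed sample lines (documentation addresses), not real firewall output.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1201 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:192.168.0.213/80 (198.51.100.20/80)
%PIX-4-106023: Deny tcp src outside:203.0.113.8/40000 dst outside:198.51.100.20/443 by access-group "outside_int"
%PIX-3-305005: No translation group found for tcp src outside:203.0.113.9/40001 dst inside:198.51.100.21/80
%PIX-6-302014: Teardown TCP connection 1201 for outside:203.0.113.7/51234 to inside:192.168.0.213/80 duration 0:00:05 bytes 1234 TCP FINs
"""

def classify_line(line):
    """Return (public_ip, port, verdict) for a line about inbound traffic, else None."""
    if m := BUILT.search(line):
        # Connection formed: the ACL permitted it and the xlate existed.
        return m.group(4), int(m.group(5)), "built"
    if m := ACL_DENY.search(line):
        return m.group(2), int(m.group(3)), "acl-deny:" + m.group(4)
    if m := NO_XLATE.search(line):
        # Packet reached the firewall but no static/xlate matched it: the
        # symptom to look for when a static appears to "stop working".
        return m.group(2), int(m.group(3)), "no-translation"
    return None

def triage(log_text, public_ip):
    """Per destination port, what the firewall did with traffic to public_ip."""
    verdicts = {}
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit and hit[0] == public_ip:
            verdicts.setdefault(hit[1], set()).add(hit[2])
    return {port: sorted(v) for port, v in verdicts.items()}
```

A "no-translation" verdict with no "built" entries for the public address points at the xlate (the "clear xlate"/reload symptom), while "acl-deny" points at the ACL instead.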
Internally, is your IP pinging?
It could be a switch issue: check if your switch is getting the MAC address of that particular server (192.168.0.213). If not, manually add the MAC address of the server in the switch, or a restart would fix your issue.
Kindly rate if this resolves your issue.
Again static NATing stopped working; I restarted the firewall and it started working.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password QPOcXkiG6/gi/fOw encrypted
clock timezone PKT 5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_int permit tcp any host 192.168.0.233 eq www
access-list outside_int permit tcp any host 192.168.0.233 eq 1024
access-list outside_int permit tcp any host 220.127.116.11 eq pop3
access-list outside_int permit tcp any host 18.104.22.168 eq www
access-list outside_int permit tcp any host 22.214.171.124 eq lotusnotes
access-list outside_int permit tcp any host 126.96.36.199 eq www
access-list outside_int permit tcp any host 188.8.131.52 eq 1532
access-list outside_int permit tcp any host 184.108.40.206 eq 1533
access-list outside_int permit tcp any host 220.127.116.11 eq ftp-data
access-list outside_int permit tcp any host 18.104.22.168 eq ftp
access-list outside_int permit tcp any host 22.214.171.124 eq 1433
access-list outside_int permit tcp any host 126.96.36.199 eq imap4
access-list outside_int permit tcp any host 188.8.131.52 eq www
access-list outside_int permit tcp any host 184.108.40.206 eq https
access-list outside_int permit tcp any host 220.127.116.11 eq lotusnotes
access-list outside_int permit tcp any host 18.104.22.168 eq smtp
access-list outside_int permit tcp any host 22.214.171.124 eq www
access-list outside_int permit tcp any host 126.96.36.199 eq 1533
access-list outside_int permit tcp any host 188.8.131.52 eq smtp
access-list outside_int permit tcp any host 184.108.40.206 eq https
access-list outside_int permit tcp any host 220.127.116.11 eq https
access-list outside_int permit icmp any any echo-reply
access-list outside_int permit icmp any any source-quench
access-list outside_int permit icmp any any unreachable
access-list outside_int permit icmp any any time-exceeded
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list lahore_map permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.2
access-list lahore_map permit ip host 18.104.22.168 192.168.2.0 255.255.255.0
access-list peshawar_map permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255
access-list peshawar_map permit ip host 22.214.171.124 192.168.3.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 any
access-list karachi_map permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.
access-list karachi_map permit ip host 126.96.36.199 192.168.1.0 255.255.255.0
pager lines 24
logging trap informational
logging host inside 192.168.0.229
mtu outside 1500
mtu inside 1500
ip address outside 188.8.131.52 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool client_pool 192.168.10.1-192.168.10.254
pdm location 184.108.40.206 255.255.255.255 outside
pdm location 220.127.116.11 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.27 255.255.255.255 inside
pdm location 192.168.0.28 255.255.255.255 inside
pdm location 192.168.0.224 255.255.255.255 inside
pdm location 192.168.0.225 255.255.255.255 inside
pdm location 192.168.0.233 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 192.168.0.233 192.168.0.233 netmask 255.255.255.255 0 0
static (inside,outside) 18.104.22.168 192.168.0.224 dns netmask 255.255.255.255
static (inside,outside) 22.214.171.124 192.168.0.225 dns netmask 255.255.255.255
static (inside,outside) 126.96.36.199 192.168.0.28 netmask 255.255.255.255 0 0
static (inside,outside) 188.8.131.52 192.168.0.27 netmask 255.255.255.255 0 0
static (inside,outside) 184.108.40.206 192.168.0.16 netmask 255.255.255.255 0 0
access-group outside_int in interface outside
route outside 0.0.0.0 0.0.0.0 220.127.116.11 1
route outside 192.168.1.0 255.255.255.0 18.104.22.168 1
route outside 192.168.2.0 255.255.255.0 22.214.171.124 1
route outside 192.168.3.0 255.255.255.0 126.96.36.199 1
timeout xlate 0:15:00
timeout conn 0:20:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.229
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.173 /bk
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto dynamic-map dmap 200 set transform-set tset
crypto map smap 6 ipsec-isakmp
crypto map smap 6 match address karachi_map
crypto map smap 6 set peer 188.8.131.52
crypto map smap 6 set transform-set tset
crypto map smap 7 ipsec-isakmp
crypto map smap 7 match address lahore_map
crypto map smap 7 set peer 184.108.40.206
crypto map smap 7 set transform-set tset
crypto map smap 8 ipsec-isakmp dynamic dmap
crypto map smap 9 ipsec-isakmp
crypto map smap 9 match address peshawar_map
crypto map smap 9 set peer 220.127.116.11
crypto map smap 9 set transform-set tset
crypto map smap client configuration address respond
crypto map smap interface outside
isakmp enable outside
isakmp key ******** address 18.104.22.168 netmask 255.255.255.255
isakmp key ******** address 22.214.171.124 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255
isakmp key ******** address 126.96.36.199 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient address-pool client_pool
vpngroup vpnclient split-tunnel 90
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
vpngroup client idle-time 1800
telnet 192.168.0.0 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
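As an added example (not code from the thread or from Cisco), a small consistency check over a PIX 6.x configuration in the form dumped above: it cross-references each "static" entry against the ACL bound to the outside interface, which on PIX 6.x must name the mapped (global) address rather than the inside address. The command shapes are assumptions and the sample configuration is constructed with documentation addresses.

```python
import re

# Line shapes for the PIX 6.x commands seen in the dump above (assumed).
STATIC  = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) ")
ACL     = re.compile(r"^access-list (\S+) permit \S+ \S+ host (\S+)")
ACL_GRP = re.compile(r"^access-group (\S+) in interface (\w+)")

# Constructed sample config; the identity static mirrors the one in the dump.
SAMPLE_CONFIG = """\
access-list outside_int permit tcp any host 198.51.100.20 eq www
access-list outside_int permit tcp any host 192.168.0.213 eq https
access-list outside_int permit tcp any host 198.51.100.22 eq smtp
access-list outside_int permit tcp any host 192.168.0.233 eq www
access-list outside_int permit icmp any any echo-reply
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
static (inside,outside) 198.51.100.20 192.168.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.21 192.168.0.213 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.233 192.168.0.233 netmask 255.255.255.255 0 0
access-group outside_int in interface outside
"""

def audit_static_nat(config_text):
    """Cross-check 'static' entries against the ACL applied to the outside interface."""
    mapped_to_real, real_to_mapped, acl_hosts, bound = {}, {}, {}, {}
    for line in config_text.splitlines():
        if m := STATIC.match(line):
            _real_if, _mapped_if, mapped, real = m.groups()
            mapped_to_real[mapped] = real
            real_to_mapped.setdefault(real, mapped)
        elif m := ACL.match(line):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
        elif m := ACL_GRP.match(line):
            bound[m.group(2)] = m.group(1)
    outside_acl = bound.get("outside")
    permitted = acl_hosts.get(outside_acl, set())
    findings = []
    for host in sorted(permitted):
        if host in mapped_to_real:
            continue  # mapped address (or an identity static): consistent
        if host in real_to_mapped:
            # PIX 6.x evaluates the outside ACL against the mapped address.
            findings.append(f"{outside_acl} permits real address {host}; "
                            f"use mapped {real_to_mapped[host]} instead")
        else:
            findings.append(f"{outside_acl} permits {host} but no static maps it")
    for mapped in sorted(mapped_to_real):
        if mapped not in permitted:
            findings.append(f"static for {mapped} has no permit in {outside_acl}")
    return findings
```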