address translation

moreauj (Level 1)

I have a PIX 501 and would like to forward requests made to addresses on the public interface to internal servers. This is currently a lab, but once I get it working it will be moved to a live net.

Public interface is 192.168.0.2

Private interface is 192.168.1.1

Static NAT 192.168.0.200-->192.168.1.200

I have an ACL to allow Any from ..0.200 to the inside interface.

I am unable to ping 192.168.0.200 from the outside, therefore no traffic is forwarding to 1.200.

Please advise as to what I may have missed or done wrong. Thank you!

Jeff

9 Replies

bdube (Level 2)

Hi Jeff,

The ACL & ACG (Access group) should be applied to the outside interface, not the inside as indicated.

Ping from outside is, by default, blocked by the PIX.

If you need further help, it will be fine to post your config, masking public IP addresses.

Regards,

Ben

Ben, you asked for it! :)

Below is my config file.

I changed the ACL to the outside, but still cannot ping the 192.168.0.200 address, or access the web page hosted by it.

Thanks for replying.

names
name 192.168.1.0 Local
name 192.168.0.200 Admin
access-list inside_access_in remark Allows response from inside IP to outside IP requests.
access-list inside_access_in permit tcp any host 192.168.1.200
access-list inside_access_in remark Allow ping reply from Public side to address 200.
access-list inside_access_in permit icmp any host 192.168.1.200
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.1 format emblem
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Admin 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 192.168.1.200 Admin netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 outside
http Local 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxxxxxx
: end
[OK]

I'm not too sure what you were trying to achieve with the existing access-list. Anyway, if you tried to access the server from the outside:

access-l xxx permit ip any host Admin
access-g xxx in interface outside

Depending on what sort of server you have there, you may want to restrict the access further:

access-l xxx permit tcp any host Admin eq www
access-g xxx in interface outside

access-list inside_access_in remark Allows response from inside IP to outside IP requests.
access-list inside_access_in permit tcp any host 192.168.1.200
    * should be: access-list inside_access_in permit tcp any host 192.168.0.200
access-list inside_access_in remark Allow ping reply from Public side to address 200.
access-list inside_access_in permit icmp any host 192.168.1.200
    * should be: access-list inside_access_in permit icmp any host 192.168.0.200
static (outside,inside) 192.168.1.200 Admin netmask 255.255.255.255 0 0
    * should be: static (inside,outside) Admin 192.168.1.200 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
    * should be: access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

Ben

Thank you for your comments. I have been working on this in the meantime and you'll notice some changes to the ACL. I have been able to make some of the changes you suggest, but not to the ACL. Here is the current config. Would you mind taking another look and helping identify which lines need attention? Thanks.

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name mylab.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 Local
name 192.168.0.200 admin
access-list inside_access_in permit tcp host 192.168.1.200 host admin
access-list inside_access_in remark Default allow any inside to any outside.
access-list inside_access_in permit tcp any any
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.1 format emblem
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location admin 255.255.255.255 inside
pdm location admin 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) admin 192.168.1.200 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 outside
http Local 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]

Please follow carefully what Ben and I were pointing out and modify the conf.

Thank you for your response.

I spent hours trying to follow your recommendations using the PDM and was a complete failure. I found the CLI and cut/pasted Ben's S/B lines into the CLI to come up with the current config. I regret that I do not understand your abbrev. I think I now have the config exactly as Ben suggested, but from the outside I am unable to receive the web page on 192.168.1.200.

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 Local
name 192.168.0.200 admin
access-list inside_access_in permit tcp any host 192.168.0.200
access-list inside_access_in permit icmp any host 192.168.0.200
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.1 format emblem
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location admin 255.255.255.255 inside
pdm location admin 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) admin 192.168.1.200 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 outside
http Local 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8d78fbf1e942e9a9854f6f30fe33019f
: end
[OK]

You need this one also:

access-group inside_access_in in interface outside

Ben
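The three mistakes the replies walk through (a static written in the wrong direction, no access-group on the outside interface, and an outside ACL that names the real inside address instead of the global one) can be checked mechanically. The following Python checker is an added example, not code from the thread or from Cisco; audit_pix is a hypothetical helper, and the two embedded config snippets are constructed from the thread's lines (the first posted config, and the same lines after Ben's corrections).

```python
import re
# Constructed samples: the essential lines of the first posted config, and the same after Ben's fixes.
BROKEN_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 192.168.0.200 Admin
access-list inside_access_in permit tcp any host 192.168.1.200
static (outside,inside) 192.168.1.200 Admin netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
"""
FIXED_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 192.168.0.200 Admin
access-list outside_in permit tcp any host Admin eq www
static (inside,outside) Admin 192.168.1.200 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

def audit_pix(cfg):
    """Return (code, detail) findings for the static-NAT/ACL mistakes seen in the thread."""
    sec, names, acls, statics, groups = {}, {}, {}, [], {}
    for t in (l.split() for l in cfg.splitlines() if len(l.split()) > 1):
        if t[0] == "nameif":            # nameif ethernet0 outside security0
            sec[t[2]] = int(t[3].replace("security", ""))
        elif t[0] == "name":            # name 192.168.0.200 Admin  -> resolve names to addresses
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":
            acls.setdefault(t[1], []).append(t)
        elif t[0] == "static":          # static (real_if,mapped_if) MAPPED REAL netmask ...
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", t[1]).groups()
            statics.append((real_if, mapped_if, names.get(t[2], t[2]), names.get(t[3], t[3])))
        elif t[0] == "access-group":    # access-group NAME in interface IF
            groups[t[4]] = t[1]
    findings = []
    outside = min(sec, key=sec.get)     # lowest security level; assumes nameif lines are present
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        if sec[real_if] < sec[mapped_if]:   # the "real" side sits on the less trusted interface
            findings.append(("STATIC_REVERSED", f"expected: static ({mapped_if},{real_if}) "
                             f"{real_ip} {mapped_ip} netmask 255.255.255.255"))
    if outside not in groups:
        findings.append(("NO_OUTSIDE_ACG", f"no access-group on {outside}; inbound traffic is denied"))
        return findings
    real_ips = {s[3] for s in statics if sec[s[0]] > sec[s[1]]}   # inside (real) addresses
    for t in acls.get(groups[outside], []):
        hosts = [names.get(t[i + 1], t[i + 1]) for i, w in enumerate(t[:-1]) if w == "host"]
        if hosts and hosts[-1] in real_ips:     # PIX 6.x outside ACLs must use the global address
            findings.append(("ACL_USES_REAL_ADDR", f"{t[1]}: destination {hosts[-1]} is the "
                             "real address; use its global (translated) address instead"))
    return findings
```

The last rule is specific to PIX 6.x and ASA releases before 8.3, which match outside ACLs against the translated address; from ASA 8.3 onward ACLs reference the real address and that check no longer applies.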

Thanks! That helped me to get started and on my way to understanding how to configure this PIX. I will use this solution as an example to configure the rest of the addresses on the PIX. I will also tighten the port access to only the needed ports for each IP.

Your responses are most appreciated! Thank you.