02-08-2004 12:27 PM - edited 03-09-2019 06:21 AM
I have a PIX 501 and would like to forward requests made to addresses on the public interface to internal servers. This is currently a lab, but once I get it working it will be moved to a live net.
Public interface is 192.168.0.2
Private interface is 192.168.1.1
Static NAT 192.168.0.200-->192.168.1.200
I have an ACL to allow Any from ..0.200 to the inside interface.
I am unable to ping 192.168.0.200 from the outside
Therefore no traffic is forwarding to 1.200.
Please advise as to what I may have missed or done wrong. Thank you!
Jeff
02-08-2004 01:39 PM
Hi Jeff,
The ACL & ACG (Access group) should be applied to the outside interface, not the inside as indicated.
Ping from outside is, by default, blocked by the PIX.
If you need further help, it will be fine to post your config, masking the public IP addresses.
Regards,
Ben
02-08-2004 02:05 PM
Ben, you asked for it! :)
Below is my config file.
I changed the ACL to the outside, but still cannot ping the 192.168.0.200 address, or access the web page hosted by it.
Thanks for replying.
names
name 192.168.1.0 Local
name 192.168.0.200 Admin
access-list inside_access_in remark Allows response from inside IP to outside IP requests.
access-list inside_access_in permit tcp any host 192.168.1.200
access-list inside_access_in remark Allow ping reply from Public side to address 200.
access-list inside_access_in permit icmp any host 192.168.1.200
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.1 format emblem
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Admin 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 192.168.1.200 Admin netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 outside
http Local 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxxxxxx
: end
[OK]
02-08-2004 02:47 PM
I'm not too sure what you were trying to achieve with the existing access-list. Anyway, if you tried to access the server from the outside:
access-l xxx permit ip any host Admin
access-g xxx in interface outside
Depending on what sort of server you have there, you may want to restrict the access further:
access-l xxx permit tcp any host Admin eq www
access-g xxx in interface outside
02-08-2004 05:40 PM
access-list inside_access_in remark Allows response from inside IP to outside IP requests.
access-list inside_access_in permit tcp any host 192.168.1.200
*
* should be access-list inside_access_in permit tcp any host 192.168.0.200
*
access-list inside_access_in remark Allow ping reply from Public side to address 200.
access-list inside_access_in permit icmp any host 192.168.1.200
*
* should be access-list inside_access_in permit icmp any host 192.168.0.200
*
static (outside,inside) 192.168.1.200 Admin netmask 255.255.255.255 0 0
*
* should be static (inside,outside) Admin 192.168.1.200 netmask 255.255.255.255 0 0
*
access-group inside_access_in in interface inside
*
* should be access-group inside_access_in in interface outside
*
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
Ben
02-08-2004 08:41 PM
Thank you for your comments. I have been working on this in the meantime and you'll notice some changes to the ACL list. I have been able to make some of the changes you suggest, but not to the ACL. Here is the current config. Would you mind taking another look and help identify which lines need attention? Thanks.
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name mylab.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 Local
name 192.168.0.200 admin
access-list inside_access_in permit tcp host 192.168.1.200 host admin
access-list inside_access_in remark Default allow any inside to any outside.
access-list inside_access_in permit tcp any any
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.1 format emblem
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location admin 255.255.255.255 inside
pdm location admin 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) admin 192.168.1.200 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 outside
http Local 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
02-08-2004 08:55 PM
Please follow carefully what Ben and I were pointing out and modify the config.
02-09-2004 04:53 AM
Thank you for your response.
I spent hours trying to follow your recommendations using the PDM and was a complete failure. I found the CLI and cut/paste Ben's S/B lines to the CLI to come up with the current config. I regret that I do not understand your abbrev. I think I now have the config exactly as Ben suggested, but from the outside I am unable to receive the web page on 192.168.1.200.
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 Local
name 192.168.0.200 admin
access-list inside_access_in permit tcp any host 192.168.0.200
access-list inside_access_in permit icmp any host 192.168.0.200
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.1 format emblem
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location admin 255.255.255.255 inside
pdm location admin 255.255.255.255 outside
pdm location 192.168.1.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) admin 192.168.1.200 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 outside
http Local 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8d78fbf1e942e9a9854f6f30fe33019f
: end
[OK]
02-09-2004 03:54 PM
You need this one also
access-group inside_access_in in interface outside
Ben
02-09-2004 05:51 PM
Thanks! That helped me to get started and on my way to understanding how to configure this PIX. I will use this solution as an example to configure the rest of the addresses on the PIX. I will also tighten the port access to only the needed ports for each IP.
Your responses are most appreciated! Thank you.
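The three fixes the thread converges on (the static written as `static (inside,outside) MAPPED REAL`, the outside ACL naming the mapped address rather than the real one, and `access-group ... in interface outside`) are easy to check mechanically. The following is an added example and not code from the thread or from Cisco: a small Python lint that parses the handful of PIX 6.x statements the thread turns on and reports, for each configuration state posted above, why a client on the outside cannot reach the inside server. The config texts in the block are excerpts constructed from the posted configs (only the lines the checks use); `REAL_ADDR_IN_ACL` is a hypothetical intermediate state, and all function and variable names are this example's own.

```python
# Added example, not code from the thread: a small lint for the PIX 6.x
# "publish an inside server" pattern the posts above work through. It parses
# only the statements the thread turns on (name, static, access-list,
# access-group, http/telnet/ssh) and reports why a configuration fails.
import re
from dataclasses import dataclass, field

@dataclass
class PixConfig:
    names: dict = field(default_factory=dict)    # alias -> IP literal
    statics: list = field(default_factory=list)  # (real_if, mapped_if, mapped, real)
    acls: dict = field(default_factory=dict)     # acl -> [(action, proto, src, dst, port)]
    groups: dict = field(default_factory=dict)   # ifname -> acl applied "in"
    mgmt: list = field(default_factory=list)     # (service, source net, ifname)

    def addr(self, tok):  # resolve a `name` alias; other tokens pass through
        return self.names.get(tok, tok)

def _take_addr(parts, i):  # one ACL address spec: any | host X | X MASK
    if parts[i] == "any":
        return "any", i + 1
    if parts[i] == "host":
        return parts[i + 1], i + 2
    return f"{parts[i]}/{parts[i + 1]}", i + 2

def parse_pix(text):
    """Parse the subset of PIX 6.x syntax the checks below need."""
    cfg = PixConfig()
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "name":                      # name 192.168.0.200 admin
            cfg.names[p[2]] = p[1]
        elif p[0] == "static":                  # static (real_if,mapped_if) MAPPED REAL ...
            m = re.match(r"\((\w+),(\w+)\)", p[1])
            cfg.statics.append((m[1], m[2], cfg.addr(p[2]), cfg.addr(p[3])))
        elif p[0] == "access-list" and p[2] != "remark":
            src, i = _take_addr(p, 4)
            dst, i = _take_addr(p, i)
            port = p[i + 1] if i + 1 < len(p) and p[i] == "eq" else None
            cfg.acls.setdefault(p[1], []).append((p[2], p[3], cfg.addr(src), cfg.addr(dst), port))
        elif p[0] == "access-group" and p[2] == "in":
            cfg.groups[p[4]] = p[1]             # access-group ACL in interface IF
        elif p[0] in ("http", "telnet", "ssh") and len(p) == 4:
            cfg.mgmt.append((p[0], f"{cfg.addr(p[1])}/{p[2]}", p[3]))
    return cfg

def check_published_server(cfg, real_ip, proto="tcp", real_if="inside", mapped_if="outside"):
    """Return (errors, warnings) for clients on mapped_if reaching real_ip over proto."""
    errors, warnings = [], []
    # 1. The static must read (real_if,mapped_if) MAPPED REAL for this server.
    ok = [s for s in cfg.statics if s[:2] == (real_if, mapped_if) and s[3] == real_ip]
    if not ok:
        flipped = any(s[:2] == (mapped_if, real_if) and real_ip in s[2:] for s in cfg.statics)
        errors.append(f"static for {real_ip} is written ({mapped_if},{real_if}); use ({real_if},{mapped_if}) MAPPED REAL"
                      if flipped else f"no static ({real_if},{mapped_if}) publishes {real_ip}")
        return errors, warnings
    mapped = ok[0][2]
    # 2. Inbound traffic on the low-security interface is denied unless an ACL is bound there.
    acl = cfg.groups.get(mapped_if)
    if acl is None:
        errors.append(f"no access-group applied in on {mapped_if}; inbound {proto} is denied")
        return errors, warnings
    # 3. PIX 6.x matches the outside ACL against the mapped (global) address, not the real one.
    permits = [e for e in cfg.acls.get(acl, []) if e[0] == "permit" and e[1] in (proto, "ip")]
    hits = [e for e in permits if e[3] in (mapped, "any")]
    if not hits:
        errors.append(f"{acl} names the real address {real_ip}; on {mapped_if} it must name the mapped address {mapped}"
                      if any(e[3] == real_ip for e in permits) else f"{acl} has no permit {proto} entry for {mapped}")
    # 4. Hardening: only the served ports, and no device management from the untrusted side.
    for e in hits:
        if e[1] == "ip" or (e[1] in ("tcp", "udp") and e[4] is None):
            warnings.append(f"{acl} permits {e[1]} to {e[3]} on every port; add eq <port>")
    for svc, net, ifn in cfg.mgmt:
        if ifn == mapped_if:
            warnings.append(f"{svc} management is allowed from {net} on {mapped_if}")
    return errors, warnings

# Excerpts constructed from the thread's posts (only the lines the checks use).
FIRST_POST = """name 192.168.0.200 Admin
access-list inside_access_in permit tcp any host 192.168.1.200
static (outside,inside) 192.168.1.200 Admin netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
"""
FIXED_STATIC = """name 192.168.0.200 admin
access-list inside_access_in permit tcp any host 192.168.0.200
access-list inside_access_in permit icmp any host 192.168.0.200
static (inside,outside) admin 192.168.1.200 netmask 255.255.255.255 0 0
http 192.168.0.0 255.255.255.0 outside
"""
WORKING = FIXED_STATIC + "access-group inside_access_in in interface outside\n"
# Hypothetical variant: everything fixed except the ACL still naming the real address.
REAL_ADDR_IN_ACL = WORKING.replace("host 192.168.0.200", "host 192.168.1.200")

def lint(text, real_ip="192.168.1.200", proto="tcp"):
    return check_published_server(parse_pix(text), real_ip, proto)
```

Run `lint(FIRST_POST)`, `lint(FIXED_STATIC)` and `lint(REAL_ADDR_IN_ACL)` to see the three separate mistakes reported one at a time, in the order the thread resolved them; `lint(WORKING)` returns no errors but two warnings that carry the hardening points a practitioner would still raise: the published host is reachable on every TCP port (Jeff's closing remark about tightening port access), and `http 192.168.0.0 255.255.255.0 outside` leaves PDM management reachable from the outside network, which is acceptable in a lab but not once the box moves to a live net. The address rule in step 3 is specific to PIX 6.x and ASA releases before 8.3, where an ACL on the outside interface is written against the translated (global) address.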