
Need help allowing traffic from outside to inside interface.

xitianllc
Level 1

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I am trying to set up a PIX 501 in front of a few colocated web servers. So far I can see out to the internet with no problems but cannot get traffic to come in even after creating my access rules. The software I am running on my web servers requires that my servers use the same static IPs that are on the outside interface. My ISP created a subnet for this configuration. Any help is very much appreciated.

EXAMPLE ROUTE NOT WORKING:

outside                         inside
nn.nnn.7.244 255.255.255.0 ---> nn.nnn.7.244 255.255.255.240

MY NETWORK CONFIG:

Outside IP: nn.nnn.n.222
Outside GW: nn.nnn.n.1
Outside NM: 255.255.255.0
Inside IP: nn.nnn.7.241 - 255
Inside GW: nn.nnn.7.241
Inside NM: 255.255.255.240

PIX CONFIG:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********** encrypted
passwd ********** encrypted
hostname firewall
domain-name --moderator edit--
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any eq ftp-data any
access-list outside_access_in permit tcp any eq ftp any
access-list outside_access_in permit tcp any eq smtp any
access-list outside_access_in permit tcp any eq domain any
access-list outside_access_in permit tcp any eq www any
access-list outside_access_in permit tcp any eq pop3 any
access-list outside_access_in permit tcp any eq imap4 any
access-list outside_access_in permit tcp any eq https any
access-list outside_access_in permit tcp any eq 19638 any
access-list outside_access_in permit tcp any eq 19640 any
access-list outside_access_in permit udp any eq 445 any
access-list outside_access_in permit tcp nn.nnn.0.0 255.255.0.0 eq 5800 any
access-list outside_access_in permit tcp nn.nnn.0.0 255.255.0.0 eq 5900 any
access-list inside_outbound_nat0_acl permit ip any nn.nnn.7.252 255.255.255.252
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside nn.nnn.n.222 255.255.255.0
ip address inside nn.nnn.7.241 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn nn.nnn.7.252-nn.nnn.7.254
pdm location nn.nnn.7.0 255.255.255.0 inside
pdm location nn.nnn.0.0 255.255.0.0 outside
pdm location nn.nnn.7.252 255.255.255.252 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 nn.nnn.n.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local vpn
vpdn group PPTP-VPDN-GROUP client configuration dns nn.nnn.n.2 nn.nnn.n.3
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username --moderator edit-- password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username --moderator edit-- password ********** encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80

10 Replies

mcrichard
Level 1

I think you need to change your ACL

from

"access-list outside_access_in permit tcp any eq ftp-data any "

to

access-list outside_access_in permit tcp any any eq ftp-data

I'm afraid that did not work but thanks for your help.

It can work, but don't use permit any any,

and you need to use "permit any host xxx.xxx.xxx.xxx eq port".

Hmm, can't enter just a single server IP because it does not like the subnet (255.255.255.240). I did try to enter my subnet range (66.129.7.240 - 255) but that also did not seem to work.

xitianllc
Level 1

Anyone else have an idea?

So you need to redirect ports from the outside ip address of 66.129.1.222 to internal servers? Which server?

The problem is that you are not using NAT. I am fairly certain that if you want to redirect ports using the PIX's outside IP address, you will need to be using NAT.

I think the best idea is to try to find a way to not need to use 66.129.1.222 for any of your servers. Otherwise, you will need to NAT things. You could keep the existing IP addresses and NAT them, but also use them externally in a global pool, but this will be outrageously confusing - re-addressing all the internal servers with RFC 1918 addresses would be much easier for future troubleshooting.

Hi -

Please read the following Cisco document:

http://www.cisco.com/warp/public/707/28.html

Hope this explains it --

Hi,

The problem is not with the static, provided that you have a web server that has an IP address of either .253 or .254, because with the following config you are turning off the NAT engine on the PIX for traffic from outside to the .253-.254 addresses:

access-list inside_outbound_nat0_acl permit ip any nn.nnn.7.252 255.255.255.252
nat (inside) 0 access-list inside_outbound_nat0_acl

The problem is that the ACL defines the ports in the wrong order. Please change:

access-list outside_access_in permit tcp any eq www any

to

access-list outside_access_in permit tcp any any eq www

Please make the changes to all the ACL lines, then execute "clear xlate".

I hope this resolves the issue. If not, then please collect the syslog in the buffer (if you don't have a syslog server):

logging on
logging buffered debug
show logging

Thanks,

Mynul

Mynul,

Thanks for the info, I will try that out. I have one question for you though. The 66.129.7.253 - .254 addresses were set up to be used for VPN. I'm running my servers on 66.129.7.244 - .252. Does the problem you see have to do with that range as well, and will making the modifications you suggested work with that range? I would prefer to not use NAT at all and just use the PIX to block ports and for VPN.

Thanks,

Jack

Jack,

In that case, please make the following changes and it will work:

access-list inside_outbound_nat0_acl permit ip any nn.nnn.7.240 255.255.255.240
no access-list inside_outbound_nat0_acl permit ip any nn.nnn.7.252 255.255.255.252

In that way, you are including the web servers under the no-translation rules. Please make sure to execute "clear xlate". Thanks,

Mynul
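To see why both fixes in this thread matter (the ACL port position in Mynul's first reply, and the nat 0 range in his last), here is an added Python example, not code from the thread or from Cisco: a small matcher for PIX 6.x-style ACEs. It checks an inbound HTTP SYN against the original "permit tcp any eq www any" (which actually matches a source port of 80) and the corrected "permit tcp any any eq www", and checks whether a server address falls inside the network named in the nat 0 ACE before and after the change. The client address 203.0.113.9 and its ephemeral port are constructed; the server address 66.129.7.244 is the one Jack gave.

```python
import ipaddress

# Added example, not from the thread: a minimal matcher for PIX 6.x style ACEs
#   [access-list NAME] permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D NETMASK".
NAMED_PORTS = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "ftp-data": 20}

def _take_addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq <port>' clause; None means any port."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return NAMED_PORTS.get(name, int(name) if name.isdigit() else -1), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse an ACE into match fields; an 'eq' right after <src> is a SOURCE port."""
    tokens = line.split()
    if tokens[0] == "access-list":      # drop the 'access-list NAME' prefix
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
    """True if the 5-tuple is matched by the ACE (proto 'ip' matches any proto)."""
    return (ace["proto"] in (proto, "ip")
            and ipaddress.ip_address(src_ip) in ace["src"]
            and (ace["sport"] is None or ace["sport"] == sport)
            and ipaddress.ip_address(dst_ip) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == dport))

def inbound_http_permitted(ace_line, server_ip="66.129.7.244"):
    """Does a client SYN (ephemeral source port -> server:80) hit this ACE?"""
    # 203.0.113.9:51234 is a constructed client; .244 is Jack's web server.
    return ace_matches(parse_ace(ace_line), "tcp", "203.0.113.9", 51234, server_ip, 80)

def nat0_exempts(acl_line, server_ip):
    """Is server_ip inside the network named in the nat 0 ACE, i.e. exempt from NAT?"""
    return ipaddress.ip_address(server_ip) in parse_ace(acl_line)["dst"]
```

Running the original ACE through inbound_http_permitted returns False (only return traffic from a remote port 80 would match), the corrected one returns True, and nat0_exempts shows .244 is outside the .252/30 exemption but inside .240/28.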