04-03-2002 10:15 AM - edited 03-08-2019 10:13 PM
Hello and thanks for your time in advance.
I'm replacing a Watchguard firewall w/a 501 for a customer. We have only 1 public IP address (DSL). Using PAT all clients can surf the web. There is a functional conduit into the firewall to an FTP server. The only problem is with the Novell server. It can reach the inside but cannot reach the outside int of the 501. It does fine with the firewall that's already there. I'm using the same IP for both firewalls (just switching them temporarily to test), clearing ARP cache as I go, yet the server will not get through the 501. Any ideas PLEASE?
As a side note, if "static (inside, outside) x.x.x.x 10.0.20.10" (for incoming mail to the Novell box) is used, all outbound traffic will cease through the 501 until the reload command is issued. Thanks again.
04-03-2002 10:47 AM
Hmmm.
Kinda sounds like a PAT global problem.
So you put in the PAT command and all clients can issue successful requests to the outside world? Including the Novell server (I realize you can't exactly web browse from a Novell box..), but can you ping an outside IP address from the Novell server before you put the static command in place? The FTP server is completely OK. Give more details if possible, we'll help get you there...
04-03-2002 10:59 AM
Here's the config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /F.u.pU7VSgK.2I3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name ted.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 205.25.2.115 255.255.255.252
ip address inside 10.0.20.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 205.25.2.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.20.83 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
All clients can get out with HTTP or ICMP. The Novell server (unfortunately it serves mail) cannot get out at all. The furthest the Novell box goes is the internal 501 int, even before the static command. The static command does not block all traffic when pointing to another internal host, only the Novell box.
I've since tried setting the internal IP (501) to 10.0.20.3 and then setting the default route in tcpcon on the Novell box to the same, but w/no results. I'd love to blame the Novell server but the Watchguard box lets it all through.
Thanks for the time.
04-03-2002 11:24 AM
I really hope that the IP Addresses and passwords listed are dummy ones that replaced the actual ones.
It's customary to use obviously invalid IPs, like 1.1.1.1 or 10.10.10.10, to ensure no one acquires knowledge of the network that is not for public consumption.
Same thing with passwords: Use obvious password replacements, like
Regarding the problem, can you tell if a translation slot was opened? Do a SH CONN LOCAL 1.1.1.1, where 1.1.1.1 is the inside Novell address. You can also enable some logging to a syslog server while you try to connect and search through to find the transactions between the PIX and Novell server to see what the deal is.
04-03-2002 11:45 AM
Yes, they are dummy IPs and DNS names. And thanks for the concern. I can use "debug icmp trace", then ping an external IP from a client and the console shows the traffic. Pinging the same ext. address from the server yields no result on the console. Pinging the internal interface from the server will show on the console. Does that help much? I keep finding articles about Novell IP not working well with NAT, but mainly for client/server communications (login, file sharing, etc.). I just need SMTP to and from this box.
Any suggestions are appreciated. Thanks again.
04-03-2002 11:39 AM
ip address outside 205.25.2.115 255.255.255.252
route outside 0.0.0.0 0.0.0.0 205.25.2.115 1
Shouldn't you be routing to the next hop in line? i.e.
route outside 0.0.0.0 0.0.0.0 205.25.2.114 or something like that?
i.e. the next hop to your ISP or something like that?
My config is completely different there.
I have ip address outside XXXXXX
and a "next hop" router in line to route all traffic to...
04-03-2002 11:51 AM
Yes. I apologize, my paranoia was not well thought out. The default route as well as the IPs are different, so I was reckless in the typing. It's as you guessed (let's say 205.25.2.114).
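The misconfiguration found above (a default route whose next hop is the PIX's own outside address) is easy to miss by eye. Below is an added example, not part of this thread or of any Cisco tool, that lints a PIX config excerpt for exactly that mistake and for a `nat` id with no matching `global`; the config text is constructed from the post above and the regexes only cover the command forms shown there.

```python
import ipaddress
import re

# Constructed sample built from the config posted in the thread; the route's
# next hop is the outside interface's own address, which is the reported bug.
SAMPLE_CONFIG = """
ip address outside 205.25.2.115 255.255.255.252
ip address inside 10.0.20.2 255.255.255.0
global (outside) 5 interface
nat (inside) 5 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 205.25.2.115 1
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")


def lint_pix_config(text):
    """Return a list of human-readable findings for the PIX excerpt."""
    interfaces = {}            # interface name -> ip_interface (addr + mask)
    routes, globals_, nats = [], set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_RE.match(line)
        if m:
            name, ip, mask = m.groups()
            interfaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append(m.groups())
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.add(m.group(2))
            continue
        m = NAT_RE.match(line)
        if m:
            nats.add(m.group(2))

    findings = []
    for ifname, net, _mask, gw, _metric in routes:
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append(f"route {ifname}: interface has no ip address")
            continue
        gw_addr = ipaddress.ip_address(gw)
        if gw_addr == iface.ip:
            # Next hop must be the upstream router, never the PIX itself.
            findings.append(f"route {ifname} {net}: next hop {gw} is the PIX's own address")
        elif gw_addr not in iface.network:
            findings.append(f"route {ifname} {net}: next hop {gw} not in {iface.network}")
    for nid in sorted(nats - globals_):
        findings.append(f"nat id {nid} has no matching global")
    return findings
```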