05-15-2006 08:38 AM - edited 02-21-2020 12:54 AM
Using the following configuration on my first PIX 501, I am unable to provide a mail server to the outside world and allow inside clients to browse the Internet:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxx
hostname fw-sam-01
domain-name SAM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any host 62.x.x.109 eq smtp
access-list inside permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 62.177.x.x 255.255.255.248
ip address inside 192.168.45.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.45.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 62.177.x.x 192.168.45.2 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 62.x.x.105 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.45.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.45.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
: end
Am I using the access-lists and access-groups incorrectly, or am I mistaken in the PAT/NAT configuration?
Please advise...
05-15-2006 10:10 AM
Hi,
Your static command is doing a static translation for all. Use this static instead:
static (inside,outside) tcp 62.177.208.109 25 192.168.45.2 25 netmask 255.255.255.255 0 0
That will do a static translation, but only for TCP port 25 (SMTP).
Gene
05-15-2006 10:13 PM
Thanks Gene,
This makes sense, only translating port 25, but even after adjusting my own typo:
access-list outside permit tcp any host 62.177.209.109 eq smtp
to:
access-list outside permit tcp any host 62.177.208.109 eq smtp
and a complete reload, the following configuration lets me ping correctly from the PIX to any outside and inside host, but SMTP to the internal host from the outside is still unreachable, and any inside host is unable to get to the outside world.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no fixup protocol smtp 25
access-list inside permit tcp any any
access-list outside permit tcp any host 62.177.208.109 eq smtp
mtu outside 1500
mtu inside 1500
ip address outside 62.177.208.109 255.255.255.248
ip address inside 192.168.45.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.45.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 62.177.208.109 smtp 192.168.45.2 smtp netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 62.177.208.105 1
What am I missing in using the access-lists; are they too strict?
05-15-2006 10:33 PM
Hi, your static should say the following. For SMTP access using your PIX interface address you need:
static (inside,outside) tcp interface 25 192.168.45.2 25 netmask 255.255.255.255
I hope it helps ... please rate it if it does !!!
05-15-2006 10:36 PM
Also, make sure the internal users are using your PIX's internal interface as their default gateway; they need to be able to go out via the PIX internal interface.
05-15-2006 11:23 PM
Just add the following; you don't need an ACL on the inside unless you are filtering services on the inside interface!
Make sure to save with: write mem and also issue: clear xlate
As the other post suggests, make sure that your internal hosts' default gateway points to the inside IP address of your PIX interface, unless you have an internal router.
Check that the MX record for your mail service is correctly set up, i.e. your mail MX record should be pointing to IP 62.177.209.109 (as indicated below).
To test your mail service, telnet from an external source to 62.177.209.109 on port 25 and see if you get a response from the internal mail server!!
access-list outside permit tcp any host 62.177.209.109 eq smtp
access-group outside in interface outside
static (inside,outside) tcp 62.177.208.109 smtp 192.168.45.2 smtp netmask 255.255.255.255 0 0
ip address outside 62.177.208.109 255.255.255.248
ip address inside 192.168.45.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 62.177.208.105 1
Hope this helps and please rate post if it does.
Jay
05-15-2006 11:55 PM
Oops, forgot to add: you can also use the keyword interface on your static if you only have the one public IP and it's being used on your outside interface, i.e.
access-list outside permit tcp any host 62.177.209.109 eq smtp
access-group outside in interface outside
static (inside,outside) tcp interface smtp 192.168.45.2 smtp netmask 255.255.255.255 0 0
All the rest the same as my previous post; again make sure to save with: wr m and also issue: clear xlate
Jay
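As an added illustration (not code from any poster in this thread), the check below cross-references the outside ACL hosts against the port statics, resolving the 'interface' keyword to the outside address as Jay describes; the sample config is constructed from the thread's values with the .209.109/.208.109 ACL typo reintroduced.

```python
import re

# Constructed sample: outside IP and port static as in the thread, with the
# ACL typo (host .209.109 vs interface .208.109) reintroduced for the demo.
BROKEN_CONFIG = """\
ip address outside 62.177.208.109 255.255.255.248
access-list outside permit tcp any host 62.177.209.109 eq smtp
access-group outside in interface outside
static (inside,outside) tcp interface smtp 192.168.45.2 smtp netmask 255.255.255.255 0 0
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("62.177.209.109", "62.177.208.109")

PORT_NAMES = {"smtp": "25", "www": "80"}  # names the PIX CLI accepts for ports

def _port(p):
    return PORT_NAMES.get(p, p)

def check_pix_publish(config):
    """Cross-check outside ACL entries against port statics; return findings."""
    outside_ip, acls, groups, raw_statics = None, {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address outside (\S+) \S+$", line):
            outside_ip = m.group(1)
        elif m := re.match(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)$", line):
            acls.setdefault(m.group(1), []).append((m.group(2), _port(m.group(3))))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            groups[m.group(2)] = m.group(1)
        elif m := re.match(r"static \(inside,outside\) tcp (\S+) (\S+) \S+ \S+ netmask", line):
            raw_statics.append((m.group(1), _port(m.group(2))))
    # The 'interface' keyword publishes on the outside interface's own address.
    statics = {(outside_ip if ip == "interface" else ip, p) for ip, p in raw_statics}
    findings = []
    if "outside" not in groups:
        findings.append("no access-group applied to the outside interface")
    permitted = set(acls.get(groups.get("outside"), []))
    for host, p in permitted - statics:
        findings.append(f"ACL permits {host}:{p} on outside but no static publishes it "
                        f"(outside interface is {outside_ip})")
    for host, p in statics - permitted:
        findings.append(f"static publishes {host}:{p} but the outside ACL does not permit it")
    return findings
```

Run it against the two constructed configs: the broken one yields a finding for each side of the mismatch, the corrected one yields none.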
05-17-2006 02:14 AM
Thanks for all the responses.
Deleting the access-group and access-list for the inside interface enables me to get access to the outside world from the inside network.
Adjusting the static route configuration to include smtp does not resolve my outside-to-inside issue.
I am still unable to use SMTP from outside to inside.
If I add www for the same internal server by adding the following configuration:
access-list outside permit tcp any host 62.177.208.109 eq www
static (inside,outside) tcp 62.177.208.109 www 192.168.45.2 www netmask 255.255.255.255 0 0
I do not get a positive reply when tested from an outside address.
The internal server is configured with a gateway pointing to the PIX IP address 192.168.45.1.
A telnet to port 25 does not seem to get any reply.
A traceroute from the outside to the external IP of the PIX gets resolved correctly.
Is there any debugging command I could use to see if the external telnet to port 25 gets bounced, or even does not get through to the PIX?
05-17-2006 03:15 AM
Hi,
Sorry for the delay in responding. As asked before, have you verified that your MX record for your domain is pointing to the correct IP, i.e. 62.177.208.109?
You can check this from an internal host by typing (in cmd mode):
nslookup
set q=mx
Verify that the MX record is correctly set up, i.e. the correct IP address!!
Of course, make sure that you have the correct ACL and static setup on your PIX, i.e.
access-list smtp permit tcp any host 62.177.208.109 eq smtp
access-group smtp in interface outside
static (inside,outside) tcp interface smtp 192.168.45.2 smtp netmask 255.255.255.255 0 0
*Note* the keyword 'interface' is being used on the static because I'm assuming that you only have one public IP address available and this is also being used on the outside interface of your PIX.
Save with: write mem and also issue: clear xlate
Hope this helps, pls rate post if it does.
Jay
05-17-2006 03:36 AM
Jay,
The MX record is not yet set because it is still in a test environment. I used telnet 62.177.208.109 25 to see if I get any response and get connected to the internal mail server.
Bas
05-17-2006 05:07 PM
Can you please enable SMTP on your PIX:
fixup protocol smtp 25
05-17-2006 08:33 PM
Hi,
I have gone through the discussion so far. The PIX configuration should be fine by now as per the suggestions. The problem seems to be on the server. If this is a new Windows setup then there is an option of not accepting requests which are not from the local area network.
If you want to check whether the PIX is allowing connections, then when you telnet to port 25 from outside, just check the xlates:
sh xlate should show you a translation for the inside host. Moreover, a quick test of whether the PIX is allowing the traffic is to check "sho access-list outside" and see if the counters are increasing.
I hope this helps you.
Arun S.
05-18-2006 09:27 AM
Arun,
You're right; using sh xlate and sh access-list outside shows the translation is correct and requests are passed through to my test machine. Little did I know that nowadays Windows XP machines do not answer requests from outside networks on SMTP and WWW. Replacing my inside machine with a Windows 2003 server showed it all worked like a charm.
Thanks for all the support; I am a happy PIX user now with more knowledge and understanding of the PIX concepts.