Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix 501 PPPOE outside

Hi

I have a pix 501.

It obtains its IP from the ISP via PPPOE.

If I have a mail server on the inside can I still NAT mail to that device.

I have done NAT before to mail servers where I have an allocation of IP's from the ISP.

In this scenario I only have 1 IP (it does not change) outside.

Can I allow other services in also even if I have 1 IP

John

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Pix 501 PPPOE outside

The config is OK, but it might be better to replace the fixed IP address in the access-list and the staic with a dynamic one.

1 - You have configured:

access-list outside_access_in permit tcp any host XX.XX.XXX.XXX eq ftp

access-group outside_access_in in interface outside

static (inside,outside) tcp XX.XX.XXX.XXX ftp ftpserver ftp netmask 255.255.255.255 0 0

2. - I would replace this with:

access-list outside_access_in permit tcp any interface outside eq ftp

access-group outside_access_in in interface outside

static (inside,outside) tcp interface ftp ftpserver ftp netmask 255.255.255.255 0 0

The advantage of this setup is that if ever the IP changes the NAT and access-list will change automticly too.

3.- You need to to a CLEAR XLATE after you have changed the NAT settings.

clear xlate

Note that this will reset all connections.

4.- Use a dyndns or no-ip client so when you connect from the Internet you just have to know the DNS name and if the IP changes the client will update the DynDNS server.

See:http://www.no-ip.com/downloads.php

5.- Are you sure that your ISP Internet Service Provider is allowing ftp, smtp and http ? A lot of providers block this ports for non commercial DSL connections !!

sincerely

Patrick

6 REPLIES

Re: Pix 501 PPPOE outside

I think thats possible by putting a static command an ACl to permit SMTP.

Re: Pix 501 PPPOE outside

Yes you can do this with a port forward command in a the static command.

Here is an example:

ip address inside 192.168.1.1 255.255.255.0

access-list acl_out permit tcp any interface outside eq smtp

access-group acl_out in interface outside

static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 Gateway 1

sincerley

Patrick

New Member

Re: Pix 501 PPPOE outside

Hi I tried that and i did not work any other ideas

New Member

Re: Pix 501 PPPOE outside

Hi

Here is a my current config. For ease of testing I tried to allow ftp in to connect to an ftpserver on the inside.

Can someone tell me what I am doing wrong

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password *******************

passwd ****************** encrypted

hostname pixfirewall

domain-name ***************

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.1.100 ftpserver

access-list inside_outbound_nat0_acl permit ip any 10.200.200.192 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 10.200.200.192 255.255.255.224

access-list outside_access_in permit tcp any host XX.XX.XXX.XXX eq ftp (X= the IP assigned by ISP via PPPOE)

pager lines 24

logging console debugging

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool RasIP 10.200.200.200-10.200.200.210

pdm location 0.0.0.0 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.0 inside

pdm location ftpserver 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp XX.XX.XXX.XXX ftp ftpserver ftp netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup ras address-pool RasIP

vpngroup ras dns-server 159.134.237.6 192.111.39.1

vpngroup ras default-domain ************

vpngroup ras idle-time 1800

vpngroup ras password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 60

ssh timeout 5

management-access inside

console timeout 0

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname eircom

vpdn group pppoe_group ppp authentication chap

vpdn username eircom password ********* store-local

dhcpd address House1-192.168.1.120 inside

dhcpd dns 159.134.237.6 159.134.248.17

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

username name*** password xxx privilege 15

username name2**** password xxx privilege 15

terminal width 80

Thanks

john

Re: Pix 501 PPPOE outside

The config is OK, but it might be better to replace the fixed IP address in the access-list and the staic with a dynamic one.

1 - You have configured:

access-list outside_access_in permit tcp any host XX.XX.XXX.XXX eq ftp

access-group outside_access_in in interface outside

static (inside,outside) tcp XX.XX.XXX.XXX ftp ftpserver ftp netmask 255.255.255.255 0 0

2. - I would replace this with:

access-list outside_access_in permit tcp any interface outside eq ftp

access-group outside_access_in in interface outside

static (inside,outside) tcp interface ftp ftpserver ftp netmask 255.255.255.255 0 0

The advantage of this setup is that if ever the IP changes the NAT and access-list will change automticly too.

3.- You need to to a CLEAR XLATE after you have changed the NAT settings.

clear xlate

Note that this will reset all connections.

4.- Use a dyndns or no-ip client so when you connect from the Internet you just have to know the DNS name and if the IP changes the client will update the DynDNS server.

See:http://www.no-ip.com/downloads.php

5.- Are you sure that your ISP Internet Service Provider is allowing ftp, smtp and http ? A lot of providers block this ports for non commercial DSL connections !!

sincerely

Patrick

New Member

Re: Pix 501 PPPOE outside

works perfectly when you do it through command line.

does work if you set it up through PDM. PDM wants you to configure nat for the host inside

299
Views
4
Helpful
6
Replies
CreatePlease to create content