
PIX 501- Stopped routing to the outside

moshiri
Level 1

I have a PIX501 configured with a static command to provide access from outside to an internal server. This works flawlessly; nevertheless, as soon as I applied the static command my internal network cannot browse the Internet all of a sudden! Any ideas? The following is a highlight of some of the configuration:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 x.x.x.97 1

;

;

;

static (inside, outside) x.x.x.122 192.168.3.11

access-list 101 permit tcp x.x.x.122 255.255.255.0 any eq www

access-group 101 in interface outside

Is it possible that I am using the same NAT pool? My outside interface address is x.x.x.122 and is being utilized via PAT in the global command. I know that when using PAT you cannot share the same IP address.

Will this problem be fixed by applying a different IP address as my Global, such as:

Global (outside) 1 x.x.x.123

I appreciate your input.

Thanks


earancibia
Level 1

I kind of ran into the same problem not too long ago. I still manage to use the same IP address (outside).

For your static command try using port redirection, I hope this helps.

static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 172.18.124.208 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp interface telnet 10.1.1.5 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 172.18.124.208 8080 10.1.1.7 www netmask 255.255.255.255 0 0

Go to this link for further information: http://www.cisco.com/warp/public/707/28.html#topic9

Eduardo

tvanginneken
Level 4

Hi,

Try to change the access-list. It should be like this:

access-list 101 permit tcp any host x.x.x.122 eq www

(from any host on the internet to the global address of the internal webserver)

If this still doesn't work also change the static command:

static (inside, outside) interface 192.168.3.11

(translate 192.168.3.11 to the outside interface address)

Kind Regards,

Tom
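
A small configuration lint for the two conditions raised in this thread, as an added example that is not part of any post above: a one-to-one static whose global address is also the outbound PAT address (the overlap the original poster asks about), and an inbound ACL entry on the outside interface that has the published address as its source with `any` as destination (the entry Tom's reply rewrites). Assumptions: the 203.0.113.x addresses and the `ip address outside` line are constructed stand-ins for the elided x.x.x values, and the function names are hypothetical.

```python
import re

# Constructed sample: 203.0.113.x stands in for the thread's elided x.x.x
# addresses; the "ip address outside" line is assumed from the poster's
# statement that the outside interface address is x.x.x.122.
SAMPLE = """\
ip address outside 203.0.113.122 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside, outside) 203.0.113.122 192.168.3.11
access-list 101 permit tcp 203.0.113.122 255.255.255.0 any eq www
access-group 101 in interface outside
"""

IP = r"\d+\.\d+\.\d+\.\d+"

def endpoint(tok):
    """Consume one ACL address spec (any | host A | A MASK); source-port operators are not handled."""
    head = tok.pop(0)
    if head == "any":
        return "any"
    if head == "host":
        return tok.pop(0)
    tok.pop(0)  # discard the mask that follows a bare address
    return head

def lint(cfg, outside="outside"):
    findings = []
    m = re.search(rf"^ip address {outside} ({IP})", cfg, re.M)
    iface_ip = m.group(1) if m else None
    # Addresses used for outbound translation on the outside interface.
    pat = set()
    for g in re.findall(rf"^global \({outside}\) \d+ (\S+)", cfg, re.M | re.I):
        pat.add(iface_ip if g == "interface" else g)
    # One-to-one statics with a literal global address; port-redirection
    # statics (tcp/udp keyword) and the "interface" keyword do not match here.
    statics = re.findall(rf"^static \(\w+,\s*{outside}\) ({IP}) ({IP})", cfg, re.M)
    for glob, local in statics:
        if glob in pat:
            findings.append(("static-shares-pat-address", glob, local))
    # ACLs bound inbound on the outside interface.
    bound = re.findall(rf"^access-group (\S+) in interface {outside}", cfg, re.M)
    published = {g for g, _ in statics}
    for name, rest in re.findall(r"^access-list (\S+) permit (?:tcp|udp|ip) (.+)$", cfg, re.M):
        tok = rest.split()
        src, dst = endpoint(tok), endpoint(tok)
        if name in bound and src in published and dst == "any":
            findings.append(("acl-source-is-published-address", name, src))
    return findings
```

Calling `lint(SAMPLE)` returns both findings for the constructed configuration; a configuration that uses a port-redirection static and an ACL entry of the form `permit tcp any host <global> eq www` returns an empty list.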
