cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
535
Views
0
Helpful
11
Replies

pix pat and static

a.diot
Level 1
Level 1

Hi all,

I have a pix connecting my network to internet performing pat.(only one public address)

I would like to install a mail server on my private network.

do i need a second ip public address or can i perform a static with port 25 on the same ip add than my nat global ?

Thanks in advance

1 Accepted Solution

Accepted Solutions

scoclayton
Level 7
Level 7

Hi,

You do not need another public address for the internal mail server. You can just create a port static using the PAT address as the global address for the static. For instance, something like this should work fine:

static (inside, outside) tcp host 25 host 25

Hope this helps.

Scott

View solution in original post

11 Replies 11

scoclayton
Level 7
Level 7

Hi,

You do not need another public address for the internal mail server. You can just create a port static using the PAT address as the global address for the static. For instance, something like this should work fine:

static (inside, outside) tcp host 25 host 25

Hope this helps.

Scott

Scott,

I have the same problem with trying to get PAT to work with a single external address AND using a static to gain access for internet users to the website behind the PIX firewall.

The static command line I have is...

static (inside,outside) netmask 255.255.255.255 0 0

If I enter this command, PAT stop working for the clients but now external access works. Verified with the sh xlate. Remove it and PAT works again for clients.

Can you show me the problem?

Phil

Phil,

No problem. Are you using the same address for and the address listed in the "global (outside) 1

" command on your PIX? If so, this is not allowed. Try making your static look like this instead:

static (inside,outside) tcp 80 90 netmask 255.255.255.255

Hope this helps.

Scott

Scott...thanks for the fast response.

I am still not sure that I understand this tricky command...here are the global, nat and static commands I am using:

global (outside) 1 interface

nat (inside) 1 255.255.255.0 0 0

static (inside,outside) netmask 255.255.255.255 0 0

So is my global also wrong? I see that 80 is being used on the outside but how will the web service on the inside server being looking for port 90??? I am confused! I also have this same issue with the Exchange service hosted on the same server. Does another static command used?

Phil

D'oh! That is what I get for using my laptop while watching Monday Night Football. I had a typo in my suggested static. My suggestion should read:

static (inside,outside) tcp 80 80 netmask 255.255.255.255

Your global looks fine to me. My question (and assumption) is that "interface" above equals . Is this correct? In other words, are you using the same address in both places? If so, then you are going to need to create your static as I stated above. This command tells the PIX that anything coming in to the outside IP address on port 80 needs to be sent to the inside IP address on port 80. You have to do it this way since you are using the same address as your PAT address which means that each time an internal user opens up a connection outbound, the PIX changes the source address of the original packet to this address so it is routable. Not sure how well I am explaining this so let me know if not clear.

Scott

Scott,

I made today the static changes to enable PAT on the 501 firewall....now seems to work "almost". I say this because 4 or the 6 users that had connected using the SBS 2000 proxy can now connect without it. The other two W2K client IE 5.5 browers will not workout the old proxy setting pointing at the server. I can run the xlate to look at port translation and there is plenty occuring. As soon as I reconfigure back to proxy, the web browers start working. Very weird....any suggestions?

Here is the complete listing less the security info

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXX encrypted

passwd XXXX encrypted

hostname pixfirewall

domain-name XXX.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachable

access-list 100 permit tcp any host eq www

access-list 100 permit tcp any host eq smtp

access-list 100 permit tcp any host eq ftp

access-list 100 permit tcp any host eq 3389

access-list 100 permit tcp any host eq pop3

pager lines 24

logging on

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 255.255.255.0

ip address inside 10.0.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.1 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.255.255.0 0 0

static (inside,outside) tcp smtp 10.0.0.9 smtp netmask 255.255.255.

255 0 0

static (inside,outside) tcp www 10.0.0.9 www netmask 255.255.255.25

5 0 0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 10.0.0.9 //dcaserver/c:/cisco_pix

no floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address 10.0.0.10-10.0.0.41 inside

dhcpd dns 206.26.36.34 10.0.0.9

dhcpd wins 10.0.0.9

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain XXX.com

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:XXX

pixfirewall(config)#

Since this is a 501, I wonder if we aren't running up against the 10 user license (assuming this is what you do have)? Can you try that change again and issue a 'sh local-host' command. See how many entries the PIX has built. Also, try setting up a syslog server and configuring the PIX to debug level logging and see if we get any good info from this. Your config is fine from the quick glance I just took.

Scott

Scott,

Yes this is a 501 as I stated in the last message. Next time I am there will try your suggestions to debug...they only have 6 users so don't suspect licenses to be the issue.

I also haven a ACL for port 3389 to allow me to connect inside via terminal services...that is not working now. Web server and Exchange server are fine. Does it take yet another static to allow 3389 traffic back out the firewall?

I feel that Cisco has done a poor job of documenting the configuration for a 501 configuration that only has a typical single IP address and hence must use PAT. Cisco book by Chapman does not even document the static command to cover the working solution.

Hi,

This is not the same but I wonder whether someone can help me out.

We got a secure server on our internal LAN. I've configured static NAT and policy so we can https to them from the Internet. The thing is if we try to connect to them from an Internal address it doesn't work. I've PAT configured for the internal address to use the PIX external interface.

Below are not my actually addresses. I thought it might help with illustrating the problem.

Range is 194.111.143.64/29

PIX address is 194.111.143.71/29

Secure server static NAT is 194.111.143.72

Secure server internal address is 172.19.22.157

Internal network is 192.168.1.0/24

PIX is configured to do PAT for 192.168.1.0/24

Static NAT is configured to change 172.19.22.157 to 194.111.143.72.

Policy is configured to allow anything to access 194.111.143.72 using https.

Thanks,

Dino

Forgot to put extra details here. Did some debugging and it looks like the PIX is not forwarding any of the packets to the internal server. At first I thought you can't do this. However, we used to have a similar setup using NetScreen firewall and it worked fine. I didn't have access to full config of the netscreen as it was managed by another company. But looking of a partial configuration of it I couldn't see anything special about the config.

Thanks,

Dino

Didn't need to worry about this at the end. Also, I think I could use the alias command to work around this.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: