09-18-2003 01:12 AM - edited 02-20-2020 10:59 PM
I have been trying to get a configuration (PIX501) allowing inside clients access to the outside and also allowing outside access to an internal SMTP mail server. From what I have tried it seems that I cannot use the outside IP address of the PIX for the static (inside,outside) command. If I do so then other client access to the outside world is denied.
So far I haven't been able to find any documentation about this. Can anyone point me in the right direction please?
09-19-2003 08:53 AM
Hi morris,
I don't know what the other guys are talking about, but it seems to me they do not exactly understand your question, and are thus providing you with the wrong information.
As I see it you want to translate all your inside source addresses to the outside interface address. This is correctly configured already, as I saw in your config. These two commands are indeed correct:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
What is bothering you is that you want your mailserver to be reachable from the outside to the inside for SMTP. The command you tried is:
static (inside,outside) interface MyServer netmask 255.255.255.255
And this does not work.
The command you need is this:
static (inside,outside) tcp interface 25 MyServer 25 netmask 255.255.255.255
This static creates the translation for TCP port 25 (SMTP) on the outside interface address to port 25 of your inside server.
I advise you to change the line "access-list outside_access_in permit tcp any any eq smtp" into "access-list outside_access_in permit tcp any host 209.164.3.5 eq smtp".
Putting it all together, all changes you need to perform:
no static (inside,outside) interface MyServer netmask 255.255.255.255
static (inside,outside) tcp interface 25 MyServer 25 netmask 255.255.255.255
no access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any host 209.164.3.5 eq smtp
Finally perform a clear xlate and it will work.
Kind regards and good luck,
Leo
09-18-2003 02:01 AM
Hi Alan,
Can you post your PIX config please (remember to change passwords/real IPs etc.), and make sure to include the PIX version as well (PIX IOS). Also, the following document shows accessing a mail server on the inside: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml
I think (without seeing the config) you'd need PAT running on your PIX for your situation (just a guess).
Thanks - Jay
09-19-2003 03:08 AM
Many thanks for your responses, config enclosed:
: Saved
: Written by enable_15 at 06:34:07.943 UTC Sat Sep 13 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd *******
hostname myFW
domain-name MyDomain
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.10.1 MyServer
name 192.168.2.254 ADSLRouter
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside MyServer
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.10.254 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location MyServer 255.255.255.255 inside
pdm location ADSLRouter 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface MyServer netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ADSLRouter 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server inside MyServer /
floodguard enable
no sysopt route dnat
telnet MyServer 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxxx
: end
09-19-2003 04:54 AM
Since you use a private IP address on the outside, I assume you're NATting in front of the PIX; you may replace the NAT/global statements simply by the "identity NAT": "nat (inside) 0 192.168.10.0 255.255.255.0".
Regards,
Ben
09-19-2003 02:15 AM
use the "global (outside) 1 interface" command.
Go here for more info...http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml. Near the end of this document it explains the use of this variation of the global command.
09-20-2003 06:04 AM
Leo,
Great - thanks, this has fixed it and has demonstrated the cause of the problem - which I think is that the static rule was (using router IOS firewall terminology) 'overloading' all ports rather than just 25. Hence any outbound connections built through NAT for other hosts would on reply be incorrectly routed back through the static - yes/no?
Many thanks,
Alan
09-21-2003 12:35 PM
No, they won't. What the static command I gave you does is create a static port/address translation for packets destined for your outside interface address on TCP port 25, and nothing else.
However, the nat and global commands translate all traffic from inside traveling to the outside, using your outside interface address and creating random UDP/TCP source ports for every new connection.
This way the PIX keeps track of every session and the sessions will not interfere with each other. All translations are kept within the same xlate table, and all entries within the table have to be unique.
So, no worries, you´ll be fine this way.
Thanks for letting us know it works :-)
Kind regards,
Leo
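A simplified model of the two behaviours Leo relies on (a static claims the outside address, and every xlate entry must be unique), written as an added example for this thread rather than code from the original posts or from Cisco. The interface and MyServer addresses come from the posted config; the inside client 192.168.10.20 and the sequential PAT port allocation are constructed assumptions.

```python
from typing import Optional
from dataclasses import dataclass

OUTSIDE_IF = "192.168.2.1"   # outside interface address in the posted config
MY_SERVER = "192.168.10.1"   # 'MyServer' in the posted config


@dataclass(frozen=True)
class Static:
    """static (inside,outside) [proto] interface [port] local: proto/port None = whole address."""
    local_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None


class XlateTable:
    """Toy xlate table: statics are consulted first, then dynamic PAT entries."""
    def __init__(self):
        self.statics, self.dynamic, self.next_port = [], {}, 1024

    def whole_address_static(self):
        return next((s for s in self.statics if s.proto is None), None)

    def outbound(self, proto, local_ip, local_port):
        """PAT a new outbound flow onto the interface address; None if no port can be claimed."""
        if self.whole_address_static():       # interface address fully reserved by a static
            return None
        key = (proto, OUTSIDE_IF, self.next_port)
        self.next_port += 1
        self.dynamic[key] = (local_ip, local_port)
        return key

    def inbound(self, proto, dst_port):
        """Untranslate a packet arriving for the interface address; None means dropped."""
        for s in self.statics:                 # port-specific static (tcp interface 25 ...)
            if s.proto == proto and s.port == dst_port:
                return (s.local_ip, dst_port)
        s = self.whole_address_static()        # whole-address static (interface MyServer)
        if s:
            return (s.local_ip, dst_port)
        return self.dynamic.get((proto, OUTSIDE_IF, dst_port))


def scenario(port_static):
    """Broken config (port_static=False) versus Leo's fix (port_static=True)."""
    t = XlateTable()
    t.statics.append(Static(MY_SERVER, "tcp", 25) if port_static else Static(MY_SERVER))
    pat = t.outbound("tcp", "192.168.10.20", 40000)   # constructed inside client flow
    return {"client_pat_ok": pat is not None,
            "smtp_in": t.inbound("tcp", 25),
            "http_in": t.inbound("tcp", 80),
            "pat_reply": t.inbound("tcp", pat[2]) if pat else None}
```

With the whole-address static, inbound SMTP reaches MyServer but so does every other port, and the inside client's PAT flow cannot be built; with the port static only TCP/25 is reserved and the client's reply is matched to its own xlate entry.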