559 Views, 5 Helpful, 7 Replies

static routes - PIX outside address

alan.morris
Level 1

I have been trying to get a configuration (PIX501) allowing inside clients access to the outside and also allowing outside access to an internal SMTP mail server. From what I have tried it seems that I cannot use the outside IP address of the PIX for the static (inside,outside) command. If I do so then other client access to the outside world is denied.

So far I haven't been able to find any documentation about this. Can anyone point me in the right direction please?

Accepted Solution

l.mourits
Level 5

Hi morris,

I don't know what the other guys are talking about, but it seems to me they do not exactly understand your question, and are thus providing you with the wrong information.

As I see it you want to translate all your inside source addresses to the outside interface address. This is already configured correctly, as I saw in your config. These two commands are indeed correct:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

What is bothering you is that you want your mailserver to be reachable from the outside to the inside for SMTP. The command you tried is:

static (inside,outside) interface MyServer netmask 255.255.255.255

And this does not work.

The command you need is this:

static (inside,outside) tcp interface 25 MyServer 25 netmask 255.255.255.255

This static creates the translation from TCP port 25 (SMTP) on the outside interface address to port 25 of your inside server.

I advise you to change the line "access-list outside_access_in permit tcp any any eq smtp" into "access-list outside_access_in permit tcp any host 209.164.3.5 eq smtp"

Putting it all together, all changes you need to perform:

no static (inside,outside) interface MyServer netmask 255.255.255.255

static (inside,outside) tcp interface 25 MyServer 25 netmask 255.255.255.255

no access-list outside_access_in permit tcp any any eq smtp

access-list outside_access_in permit tcp any host 209.164.3.5 eq smtp

Finally perform a clear xlate and it will work.

Kind regards and good luck,

Leo


7 Replies

jmia
Level 7

Hi Alan,

Can you post your PIX config please (remember to change passwords/real IPs etc.), and make sure to include the PIX version as well (PIX IOS). Also, the following document shows how to access a mail server on the inside: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

I think (without seeing the config) you'd need PAT running on your PIX for your situation (just a guess).

Thanks - Jay

Many thanks for your responses, config enclosed:

: Saved
: Written by enable_15 at 06:34:07.943 UTC Sat Sep 13 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd *******
hostname myFW
domain-name MyDomain
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.10.1 MyServer
name 192.168.2.254 ADSLRouter
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside MyServer
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.10.254 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location MyServer 255.255.255.255 inside
pdm location ADSLRouter 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) interface MyServer netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ADSLRouter 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server inside MyServer /
floodguard enable
no sysopt route dnat
telnet MyServer 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxxx
: end

Since you use a private IP address on the outside, I assume you're NATting in front of the PIX; you may replace the NAT/global statement simply by the "identity NAT": "NAT (inside) 0 192.168.10.0 255.255.255.0".

Regards,

Ben

j-barrett
Level 1

use the "global (outside) 1 interface" command.

Go here for more info...http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml. Near the end of this document it explains the use of this variation of the global command.


Leo,

Great - thanks, this has fixed it and has demonstrated the cause of the problem, which I think is that the static rule was (using router IOS FWFS terminology) 'overloading' all ports rather than just 25. Hence any outbound connections built through NAT for other hosts would, on reply, be incorrectly routed back through the static - yes/no?

Many thanks,

Alan

No, they won't. What the static command I gave you does is create a static port/address translation for packets destined for your outside interface address on TCP port 25, and nothing else.

However, the nat and global commands translate all traffic from the inside traveling to the outside, using your outside interface address and creating random UDP/TCP source ports for every new connection.

This way the PIX keeps track of every session and the sessions will not interfere with each other. All translations are kept within the same xlate table, and all entries within the table have to be unique.

So, no worries, you´ll be fine this way.

Thanks for letting us know it works :-)

Kind regards,

Leo
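To make Leo's two explanations concrete (the accepted answer on why the port static for TCP 25 is the right form, and the follow-up on how PAT keeps every session unique in the xlate table), here is a small Python model of the PIX translation lookup. It is an added illustration, not Cisco code, and it simplifies real PIX 6.x behaviour: the full-address form "static (inside,outside) interface MyServer" is modelled as claiming every port of the outside interface address (which reproduces the symptom Alan reported, other inside hosts losing outbound access), while the port form "static (inside,outside) tcp interface 25 MyServer 25" claims only port 25. The addresses are the ones from the posted config; the inside client 192.168.10.20 and the ACL host (the outside interface address rather than the 209.164.3.5 in Leo's line) are assumptions for the example.

```python
"""Toy model of the PIX 6.x xlate lookup for the two 'static' forms in this thread.
Added illustration only, not Cisco code; it simplifies real PIX behaviour."""
from dataclasses import dataclass, field
from typing import Optional

OUTSIDE_IF = "192.168.2.1"   # 'ip address outside' from the posted config
MY_SERVER = "192.168.10.1"   # 'name 192.168.10.1 MyServer' from the posted config


@dataclass
class Static:
    """One static (inside,outside) entry mapping the outside interface address.
    port=None models 'static (inside,outside) interface MyServer' (whole address);
    port=25   models 'static (inside,outside) tcp interface 25 MyServer 25'."""
    inside_ip: str
    port: Optional[int] = None

    def claims(self, dst_port: int) -> bool:
        return self.port is None or self.port == dst_port


@dataclass
class Pix:
    statics: list              # configured static entries
    acl: list                  # outside_access_in as (dst_host or 'any', dst_port)
    xlate: dict = field(default_factory=dict)   # (out_ip, out_port) -> (in_ip, in_port)
    next_pat_port: int = 1024  # next free source port for PAT (modelled, not real PIX)

    def outbound(self, src_ip: str, src_port: int) -> Optional[tuple]:
        """'nat (inside) 1 0 0' + 'global (outside) 1 interface': PAT on the interface.
        Returns the (outside_ip, port) the session is translated to, or None when no
        port on the interface address is free for this host (modelled effect of a
        full static that claims every port of that address)."""
        for s in self.statics:
            if s.port is None and s.inside_ip != src_ip:
                return None
        port = self.next_pat_port
        self.next_pat_port += 1
        self.xlate[(OUTSIDE_IF, port)] = (src_ip, src_port)   # unique entry per session
        return OUTSIDE_IF, port

    def acl_permits(self, dst_port: int) -> bool:
        """Does outside_access_in open this port on the outside interface address?"""
        return any(host in ("any", OUTSIDE_IF) and port == dst_port
                   for host, port in self.acl)

    def inbound(self, dst_port: int, new_connection: bool) -> Optional[tuple]:
        """Delivery target of a packet arriving for the outside interface address,
        or None if the PIX drops it."""
        key = (OUTSIDE_IF, dst_port)
        if not new_connection and key in self.xlate:
            return self.xlate[key]                 # reply to an existing PAT session
        for s in self.statics:
            if s.claims(dst_port):                 # a static translation exists...
                if new_connection and not self.acl_permits(dst_port):
                    return None                    # ...but the ACL does not open it
                return s.inside_ip, dst_port
        return None                                # no xlate and no static: dropped

    def clear_xlate(self) -> None:
        """'clear xlate': drop all dynamic entries built under the old statics."""
        self.xlate.clear()


def before_fix() -> Optional[tuple]:
    """Posted config: full-address static plus 'permit tcp any any eq smtp'."""
    pix = Pix(statics=[Static(MY_SERVER)], acl=[("any", 25)])
    return pix.outbound("192.168.10.20", 40000)    # None: other hosts cannot get out


def after_fix() -> tuple:
    """Leo's changes: port static for 25 only, ACL narrowed to the outside address."""
    pix = Pix(statics=[Static(MY_SERVER, 25)], acl=[(OUTSIDE_IF, 25)])
    pix.clear_xlate()
    out = pix.outbound("192.168.10.20", 40000)     # PAT entry on the interface address
    reply = pix.inbound(out[1], new_connection=False)   # back to the originating host
    smtp = pix.inbound(25, new_connection=True)    # new SMTP session reaches MyServer
    other = pix.inbound(80, new_connection=True)   # no static, no xlate: dropped
    return out, reply, smtp, other


if __name__ == "__main__":
    print("before fix, client outbound:", before_fix())
    print("after fix (outbound, reply, smtp, other):", after_fix())
```

The point the model makes is the one in Leo's follow-up: after the fix the only thing the static owns is interface:25, every PAT session gets its own unique (address, port) entry, and an inbound packet that matches neither is dropped, so the mail server and the outbound clients no longer compete for the same outside address.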
