I have LAN 10.0.0.0 /24 that accesses the Internet through a PIX 501 firewall. I use PAT on the PIX outside interface which is 61.90.x.x.255.255.248. I also have an internal mailserver 10.0.0.100. I tried to create a static NAT that maps public IP 61.x.x.243 to the internal mail server (10.0.0.100) and allows inbound SMTP connections. When I created the static mapping for the server I was no longer able to access the Internet from the server; I couldn't ping, telnet or nslookup anything. I have no problems with other hosts on the LAN.
Here is a summary of my setup:
internal network: 10.0.0.0 255.255.255.0
external network: 61.x.x.x.255.255.248
PIX internal IP: 10.0.0.1
PIX external IP: 61.x.x.242
Static NAT IP 61.x.x.243
Internal server IP: 10.0.0.100
ip address outside 61.x.x.x.255.255.248
ip address inside 10.0.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 61.x.x.243 10.0.0.100 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 184.108.40.206 eq smtp
access-group acl_out in interface outside
Any help would be much appreciated.
I think this problem is with the access-list.
Add these for ping and browsing:
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
telnet 10.0.0.100 255.255.255.255 inside
---- if successful, then permit only the specific host ----
Not an ACL problem. Did you clear xlate after adding the static NAT? Also, make sure that the IP is valid and not taken by any other machine on the public side. Static NAT should take precedence over PAT.
Let me know if this works,
I don't think it's an ACL problem either.
The two public IPs are valid, I checked it connecting laptop directly to the modem. I assigned those IPs in turn to the laptop and was able to access the Internet.
I didn't clear xlate after adding the static, could you tell me some more about that? Actually it doesn't work if I load the whole config to the PIX and put it on the network.
Could it be an issue with the Internet provider? How could I possibly test to prove their fault? We have several similar configs with other clients and they work.
Well, the default timeout for a translation is 3 hours. Therefore, if you had a PAT entry in the translation table for the server and then you add the static entry, the PAT entry will still be there. Therefore, it is better to issue clear xlate, which will clear the translation table. show xlate will show you the PAT and NAT translations. Check to make sure you see the translation for the server.
I suggest using another IP such as 245 or 246 just to make sure that nobody has these IPs on the outside switch.
Other suggestion, start from scratch troubleshooting:
1- Ping the PIX from the Server
2- Traceroute from the server to the outside world
3- Make sure you don't have any ACL applied on the Internal interface.
Let me know how it goes,
Another thing to try:
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
Waiting for your feedback,
Thank you very much for the answers. I cannot try what you have advised just yet, it's a production environment. I have configured port redirection on an outside PIX interface, 220.127.116.11:25 -> 10.0.0.10:25, it works and the client is happy.
Just a bit more of theory.
Suppose I have a NAT on the interface, the server accesses the Internet, translation entry is created:
PAT Global 18.104.22.168(1378) Local 10.0.0.100(26721)
Now I add my static nat statement:
static (inside,outside) 22.214.171.124 10.0.0.100 netmask 255.255.255.255 0 0
I try to access the Internet from the server again; wouldn't the server be using interface PAT as it did before I added the static? In other words, would the server be using interface PAT or static NAT when it initiates an outbound connection to the Internet?
Thank you very much for your help.
Well, the server will be using the PAT, and if you have enabled access from outside to that particular server it won't be successful.
I wish you could try the things I told you so that we know where the problem was.
Good to know that your customer is happy,
One thing to note for you is that since you did static NAT with port redirection, the server will be using the PAT for outgoing connections. You can check that by going to www.whatismyip.com on the server and you will see the PAT IP.
Wouldn't the static entry take precedence over PAT?
I tried the static NAT/PAT config in the lab, ran a network analyzer on the PIX default gateway, and the capture showed the statically mapped IP as the source address for packets going from the inside network to the world.
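As an added illustration, not from the thread or from Cisco, here is a toy Python model of the translation-table behaviour described in the xlate answer and in the PAT-versus-static question above: an existing PAT xlate for the server keeps being reused after the static is added, until clear xlate is issued or the entry ages out after the 3-hour default timeout. Addresses are constructed TEST-NET values standing in for the thread's 61.x.x.242/243, and the timeout is modelled as age since creation rather than the PIX's idle timeout.

```python
"""Toy model of PIX xlate precedence as described in the thread:
an existing translation entry is reused until it ages out or is cleared,
so a server that already holds a PAT entry keeps using it after a static
is added.  Not the PIX implementation; a teaching model only."""
from dataclasses import dataclass

XLATE_TIMEOUT = 3 * 3600  # PIX default translation timeout: 3 hours


@dataclass
class Xlate:
    local: str
    global_ip: str
    kind: str       # "PAT" or "static"
    created: float  # seconds; the real PIX uses an idle timer


class PixNatModel:
    def __init__(self, pat_global: str):
        self.pat_global = pat_global  # "global (outside) 1 interface"
        self.statics = {}             # local -> global, from "static" lines
        self.xlates = {}              # local -> Xlate, the translation table

    def add_static(self, global_ip: str, local: str) -> None:
        self.statics[local] = global_ip

    def clear_xlate(self) -> None:
        self.xlates.clear()           # what "clear xlate" does

    def outbound_source(self, local: str, now: float) -> str:
        """Global address an outbound packet from `local` leaves with."""
        entry = self.xlates.get(local)
        if entry and now - entry.created < XLATE_TIMEOUT:
            return entry.global_ip    # existing entry wins, PAT or static
        if local in self.statics:     # static preferred over nat/global
            entry = Xlate(local, self.statics[local], "static", now)
        else:
            entry = Xlate(local, self.pat_global, "PAT", now)
        self.xlates[local] = entry
        return entry.global_ip


def scenario() -> dict:
    """Replay the thread's situation with constructed TEST-NET addresses."""
    server, seen = "10.0.0.100", {}
    pix = PixNatModel(pat_global="203.0.113.242")
    seen["before_static"] = pix.outbound_source(server, now=0)
    pix.add_static("203.0.113.243", server)       # static added while PAT entry exists
    seen["after_static_no_clear"] = pix.outbound_source(server, now=60)
    pix.clear_xlate()                              # the fix suggested in the thread
    seen["after_clear_xlate"] = pix.outbound_source(server, now=120)
    pix2 = PixNatModel(pat_global="203.0.113.242")  # alternative: just wait 3 hours
    pix2.outbound_source(server, now=0)
    pix2.add_static("203.0.113.243", server)
    seen["after_timeout"] = pix2.outbound_source(server, now=XLATE_TIMEOUT + 1)
    return seen
```

A practical check on a real PIX is the one given in the thread: show xlate after adding the static, and clear xlate if the server still shows a PAT entry.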