topic So the clients are meant to in Network Security

Cisco PIX is giving me Hell Please Help

avnishvyas1976 — Tue, 12 Mar 2019 05:45:12 GMT

Hello People

When I accepted a new assignment I had no Idea these guys still housed a CISCO PIX 6.3(5) which I havent played with for years
All im trying to do is mimic existing configuration albeit changing IP address

The request is simple but Im not having any joy from the end client who cant connect.

Create a NAT between 172.16.48.X and 194.78.166.82 in the Belgium PIX.
Open the ports 80 and 443.
The connections will be accepted ONLY from the following IPs:
- aa.bb.cc.195 (client X)
- aa.bb.cc.184 (client Y)

Have only the Client X and Y connect to the IP 172.16.48.X which is Natted to 194.78.166.82

I created the NAT as per below

static (inside,outside) 194.78.166.82 172.16.48.50 netmask 255.255.255.255 0 0

and permitted ACLS for Client X and Y

access-list Outside_access_in permit tcp host aa.bb.cc.195 host 172.16.48.50 eq www
access-list Outside_access_in permit tcp host aa.bb.cc.195 host 172.16.48.50 eq https
access-list Outside_access_in permit tcp host aa.bb.cc.184 host 172.16.48.50 eq www
access-list Outside_access_in permit tcp host aa.bb.cc.184 host 172.16.48.50 eq https

I have a default route on the PIX for
outside 0.0.0.0 0.0.0.0 81.246.53.xx 1 OTHER static

I have simply copied existing configurations but im getting no joy from the remote client. Do i need anything else to configure? PLEASE HELP ME

So the clients are meant to

Jon Marshall — Thu, 09 Apr 2015 11:50:40 GMT

Have only the Client X and Y connect to the IP 172.16.48.X which is Natted to 194.78.166.82

Do you mean the above or do you mean the clients are meant to connect to 194.78.166.82 and then that is translated to 172.16.48.50 ?

I ask because your static is from inside to outside and your acl is applied to the outside interface so I assume you mean the clients connect from outside and you translate the IP to 172.16.48.x which is on the inside ?

If so your acl is wrong.

You need to use the public IP in the acl not the private IP of the server.

If I have misunderstood please clarify.

Jon

Hi Jon Marshall Thanks for

avnishvyas1976 — Thu, 09 Apr 2015 13:00:49 GMT

Hi Jon Marshall

Thanks for your input and yes you are correct. I had to change the ACL to use the public IP instead of the private, that has got me a few times with NAT on different platforms but really appreciate your input.

Thanks