https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172731#M629802 <HTML><HEAD></HEAD><BODY><P>Wolfrikk,</P><P>I 'll try that. Will let u know the result. thank.</P></BODY></HTML> Wed, 26 Feb 2003 01:33:36 GMT chuachenhui 2003-02-26T01:33:36Z https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172726#M629797 <P>I have a Pix with 2 VPN connection plus 1 remote client connection.</P><P>Meanwhile, I would like to allow my vendor to access one of my file server (internal IP 192.168.0.2). I tried to do a static bind with 202.174.143.45. And modify access-list accordingly. But still my vendor can't access the file server neither the server can go out to internet. What could be wrong?</P><P></P><P>PIX Version 6.2(2)</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password KX/2yDvEiODIteF/ encrypted</P><P>passwd ggXVcePzJwQfhvVL encrypted</P><P>hostname Mitsui</P><P>domain-name Mitsuisoko.com</P><P>clock timezone MYT 8</P><P>fixup protocol ftp 21</P><P>fixup protocol http 80</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol ils 389</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol sip 5060</P><P>fixup protocol skinny 2000</P><P>names</P><P>object-group service Internet_access tcp</P><P> port-object eq ftp</P><P> port-object eq pop3</P><P> port-object eq ftp-data</P><P> port-object eq https</P><P> port-object eq www</P><P> port-object eq smtp</P><P> port-object eq uucp</P><P> port-object eq pcanywhere-data</P><P> port-object range 1433 1433</P><P> port-object range 9000 9002</P><P>object-group network VPN_users</P><P> description This group included all the addresses of remote VPN site as well a</P><P>s VPN dial-up clients. 192.168.1.0 (Pasir Gudang), 192.168.2.0 (Melaka), 192.168</P><P>.3.0 (Dial-up VPN clients)</P><P> network-object 192.168.1.0 255.255.255.0</P><P> network-object 192.168.2.0 255.255.255.0</P><P> network-object 192.168.3.0 255.255.255.0</P><P>object-group network Servers</P><P> network-object 192.168.0.1 255.255.255.255</P><P> network-object 192.168.0.100 255.255.255.255</P><P> network-object 192.168.0.33 255.255.255.255</P><P>access-list inside_access_in permit ip host 192.168.0.2 any</P><P>access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq domain</P><P></P><P>access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq domain</P><P></P><P>access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any object-group Internet_access</P><P>access-list inside_access_in permit icmp any any</P><P>access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0</P><P>access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0</P><P>access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0</P><P>access-list outside_access_in permit ip any host 202.174.143.45</P><P>access-list outside_access_in permit icmp any any</P><P>access-list split permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0</P><P></P><P>pager lines 24</P><P>logging on</P><P>logging timestamp</P><P>logging monitor errors</P><P>logging trap debugging</P><P>logging host inside 192.168.0.2</P><P>interface ethernet0 auto</P><P>interface ethernet1 auto</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>ip address outside 202.174.143.42 255.255.255.248</P><P>ip address inside 192.168.0.25 255.255.255.0</P><P>ip verify reverse-path interface outside</P><P>ip audit name Custom_attack attack action alarm drop reset</P><P>ip audit name Custom_infor info action alarm</P><P>ip audit info action alarm</P><P>ip audit attack action alarm drop reset</P><P>ip local pool msoko_client 192.168.3.1-192.168.3.254</P><P>pdm location 192.168.0.2 255.255.255.255 inside</P><P>pdm location 202.187.49.106 255.255.255.255 outside</P><P>pdm location 192.168.0.100 255.255.255.255 inside</P><P>pdm location 192.168.0.249 255.255.255.255 inside</P><P>pdm location 192.168.0.248 255.255.255.248 outside</P><P>pdm location 192.168.2.0 255.255.255.0 outside</P><P>pdm location 192.168.1.0 255.255.255.0 outside</P><P>pdm location 192.168.0.1 255.255.255.255 inside</P><P>pdm location 202.9.101.56 255.255.255.255 outside</P><P>pdm location 192.168.0.33 255.255.255.255 inside</P><P>pdm location 219.93.68.178 255.255.255.255 outside</P><P>pdm location 219.93.68.130 255.255.255.255 outside</P><P>pdm location 192.168.3.1 255.255.255.255 outside</P><P>pdm location 192.168.3.1 255.255.255.255 inside</P><P>pdm location 192.168.0.0 255.255.255.248 inside</P><P>pdm location 202.174.143.44 255.255.255.255 outside</P><P>pdm location 202.174.143.45 255.255.255.255 outside</P><P>pdm group VPN_users outside</P><P>pdm group Servers inside</P><P>pdm logging informational 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 10 interface</P><P>nat (inside) 0 access-list inside_outbound_nat0_acl</P><P>nat (inside) 10 192.168.0.0 255.255.255.0 0 0</P><P>static (outside,inside) 192.168.0.2 202.174.143.45 netmask 255.255.255.255 0 0</P><P>static (inside,outside) 202.174.143.45 192.168.0.2 netmask 255.255.255.255 0 0</P><P>access-group outside_access_in in interface outside</P><P>access-group inside_access_in in interface inside</P><P>route outside 0.0.0.0 0.0.0.0 202.174.143.41 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si</P><P>p 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 202.187.49.106 255.255.255.255 outside</P><P>http 192.168.0.2 255.255.255.255 inside</P><P>http 192.168.0.100 255.255.255.255 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>sysopt noproxyarp outside</P><P>sysopt noproxyarp inside</P><P>no sysopt route dnat</P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto dynamic-map dymanic 10 set transform-set ESP-DES-MD5</P><P>crypto map outside_map 40 ipsec-isakmp</P><P>crypto map outside_map 40 match address outside_cryptomap_40</P><P>crypto map outside_map 40 set peer 219.93.68.178</P><P>crypto map outside_map 40 set transform-set ESP-DES-MD5</P><P>crypto map outside_map 40 set security-association lifetime seconds 3600 kilobytes 4608000</P><P>crypto map outside_map 60 ipsec-isakmp</P><P>crypto map outside_map 60 match address outside_cryptomap_60</P><P>crypto map outside_map 60 set peer 219.93.68.130</P><P>crypto map outside_map 60 set transform-set ESP-DES-MD5</P><P>crypto map outside_map 60 set security-association lifetime seconds 3600 kilobytes 4608000</P><P>crypto map outside_map 80 ipsec-isakmp dynamic dymanic</P><P>crypto map outside_map client configuration address initiate</P><P>crypto map outside_map client configuration address respond</P><P>crypto map outside_map interface outside</P><P>isakmp enable outside</P><P>isakmp key ******** address 219.93.68.178 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp key ******** address 219.93.68.130 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp key ******** address 0.0.0.0 netmask 0.0.0.0</P><P>isakmp identity address</P><P>isakmp client configuration address-pool local msoko_client outside</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption des</P><P>isakmp policy 20 hash md5</P><P>isakmp policy 20 group 2</P><P>isakmp policy 20 lifetime 600</P><P>isakmp policy 30 authentication pre-share</P><P>isakmp policy 30 encryption des</P><P>isakmp policy 30 hash md5</P><P>isakmp policy 30 group 1</P><P>isakmp policy 30 lifetime 600</P><P>vpngroup msoko address-pool msoko_client</P><P>vpngroup msoko wins-server 192.168.1.1 192.168.1.2</P><P>vpngroup msoko default-domain mitsuisoko</P><P>vpngroup msoko idle-time 1800</P><P>vpngroup msoko password ********</P><P>telnet 192.168.0.2 255.255.255.255 inside</P><P>telnet 192.168.0.100 255.255.255.255 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>terminal width 80</P><P></P> Fri, 21 Feb 2020 06:33:53 GMT https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172726#M629797 chuachenhui 2020-02-21T06:33:53Z https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172727#M629798 <HTML><HEAD></HEAD><BODY><P>I am not sure, but just checkout by increasing the telnet timeout from 5 seconds to 10 or 15.</P><P></P></BODY></HTML> Mon, 24 Feb 2003 19:26:30 GMT https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172727#M629798 beth-martin 2003-02-24T19:26:30Z https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172728#M629799 <HTML><HEAD></HEAD><BODY><P>You do not need to create a static mapping for both directions. I would remove the "static (outside,inside) 192.168.0.2 202.174.143.45 netmask 255.255.255.255 0 0" line and keep the other static mapping. They are both doing the same thing and may be confusing things. The ACL's look okay.</P></BODY></HTML> Mon, 24 Feb 2003 19:31:28 GMT https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172728#M629799 wolfrikk 2003-02-24T19:31:28Z https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172729#M629800 <HTML><HEAD></HEAD><BODY><P>Thank for your advice. Now think getting more weird. Even with the following config I still suffering the same issue. Wondering anything to do after I establish the site-to-site VPN or VPN client. What do you think? </P><P></P><P>I did a show xlate and the static map is there. However, the server that hold static map can't even surf the net! <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P><P></P><P>PIX Version 6.2(2)</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password KX/2yDvEiODIteF/ encrypted</P><P>passwd ggXVcePzJwQfhvVL encrypted</P><P>hostname Mitsui</P><P>domain-name Mitsuisoko.com</P><P>clock timezone MYT 8</P><P>fixup protocol ftp 21</P><P>fixup protocol http 80</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol ils 389</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol sip 5060</P><P>fixup protocol skinny 2000</P><P>names</P><P>object-group service Internet_access tcp</P><P> port-object eq ftp</P><P> port-object eq pop3</P><P> port-object eq ftp-data</P><P> port-object eq https</P><P> port-object eq www</P><P> port-object eq smtp</P><P> port-object eq uucp</P><P> port-object eq pcanywhere-data</P><P> port-object range 1433 1433</P><P> port-object range 9000 9002</P><P>object-group network VPN_users</P><P> description This group included all the addresses of remote VPN site as well a</P><P>s VPN dial-up clients. 192.168.1.0 (Pasir Gudang), 192.168.2.0 (Melaka), 192.168</P><P>.3.0 (Dial-up VPN clients)</P><P> network-object 192.168.1.0 255.255.255.0</P><P> network-object 192.168.2.0 255.255.255.0</P><P> network-object 192.168.3.0 255.255.255.0</P><P>object-group network Servers</P><P> network-object 192.168.0.1 255.255.255.255</P><P> network-object 192.168.0.100 255.255.255.255</P><P> network-object 192.168.0.33 255.255.255.255</P><P>access-list inside_access_in permit ip host 192.168.0.2 any</P><P>access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq domain</P><P></P><P>access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq domain</P><P></P><P>access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any object-group Internet_access</P><P>access-list inside_access_in permit icmp any any</P><P>access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0</P><P>access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0</P><P>access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0</P><P>access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0</P><P>access-list outside_access_in permit ip any host 202.174.143.45</P><P>access-list outside_access_in permit icmp any any</P><P>access-list split permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0</P><P></P><P>pager lines 24</P><P>logging on</P><P>logging timestamp</P><P>logging monitor errors</P><P>logging trap debugging</P><P>logging host inside 192.168.0.2</P><P>interface ethernet0 auto</P><P>interface ethernet1 auto</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>ip address outside 202.174.143.42 255.255.255.248</P><P>ip address inside 192.168.0.25 255.255.255.0</P><P>ip verify reverse-path interface outside</P><P>ip audit name Custom_attack attack action alarm drop reset</P><P>ip audit name Custom_infor info action alarm</P><P>ip audit info action alarm</P><P>ip audit attack action alarm drop reset</P><P>ip local pool msoko_client 192.168.3.1-192.168.3.254</P><P>pdm location 192.168.0.2 255.255.255.255 inside</P><P>pdm location 202.187.49.106 255.255.255.255 outside</P><P>pdm location 192.168.0.100 255.255.255.255 inside</P><P>pdm location 192.168.0.249 255.255.255.255 inside</P><P>pdm location 192.168.0.248 255.255.255.248 outside</P><P>pdm location 192.168.2.0 255.255.255.0 outside</P><P>pdm location 192.168.1.0 255.255.255.0 outside</P><P>pdm location 192.168.0.1 255.255.255.255 inside</P><P>pdm location 202.9.101.56 255.255.255.255 outside</P><P>pdm location 192.168.0.33 255.255.255.255 inside</P><P>pdm location 219.93.68.178 255.255.255.255 outside</P><P>pdm location 219.93.68.130 255.255.255.255 outside</P><P>pdm location 192.168.3.1 255.255.255.255 outside</P><P>pdm location 192.168.3.1 255.255.255.255 inside</P><P>pdm location 192.168.0.0 255.255.255.248 inside</P><P>pdm location 202.174.143.44 255.255.255.255 outside</P><P>pdm location 202.174.143.45 255.255.255.255 outside</P><P>pdm group VPN_users outside</P><P>pdm group Servers inside</P><P>pdm logging informational 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 10 interface</P><P>nat (inside) 0 access-list inside_outbound_nat0_acl</P><P>nat (inside) 10 192.168.0.0 255.255.255.0 0 0</P><P>static (inside,outside) 202.174.143.45 192.168.0.2 netmask 255.255.255.255 0 0</P><P>access-group outside_access_in in interface outside</P><P>access-group inside_access_in in interface inside</P><P>route outside 0.0.0.0 0.0.0.0 202.174.143.41 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si</P><P>p 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 202.187.49.106 255.255.255.255 outside</P><P>http 192.168.0.2 255.255.255.255 inside</P><P>http 192.168.0.100 255.255.255.255 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>sysopt noproxyarp outside</P><P>sysopt noproxyarp inside</P><P>no sysopt route dnat</P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto dynamic-map dymanic 10 set transform-set ESP-DES-MD5</P><P>crypto map outside_map 40 ipsec-isakmp</P><P>crypto map outside_map 40 match address outside_cryptomap_40</P><P>crypto map outside_map 40 set peer 219.93.68.178</P><P>crypto map outside_map 40 set transform-set ESP-DES-MD5</P><P>crypto map outside_map 40 set security-association lifetime seconds 3600 kilobytes 4608000</P><P>crypto map outside_map 60 ipsec-isakmp</P><P>crypto map outside_map 60 match address outside_cryptomap_60</P><P>crypto map outside_map 60 set peer 219.93.68.130</P><P>crypto map outside_map 60 set transform-set ESP-DES-MD5</P><P>crypto map outside_map 60 set security-association lifetime seconds 3600 kilobytes 4608000</P><P>crypto map outside_map 80 ipsec-isakmp dynamic dymanic</P><P>crypto map outside_map client configuration address initiate</P><P>crypto map outside_map client configuration address respond</P><P>crypto map outside_map interface outside</P><P>isakmp enable outside</P><P>isakmp key ******** address 219.93.68.178 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp key ******** address 219.93.68.130 netmask 255.255.255.255 no-xauth no-config-mode</P><P>isakmp key ******** address 0.0.0.0 netmask 0.0.0.0</P><P>isakmp identity address</P><P>isakmp client configuration address-pool local msoko_client outside</P><P>isakmp policy 20 authentication pre-share</P><P>isakmp policy 20 encryption des</P><P>isakmp policy 20 hash md5</P><P>isakmp policy 20 group 2</P><P>isakmp policy 20 lifetime 600</P><P>isakmp policy 30 authentication pre-share</P><P>isakmp policy 30 encryption des</P><P>isakmp policy 30 hash md5</P><P>isakmp policy 30 group 1</P><P>isakmp policy 30 lifetime 600</P><P>vpngroup msoko address-pool msoko_client</P><P>vpngroup msoko wins-server 192.168.1.1 192.168.1.2</P><P>vpngroup msoko default-domain mitsuisoko</P><P>vpngroup msoko idle-time 1800</P><P>vpngroup msoko password ********</P><P>telnet 192.168.0.2 255.255.255.255 inside</P><P>telnet 192.168.0.100 255.255.255.255 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>terminal width 80</P><P></P></BODY></HTML> Tue, 25 Feb 2003 01:43:38 GMT https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172729#M629800 chuachenhui 2003-02-25T01:43:38Z https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172730#M629801 <HTML><HEAD></HEAD><BODY><P>I have run into this a few times with PIX Static mappings. What I have ended up doing in the past is reboot the PIX and the ISP router at the same time. I think it has something to do with the MAC Address mappings on the ISP router. Rebooting the PIX may not be necessary, but I figure it won't hurt while the ISP router is reloading. If you have a DMZ, you may just want to enter clear xlate as the ISP router reloads.</P></BODY></HTML> Tue, 25 Feb 2003 12:07:23 GMT https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172730#M629801 wolfrikk 2003-02-25T12:07:23Z https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172731#M629802 <HTML><HEAD></HEAD><BODY><P>Wolfrikk,</P><P>I 'll try that. Will let u know the result. thank.</P></BODY></HTML> Wed, 26 Feb 2003 01:33:36 GMT https://community.cisco.com/t5/network-security/unable-to-access-server-behind-pix-from-internet/m-p/172731#M629802 chuachenhui 2003-02-26T01:33:36Z