topic Re: Allowing inside clients access to a static NAT translation d in Network Security

Allowing inside clients access to a static NAT translation device via the public IP

rm760 — Mon, 11 Mar 2019 17:28:31 GMT

Hello

I have a cable ISP connection with a dynamically provided public ip address. From outside the devices are reachable but from inside i cannot reach the external ip. I have an PIX 501 running 6.3.5 and PDM 3.0(4). How can i configure the PIX to let internal clients reach the external ip address and associated ports from inside? Also I am doing all of this via CLI because I can not get PDM to load past the second browser screen it opens detailing versions of OS, IE, Jave, etc. I can SSH or telnet via the inside IP network. Below is my current configuration THANKS IN ADVANCE.

: Saved

: Written by enable_15 at 11:09:45.577 pst Thu Apr 1 2010

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ???????????? encrypted

passwd ???????????? encrypted

hostname ZZZZ-CA-FW

domain-name XXXXX.com

clock timezone pst -8

clock summer-time PDT recurring

fixup protocol dns

no fixup protocol ftp 21

no fixup protocol h323 h225 1720

no fixup protocol h323 ras 1718-1719

no fixup protocol http 80

no fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

no fixup protocol sqlnet 1521

no fixup protocol tftp 69

names

object-group service allowed_ports tcp

port-object range 7770 7782

access-list out2in permit icmp any any echo-reply

access-list out2in permit icmp any any time-exceeded

access-list out2in permit tcp any any object-group allowed_ports

pager lines 24

logging on

logging timestamp

logging console warnings

logging monitor warnings

logging buffered warnings

logging history warnings

logging facility 18

icmp deny any echo outside

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.128.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.128.1 255.255.255.255 inside

pdm logging warnings 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.128.0 255.255.255.0 0 0

static (inside,outside) tcp interface 7781 192.168.128.21 7781 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7782 192.168.128.22 7782 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7779 192.168.128.19 7779 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7778 192.168.128.18 7778 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7776 192.168.128.16 7776 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7775 192.168.128.15 7775 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7774 192.168.128.14 7774 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7773 192.168.128.13 7773 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7772 192.168.128.12 7772 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7770 192.168.128.10 7770 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 7780 192.168.128.20 7780 netmask 255.255.255.255 0 0

access-group out2in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

ntp server 209.81.9.7 source outside

ntp server 204.152.184.72 source outside

http server enable

http 192.168.128.0 255.255.255.0 inside

snmp-server location garage

snmp-server contact hounds

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.128.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.128.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

dhcpd address 192.168.128.100-192.168.128.150 inside

dhcpd dns 208.67.222.222

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

username admin password ??????????? encrypted privilege 15

terminal width 80

banner exec UNAUTHORIZED ACCESS WILL BE PROSECUTED

banner login UNAUTHORIZED ACCESS WILL BE PROSECUTED

banner motd UNAUTHORIZED ACCESS WILL BE PROSECUTED

: end

Re: Allowing inside clients access to a static NAT translation d

Kureli Sankar — Fri, 02 Apr 2010 01:02:59 GMT

How can I configure the PIX to let internal clients reach the external ip address and associated ports from inside?

I am not sure if I understand the above question.

The config looks correct.

enable buffered logging and see what the log says

conf t

loggging buffered 7

sh logg | i x.x.x.x

where x.x.x.x is the IP address of the client where you are testing the flow.

-KS

Re: Allowing inside clients access to a static NAT translation d

rm760 — Fri, 02 Apr 2010 01:58:20 GMT

Here is the log @ level 7

IP address 76.166.107.141 is my current dynamic IP address provided by my ISP. Below is the output of sh log. Please enlighten me as to what I am missing. Also any help getting PDM to work would be appreciated as well.

Syslog logging: enabled

Facility: 18

Timestamp logging: enabled

Standby logging: disabled

Console logging: level warnings, 344 messages logged

Monitor logging: level warnings, 0 messages logged

Buffer logging: level debugging, 459 messages logged

Trap logging: disabled

History logging: level warnings, 344 messages logged

Device ID: disabled

168.128.113/49653 (76.166.107.141/6276)

302016: Teardown UDP connection 22071 for outside:208.67.222.222/53 to inside:192.168.128.113/49653 duration 0:00:01 bytes 112

305011: Built dynamic TCP translation from inside:192.168.128.113/3120 to outside:76.166.107.141/16661

302013: Built outbound TCP connection 22072 for outside:76.166.107.141/7781 (76.166.107.141/7781) to inside:192.168.128.113/3120 (76.166.107.141/16661)

710005: UDP request discarded from 192.168.128.25/2190 to inside:192.168.128.255/2190

111009: User 'enable_15' executed cmd: show logging

710005: UDP request discarded from 192.168.128.113/138 to inside:192.168.128.255/netbios-dgm

710005: UDP request discarded from 192.168.128.113/137 to inside:192.168.128.255/netbios-ns

305012: Teardown dynamic UDP translation from inside:192.168.128.14/2588 to outside:76.166.107.141/6275 duration 0:00:31

305012: Teardown dynamic TCP translation from inside:192.168.128.14/2587 to outside:76.166.107.141/16660 duration 0:00:31

710005: UDP request discarded from 192.168.128.113/137 to inside:192.168.128.255/netbios-ns

302016: Teardown UDP connection 22049 for outside:208.54.4.1/500 to inside:192.168.128.112/500 duration 0:02:01 bytes 1457

305011: Built dynamic UDP translation from inside:192.168.128.113/63651 to outside:76.166.107.14 1/6277

302015: Built outbound UDP connection 22073 for outside:208.67.222.222/53 (208.67.222.222/53) to inside:192.168.128.113/63651 (76.166.107.141/6277)

302016: Teardown UDP connection 22073 for outside:208.67.222.222/53 to inside:192.168.128.113/63651 duration 0:00:01 bytes 96

305011: Built dynamic TCP translation from inside:192.168.128.113/3121 to outside:76.166.107.141/16662

302013: Built outbound TCP connection 22074 for outside:83.167.233.50/80 (83.167.233.50/80) to inside:192.168.128.113/3121 (76.166.107.141/16662)

305011: Built dynamic TCP translation from inside:192.168.128.113/3122 to outside:76.166.107.141/16663

302013: Built outbound TCP connection 22075 for outside:83.167.233.50/80 (83.167.233.50/80) to inside:192.168.128.113/3122 (76.166.107.141/16663)

305011: Built dynamic TCP translation from inside:192.168.128.113/3123 to outside:76.166.107.141/16664

302013: Built outbound TCP connection 22076 for outside:83.167.233.50/80 (83.167.233.50/80) to inside:192.168.128.113/3123 (76.166.107.141/16664)

305011: Built dynamic TCP translation from inside:192.168.128.113/3124 to outside:76.166.107.141/16665

302013: Built outbound TCP connection 22077 for outside:83.167.233.50/80 (83.167.233.50/80) to inside:192.168.128.113/3124 (76.166.107.141/16665)

305011: Built dynamic TCP translation from inside:192.168.128.113/3125 to outside:76.166.107.141/16666

302013: Built outbound TCP connection 22078 for outside:83.167.233.50/80 (83.167.233.50/80) to inside:192.168.128.113/3125 (76.166.107.141/16666)

305011: Built dynamic TCP translation from inside:192.168.128.113/3126 to outside:76.166.107.141/16667

302013: Built outbound TCP connection 22079 for outside:83.167.233.50/80 (83.167.233.50/80) to inside:192.168.128.113/3126 (76.166.107.141/16667)

302014: Teardown TCP connection 22074 for outside:83.167.233.50/80 to inside:192.168.128.113/3121 duration 0:00:01 bytes 19263 TCP FINs

305012: Teardown dynamic UDP translation from inside:192.168.128.112/500 to outside:76.166.107.141/29 duration 0:02:06

302014: Teardown TCP connection 22075 for outside:83.167.233.50/80 to inside:192.168.128.113/3122 duration 0:00:01 bytes 1759 TCP FINs

302014: Teardown TCP connection 22078 for outside:83.167.233.50/80 to inside:192.168.128.113/3125 duration 0:00:01 bytes 2271 TCP FINs

302014: Teardown TCP connection 22077 for outside:83.167.233.50/80 to inside:192.168.128.113/3124 duration 0:00:01 bytes 1982 TCP FINs

302014: Teardown TCP connection 22076 for outside:83.167.233.50/80 to inside:192.168.128.113/3123 duration 0:00:01 bytes 3819 TCP FINs

302014: Teardown TCP connection 22079 for outside:83.167.233.50/80 to inside:192.168.128.113/3126 duration 0:00:01 bytes 3861 TCP FINs

Re: Allowing inside clients access to a static NAT translation d

Kureli Sankar — Fri, 02 Apr 2010 02:37:00 GMT

What is breaking or not working? Inside hosts are unable to go out to the internet? What flow did you test?

What is the source IP address? Is it this 192.168.128.113?

What is the destination address that you tried to reach on the internet? Is it this 83.167.233.50?

The inside host 128.113 was translated to 76.166.107.141 as expected correct?

-KS

Re: Allowing inside clients access to a static NAT translation d

rm760 — Fri, 02 Apr 2010 03:25:33 GMT

Inside hosts can can browse the internet no problem. The problem is when inside host 192.168.128.113 trys to access http://76.166.107.141:7781 which is actually a device on the inside network that is NAT'd to the outside.

Re: Allowing inside clients access to a static NAT translation d

Kureli Sankar — Fri, 02 Apr 2010 03:48:58 GMT

Inside hosts should access the inside hosts only using the inside IP addresses and not the translated addresses.

This is not possible.

-KS

Re: Allowing inside clients access to a static NAT translation d

rm760 — Fri, 02 Apr 2010 03:52:40 GMT

Is this not possible due to a limitation in the PIX? This used to work when I was using a linksys RV016 as my firewall / switch via port forwarding. Am I not forwarding correctly in the PIX?

Re: Allowing inside clients access to a static NAT translation d

Kureli Sankar — Fri, 02 Apr 2010 03:55:48 GMT

Correct. If you were running 7.x code or above may be we can do some destination NAT and same security intra interface and make this work but, not with the code that you are running.

Besides, the right way is to access the inside hosts by the inside IP addresses and not using the translated addresses.

-KS

Re: Allowing inside clients access to a static NAT translation d

rm760 — Fri, 02 Apr 2010 04:01:34 GMT

We have a webmaster who likes to check and confirm that the devices translated work via the outside interface. Thank you for the effort and responses

Re: Allowing inside clients access to a static NAT translation d

Rodrigo Gurriti — Fri, 02 Apr 2010 23:10:00 GMT

I had this type of problem before... I tricked the clients inside thru the DNS that pointed to the inside network and they never had to come out the outside interface to come back around. lol worked but was a pain

Re: Allowing inside clients access to a static NAT translation d

rm760 — Sat, 03 Apr 2010 03:08:45 GMT

Thank you but tried this method. Our webmaster actually uses the public IP address to check on the sites.

Re: Allowing inside clients access to a static NAT translation d

adam — Tue, 06 Apr 2010 21:16:33 GMT

To access PDM on PIX 501 you must install Java 1.3.x

I think it's available now on Sun website in archive wersions (It was NOT for a long time... and I was always keeping that old JRE 1.3 on my memory stick:-)

I'm glad that ASA can be accessed with latest Java.

Regards,

Re: Allowing inside clients access to a static NAT translation d

Collin Clark — Tue, 06 Apr 2010 21:24:17 GMT

You can do it in 6.x code with DNS Doctoring-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

In 7.x code you do it with bi-directional NAT-

http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html

Re: Allowing inside clients access to a static NAT translation d

rm760 — Tue, 06 Apr 2010 21:30:18 GMT

Collin;

Thanks for DNS doctoring thought. I thought of this as well but my webadmin tests via the public facing IP address so this is out of the question.

Re: Allowing inside clients access to a static NAT translation d

rm760 — Tue, 06 Apr 2010 21:31:40 GMT

Alan;

Thanks for the insight.