Cisco PIX is giving me Hell Please Help

avnishvyas1976
Level 1

Hello People

When I accepted a new assignment I had no idea these guys still housed a Cisco PIX 6.3(5), which I haven't played with for years.
All I'm trying to do is mimic the existing configuration, albeit changing the IP address.

The request is simple, but I'm not having any joy from the end client, who can't connect.

Create a NAT between 172.16.48.X and 194.78.166.82 in the Belgium PIX.
Open the ports 80 and 443.
The connections will be accepted ONLY from the following IPs:
- aa.bb.cc.195 (client X)
- aa.bb.cc.184 (client Y)

Have only Client X and Y connect to the IP 172.16.48.X, which is NATted to 194.78.166.82.

I created the NAT as per below

static (inside,outside) 194.78.166.82 172.16.48.50 netmask 255.255.255.255 0 0

and permitted ACLS for Client X and Y

access-list Outside_access_in permit tcp host aa.bb.cc.195 host 172.16.48.50 eq www
access-list Outside_access_in permit tcp host aa.bb.cc.195 host 172.16.48.50 eq https
access-list Outside_access_in permit tcp host aa.bb.cc.184 host 172.16.48.50 eq www
access-list Outside_access_in permit tcp host aa.bb.cc.184 host 172.16.48.50 eq https

I have a default route on the PIX for
outside 0.0.0.0 0.0.0.0 81.246.53.xx 1 OTHER static

I have simply copied existing configurations, but I'm getting no joy from the remote client. Do I need anything else to configure? PLEASE HELP ME

Accepted Solution

Jon Marshall
Hall of Fame

"Have only the Client X and Y connect to the IP 172.16.48.X which is Natted to 194.78.166.82"

Do you mean the above, or do you mean the clients are meant to connect to 194.78.166.82 and then that is translated to 172.16.48.50?

I ask because your static is from inside to outside and your ACL is applied to the outside interface, so I assume you mean the clients connect from outside and you translate the IP to 172.16.48.x, which is on the inside?

If so, your ACL is wrong.

You need to use the public IP in the ACL, not the private IP of the server.

If I have misunderstood please clarify.

Jon

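As an added example (not from the thread or from Cisco), a small Python check that applies Jon's rule to a PIX 6.x style config: an ACL applied inbound on the outside interface must name the global address from the static, not the server's inside address. The config fragment is constructed from the lines in the thread, and the access-group line is an assumption (the thread only says the ACL is applied to the outside interface).

```python
import re

# Constructed PIX 6.3-style fragment modelled on the thread. The https line is
# already correct; the www line still names the inside address.
PIX_CONFIG = """
static (inside,outside) 194.78.166.82 172.16.48.50 netmask 255.255.255.255 0 0
access-list Outside_access_in permit tcp host aa.bb.cc.195 host 172.16.48.50 eq www
access-list Outside_access_in permit tcp host aa.bb.cc.195 host 194.78.166.82 eq https
access-group Outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACE_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (\S+) host (\S+) host (\S+)(?: eq (\S+))?$"
)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def find_pre_83_acl_mistakes(config: str):
    """Return (wrong_line, corrected_line) pairs for ACEs applied inbound on an
    interface that name the real (local) address of a static instead of the
    global address that interface sees. This is the PIX 6.x / ASA pre-8.3
    behaviour; ASA 8.3 and later reversed it and ACLs use the real address."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # global interface -> {local_ip: global_ip}, taken from every static line
    statics = {}
    for ln in lines:
        m = STATIC_RE.match(ln)
        if m:
            _local_if, global_if, global_ip, local_ip = m.groups()
            statics.setdefault(global_if, {})[local_ip] = global_ip

    # ACL name -> interface it is bound to inbound
    bound = {m.group(1): m.group(2) for m in map(GROUP_RE.match, lines) if m}

    findings = []
    for ln in lines:
        m = ACE_RE.match(ln)
        if not m:
            continue
        acl_name, _action, _proto, _src, dst, _port = m.groups()
        global_ip = statics.get(bound.get(acl_name), {}).get(dst)
        if global_ip:  # destination is a local IP the outside never sees
            findings.append((ln, ln.replace(f"host {dst}", f"host {global_ip}")))
    return findings


if __name__ == "__main__":
    for wrong, fixed in find_pre_83_acl_mistakes(PIX_CONFIG):
        print(f"- {wrong}\n+ {fixed}")
```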

2 Replies

Hi Jon Marshall

Thanks for your input, and yes, you are correct. I had to change the ACL to use the public IP instead of the private one; that has got me a few times with NAT on different platforms, but I really appreciate your input.

Thanks

AV
