08-24-2014 09:02 PM - edited 03-11-2019 09:40 PM
I have a Cisco PIX (Version 6.2) which is running in our infrastructure. I have a server with a local IP (172.39.0.3) and I want to access this server through the internet (real IP: 182.160.119.50). I just entered the command "static (inside,outside) 182.160.119.50 172.39.0.3 netmask 255.255.255.255 0 0" in the PIX but I couldn't access the server. Can you please help me with how I can access this server through the real IP from the internet on the outside network.
Regards
Palash
08-24-2014 11:32 PM
You would also need to configure access-list on the outside interface to allow the inbound traffic.
I am assuming that you have security level of 100 for the inside interface, and 0 for the outside interface, right?
08-25-2014 01:51 AM
Jouni is right, the ACL that you applied to the outside interface only allows ICMP.
It seems to me that you have a new IP address (182.160.119.50). Is this a new IP that has been assigned by your ISP to your company? That IP address is not in the same subnet as your outside subnet, so you need to ensure that the IP address belongs to your company, is not assigned to another company, and is being routed to your PIX outside interface (182.160.119.26). You can run a packet capture on the PIX outside interface and see if you get any hit count as you ping 182.160.119.50 from the Internet. If you see a hit count, that means it is being routed correctly. If you are not seeing any hit count, it means either the IP address isn't assigned to your company or it is being routed incorrectly. If you are seeing a hit count, you just have to configure the ACL to allow the access that you require inbound to that IP address on the outside interface.
Hope that helps.
08-24-2014 11:35 PM
Hi,
Are you sure your internal IP address is 172.39.0.3? That actually seems to be a public IP address, as the private IP address range is 172.16.0.0 - 172.32.255.255.
Then again I guess it does not matter as long as the internal subnet is using that same address space as the host and NAT is being performed on the firewall.
Since you have configured the Static NAT for the host, have you also configured the ACL to allow traffic to this host from the external network? You are running such old software that I am not sure whether this was configured using "conduit" or whether it was already "access-list".
Naturally you could share the configuration (edit any sensitive information away from the configuration before sharing) so we can take a look what might be the problem.
- Jouni
08-25-2014 01:05 AM
08-25-2014 01:14 AM
Hi,
I am not sure if you have changed the ACL configurations during this new configuration, but the ACL configuration seems a bit strange.
The following command tells you what ACL is attached to the "outside" interface to control inbound connections
access-group ping_acl in interface outside
If we look at the ACL, it only permits ICMP:
access-list ping_acl permit icmp any any
You also have the following ACL configuration on your PIX, but it's not in use on an interface at the moment:
access-list outside_access_in permit tcp any host gw-outside eq 3389
access-list outside_access_in permit tcp any host gw-outside eq https
access-list outside_access_in permit tcp any host gw-outside eq www
access-list outside_access_in permit tcp any host gw-outside eq pop3
access-list outside_access_in permit tcp any host gw-outside eq smtp
access-list outside_access_in permit icmp any any
The above ACL looks to me like the ACL you should be using, considering that you also have Static PAT (Port Forward) configured for those ports (Static PAT configuration below):
static (inside,outside) tcp interface www smtp-inside www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 smtp-inside pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp smtp-inside smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https smtp-inside https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 smtp-inside 3389 netmask 255.255.255.255 0 0
So if you want the above ACL to be used on your external interface, then you need to issue this command:
access-group outside_access_in in interface outside
You will also need to add a rule for the new public static IP address you used in the Static NAT configuration.
To allow traffic to the new internal host, you would have to add something like this. Notice that I only gave an example. You simply need to add statements for the ports/protocols that need to be allowed through the firewall to this internal host. I don't think you mentioned them in the original post, so I don't know exactly what needs to be allowed.
access-list outside_access_in permit tcp any host 182.160.119.50 eq <port number>
access-list outside_access_in permit udp any host 182.160.119.50 eq <port number>
Hope this helps :)
- Jouni
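The diagnosis in the thread (a static NAT exists, but the ACL actually bound inbound on "outside" is ping_acl, which only permits ICMP) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the PIX 6.x "static", "access-list" and "access-group" lines quoted above and reports, for each static NAT global address, which non-ICMP permit entries in the bound ACL could reach it. The sample config is constructed from the thread's lines; port 443 in the fix is a hypothetical placeholder, since the thread never names the port, and static PAT ("static ... tcp interface ...") lines are deliberately skipped.

```python
# Constructed sample based on the lines quoted in the thread: the new static NAT,
# the two ACLs, and the access-group that currently binds only ping_acl.
THREAD_CONFIG = """
static (inside,outside) 182.160.119.50 172.39.0.3 netmask 255.255.255.255 0 0
access-list ping_acl permit icmp any any
access-list outside_access_in permit tcp any host gw-outside eq 3389
access-list outside_access_in permit tcp any host gw-outside eq https
access-list outside_access_in permit icmp any any
access-group ping_acl in interface outside
"""

# Jouni's proposed fix, with a hypothetical port (443) since the thread never names one.
# A later access-group for the same interface is treated as replacing the earlier binding.
FIX_LINES = """
access-group outside_access_in in interface outside
access-list outside_access_in permit tcp any host 182.160.119.50 eq 443
"""

def _addr(tokens, i):
    """Consume one PIX address spec ('any', 'host X', or 'X MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2

def parse_pix(config):
    """Return (static NAT (iface, global_ip) pairs, ACL entries by name, inbound ACL per interface)."""
    statics, acls, bound = [], {}, {}
    for line in config.split("\n"):
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and t[2] not in ("tcp", "udp"):  # plain static NAT only, not static PAT
            statics.append((t[1].strip("()").split(",")[1], t[2]))
        elif t[0] == "access-list":  # access-list NAME ACTION PROTO SRC DST [eq PORT]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append({"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group" and t[2] == "in":  # access-group NAME in interface IFACE
            bound[t[4]] = t[1]
    return statics, acls, bound

def audit_inbound(config, interface="outside"):
    """For each static NAT global IP on `interface`, list the (proto, port) permit entries in the
    ACL actually bound inbound there that could reach it; an empty list means no non-ICMP access."""
    statics, acls, bound = parse_pix(config)
    acl_name = bound.get(interface)
    report = {}
    for iface, global_ip in statics:
        if iface != interface:
            continue
        report[global_ip] = [(e["proto"], e["port"]) for e in acls.get(acl_name, [])
                             if e["action"] == "permit" and e["dst"] in ("any", global_ip) and e["proto"] != "icmp"]
    return acl_name, report
```

Running `audit_inbound(THREAD_CONFIG)` shows ping_acl bound with no usable entries for 182.160.119.50, while `audit_inbound(THREAD_CONFIG + FIX_LINES)` shows outside_access_in bound with the tcp/443 permit reaching the host.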