Access Server from Real IP

sarifulcisco
Level 1

I have a Cisco PIX (Version 6.2) which is running in our infrastructure. I have a server with a local IP (172.39.0.3) and I want to access this server through the Internet (real IP: 182.160.119.50). I just entered the command " static (inside,outside) 182.160.119.50 172.39.0.3 netmask 255.255.255.255 0 0 " in the PIX, but I could not access the server. Can you please help me with how I can access this server through its real IP from the Internet (the outside network)?

Regards

Palash

5 Replies

Jennifer Halim
Cisco Employee

You would also need to configure access-list on the outside interface to allow the inbound traffic.

I am assuming that you have security level of 100 for the inside interface, and 0 for the outside interface, right?

Jouni is right, the ACL that you applied to the outside interface only allows ICMP.

It seems to me that you have a new IP address (182.160.119.50). Is this a new IP that has been assigned by your ISP to your company? That IP address is not in the same subnet as your outside subnet, so you need to ensure that the IP address belongs to your company and not to another company, and that it is being routed to your PIX outside interface (182.160.119.26). You can run a packet capture on the PIX outside interface and see if you are seeing any hit count as you ping 182.160.119.50 from the Internet. If you see a hit count, that means it is being routed correctly. If you are not seeing any hit count, it means either the IP address isn't assigned to your company or it is being routed incorrectly. If you are seeing a hit count, you just have to configure the ACL to allow the access that you require inbound to that IP address on the outside interface.

Hope that helps.

Jouni Forss
VIP Alumni

Hi,

Are you sure your internal IP address is 172.39.0.3? That actually seems to be a public IP address, as the private IP address range is 172.16.0.0 - 172.32.255.255.

Then again, I guess it does not matter as long as the internal subnet is using that same address space as the host and NAT is being performed on the firewall.

Since you have configured the Static NAT for the host, have you also configured the ACL to allow traffic to this host from the external network? You are running such old software that I am not sure whether this was configured using "conduit" or whether it was already "access-list".

Naturally, you could share the configuration (edit any sensitive information out of the configuration before sharing) so we can take a look at what the problem might be.

- Jouni

Hi,

Please find attached the latest configuration.

Can you please mention the configuration/commands that I should include in our PIX.

Regards

Palash

Hi,

I am not sure whether you changed the ACL configuration while preparing this new configuration, but the ACL configuration seems a bit strange.

The following command tells you which ACL is attached to the "outside" interface to control inbound connections:

access-group ping_acl in interface outside

If we look at the ACL, it only permits ICMP:

access-list ping_acl permit icmp any any

You also have the following ACL configured on your PIX, but it is not applied to any interface at the moment:

access-list outside_access_in permit tcp any host gw-outside eq 3389
access-list outside_access_in permit tcp any host gw-outside eq https
access-list outside_access_in permit tcp any host gw-outside eq www
access-list outside_access_in permit tcp any host gw-outside eq pop3
access-list outside_access_in permit tcp any host gw-outside eq smtp
access-list outside_access_in permit icmp any any

The above ACL looks to me like the ACL you should be using, considering that you also have Static PAT (port forwarding) configured for those ports (Static PAT configuration below):

static (inside,outside) tcp interface www smtp-inside www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 smtp-inside pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp smtp-inside smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https smtp-inside https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 smtp-inside 3389 netmask 255.255.255.255 0 0

So if you want the above ACL to be used on your external interface, then you need to issue this command:

access-group outside_access_in in interface outside

You will also need to add a rule for the new public static IP address you used in the Static NAT configuration.

To allow traffic to the new internal host, you would have to add something like the following. Note that this is only an example: you simply need to add statements for the ports/protocols that need to be allowed through the firewall to this internal host. I don't think you mentioned them in the original post, so I don't know exactly what needs to be allowed.

access-list outside_access_in permit tcp any host 182.160.119.50 eq <port number>
access-list outside_access_in permit udp any host 182.160.119.50 eq <port number>


Hope this helps :)


- Jouni
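The mistake discussed in this thread (a static NAT or PAT entry exists, but the ACL bound inbound on the outside interface never permits traffic to the mapped address) is easy to spot by hand in a small config and easy to miss in a large one. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses PIX 6.x-style "name", "ip address", "access-list", "static" and "access-group" lines and reports every static whose mapped public address has no matching permit in the applied inbound ACL. The configuration text inside it is constructed to mirror the thread; the "name" mappings, the outside interface netmask, and the assumption that gw-outside is the outside interface address are all assumptions made for the example.

```python
"""Audit PIX 6.x-style config: find static NAT/PAT entries not permitted by the
inbound ACL bound to the mapped interface.  Added example, not Cisco code.
The config below is constructed; name mappings and the outside mask are assumed."""
import ipaddress

SAMPLE_CONFIG = """\
names
name 182.160.119.26 gw-outside
name 172.39.0.10 smtp-inside
ip address outside 182.160.119.26 255.255.255.248
access-list ping_acl permit icmp any any
access-list outside_access_in permit tcp any host gw-outside eq 3389
access-list outside_access_in permit tcp any host gw-outside eq www
access-list outside_access_in permit icmp any any
static (inside,outside) tcp interface www smtp-inside www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 smtp-inside 3389 netmask 255.255.255.255 0 0
static (inside,outside) 182.160.119.50 172.39.0.3 netmask 255.255.255.255 0 0
access-group ping_acl in interface outside
"""

# Subset of the service names PIX accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "ssh": 22, "telnet": 23}


def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_addr(tokens, i, names):
    """Parse an ACL address spec (any | host X | X MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1])), i + 2
    addr = names.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(tokens, names):
    """tokens: permit|deny <proto> <src> <dst> [eq <port>] (source ports not handled)."""
    action, proto = tokens[0], tokens[1]
    src, i = parse_addr(tokens, 2, names)
    dst, i = parse_addr(tokens, i, names)
    port = port_num(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def parse_static(tokens, names, ifaces):
    """tokens: (real_if,mapped_if) [tcp|udp] <mapped> [<mport>] <real> [<rport>] netmask ..."""
    real_if, mapped_if = tokens[0].strip("()").split(",")
    i, proto, port = 1, None, None
    if tokens[i] in ("tcp", "udp"):
        proto, i = tokens[i], i + 1
    mapped, i = tokens[i], i + 1
    if proto:
        port, i = port_num(tokens[i]), i + 1
    real = tokens[i]
    if mapped == "interface":            # "interface" = the mapped interface's own address
        mapped = ifaces[mapped_if]
    mapped, real = names.get(mapped, mapped), names.get(real, real)
    return {"mapped_if": mapped_if, "proto": proto, "port": port,
            "mapped": ipaddress.ip_address(mapped), "real": real}


def parse_config(text):
    names, ifaces, acls, statics, groups = {}, {}, {}, [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = t[3]
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(parse_ace(t[2:], names))
        elif t[0] == "static":
            statics.append(parse_static(t[1:], names, ifaces))
        elif t[0] == "access-group" and t[2] == "in":
            groups[t[4]] = t[1]              # interface -> ACL bound inbound
    return acls, statics, groups


def ace_covers(ace, st):
    if ace["action"] != "permit" or st["mapped"] not in ace["dst"]:
        return False
    if st["proto"] is None:                  # plain static NAT: ICMP alone reaches no service
        return ace["proto"] in ("ip", "tcp", "udp")
    if ace["proto"] == "ip":
        return True
    return ace["proto"] == st["proto"] and ace["port"] in (None, st["port"])


def uncovered_statics(text):
    """Return one finding string per static that the bound inbound ACL never permits."""
    acls, statics, groups = parse_config(text)
    findings = []
    for st in statics:
        acl = groups.get(st["mapped_if"])
        if not any(ace_covers(a, st) for a in acls.get(acl, [])):
            what = f"{st['proto']}/{st['port']}" if st["proto"] else "ip"
            findings.append(f"{st['mapped']} {what} -> {st['real']}: "
                            f"no permit in ACL {acl!r} bound on {st['mapped_if']}")
    return findings


if __name__ == "__main__":
    for f in uncovered_statics(SAMPLE_CONFIG):
        print(f)
```

Run against the constructed config it flags all three statics, because only ping_acl (ICMP only) is bound to outside. Rebinding outside_access_in clears the two port forwards but still flags 182.160.119.50, exactly the gap the reply above describes, and it goes quiet only once a permit for that host is added to the bound ACL. Deny entries and source-port specs are deliberately not modelled, so treat it as a first-pass check rather than a substitute for reading the ACL.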
