11-21-2007 06:50 AM - edited 03-11-2019 04:33 AM
PIX 501 - unable to connect to / from server behind PIX 501 firewall.
inside 172.25.188.4
outside 10.25.188.4
server 10.25.188.5
Traffic from 172.25.188.x needs to access the server.
Config:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxxx
hostname POWfgMUSsal03dv
domain-name nowhere.it
no fixup protocol dns
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 172.25.188.5 msvst
name 172.25.194.138 proxy
name 172.25.193.158 domain_controller
object-group network server
network-object msvst 255.255.255.255
object-group network clients
network-object 172.176.0 255.255.255.0
network-object 172.25.180.0 255.255.255.255
network-object 172.25.182.0 255.255.255.255
network-object 172.29.0.0 255.255.224.0
object-group network proxy
network-object proxy 255.255.255.255
object-group service msvst_tcp tcp
port-object eq 8080
port-object eq www
port-object eq https
port-object eq 1433
port-object eq 3389
object-group icmp-type icmp_allowed
icmp-object echo
icmp-object time-exceeded
icmp-object echo-reply
object-group service DCPorts tcp-udp
port-object eq 137
port-object eq 138
port-object eq 139
object-group network mgmt_access
network-object 172.25.176.0 255.255.255.0
network-object 172.29.0.0 255.255.224.0
object-group service mgmt_prots tcp
port-object eq ssh
port-object eq telnet
object-group service SMBPorts tcp-udp
port-object range 135 139
port-object eq 389
port-object eq 445
access-list inside_access_in permit icmp object-group clients object-group server object-group icmp_allowed
access-list inside_access_in permit tcp object-group mgmt_access any object-group mgmt_prots
access-list inside_access_in permit tcp any object-group server object-group msvst_tcp
access-list inside_access_in permit tcp object-group clients object-group server object-group SMBPorts
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any object-group icmp_allowed
access-list outside_access_in permit tcp object-group server object-group proxy eq www
access-list outside_access_in permit icmp object-group server any object-group icmp_allowed
access-list outside-access_in permit tcp object-group server host domain_controller object-group DCPorts
pager lines 24
logging on
logging timestamp
logging facility 7
mtu outside 1500
mtu inside 1500
ip address outside 10.25.188.4 255.255.255.0
ip address inside 172.25.188.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 1 172.25.188.0 255.255.255.0 0 0
static (inside,outside) msvst msvst netmask 255.255.255.255 0 0
static (inside,outside) proxy proxy netmask 255.255.255.255 0 0
static (inside,outside) domain_controller domain_controller netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
11-21-2007 06:56 AM
Hi
The most obvious thing that stands out is that you have no global statement that ties up with the "nat (inside) 1 172.25.188.0 255.255.255.0 0 0" statement.
Assuming you want to NAT all your hosts to the IP address attached to the outside interface of your PIX:
global (outside) 1 interface
HTH
Jon
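Added example (not part of the thread above, and not Cisco's or the posters' code): a small lint script for PIX 6.x running-configs that mechanically checks for the class of mistake Jon points out, a nat ID with no matching global, plus two related ones that are visible in the posted config: an access-list whose name never appears in an access-group line (the entry spelled "outside-access_in" in the question is bound to nothing, while "outside_access_in" is), and an inside ACL that ends in "permit ip any any", which makes the more specific permit entries before it restrict nothing. The sample config is constructed, a trimmed copy of the one in the question, and the regexes only cover the command shapes used on this page; they are not a general PIX parser.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the config posted in the question,
# keeping the lines that matter for the checks (the nat with no global, the
# ACL whose name is typed "outside-access_in", and the trailing
# "permit ip any any" on the inside ACL).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit tcp any host 172.25.188.5 eq 3389
access-list inside_access_in permit tcp any host 172.25.188.5 eq 1433
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit tcp host 172.25.188.5 host 172.25.194.138 eq www
access-list outside-access_in permit tcp host 172.25.188.5 host 172.25.193.158 eq 445
nat (inside) 1 172.25.188.0 255.255.255.0 0 0
static (inside,outside) 172.25.188.5 172.25.188.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

# Only the PIX 6.x command shapes seen on this page; assumption, not a full grammar.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+)\s*(.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def lint_pix_config(text):
    """Return a list of human-readable findings for a PIX 6.x config."""
    findings = []
    nat_ids, global_ids = set(), set()
    acls = defaultdict(list)   # acl name -> [(lineno, action, proto, rest)]
    bound = {}                 # acl name -> interface it is applied to

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nat_ids.add(m.group(2))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids.add(m.group(2))
            continue
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append((lineno, m.group(2), m.group(3), m.group(4).strip()))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)

    # nat ID 0 is identity/exempt NAT and needs no global; every other ID must
    # be paired with a global on some interface or outbound traffic has no
    # translation to use.
    for nid in sorted(nat_ids, key=int):
        if nid != "0" and nid not in global_ids:
            findings.append(f"nat id {nid} has no matching global statement")

    for name, entries in acls.items():
        if name not in bound:
            findings.append(
                f"access-list {name} is defined but never applied with access-group "
                f"(check its spelling against the access-group lines)")
            continue
        # A 'permit ip any any' makes the whole ACL permissive: permit entries
        # before it restrict nothing, and any entries after it are unreachable.
        for i, (lineno, action, proto, rest) in enumerate(entries):
            if action == "permit" and proto == "ip" and rest == "any any":
                before = sum(1 for e in entries[:i] if e[1] == "permit")
                after = len(entries) - i - 1
                findings.append(
                    f"access-list {name} line {lineno}: 'permit ip any any' makes the ACL "
                    f"fully permissive ({before} earlier permit entries restrict nothing, "
                    f"{after} later entries are unreachable)")
                break
    return findings


if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the missing global for nat id 1, the unbound "outside-access_in" list, and the permissive inside ACL; append Jon's "global (outside) 1 interface" line and the nat finding disappears, which is the quickest way to confirm a fix before pushing it to the box.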