PIX 501 - How to use public (WAN) IP for Dynamic NAT to inside server?

bregimand
Level 1

I've tried several forum suggestions, PDM & command line changes to no avail. I have 1 Small Business Server behind a PIX 501 & I need to forward 5-6 ports (web, smtp, pptp, ftp, termsvcs, dns) to the SBS (192.168.10.11). The 1 public IP is the WAN port of the PIX. Think of this as a DSL/Cable connection with a small business server behind it. I'm having a very hard time with both the PDM & command line configs. Please help!!!

PIX 6.3(3) - PDM 3.0(1)

As you can see, I've also tried an object-group with the needed ports.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.11 GeckoSBS
object-group service SBS tcp
 port-object eq www
 port-object eq pptp
 port-object eq ftp-data
 port-object eq pop3
 port-object eq https
 port-object eq ftp
 port-object eq smtp
access-list outside_access_in permit tcp any host 10.20.30.2 eq www
access-list outside_access_in permit tcp any host 10.20.30.2 eq smtp
access-list outside_access_in permit tcp any host 10.20.30.2 eq pptp
access-list outside_access_in permit tcp any host 10.20.30.2 eq ftp
access-list outside_access_in permit tcp any host 10.20.30.2 eq 3389
access-list outside_access_in permit udp any host 10.20.30.2 eq tftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.20.30.2 255.255.255.252
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 inside
pdm location GeckoSBS 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www GeckoSBS www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp GeckoSBS smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp GeckoSBS pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GeckoSBS ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 GeckoSBS 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp GeckoSBS tftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.20.30.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
ntp server 140.221.8.88 source outside
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5

17 Replies

Patrick Iseli
Level 7

Config looks good. What does not work?

access-list outside_access_in permit tcp any host 10.20.30.2 eq www
access-list outside_access_in permit tcp any host 10.20.30.2 eq smtp
access-list outside_access_in permit tcp any host 10.20.30.2 eq pptp
access-list outside_access_in permit tcp any host 10.20.30.2 eq ftp
access-list outside_access_in permit tcp any host 10.20.30.2 eq 3389
access-list outside_access_in permit udp any host 10.20.30.2 eq tftp
access-group outside_access_in in interface outside

static (inside,outside) tcp interface www GeckoSBS www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp GeckoSBS smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp GeckoSBS pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GeckoSBS ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 GeckoSBS 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp GeckoSBS tftp netmask 255.255.255.255 0 0

Have you done a "clear xlate" after you changed the statics?

sincerely

Patrick

Thanks for the quick response Patrick. I just did a clear xlate & I will test my inbound NAT rules. But I cannot get outbound traffic to work now. I should have mentioned that earlier. Sorry.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.20.30.1 1

Your config is ok.

Does the whole inside network have that problem, or just GeckoSBS?

sincerely

Patrick

I remember that I had once a problem with that config line:

global (outside) 1 interface

try instead:

no global (outside) 1 interface
global (outside) 1 10.20.30.2
clear xlate
clear arp

and try again

sincerely

Patrick

Thanks again. I'll try this option on Monday & post my results.

Hi,

When you enable PAT on the outside interface, you can't use the same public IP for static mapping also. So, give another public IP for the static map.

The problem is I don't have another public IP to assign static. I'm forced to use the outside interface & PAT. I have another client with an outside public range that I will use for 1-to-1 NAT & I'll be testing that option as well.

Thanks.

lr.moore
Level 1

Your access-list can't reference the private IP. It should reference the public IP, or "interface":

access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq pptp
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit udp any interface outside eq tftp

re-apply the access-list to the interface any time you make a change:

access-group outside_access_in in interface outside

Your complete config may have cut off, but make sure you do NOT have "sysopt noproxyarp outside"

The 10.20.30.2 address is my public in this instance. I put that IP in this posting for security reasons. Thank you for your input.

It's about time you look (and uploading will be nice) at the contents of your syslog server, as all seems fine with your config. The solution to your problem surely lies in what your logs tell us.

All the best.

OK,

Inbound web, ftp, tftp, pop3, terminal services is all working fine. The clear xlate & clear arp helped. I also removed the remote management ability from the outside interface, which superseded the http/https rule.

So, now I just need to allow GRE inbound for my Microsoft VPN (PPTP). I have port 1723 open & forwarding to my SBS, but I believe GRE is being blocked. (IP 47)

Any ideas? The PDM is not very friendly when I try to add the IP GRE protocol rule. I'd rather do it on the command line, but I don't know the command.

I'll be happy to post logs if needed, just let me know which ones.

Thanks all.

Ben

Got the VPN to work! I added the fixup protocol pptp 1723 command & I got right in.

I have users telling me now that once in the VPN, they cannot access the internet. Sounds like I need to enable split-tunneling.

Any ideas?

If users are using Microsoft PPTP, you have no split-tunneling options. On the client end, they can check/uncheck the option to "use default gateway on remote network".

Your option would be to use a subset of the local LAN IP subnet for the PPTP pool.

Got it. I made a change on the SBS RAS settings & we're all set.

Thank you all for your input and assistance. Much appreciated.

Ben
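
The thread turned on three things: Patrick's point that every interface-PAT static needs a matching permit in the outside ACL (and a clear xlate after changing statics), lr.moore's point that the ACL must target the outside address (written as host <public ip> or interface outside, never the inside host), and Ben's finding that fixup protocol pptp 1723 is what lets the GRE leg of PPTP through. The script below is an added example written for this page, not code from the original poster or from Cisco, that checks those three conditions offline against a PIX 6.3 config. It only understands the command forms that appear in this thread (name, ip address outside, fixup protocol, static ... interface ..., access-list ... permit ... eq ..., access-group); anything else is ignored. The sample config is assembled from the lines posted above plus the pptp fixup, and the list of "risky" services is this editor's judgement, not anything the thread states. It cannot tell you whether clear xlate was run; that still has to happen on the box.

```python
"""Cross-check PIX 6.3 interface-PAT port forwards against the outside ACL.

Added example for this thread; not from the original poster or Cisco.
Parses the `static`, `access-list`, `access-group`, `name`, `fixup` and
`ip address outside` lines shown in the thread and reports the mismatches
the thread ran into: a static with no ACL permit, a permit with no static,
and PPTP forwarded without `fixup protocol pptp` (GRE, IP protocol 47, drops).
"""
import re
from dataclasses import dataclass, field

# Sample input constructed from the config posted in the thread, plus the
# `fixup protocol pptp 1723` line Ben added at the end to get GRE through.
PIX_CONFIG = """\
ip address outside 10.20.30.2 255.255.255.252
names
name 192.168.10.11 GeckoSBS
fixup protocol ftp 21
fixup protocol pptp 1723
access-list outside_access_in permit tcp any host 10.20.30.2 eq www
access-list outside_access_in permit tcp any host 10.20.30.2 eq smtp
access-list outside_access_in permit tcp any host 10.20.30.2 eq pptp
access-list outside_access_in permit tcp any host 10.20.30.2 eq ftp
access-list outside_access_in permit tcp any host 10.20.30.2 eq 3389
access-list outside_access_in permit udp any host 10.20.30.2 eq tftp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www GeckoSBS www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp GeckoSBS smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp GeckoSBS pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GeckoSBS ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 GeckoSBS 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp GeckoSBS tftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# PIX service keywords that appear in the thread, mapped to port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "ftp": 21, "ftp-data": 20, "pptp": 1723, "tftp": 69, "domain": 53}

# Editor's judgement: services worth a second look when published to `any`.
RISKY = {("tcp", 21): "ftp (cleartext credentials)",
         ("udp", 69): "tftp (no authentication)",
         ("tcp", 3389): "terminal services open to any source",
         ("tcp", 1723): "pptp (MS-CHAPv2 handshakes are crackable offline)"}

NAME = re.compile(r"^name (\S+) (\S+)$")
OUTSIDE_IP = re.compile(r"^ip address outside (\S+) ")
FIXUP = re.compile(r"^fixup protocol (\S+)")
STATIC = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACL = re.compile(r"^access-list (\S+) permit (tcp|udp) any (?:host (\S+)|interface outside) eq (\S+)$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface outside$")


def to_port(tok: str) -> int:
    """Translate a PIX service keyword or a numeric port to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class Audit:
    forwards: dict = field(default_factory=dict)  # (proto, port) -> (inside host, inside port)
    no_acl: set = field(default_factory=set)       # static exists, no permit: SYN dropped by the ACL
    no_static: set = field(default_factory=set)    # permit exists, no static: nothing to translate to
    gre_blocked: bool = False                      # PPTP forwarded but GRE has no fixup to ride on
    risky: list = field(default_factory=list)


def audit(config: str) -> Audit:
    names, fixups, applied, permits = {}, set(), set(), []
    outside_ip = None
    result = Audit()
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME.match(line):
            names[m[2]] = m[1]
        elif m := OUTSIDE_IP.match(line):
            outside_ip = m[1]
        elif m := FIXUP.match(line):
            fixups.add(m[1])
        elif m := STATIC.match(line):
            result.forwards[(m[1], to_port(m[2]))] = (names.get(m[3], m[3]), to_port(m[4]))
        elif m := ACL.match(line):
            dst = names.get(m[3], m[3]) if m[3] else None  # None means `interface outside`
            permits.append((m[1], m[2], dst, to_port(m[4])))
        elif m := ACCESS_GROUP.match(line):
            applied.add(m[1])
    # A permit counts only if its ACL is bound to the outside interface and its
    # destination is the outside address (`interface outside` or `host <public ip>`).
    permitted = {(proto, port) for acl, proto, dst, port in permits
                 if acl in applied and dst in (None, outside_ip)}
    forwarded = set(result.forwards)
    result.no_acl = forwarded - permitted
    result.no_static = permitted - forwarded
    result.gre_blocked = ("tcp", 1723) in forwarded and "pptp" not in fixups
    result.risky = [RISKY[k] for k in sorted(forwarded) if k in RISKY]
    return result


if __name__ == "__main__":
    for label, cfg in [("with pptp fixup", PIX_CONFIG),
                       ("as first posted", PIX_CONFIG.replace("fixup protocol pptp 1723\n", ""))]:
        a = audit(cfg)
        print(f"{label}: {len(a.forwards)} forwards, no_acl={a.no_acl}, "
              f"no_static={a.no_static}, gre_blocked={a.gre_blocked}")
        for note in a.risky:
            print("  exposed:", note)
```

Run it against a pasted "show run" (or the sample above) and the two mismatch sets should both be empty; a non-empty no_acl is the symptom Patrick and lr.moore were hunting, a non-empty no_static is a dead permit that the PDM will happily create, and gre_blocked reproduces the state Ben was in before adding the fixup. The risky list is the reviewer's reminder that static PAT on the one public address publishes those services to the whole Internet, so the ACL source of any is the next thing to tighten.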
