PIX-501 NAT/ACL Problem

kooper390 (Level 1)

Hi all!

The problem is that at a remote location there is a FAX-SIP adapter with its factory default address 192.168.2.1. I need to configure this device.

The remote network has the address range 192.168.170.0/24.

Well, I tried changing the inside interface to the 192.168.2.0/24 network.

OK, everything is fine and I can ping the device.

Now I set some ACL and NAT rules:

access-list WEB permit tcp any any
access-list WEB permit udp any any

access-group WEB in interface outside

static (inside,outside) tcp 170.230.30.18 www 192.168.2.1 www netmask 255.255.255.255 0 0

This is my config so far, but I get no access to the web frontend of the adapter.

If I use the web frontend of a SIP telephone in the original network (192.168.170.0/24), I get access from outside.

Is there anything to consider?

I have a PIX 501 with 6.3 here.

11 Replies

Hi,

With the configuration that you mentioned you should be able to reach 192.168.2.1 on port 80 from outside by sending traffic to 170.230.30.18 on port 80.

You can confirm that the traffic is getting to the PIX by checking the hit counts on the ACL: show access-list WEB

If the IP 170.230.30.18 is not the outside IP of the PIX and is not being used anywhere else, you can change the static command for this one:

static (inside,outside) 170.230.30.18 192.168.2.1

Probably the problem is that you need to get traffic on other ports besides port 80 to the SIP device?

Federico.

Hi,

I only need access for the initial configuration of the adapter. I cannot test now because they are working there.

Can I still access the PIX when I set static (inside,outside) 170.230.30.18 192.168.2.1?

I can only access the PIX from outside.

kind regards

Gerit,

If you add static (inside,outside) 170.230.30.18 192.168.2.1 and 170.230.30.18 happens to be the outside IP of the PIX, then you will lose access to the PIX. If the IP is used in other static rules, you might break those rules. Otherwise, there's no problem.

Federico.

OK, the ACL works:

PIX# show access-list WEB
access-list WEB; 2 elements
access-list WEB line 1 permit tcp any any (hitcnt=10)
access-list WEB line 2 permit udp any any (hitcnt=0)

but I get no access to the web interface.

Almost certainly the web traffic is being sent to the server.

Can you confirm the following:

1. If you log into the server, can you open a browser and get to the Internet?

I'm pretty sure that web traffic is being sent by the PIX to the server, so let's make sure the server is receiving it and replying back with the web page.

Federico.

Hm, and there's the problem.

In this network I have no other device to check with.

PIX#sh local-host

Interface inside: 5 active, 8 maximum active, 0 denied
.
.
.
local host: <192.168.2.1>,
    TCP connection count/limit = 1/unlimited
    TCP embryonic count = 1
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
  AAA:
  Xlate(s):
    PAT Global (80) Local 192.168.2.1(80)
  Conn(s):
    TCP out :18790 in 192.168.2.1:80 idle 0:00:55 Bytes 0 flags SaAB
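The conn line above (Bytes 0, flags SaAB) is the signature that matters in this thread: the PIX accepted the outside SYN and forwarded it to 192.168.2.1, but no SYN/ACK ever came back. The following script is an added example, not code from the thread or from Cisco: it parses `show local-host` output and classifies each embryonic TCP connection from its flag letters. The flag legend it uses (U up, B initial SYN from outside, S/s awaiting inside/outside SYN, A/a awaiting inside/outside ACK) is assumed from the PIX 6.3 `show conn` documentation; verify it against your release's command reference. The sample input is constructed: the first conn line is the one posted above (outside address blank exactly as the forum shows it), the second is a made-up healthy connection from the documentation address 203.0.113.7.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the conn from the thread above plus one made-up
# established connection, so both verdicts are exercised.
SAMPLE = """\
local host: <192.168.2.1>,
    TCP connection count/limit = 2/unlimited
    TCP embryonic count = 1
  Xlate(s):
    PAT Global (80) Local 192.168.2.1(80)
  Conn(s):
    TCP out :18790 in 192.168.2.1:80 idle 0:00:55 Bytes 0 flags SaAB
    TCP out 203.0.113.7:40123 in 192.168.2.1:80 idle 0:00:02 Bytes 1534 flags UIOB
"""

# One 'TCP out A:p in B:q idle T Bytes N flags F' line. The outside address is
# \S* rather than \S+ so a line whose address was stripped still parses.
CONN_RE = re.compile(
    r"^\s*TCP out (?P<oip>\S*):(?P<oport>\d+) in (?P<iip>\S+):(?P<iport>\d+)"
    r" idle (?P<idle>\S+) Bytes (?P<bytes>\d+) flags (?P<flags>\S+)\s*$"
)


@dataclass
class Conn:
    outside: str
    inside: str
    idle: str
    nbytes: int
    flags: str


def parse_local_host(text: str) -> list[Conn]:
    """Pull the TCP conn lines out of 'show local-host' output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(Conn(
                outside=f"{m['oip'] or '?'}:{m['oport']}",
                inside=f"{m['iip']}:{m['iport']}",
                idle=m["idle"],
                nbytes=int(m["bytes"]),
                flags=m["flags"],
            ))
    return conns


def diagnose(conn: Conn) -> str:
    """Classify one conn by its flag letters (assumed PIX 6.3 legend:
    U up, B initial SYN from outside, S/s awaiting inside/outside SYN,
    A/a awaiting inside/outside ACK)."""
    f = conn.flags
    if "U" in f:
        return "established"
    if "B" in f and "S" in f:
        # The PIX passed the outside SYN to the inside host and is still
        # waiting for that host's SYN/ACK. Zero bytes means nothing came back:
        # host down, nothing listening, a host firewall, or (as in this
        # thread) no default gateway, so the reply never reaches the PIX.
        return "inbound SYN delivered, no SYN/ACK from inside host"
    if "B" in f and "a" in f:
        # Inside host answered, the outside client never sent the final ACK:
        # asymmetric return path or the client gave up.
        return "inside host replied, outside client did not complete handshake"
    if "B" not in f and "s" in f:
        return "outbound SYN sent, no SYN/ACK from outside server"
    return "embryonic, unclassified flags " + f


def triage(text: str) -> list[tuple[str, str]]:
    """Return (inside endpoint, verdict) for each conn in the output."""
    return [(c.inside, diagnose(c)) for c in parse_local_host(text)]


if __name__ == "__main__":
    for inside, verdict in triage(SAMPLE):
        print(f"{inside:<20} {verdict}")
```

Run against a pasted `show local-host` or `show conn` block, the "inbound SYN delivered, no SYN/ACK" verdict tells you the PIX side (ACL, static, xlate) is already working and the fault is on the inside host, which is exactly where this thread ended up.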

Gerit,

Let's take it from here to try to fix the problem.

Please post the output of the ACL and static as you currently have it.

Federico.


PIX# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list WEB; 2 elements
access-list WEB line 1 permit tcp any any (hitcnt=23)
access-list WEB line 2 permit udp any any (hitcnt=578)
PIX# sh static
static (inside,outside) tcp www 192.168.2.1 www netmask 255.255.255.255 0 0

and when I scan the outside address (nmap), I only get port 22 as open.

Hi Federico

The adapter has no default GW ... ahm ... embarrassing ... so it could never work.

thanks for support!

gerit
