09-07-2004 06:51 AM - edited 02-20-2020 11:37 PM
I have been messing with this problem for some time now, without really making much progress. Here is my problem (see attached network diagram for details):
I have a Westell DSL router that gets the dynamic external IP from Verizon. Its internal IP is 10.10.2.1. It is configured for static NAT to 10.10.2.2, which is the Pix's outside interface.
The Pix's inside interface is 10.10.1.101. I have Web server at 10.10.1.109.
I want to access the Web server from the Web with my public dynamic IP address. I figured that the Westell router would NAT all incoming traffic, replace the external IP with 10.10.2.2 and forward it to the Pix. A static translation rule (10.10.2.2 to 10.10.1.109) should then take care of the rest. I can't get it to work. I can detect the request packets on the outside interface, but they don't make it through the firewall.
While playing around with this, to simplify things, I added a workstation into the 10.10.2.x network and tried to get access to the web server from there, eliminating the router as a potential source of error. The behavior is the same. The firewall seems to be blocking.
Any help is appreciated.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 10.10.2.2 eq 8081
access-list 101 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.10.2.2 255.255.255.0
ip address inside 10.10.1.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.1.109 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 10.10.2.2 8081 10.10.1.109 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.2.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.1.0 255.255.255.0 inside
telnet timeout 50
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 10.10.1.170-10.10.1.199 inside
dhcpd dns 10.10.2.1 10.10.2.1
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:: end
09-07-2004 07:15 AM
Just had a quick look at this and one thing comes to mind: shouldn't your static be the following:
static (inside,outside) tcp 10.10.2.2 8081 10.10.1.109 8081 netmask 255.255.255.255 0 0
**instead of**
static (inside,outside) tcp 10.10.2.2 8081 10.10.1.109 www netmask 255.255.255.255 0 0
As that www corresponds to port 80 and not port 8081 ??
If you turn on logging on the pix this will provide you with more info and maybe you can post the output here as well.
Jay
09-07-2004 07:29 AM
My provider blocks port 80, so I have to get in on another port. The idea is for the translation rule to also take care of the port mapping.
09-07-2004 07:33 AM
I captured the following at the outside interface last night. Nothing appeared on the inside interface (10.10.2.199 is my workstation that I added to the 10.10.1.x subnet for testing purposes).
17:56:07.311446 arp reply 10.10.2.2 is-at 0:11:bb:e3:fc:41
17:56:07.311690 10.10.2.199.1802 > 10.10.1.109.8081: S 247213797:247213797(0) win 65535
17:56:10.312636 10.10.2.199.1802 > 10.10.1.109.8081: S 247213797:247213797(0) win 65535
09-08-2004 02:36 AM
Hi
As you are using the outside interface address, try this as your static:
static (inside,outside) tcp interface 8081 10.10.1.109 www netmask 255.255.255.255 0 0
HTH
Kev
09-08-2004 05:11 AM
I had already tried this and it indeed did the trick.
Thanks for your help.
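To check a PIX 6.3 config for the two things this thread turns on, the `interface` keyword in a port-redirection static that uses the outside interface address, and an inbound ACL on outside that permits the translated (global) address and port rather than the inside address, here is a small lint script. It is an added example, not code from the thread or from Cisco. The sample config is the relevant part of the posted config with the static written on one line; the service-name table is a subset of what PIX accepts; the regexes cover only the commands shown. It also flags two management-plane lines from the posted config (`ssh 0.0.0.0 0.0.0.0 outside` and `snmp-server community public`), which a reviewer would raise while in there.

```python
"""Lint a PIX 6.3 config for static/ACL port-redirection mistakes (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the relevant lines of the config posted above, with the
# static on one line and written exactly as the original poster had it.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit tcp any host 10.10.2.2 eq 8081
access-list 101 permit icmp any any
ip address outside 10.10.2.2 255.255.255.0
ip address inside 10.10.1.101 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 10.10.2.2 8081 10.10.1.109 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.1.0 255.255.255.0 inside
snmp-server community public
"""

# Subset of the service names PIX accepts in place of port numbers (assumption).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23,
                 "smtp": 25, "ftp": 21, "domain": 53}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+|\S+ \S+) "
                    r"(any|host \S+|\S+ \S+)(?: eq (\S+))?")


def port_of(token: str) -> int:
    """Resolve a PIX port token such as '8081' or 'www' to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


@dataclass
class Static:
    proto: str
    in_if: str
    out_if: str
    global_addr: str        # literal IP, or the keyword 'interface'
    global_port: int
    local_addr: str
    local_port: int


@dataclass
class AclEntry:
    action: str
    proto: str
    dst: str                # 'any', a host IP, or 'net mask' (left unmatched here)
    dst_port: Optional[int]


def parse_config(text: str) -> dict:
    """Pull interface IPs, statics, ACLs, access-groups, ssh and snmp lines."""
    cfg = {"if_ip": {}, "statics": [], "acls": {}, "access_group": {}, "ssh": [], "snmp": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^ip address (\w+) (\S+) \S+$", line):
            cfg["if_ip"][m.group(1)] = m.group(2)
        elif m := STATIC_RE.match(line):
            in_if, out_if, proto, gaddr, gport, laddr, lport = m.groups()
            cfg["statics"].append(Static(proto, in_if, out_if, gaddr, port_of(gport), laddr, port_of(lport)))
        elif m := ACL_RE.match(line):
            name, action, proto, _src, dst, eq = m.groups()
            dst = dst.split()[1] if dst.startswith("host ") else dst
            cfg["acls"].setdefault(name, []).append(AclEntry(action, proto, dst, port_of(eq) if eq else None))
        elif m := re.match(r"^access-group (\S+) in interface (\w+)$", line):
            cfg["access_group"][m.group(2)] = m.group(1)
        elif m := re.match(r"^ssh (\S+) (\S+) (\w+)$", line):
            cfg["ssh"].append(m.groups())
        elif m := re.match(r"^snmp-server community (\S+)$", line):
            cfg["snmp"].append(m.group(1))
    return cfg


def audit_config(text: str) -> List[str]:
    cfg = parse_config(text)
    findings = []
    out_ip = cfg["if_ip"].get("outside")
    for s in cfg["statics"]:
        # Rule 1: port redirection on the interface address needs the 'interface'
        # keyword in PIX 6.3, not the literal outside IP (the fix that worked in the thread).
        if s.global_addr == out_ip:
            findings.append(
                f"static {s.proto}/{s.global_port}: global address {s.global_addr} is the outside interface IP; "
                f"use 'static ({s.in_if},{s.out_if}) {s.proto} interface {s.global_port} "
                f"{s.local_addr} {s.local_port} netmask 255.255.255.255 0 0'")
        # Rule 2: in this PIX release the inbound ACL is matched against the translated
        # (global) address and port, so it must permit that, not the inside address.
        glob = out_ip if s.global_addr == "interface" else s.global_addr
        entries = cfg["acls"].get(cfg["access_group"].get(s.out_if), [])
        if not any(e.action == "permit" and e.proto in (s.proto, "ip")
                   and e.dst in ("any", glob) and e.dst_port in (None, s.global_port)
                   for e in entries):
            findings.append(f"no inbound permit on {s.out_if} for {s.proto}/{s.global_port} to {glob}")
    # Rule 3: management-plane hardening for two lines present in the posted config.
    for _addr, mask, ifname in cfg["ssh"]:
        if ifname == "outside" and mask == "0.0.0.0":
            findings.append("ssh is open to 0.0.0.0/0 on outside; restrict it to known management sources")
    for community in cfg["snmp"]:
        if community in ("public", "private"):
            findings.append(f"snmp-server community '{community}' is a well-known default")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the literal-IP static plus the two hardening lines; swapping `tcp 10.10.2.2 8081` for `tcp interface 8081` clears the first finding, and pointing the ACL at `host 10.10.1.109` instead of the global address triggers the missing-permit finding, which is the other way this setup commonly goes wrong.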