Pix 525 static proxied computers cannot go out

edugger
Level 1

I'm using the "static (inside,outside).." command to create incoming proxies to webservers and a mailserver. I can access the webservers, but the webservers that are proxied cannot go out to the internet. Mail doesn't work in either direction. All other clients can get to all other resources.

Are there any special ACLs or commands that need to be done to allow the proxied PCs to access the internet? I thought they would fall under the ACL of any any from that interface's subnet, but it's not working.

5 Replies

k.subramaniam
Level 1

Hi,

I also have faced the same problem some time ago.

I had PIX OS 6.3.3 on PIX 515UR.

I had 2 webservers and 1 mailserver behind it.

The static proxied mail server would not go out to the internet after the static entry; however, the web servers could go out.

I then read somewhere that this might be an IOS bug, so I uploaded 6.3.4.

With this IOS, none of the servers could reach out to the internet.

I then uploaded 6.3.3 from the Cisco site, not the original one; again, none of the servers were able to go outside.

Finally, we gave up and the case is under observation.

Someone having a clue, please help both of us.

Regards.

jimwelsh
Level 1

The static(inside,outside) command does two things: 1) it creates a mapping of global IP Address to local IP Address for the inside servers, and 2) it permits traffic to flow from the lower-security to the higher-security interface. You also need to create an access-list and apply it to the outside interface with the access-group command to permit traffic on specific ports to come into the interface to the inside servers.

SMTP traffic can be thwarted by the "fixup protocol smtp" command. Depending on what SMTP servers are in use, I find that I often need to disable this command in order for SMTP traffic to flow.

As long as you have an appropriate nat and global command set to allow outbound access, you should be OK.

Can you post your config for examination?

Hey JimWelsh,

I was talking in reference to any server, not a mail server or a web server particularly.

The actual problem is once the static command is given, the local pc which is mapped cannot reach out to the internet.

This is a strange problem.

Regards.

bvanniekerk
Level 1

Hi

With each static (inside,outside) mapping, you will need an accompanying acl entry, thus:

access-list ccc permit tcp any host outside_int eq smtp

should do the trick

Fixup allows for only 5 commands, so for testing purposes I suggest you disable it and then, when testing complete, re-activate and test again.

HTH

byron
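To put the pieces from jimwelsh's and byron's replies together, here is a minimal PIX 6.3 configuration fragment written as an added example for this thread (it is not from any of the posters' configs). Interface names, the global addresses (203.0.113.x, a documentation range) and the inside addresses (192.168.1.x) are made up; substitute your own.

```text
! Outbound access for the whole inside subnet: nat/global pair.
! Hosts covered by a static still use their static mapping outbound,
! so the static alone does not block them; the outbound path needs
! these two lines plus an ACL on outside that allows only the
! services you really publish.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! One static per published server: global (outside) IP -> inside IP.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.25 192.168.1.25 netmask 255.255.255.255

! Inbound ACL, referencing the global (translated) addresses as
! PIX 6.x does. Permit only the published ports; everything else
! inbound is dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside

! For troubleshooting only: the SMTP fixup can interfere with some
! mail servers, as jimwelsh notes. Disable it while testing, then
! re-enable it with "fixup protocol smtp 25" once mail flows.
no fixup protocol smtp 25
```

Check the result with "show xlate" (the static entries should be listed) and "show access-list outside_in" (hit counts should increase when inbound connections arrive).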

Here is my config. It's too big to post, so it's a txt attachment.

Thanks for your help.
