04-29-2007 12:11 PM - edited 03-11-2019 03:06 AM
Dear All,
I want to integrate the ISA server to the pix firewall.
The PIX firewall inside interface is directly connected to the
ISA server outside interface (ISA 172.16.1.1, PIX inside 172.16.1.2).
There are 5 servers in the inside ISA server network (192.168.100.0)
192.168.100.1 80,443
192.168.100.2 801,
192.168.100.3 25
192.168.100.4 80
192.168.100.4 3101
PIX config as below
nat (inside) 1 172.16.1.1 255.255.255.255 # only the ISA outside address goes to the internet; clients use the ISA as proxy to access the internet
global (outside) 1 interface
int eth0
ip add 85.85.100.1 255.255.255.248
no sh
int eth1
ip add 172.16.1.2 255.255.255.0
no sh
static (inside,outside) 85.85.100.2 172.16.1.1 netmask 255.255.255.255
access-list 101 permit ip any host 85.85.100.2
access-group 101 in interface outside
After the config, the internet access is stopped.
If I check show xlate it shows 85.85.100.2 translated to 172.16.1.1,
not the global command IP 85.85.100.1. So the internet is stopped.
How can I configure both inbound and outbound through the PIX as per the above design?
Your reply is appreciated.
Thanks
swami
04-29-2007 01:43 PM
I recommend you do:
1 NAT to inside hosts
2 Static NAT if you have a block of IPs, or do a Static PAT if you only have one IP
3 Open the servers for the NAT with an access-list just like you tried to do in the example above
then clear the xlate to make it effective
------------------
nat (inside) 1 172.16.1.1 255.255.255.255
static (inside,outside) 85.85.100.2 172.16.1.1 netmask 255.255.255.255
????? Why did you do that?
nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
then you configure the statics
static (inside,outside) tcp interface ftp 172.16.1.1 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ssh 172.16.1.1 ssh netmask 255.255.255.255
( I used ftp and ssh as an example; change them to whatever you need )
now you need an access list to open the static servers
access-list OUTSIDE_TO_INSIDE remark Access-list for static allow traffic
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ssh
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq ftp
then apply it
access-group OUTSIDE_TO_INSIDE in interface outside
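Applying the static PAT pattern from the answer above to the five services listed in the first post, as an added example that is not part of either post. It assumes PIX 7.x syntax (the `extended` keyword), that all public traffic terminates on the ISA outside address 172.16.1.1 and ISA publishing rules forward each service to its 192.168.100.x host, and that the interface address 85.85.100.1 is the only public IP in use.

```cisco
! Dynamic PAT for the whole inside subnet going out (interface address 85.85.100.1).
! A regular "static" for 172.16.1.1 takes precedence over a nat/global pair for the
! same host, which is why "show xlate" in the first post showed 85.85.100.2 instead
! of 85.85.100.1. No 1:1 static is configured here, so outbound uses the global.
nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
!
! Static PAT: publish only the listed ports on the interface address, all of them
! ending on the ISA outside interface (assumed: ISA publishing rules then deliver
! each service to its 192.168.100.x host).
static (inside,outside) tcp interface www 172.16.1.1 www netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.1.1 https netmask 255.255.255.255
static (inside,outside) tcp interface 801 172.16.1.1 801 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 172.16.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3101 172.16.1.1 3101 netmask 255.255.255.255
! Note: 192.168.100.1 and 192.168.100.4 both listen on port 80. One public address
! can carry port 80 only once, so that split has to happen on the ISA (web publishing).
!
! Inbound ACL limited to the published ports. This replaces the first post's
! "permit ip any host 85.85.100.2", which together with the 1:1 static exposed
! every port of the ISA outside interface to the internet.
access-list OUTSIDE_TO_INSIDE remark Only the published services
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq www
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq https
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq 801
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq smtp
access-list OUTSIDE_TO_INSIDE extended permit tcp any interface outside eq 3101
access-group OUTSIDE_TO_INSIDE in interface outside
!
! Existing translations keep their old mapping until cleared.
clear xlate
```

After the clear, `show xlate` should show outbound sessions from 172.16.1.x as PAT entries on 85.85.100.1 rather than a 1:1 entry for 85.85.100.2.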
05-01-2007 11:30 PM
Dear ,
Thanks a lot.
Let me go to the customer place to re-config again.
Also quick question.
I can ping the MPLS switch IP address 192.168.100.1 from 192.168.100.2 on the PIX outside interface.
If I change the PIX outside IP to 192.168.100.3 or any other number I cannot ping the switch. Tell me why, since both are in the same subnet it has to reply for the changed IP also, as it does for the old one 192.168.100.2.
I called the local ISP to check their switch (Batelco provides it and keeps the switch config confidential); they told me that it will work even if I change the IP of the PIX outside interface, since it is directly connected to the MPLS switch.
SWAMI