02-22-2004 08:54 PM - edited 02-20-2020 11:15 PM
I have been looking for a definite answer to whether there is a bug that will not allow my PIX 501 with 6.3(1) to use dynamic and static PAT at the same time. The problem I have is this: I'm setting up a PIX on a PPPoE dsl connection with a web server behind it. I can get dynamic PAT to work to allow all inside hosts to access the internet. I can get static PAT to allow outside access to the web server. I cannot get both to work at the same time. I am a MCSE but am new to Cisco/PIX.
In reading some posts, I saw a reference to a bug that affects this. I have seen other posts that seem to indicate I should be able to do this successfully. When I had it set up, I could access the web server from the outside, but only the web server could access the internet. Any suggestions? I have been using the quick start instructions that came with the PIX.
02-22-2004 09:52 PM
Should work fine, you should have the following:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) tcp interface www <inside-web-server-ip> www netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside
02-24-2004 02:06 PM
I have the exact commands in my pix and I have the exact problem. My Mail Server can receive port 25 coming inbound but cannot get outbound at all.
02-25-2004 06:32 AM
Sounds to me like a common config issue seen when doing port redirection. Can you share your config with us for review? Remember to change public IP addresses (to something consistent please) and blank your passwords.
Scott
02-25-2004 07:11 AM
Here is the config I was testing with. Basically the 10.0.0.2 Mail server is the one that cannot get out to the internet in this config but all other machines can.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list inbound permit tcp any interface outside eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.252
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
02-25-2004 07:51 AM
Hi,
Have you got any syslog messages that you can post to us please? If you haven't, then do the following (in config mode):
logging on
logging buffer debug
sh log
Please post the results, thanks.
Jay
02-25-2004 08:49 AM
Well the weird thing is I was booting all my test gear up to get the logs and it looks like everything is working now. Not sure if it needed a good reboot or clear xlate but I am able to access the internet from the mail server as well as receive inbound ports......hmmmm
02-25-2004 10:28 AM
Cool. I was out of the office for a while but I did look at the config and you should be fine. Most people don't realize that a port static only works for packets *sourced* from that port. So, trying to open a web browser on the mail server where you have a port static configured will not work, because the packets from the mail server (in this case) are not *sourced* from port 25. You need to have a corresponding nat and global statement for the web browsing to work. Not sure how clear this is but your config is fine. I am guessing you may have been running into a known issue regarding statics and arp in the 6.3 code. Glad you got it fixed.
Scott
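The rule Scott describes above (a port static only matches connections sourced from the static's local ip:port; everything else from that host needs the nat/global pair) is easy to get wrong when reading a config, so here is a small model of how the PIX picks a translation for a packet. This is an added example written for this page, not code from the thread or from Cisco. It uses the addresses from the posted config (10.0.0.0/24 inside, mail server 10.0.0.2, static on tcp/25) and assumes 192.0.2.1 as a stand-in for the masked outside address X.X.X.X and that dynamic PAT hands out global ports from 1024 upward; it ignores the inbound access-list, which is evaluated separately.

```python
"""Toy model of PIX 6.3 translation (xlate) selection for one outside interface.

Added example for this thread, not Cisco code. Models two config lines:

    static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255
    nat (inside) 1 0.0.0.0 0.0.0.0  +  global (outside) 1 interface

Assumptions: outside address 192.0.2.1 (the thread masks it as X.X.X.X),
PAT global ports allocated sequentially from 1024, inbound ACL not modelled.
"""
from dataclasses import dataclass, field

OUTSIDE_IP = "192.0.2.1"   # assumed stand-in for the thread's X.X.X.X
INSIDE_PREFIX = "10.0.0."  # 10.0.0.0/24 from the posted config
SMTP, HTTP = 25, 80


@dataclass(frozen=True)
class PortStatic:
    """One 'static (inside,outside) tcp <gip> <gport> <lip> <lport>' line."""
    proto: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass
class Pix:
    statics: list = field(default_factory=list)
    dynamic_pat: bool = False      # True once nat 1 / global 1 interface exist
    next_pat_port: int = 1024      # assumed first PAT port handed out
    pat_xlates: dict = field(default_factory=dict)   # (proto, gport) -> (lip, lport)

    def translate_outbound(self, proto, src_ip, src_port):
        """(global_ip, global_port) the source is rewritten to, or None when the
        PIX has no translation for the flow (it drops the packet and logs
        305005 'No translation group found')."""
        # 1. Statics win, but a *port* static matches only packets whose
        #    source is exactly the static's local ip:port.
        for s in self.statics:
            if (proto, src_ip, src_port) == (s.proto, s.local_ip, s.local_port):
                return (s.global_ip, s.global_port)
        # 2. Anything else from the inside needs the nat/global pair.
        if not self.dynamic_pat or not src_ip.startswith(INSIDE_PREFIX):
            return None
        # Reuse an existing PAT xlate for the same local socket.
        for (p, gport), local in self.pat_xlates.items():
            if p == proto and local == (src_ip, src_port):
                return (OUTSIDE_IP, gport)
        gport = self.next_pat_port
        self.next_pat_port += 1
        self.pat_xlates[(proto, gport)] = (src_ip, src_port)
        return (OUTSIDE_IP, gport)

    def translate_inbound(self, proto, dst_ip, dst_port):
        """(local_ip, local_port) an inbound packet is forwarded to, or None
        (no static and no live PAT xlate for that global port)."""
        for s in self.statics:
            if (proto, dst_ip, dst_port) == (s.proto, s.global_ip, s.global_port):
                return (s.local_ip, s.local_port)
        if dst_ip == OUTSIDE_IP:
            return self.pat_xlates.get((proto, dst_port))
        return None


def posted_config(with_nat_global=True):
    """Build the PIX from the thread: mail-server port static, optionally
    the nat/global pair that the 'cannot get outbound' case was missing."""
    pix = Pix(dynamic_pat=with_nat_global)
    pix.statics.append(PortStatic("tcp", OUTSIDE_IP, SMTP, "10.0.0.2", SMTP))
    return pix


if __name__ == "__main__":
    pix = posted_config()
    print("mail server, sourced from 25 ->", pix.translate_outbound("tcp", "10.0.0.2", SMTP))
    print("mail server browsing (src 3456) ->", pix.translate_outbound("tcp", "10.0.0.2", 3456))
    print("inbound to outside:25 ->", pix.translate_inbound("tcp", OUTSIDE_IP, SMTP))
    print("inbound to outside:80 ->", pix.translate_inbound("tcp", OUTSIDE_IP, HTTP))
    bare = posted_config(with_nat_global=False)
    print("static only, mail server browsing ->", bare.translate_outbound("tcp", "10.0.0.2", 3456))
```

The last line of the demo is the symptom from the thread: with only the port static, a browser on the mail server has no translation and the connection never leaves the box, while inbound SMTP to the interface keeps working.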