06-30-2005 02:36 PM - edited 02-21-2020 12:14 AM
I am trying to make a static route from xxx.242.139.164 to 192.168.1.13 and open ports 25 and 443. I am at a loss for what I missed to make this happen. I would also like to have ICMP traffic open or at least echo-reply so I can test the IPs and that doesn't seem to work either.
PIX config attached as .txt file.
Thanks for any help!
07-01-2005 01:02 AM
Hi Comoms,
This is your problem:
1) Here you say do not NAT this traffic.
nat (inside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip any xxx.242.139.160 255.255.255.224
2)Then you use this for static nat.
static (inside,outside) xxx.242.139.164 192.168.1.13 dns netmask 255.255.255.255 0 0
3) This is totally wrong: first you say do not NAT this traffic, then you try to NAT it. How will it work?
4) Even if you allow it with an ACL it will not work.
5) Please check your NAT, static NAT, ACL and routes again.
HTH
MAR
06-30-2005 08:30 PM
My first glance: it looks like your static statement has DNS in the line ---> "static (inside,outside) xxx.242.139.164 192.168.1.13 dns netmask 255.255.255.255 0 0". You might want to remove "dns".
Next, it looks like you do not have an access-list set up that is assigned to the outside interface. To do this you need to define the access list and then use the "access-group" command to assign it to the outside interface. You do have some access-list statements in the config, but they are assigned to "100". You need to create an access-list for Internet traffic coming into the inside network. My ACL example below uses "outside_inbound" as the ACL name; this can be whatever you want, but it follows the same logic as your other ACLs.
So here is what I think needs to happen:
static (inside,outside) xxx.242.139.164 192.168.1.13 netmask 255.255.255.255 0 0
access-list outside_inbound permit tcp any host xxx.242.139.164 eq https
access-list outside_inbound permit tcp any host xxx.242.139.164 eq smtp
access-list outside_inbound permit icmp any host xxx.242.139.164 echo-reply
access-group outside_inbound in interface outside
I hope this helps
MK
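The checks the replies above describe by hand (a "dns" keyword on the static, an access-list that is defined but never bound with access-group so the outside interface has no inbound ACL, and a nat 0 exemption whose range overlaps the static's global address) can be run mechanically over a saved config. The linter below is an added example, not code from this thread or from Cisco. The config it checks is constructed: TEST-NET addresses 203.0.113.x stand in for the redacted xxx.242.139.x range, and the regexes are assumptions about the PIX 6.x line shapes quoted in the posts.

```python
"""Lint a PIX 6.x-style config for the mistakes discussed in the thread.

Added example; the sample config is constructed and the parsing rules are
assumptions based on the line shapes quoted in the posts.
"""
import ipaddress
import re

# Constructed config mirroring the poster's setup (203.0.113.x replaces the
# redacted xxx.242.139.x range). ACL 100 is defined but never bound.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip any 203.0.113.160 255.255.255.224
static (inside,outside) 203.0.113.164 192.168.1.13 dns netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 203.0.113.164 eq https
"""

# Constructed config following the corrected lines suggested in the thread.
FIXED_CONFIG = """\
static (inside,outside) 203.0.113.164 192.168.1.13 netmask 255.255.255.255 0 0
access-list outside_inbound permit tcp any host 203.0.113.164 eq https
access-list outside_inbound permit tcp any host 203.0.113.164 eq smtp
access-list outside_inbound permit icmp any host 203.0.113.164 echo-reply
access-group outside_inbound in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<high>\w+),(?P<low>\w+)\) (?P<gaddr>\S+) (?P<laddr>\S+)(?P<rest>.*)$")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) (?P<body>.+)$")
GROUP_RE = re.compile(
    r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<iface>\S+)$")
NAT0_RE = re.compile(r"^nat \((?P<iface>\w+)\) 0 access-list (?P<name>\S+)$")
ACL_IP_RE = re.compile(
    r"^permit ip (?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)$")


def acl_dst_network(body):
    """Destination network of a 'permit ip <src> <dst>' ACL entry, else None."""
    m = ACL_IP_RE.match(body)
    if not m:
        return None
    dst = m.group("dst")
    if dst == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if dst.startswith("host "):
        return ipaddress.ip_network(dst.split()[1] + "/32")
    addr, mask = dst.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint_pix_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    statics, acls, groups, nat0 = [], {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group("name"), []).append(m.group("body"))
        elif m := GROUP_RE.match(line):
            groups.append(m.groupdict())
        elif m := NAT0_RE.match(line):
            nat0[m.group("iface")] = m.group("name")

    findings = []
    # 1) 'dns' keyword on a static (the first reply suggests removing it).
    for s in statics:
        if "dns" in s["rest"].split():
            findings.append(
                f"static {s['gaddr']} -> {s['laddr']} uses the 'dns' keyword")
    # 2) ACLs that nothing references: neither access-group nor nat 0.
    referenced = {g["name"] for g in groups} | set(nat0.values())
    for name in acls:
        if name not in referenced:
            findings.append(
                f"access-list {name} is defined but never bound with access-group")
    # 3) Inbound traffic on outside needs an ACL applied with access-group.
    if not any(g["iface"] == "outside" and g["dir"] == "in" for g in groups):
        findings.append("no inbound access-group on interface outside")
    # 4) nat 0 exemption range that covers a static's global address.
    for iface, name in nat0.items():
        for body in acls.get(name, []):
            net = acl_dst_network(body)
            if net is None:
                continue
            for s in statics:
                if ipaddress.ip_address(s["gaddr"]) in net:
                    findings.append(
                        f"static global {s['gaddr']} falls inside nat 0 "
                        f"exemption {net} (access-list {name}, nat ({iface}) 0)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint_pix_config(cfg) or ["clean"]:
            print(" -", f)
```

Running it prints four findings for the constructed original and "clean" for the corrected version. The nat 0 check is deliberately conservative: it only inspects `permit ip` entries of the ACL named by `nat (iface) 0 access-list`, so protocol-specific entries are skipped rather than guessed at.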
07-01-2005 09:42 AM
The inside host machine will respond to the ping, not the PIX. So make sure the inside host has no firewall enabled that will drop ICMP.
Ping is a useful tool and often used to troubleshoot internet connectivity etc. I would suggest adding this line to your outside ACL:
access-l outside permit icmp any any echo-reply
This will allow pings from the inside network to go to the net and come back.
If you are trying to ping the IP you are mapping to the inside host from the net your ACL does not permit this. You would need the following.
access-l outside permit icmp any host x.x.x.x echo
Are the other services that are permitted in the ACL working?
Daniel