06-23-2004 02:22 PM - edited 03-09-2019 07:50 AM
I have a new PIX515E (ver 6.3(1)) with two interfaces and, so far, all I have been able to do is get it to do PAT for all our workstations. Any attempts to do NAT for my three servers have been unsuccessful.
I have three servers: web, e-commerce and mail, each with their own registered external address. They worked fine before I put the PIX in.
I have tried to set up address translation and access to only the ports needed by following the PIX configuration guide but, as I said before, it doesn't work - the servers are effectively off the Net.
There is quite a bit of urgency to getting this fixed because our e-commerce site has been down for two days.
Do I need an additional interface for a DMZ? I didn't think I did. Any help would be greatly appreciated.
For reference, I am including the current config of the PIX. Right now it is only set up for PAT and NAT for one server.
----------------
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname PIX515
domain-name opalco.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any host 12.45.xxx.xxx eq https
access-list acl_out permit tcp any host 12.45.xxx.xxx eq www
access-list acl_out permit icmp any host 12.45.xxx.xxx
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.55.9.81
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 12.45.xxx.xxx 255.255.255.0
ip address inside 192.55.9.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.55.9.81 255.255.255.255 inside
pdm location 192.55.11.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.55.9.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.45.xxx.xxx 192.55.9.1 netmask 255.255.255.255 0 0
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 12.45.xxx.xxx 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 192.5.41.41 source outside
ntp server 131.107.1.10 source outside prefer
http server enable
http 192.55.9.0 255.255.255.0 inside
http 192.55.11.0 255.255.255.0 inside
snmp-server location (my location)
snmp-server contact (my name)
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.55.9.81 /pix_config
floodguard enable
telnet 192.55.9.0 255.255.255.0 inside
telnet 192.55.11.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 10
dhcprelay server 192.55.9.2 inside
username admin password xxx encrypted privilege 15
username user password xxx encrypted privilege 5
terminal width 80
Cryptochecksum:xxxx
: end
[OK]
06-23-2004 06:16 PM
Let's assume the following:
Web server: outside IP 12.45.1.1 inside IP 192.55.9.10
Ecommerce server: outside IP 12.45.1.2 inside IP 192.55.9.11
email server: outside IP 12.45.1.3 inside IP 192.55.9.12
So these 3 servers are currently sitting outside the PIX with the above 12.45.x.x IP addresses. To move them inside the PIX change the cabling over, and configure the PIX with the following:
static (inside,outside) 12.45.1.1 192.55.9.10 netmask 255.255.255.255
static (inside,outside) 12.45.1.2 192.55.9.11 netmask 255.255.255.255
static (inside,outside) 12.45.1.3 192.55.9.12 netmask 255.255.255.255
The above creates the NAT translations through the PIX from inside to outside. Then you need to allow the traffic in with an access-list (basically you have this already):
access-list acl_out permit tcp any host 12.45.1.1 eq https
access-list acl_out permit tcp any host 12.45.1.1 eq www
access-list acl_out permit tcp any host 12.45.1.2 eq nnn (whatever port(s) ecommerce uses)
access-list acl_out permit tcp any host 12.45.1.3 eq smtp
access-list acl_out permit icmp any any
access-group acl_out in interface outside
That should be it. Now, THE MOST IMPORTANT THING is to clear the ARP table on your outside router.
People always run into this problem when they move a server from outside the PIX to inside. The outside router will have an entry for 12.45.1.1 pointing to the MAC address of the NIC in your web server. After you move the server inside the PIX, the outside router will continue to send traffic for 12.45.1.1 to this MAC address, which is no longer there, and you lose all access to it. At this point people assume the PIX config is screwed up, but it is the outside router. It will only do an ARP query after its ARP entry clears out, which could be up to 3 hours later. Clearing out the ARP table forces the outside router to do an ARP query, which the PIX will now respond to (because it has a static configured for that address), and from that point on the router will forward packets for 12.45.1.1 to the PIX, and everything will work.
If you don't have access to this router to clear the ARP table, then rebooting it will also work, but you have to do something to clear the ARP table on it before you'll be able to get access to these servers from the outside.
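The answer above boils down to two independent conditions on the PIX: a `static` must translate the public address, and the access-list bound to the outside interface must permit the flow against that public (translated) address. The following is an added example, not code from the thread or from Cisco: a small Python model that parses `static`, `access-list` and `access-group` lines in the style of the answer, decides whether an inbound packet would be admitted and translated, and audits a config for the two mistakes that most often leave a server unreachable (a static with no permit line, or a permit line written against the inside address, which PIX 6.3 does not match on the outside interface). The config text is constructed from the addresses used in the answer; port 8443 for the e-commerce server is an assumption standing in for the `nnn` the answer leaves open. The order in which the model applies the two checks is for readability and is not a claim about the PIX's internal pipeline; the outcome needs both to pass either way. Nothing here models the upstream router's ARP cache, which is the separate problem the answer ends on.

```python
"""Toy model of how a PIX 6.3 admits a connection arriving on 'outside'.

Two things must both hold for a packet to reach a server behind the PIX:
  1. a static (inside,outside) translation exists for the public address, and
  2. the access-list bound to the outside interface permits the flow,
     matched against the PUBLIC (translated) address, not the inside one.

Added example, not code from the thread. CONFIG is constructed from the
addresses in the answer; port 8443 for e-commerce is an assumption.
"""
import re

# Port keywords that PIX 6.3 accepts in access-lists and that appear on this page.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21}

CONFIG = """\
static (inside,outside) 12.45.1.1 192.55.9.10 netmask 255.255.255.255
static (inside,outside) 12.45.1.2 192.55.9.11 netmask 255.255.255.255
static (inside,outside) 12.45.1.3 192.55.9.12 netmask 255.255.255.255
access-list acl_out permit tcp any host 12.45.1.1 eq https
access-list acl_out permit tcp any host 12.45.1.1 eq www
access-list acl_out permit tcp any host 12.45.1.2 eq 8443
access-list acl_out permit tcp any host 12.45.1.3 eq smtp
access-list acl_out permit icmp any any
access-group acl_out in interface outside
"""

# Constructed 'broken' config: the permit names the inside address, and the
# second static has no permit line at all. Both leave the server unreachable.
BROKEN_CONFIG = """\
static (inside,outside) 12.45.1.1 192.55.9.10 netmask 255.255.255.255
static (inside,outside) 12.45.1.2 192.55.9.11 netmask 255.255.255.255
access-list acl_out permit tcp any host 192.55.9.10 eq www
access-group acl_out in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def parse_config(text):
    """Pull statics, access-list entries and the outside access-group out of config text."""
    statics, acls, outside_acl = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)          # public -> inside
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif m := GROUP_RE.match(line):
            outside_acl = m.group(1)
    return {"statics": statics, "acls": acls, "outside_acl": outside_acl}


def _addr_match(spec, ip):
    return spec == "any" or spec == f"host {ip}"


def _port_match(spec, dport):
    if spec is None:                                  # no 'eq': any port
        return True
    want = PORT_NAMES.get(spec)
    return dport == (int(spec) if want is None else want)


def inbound_decision(cfg, dst_ip, proto, dport=None, src_ip="0.0.0.0"):
    """Return (allowed, inside_ip, reason) for a packet hitting the outside interface."""
    inside = cfg["statics"].get(dst_ip)
    if inside is None:
        return False, None, f"no static for {dst_ip}: nothing to translate to"
    entries = cfg["acls"].get(cfg["outside_acl"] or "", [])
    for action, aproto, src, dst, port in entries:
        if aproto not in (proto, "ip"):
            continue
        if not (_addr_match(src, src_ip) and _addr_match(dst, dst_ip)):
            continue
        if proto in ("tcp", "udp") and not _port_match(port, dport):
            continue
        if action == "permit":
            return True, inside, f"permitted by {cfg['outside_acl']}, translated to {inside}"
        return False, inside, f"denied by {cfg['outside_acl']}"
    return False, inside, "no matching permit: implicit deny at end of outside ACL"


def audit(cfg):
    """Flag the misconfigurations that most often leave a server 'off the Net'."""
    problems = []
    if cfg["outside_acl"] is None:
        problems.append("no access-group binds an ACL to the outside interface")
    entries = cfg["acls"].get(cfg["outside_acl"] or "", [])
    inside_ips = set(cfg["statics"].values())
    for action, _, _, dst, _ in entries:
        if action == "permit" and dst.startswith("host "):
            ip = dst.split()[1]
            if ip in inside_ips:
                problems.append(f"ACL permits inside address {ip}; on PIX 6.3 the outside ACL must name the public address")
            elif ip not in cfg["statics"]:
                problems.append(f"ACL permits {ip} but no static translates it")
    for pub in cfg["statics"]:                        # dict keeps config order
        if not any(a == "permit" and d in ("any", f"host {pub}") for a, _, _, d, _ in entries):
            problems.append(f"static for {pub} has no permit line in the outside ACL")
    return problems


if __name__ == "__main__":
    good = parse_config(CONFIG)
    print(inbound_decision(good, "12.45.1.1", "tcp", 443))
    print(inbound_decision(good, "12.45.1.1", "tcp", 22))
    for p in audit(parse_config(BROKEN_CONFIG)):
        print("WARNING:", p)
```

Run it and the good config admits HTTPS to 12.45.1.1 (translated to 192.55.9.10) but not SSH, while the audit of the broken config reports the inside-address permit and the two statics that nothing permits. The same audit is a quick sanity check to run over a config before blaming the firewall for a server that looks "off the Net", with the ARP-cache issue the answer describes as the next thing to check when the config passes.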
06-24-2004 09:34 AM
Thank you very much for your help. Your directions worked perfectly.
Brian