01-09-2003 12:56 PM - edited 03-09-2019 01:37 AM
I am trying to make port 443 accessible from the outside to a machine on my internal network. We have a private IP subnet, so I have NAT working. Here are the commands (IPs changed per my boss's request).
access-list outside_access_in permit tcp any host 207.1.1.45 eq 443
access-list outside_access_in permit icmp any host 207.1.1.45
static (inside,outside) 207.1.1.45 192.168.0.5 netmask 255.255.255.255 0 0
The internal network is 192.168.0.0/23, but it won't allow me to put 255.255.254.0.
I can't get to this machine from the outside world.
What am I doing wrong?
Am I missing anything?
Thanks
Jenn
01-09-2003 01:13 PM
I never thought about that before, and I have never run into it. It looks like you are using the CLI, but now that I think about it, when you create a rule through the PDM it doesn't give any other options except /0, /8, /16, /24, /32. But I would imagine that you could just enter /16 and that would supernet the above.
If there is another way to do this, I am not sure, and I would be curious to know myself, but I think that would work.
01-09-2003 01:20 PM
Is there anything I can do to test to see if NAT is actually working?
01-09-2003 01:24 PM
You can do a show xlate to see your translation table for all your connections.
01-09-2003 01:38 PM
OK, it says
global 207.1.1.45 local 192.168.0.5 static
That seems to be OK.
If I ping the global, I do not get a response. Could this be the problem?
01-09-2003 01:56 PM
That is showing that the static translation is working and that it has been created in the xlate table. I might then suggest taking a look at the 192.168.0.5 system. Make sure the default route and subnet mask are set properly. Make sure the PIX interface that 192.168.0.5 hangs off of has a matching subnet mask, /23. If 192.168.0.5 is supposed to be able to communicate with any other devices internally, make sure that it can still do that too.
Also, is 192.168.0.5 supposed to be able to get to the Internet? If so, I would suggest making sure that works.
01-09-2003 02:01 PM
The PIX internal IP is 192.168.0.213/23.
The host is 192.168.0.5/23.
Same subnet.
I can ping the internal IP, and the host can ping the PIX box.
The host cannot get to the Internet; we are using a proxy for all web traffic.
01-09-2003 02:21 PM
A couple of things. Do you have any other systems that are set up like this that you can ping from the outside? The reason I ask is that I did a trace to your external address and I am getting drops beforehand. I am wondering if ICMP is getting killed altogether.
Also, is the website up? At least for testing. Maybe HTTP? Last thing: I might suggest turning on debug to make sure that it is actually something to do with the firewall. I suspect that it might be something else.
01-10-2003 07:48 AM
OK, I think it's how I have the network set up, but I am not sure how to get around this problem.
We have two machines:
192.168.0.5 and .61
192.168.0.61 is the proxy and can get out to the Internet.
We want all web traffic to go through this for reporting purposes.
The proxy has a router setting of 192.168.0.213, which is the PIX.
The web server, 192.168.0.5 (also our Exchange server), has a router setting of 192.168.0.1, so the WAN users can access it, but it can't get to the Internet unless it uses the proxy.
I did the debug and I can see the inbound: outside -> 207.1.1.45 -> 192.168.0.5, but I don't see the outbound traffic.
If I ping the proxy's outside address, it works.
Why isn't this setup working? If the original request looks like it came from the PIX, which is on the same subnet, shouldn't it return the reply to the PIX, and the PIX knows what to do with it?
Please put me straight :)
Thanks
Jenn
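The picture in the last post (inbound packet visible in the debug, no outbound reply, server's default gateway pointing at 192.168.0.1 rather than the PIX) is an asymmetric-routing problem: the PIX holds the static translation and the connection state, but the server answers the client's real outside address, and for an off-subnet destination it hands the reply to its default gateway, which is not the PIX. Pinging the PIX from the host still works because 192.168.0.213 is on-link and no gateway is involved. The Python model below is an added example, not code from the thread or from Cisco; it reproduces the posted addresses, ACL and static, traces an inbound HTTPS connection with the routing as posted and again with the PIX as the server's default gateway, and shows why the netmask on the static is a /32 (it sizes the translated range, one host, and is separate from the /23 on the inside interface). The outside client 198.51.100.7 and the WAN range 10.0.0.0/8 are assumptions used only to make the trace concrete, and the "PIX as gateway" layout is this editor's suggestion of one common fix (the WAN router could equally be given a default route toward the PIX); the thread itself does not settle on one.

```python
"""Asymmetric-routing check for a PIX one-to-one static translation.

Added example; not code from the thread or from Cisco. It models the
topology Jenn describes: PIX inside interface 192.168.0.213/23, web/Exchange
server 192.168.0.5 with default gateway 192.168.0.1, proxy 192.168.0.61 with
default gateway 192.168.0.213, and the static for 207.1.1.45. The outside
client 198.51.100.7 and the WAN range 10.0.0.0/8 are assumptions used only
to make the trace concrete.
"""
import ipaddress

PIX_INSIDE = "192.168.0.213"  # inside interface address from the thread

# static (inside,outside) 207.1.1.45 192.168.0.5 netmask 255.255.255.255
# The netmask sizes the translated range (a /32 is exactly one host); it is
# not the inside interface mask, which is why /23 is rejected on the static.
STATIC = ("207.1.1.45", "192.168.0.5", "255.255.255.255")

# access-list outside_access_in as posted: (proto, src, dst, dst_port)
ACL = [("tcp", "any", "207.1.1.45", 443),
       ("icmp", "any", "207.1.1.45", None)]

# Inside hosts as described: prefix length, default gateway, extra routes.
HOSTS = {
    "192.168.0.5":  {"prefix": 23, "gateway": "192.168.0.1", "routes": []},
    "192.168.0.61": {"prefix": 23, "gateway": PIX_INSIDE, "routes": []},
}


def static_local(global_ip):
    """Untranslate a global address through STATIC; None if it is not covered."""
    g, local_base, mask = STATIC
    rng = ipaddress.ip_network(f"{g}/{mask}", strict=False)
    addr = ipaddress.ip_address(global_ip)
    if addr not in rng:
        return None
    offset = int(addr) - int(rng.network_address)  # 0 for a /32 static
    return str(ipaddress.ip_address(int(ipaddress.ip_address(local_base)) + offset))


def acl_permits(proto, dst_ip, dst_port):
    """First-match evaluation of outside_access_in with the implicit deny."""
    for p, _src, dst, port in ACL:
        if p != proto or dst not in ("any", dst_ip):
            continue
        if port is None or port == dst_port:
            return True
    return False


def next_hop(host_ip, dst_ip, hosts=HOSTS):
    """Where an inside host sends a packet: on-link, a specific route, or its gateway."""
    h = hosts[host_ip]
    dst = ipaddress.ip_address(dst_ip)
    if dst in ipaddress.ip_interface(f"{host_ip}/{h['prefix']}").network:
        return "on-link"
    routes = sorted(h["routes"], key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
                    reverse=True)  # longest prefix wins
    for net, gw in routes:
        if dst in ipaddress.ip_network(net):
            return gw
    return h["gateway"]


def trace_inbound(client_ip, proto, port, hosts=HOSTS):
    """Follow one inbound packet through the PIX and the server's reply back.

    Returns the delivery verdict, whether the reply reaches the PIX, and the path.
    """
    global_ip = STATIC[0]
    path = [f"{client_ip} -> {global_ip}:{port} arrives on outside"]
    if not acl_permits(proto, global_ip, port):
        path.append("denied by outside_access_in")
        return {"delivered": False, "reply_via_pix": False, "path": path}
    local = static_local(global_ip)
    path.append(f"static untranslates {global_ip} -> {local}, forwarded inside")
    # The server answers the client's real address, which is off-subnet, so it
    # consults its routing table. If that does not lead back to the PIX, the
    # reply bypasses the firewall holding the xlate and the handshake never
    # completes: exactly the "inbound seen, no outbound" debug picture.
    hop = next_hop(local, client_ip, hosts)
    via_pix = hop == PIX_INSIDE
    path.append(f"{local} replies to {client_ip} via {hop}"
                + ("; PIX re-translates and sends it out" if via_pix
                   else "; never reaches the PIX, connection hangs"))
    return {"delivered": True, "reply_via_pix": via_pix, "path": path}


def with_pix_as_gateway(hosts=HOSTS, wan_nets=("10.0.0.0/8",)):
    """Server routing that keeps the return path symmetric: default gateway on
    the PIX, the WAN networks (assumed 10.0.0.0/8) still reached via 192.168.0.1."""
    fixed = {ip: dict(h, routes=list(h["routes"])) for ip, h in hosts.items()}
    fixed["192.168.0.5"]["gateway"] = PIX_INSIDE
    fixed["192.168.0.5"]["routes"] = [(net, "192.168.0.1") for net in wan_nets]
    return fixed


if __name__ == "__main__":
    for label, table in (("as posted", HOSTS), ("PIX as gateway", with_pix_as_gateway())):
        result = trace_inbound("198.51.100.7", "tcp", 443, table)
        print(f"[{label}] reply returns via PIX: {result['reply_via_pix']}")
        for step in result["path"]:
            print("   ", step)
```

Run it as a script and the "as posted" trace ends at 192.168.0.1, while the "PIX as gateway" trace returns through 192.168.0.213; in the fixed table the WAN users still reach the server because their networks are routed explicitly via 192.168.0.1. The same check applied to the ICMP rule explains why pinging the global address from outside gets no reply either: the echo request arrives, but the echo reply takes the same wrong gateway.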