Need help with firewall configuration

rbinc
Level 1

I am trying to make port 443 on a machine on my internal network accessible from the outside. We have a private IP subnet, so I have NAT working. Here are the commands (changed IPs per boss' request):

access-list outside_access_in permit tcp any host 207.1.1.45 eq 443

access-list outside_access_in permit icmp any host 207.1.1.45

static (inside,outside) 207.1.1.45 192.168.0.5 netmask 255.255.255.255 0 0

The internal network is 192.168.0.0/23, but it won't let me put 255.255.254.0.

I can't get to this machine from the outside world.

What am I doing wrong?

Am I missing anything?

Thanks

Jenn

9 Replies

b-pelphrey
Level 1

I never thought about that before, and I have never run into it. It looks like you are using the CLI, but now that I think about it, when you create a rule through the PDM it doesn't give any others except /0, /8, /16, /24, /32. But I would imagine that you could just enter /16 and that would supernet the above.

If there is another way to do this, I am not sure, and I would be curious to know myself, but I think that would work.

Is there anything I can do to test to see if NAT is actually working?

You can do a show xlate to see your translation table for all your connections.

OK, it says

global 207.1.1.45 local 192.168.0.5 static

That seems to be OK.

If I ping the global, I do not get a response. Could this be the problem?

That is showing that the static translation is working, and that it has been created in the xlate table. I might then suggest taking a look at the 192.168.0.5 system. Make sure the default route and subnet mask are set properly. Make sure the PIX interface that 192.168.0.5 hangs off of has a matching subnet mask (/23). If 192.168.0.5 is supposed to be able to communicate with any other devices internally, make sure that it can still do that too.

Also, is 192.168.0.5 supposed to be able to get to the Internet? If so, I would suggest making sure that works.

The PIX internal IP is 192.168.0.213/23.

The host is 192.168.0.5/23.

Same subnet.

I can ping the internal IP, and the host can ping the PIX box.

The host cannot get to the internet - we are using a proxy for all web traffic.

Couple of things. Do you have any other systems that are set up like this that you can ping from the outside? The reason I ask is that I did a trace to your external address and I am getting dropped beforehand. I am wondering if ICMP is getting killed altogether.

Also, is the website up? At least for testing. Maybe HTTP? Last thing, I might suggest turning on debug to make sure that it is actually something to do with the firewall. I suspect that it might be something else.

OK, I think it's how I have the network set up, but I am not sure how to get around this problem.

We have two machines:

192.168.0.5 and 192.168.0.61

192.168.0.61 is the proxy and can get out to the internet.

We want all web traffic to go through this for reporting purposes.

The proxy has a router setting of 192.168.0.213, which is the PIX.

The web server, 192.168.0.5 (also our Exchange server), has a router setting of 192.168.0.1, so the WAN users can access it, but it can't get to the internet unless it uses the proxy.

I did the debug and I can see the inbound - outside ->207.1.1.45->192.168.0.5 but I don't see the outbound traffic.

If I ping the proxy's outside address it works.

Why isn't this setup working? If the original request looks like it came from the PIX, which is on the same subnet, shouldn't it return the reply to the PIX, and the PIX knows what to do with it?

please put me straight :)

Thanks

Jenn
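The last post describes exactly the symptom that a wrong default gateway on the inside host produces, so here is an added simulation of the thread's topology (my own example code, not from Cisco or from anyone in the thread). It models two facts about the PIX that the thread relies on: an inbound packet is checked against outside_access_in on its global destination, and a static translation rewrites only the destination address, so the web server sees the real outside client as the source, not the PIX. The host then does an ordinary longest-prefix-match route lookup for its reply. The addresses 192.168.0.213, 192.168.0.5, 192.168.0.1 and 207.1.1.45 come from the thread; the outside client 203.0.113.10 is a constructed documentation address.

```python
"""Added example: why the inbound static NAT in the thread shows inbound but no
outbound traffic when the web server's default gateway is 192.168.0.1 rather
than the PIX. Topology addresses come from the thread; the outside client
address is constructed (RFC 5737 documentation range)."""
import ipaddress

PIX_INSIDE = "192.168.0.213"
PIX_GLOBAL = "207.1.1.45"
WEB_HOST = "192.168.0.5"
WAN_ROUTER = "192.168.0.1"
OUTSIDE_CLIENT = "203.0.113.10"  # constructed outside address
INSIDE_NET = ipaddress.ip_network("192.168.0.0/23")

# static (inside,outside) 207.1.1.45 192.168.0.5 netmask 255.255.255.255
STATIC_XLATE = {PIX_GLOBAL: WEB_HOST}

# access-list outside_access_in entries: (protocol, destination host, destination port or None)
OUTSIDE_ACCESS_IN = [("tcp", PIX_GLOBAL, 443), ("icmp", PIX_GLOBAL, None)]


def acl_permits(pkt):
    """Evaluate outside_access_in against the untranslated (global) destination."""
    for proto, host, port in OUTSIDE_ACCESS_IN:
        if pkt["proto"] == proto and pkt["dst"] == host and (port is None or pkt.get("dport") == port):
            return True
    return False  # implicit deny at the end of every PIX access-list


def pix_inbound(pkt):
    """Inbound static NAT rewrites only the destination; the outside source is kept."""
    if not acl_permits(pkt) or pkt["dst"] not in STATIC_XLATE:
        return None  # dropped: no ACL permit or no matching translation
    return dict(pkt, dst=STATIC_XLATE[pkt["dst"]])


def next_hop(routes, dst):
    """Longest-prefix-match lookup. routes is a list of (network, gateway);
    a gateway of None means the network is directly connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def reply_reaches_pix(host_routes, proto="tcp", dport=443):
    """Send one request from the outside client through the PIX to the web host and
    return (source the host sees, next hop of the host's reply, reply goes via PIX?)."""
    request = {"proto": proto, "src": OUTSIDE_CLIENT, "dst": PIX_GLOBAL}
    if dport is not None:
        request["dport"] = dport
    inside = pix_inbound(request)
    if inside is None:
        return None, None, False
    hop = next_hop(host_routes, inside["src"])  # host answers the real outside source
    return inside["src"], hop, hop == PIX_INSIDE


# The thread's configuration: the web server's "router setting" is 192.168.0.1.
ROUTES_VIA_WAN_ROUTER = [(INSIDE_NET, None), (ipaddress.ip_network("0.0.0.0/0"), WAN_ROUTER)]
# Alternative: default route on the web server points at the PIX.
ROUTES_VIA_PIX = [(INSIDE_NET, None), (ipaddress.ip_network("0.0.0.0/0"), PIX_INSIDE)]

if __name__ == "__main__":
    for name, routes in (("default via 192.168.0.1", ROUTES_VIA_WAN_ROUTER),
                         ("default via PIX 192.168.0.213", ROUTES_VIA_PIX)):
        src, hop, ok = reply_reaches_pix(routes)
        verdict = "returns through the PIX" if ok else "bypasses the PIX (no outbound seen in debug)"
        print(f"{name}: reply to {src} is sent to {hop} -> {verdict}")
```

Running it reproduces the debug observation: with the default route at 192.168.0.1 the reply to 203.0.113.10 is handed to the WAN router, which has no translation state for the connection, so the PIX never sees the return traffic and the TCP handshake stalls. Pointing the web server's default route at the PIX (or having 192.168.0.1 forward non-local traffic to the PIX) makes the reply path symmetric. The netmask 255.255.255.255 on the static is correct for a single-host mapping; the /23 mask belongs on the PIX inside interface and the host, not on the static.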