PIX - static NAT troubles

comoms_dot_com
Level 1

I am trying to make a static route from xxx.242.139.164 to 192.168.1.13 and open ports 25 and 443. I am at a loss for what I missed to make this happen. I would also like to have ICMP traffic open or at least echo-reply so I can test the IPs and that doesn't seem to work either.

PIX config attached as .txt file.

Thanks for any help!

1 Accepted Solution

Accepted Solutions

mrarahman
Level 1

Hi Comoms,

This is your problem:

1) Here you say do not NAT this traffic.

nat (inside) 0 access-list inside_outbound_nat0_acl

access-list inside_outbound_nat0_acl permit ip any xxx.242.139.160 255.255.255.224

2)Then you use this for static nat.

static (inside,outside) xxx.242.139.164 192.168.1.13 dns netmask 255.255.255.255 0 0

3) This is totally wrong: first you say do not NAT this traffic, then you try to NAT it. How will it work?

4) Even if you allow it with an ACL, it will not work.

5) Please check your NAT, static NAT, ACL and routes again.

HTH

MAR
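The two things the thread points at (a static whose global address sits inside a nat 0 exemption ACL, and no access-group bound inbound on the outside interface) can be checked mechanically. This is an added example, not code from the thread or from Cisco; it parses a constructed PIX-style fragment modelled on the poster's lines, with 203.0.113.x standing in for the masked xxx.242.139.x block.

```python
import ipaddress
import re

# Constructed PIX 6.x-style fragment modelled on the thread (203.0.113.x = poster's masked block).
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 203.0.113.160 255.255.255.224
access-list outside_inbound permit tcp any host 203.0.113.164 eq https
access-list outside_inbound permit tcp any host 203.0.113.164 eq smtp
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) 203.0.113.164 192.168.1.13 netmask 255.255.255.255 0 0
access-group outside_inbound in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def _dest_network(tokens):
    """Destination of an 'ip' ACE body '<src> <dst>'; each side is 'any', 'host A' or 'A MASK'."""
    i, nets = 0, []
    while i < len(tokens):
        if tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32")); i += 2
        else:  # address followed by a dotted netmask
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}")); i += 2
    return nets[1]

def nat0_static_overlaps(config):
    """(global_ip, acl) for every static whose mapped address lies inside a network
    that a 'nat (ifc) 0 access-list' exemption already marks as not-NATed."""
    aces, nat0_acls, statics = {}, [], []
    for line in config.splitlines():
        if m := ACL_IP_RE.match(line):
            aces.setdefault(m[1], []).append(_dest_network(m[2].split()))
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m[2])
        elif m := STATIC_RE.match(line):
            statics.append(m[3])
    return [(g, acl) for acl in nat0_acls for net in aces.get(acl, [])
            for g in statics if ipaddress.ip_address(g) in net]

def outside_inbound_acl(config):
    """Name of the ACL applied inbound on 'outside', or None when no access-group binds one."""
    for line in config.splitlines():
        if (m := GROUP_RE.match(line)) and m[2] == "outside":
            return m[1]
    return None
```

Running it on the sample reports the 203.0.113.164 static as overlapping inside_outbound_nat0_acl; drop the nat 0 line (or narrow its ACL) and the overlap list comes back empty.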


4 Replies

mkirbyii
Level 1

My first glance looks like your static statement has DNS in the line ---> "static (inside,outside) xxx.242.139.164 192.168.1.13 dns netmask 255.255.255.255 0 0". You might want to remove "dns".

Next, it looks like you do not have an access-list set up that is assigned to the outside interface. To do this you need to define the access list and then use the "access-group" command to assign it to the outside interface. You do have some access-list statements in the config, but they are assigned to "100". You need to create an access-list for Internet traffic coming into the inside network. My ACL example below uses "outside_inbound" as the ACL name; this can be whatever you want, but it follows the same logic as your other ACLs.

So here is what I think needs to happen:

static (inside,outside) xxx.242.139.164 192.168.1.13 netmask 255.255.255.255 0 0

access-list outside_inbound permit tcp any host xxx.242.139.164 eq https

access-list outside_inbound permit tcp any host xxx.242.139.164 eq smtp

access-list outside_inbound permit icmp any host xxx.242.139.164 echo-reply

access-group outside_inbound in interface outside

I hope this helps

MK

Thanks for the reply!

I have completed the commands and am still not having luck sending pings to the IP.

I have attached my current config at pix_config_1.txt for review.

Thank you again, I truly appreciate the help.

The inside host machine will respond to the ping, not the PIX. So make sure the inside host has no firewall enabled that will drop ICMP.

Ping is a useful tool and often used to troubleshoot internet connectivity etc. I would suggest adding this line to your outside ACL

access-list outside permit icmp any any echo-reply

This will allow pings from the inside network to go to the net and come back.

If you are trying to ping the IP you are mapping to the inside host from the net your ACL does not permit this. You would need the following.

access-list outside permit icmp any host x.x.x.x echo

Are the other services that are permitted in the ACL working?

Daniel
