09-03-2003 12:26 PM - edited 03-09-2019 04:39 AM
I am attempting to do a port redirection on the outside interface of the Pix with the new commands that v6.0+ provides.
Any tcp traffic on port 3000 that comes to my outside interface is statically translated with the static (inside,outside) command and redirected to a server (same port, 3000) on the trusted/inside network.
Hey, if it worked I wouldn't be posting here would I?
The only difference I see in cisco's sample config is that they are using a separate PAT address whereas I am using the Pix's outside interface as my PAT address. Is that a problem?
Thanks
09-03-2003 12:35 PM
Hi,
Nope, should not be a problem. So, in other words you have something like this:
static (inside, outside) tcp interface 3000 10.1.1.1 3000 netmask 255.255.255.255 0 0
What is happening when you try connecting to port 3000 (or whatever)? Is the server on the inside listening on that port? What does a 'sh conn detail' show you when you try? Any chance you could post your config for review? Should work fine though.
Scott
09-03-2003 01:14 PM
Thanks for the reply Scott. Here's the part of the config in question, with some of the addresses changed to protect the innocent. As you can see, the PIX is getting its outside address from DHCP (cable modem) but it hasn't changed in years, so I guess it's OK. I am also doing some PPTP VPN stuff which works fine with the DHCP address.
access-list 101 permit tcp any host (PIX OUTSIDE) eq 3000
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 172.16.1.1-172.16.1.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3000 192.168.0.199 3000 netmask 255.255.255.255 0 0
access-group 101 in interface outside
SH CONN DETAIL doesn't appear to show any sort of connection or translation to 192.168.0.199. To access this port on the server, I just open a browser and hit http://(PIX outside address):3000, but it fails immediately. It works internally, with 192.168.0.199:3000 but not from outside.
09-03-2003 06:38 PM
Config looks fine and it also should be fine using a DHCP interface in the port static. Might be time to take a look at debug level syslogs to see what is going on. Before that, can you paste the output from a 'sh xlate'?
Scott
09-23-2003 01:05 PM
Having a similar problem with 6.2 on a PIX515E.
Basically I am trying to PAT an internal network to the IP address of the outside interface, at the same time using a static to port redirect a connection to an inside host from the outside.
Same config as mentioned earlier, but I get an error in debug saying "163>%PIX-3-305005: No translation group found for udp src outside:BrentsISDNRtr/56243 dst inside:172.16.0.1/25"
09-23-2003 01:36 PM
Hi all,
As a consultant I ran into a similar problem. I found out that this customer did enter the command "no sysopt proxy-arp" at their PIX, and this was causing the problem. This customer's case was slightly different from your case, because there were two PIXs connected back-to-back (two companies in one building communicating with each other), but you could check it at your PIX ;-)
Kind regards,
Leo
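A small config lint for the kind of port static discussed in this thread, added here as an example and not taken from any post above or from Cisco: it pairs each 'static ... tcp|udp interface <port>' with the access-list bound inbound on the outside interface and flags statics with no matching permit, plus the "no sysopt proxy-arp" line Leo mentions. The sample config is constructed (outside address 203.0.113.10 is a placeholder, and the udp/25 static and the proxy-arp line are added so that there is something to flag).

```python
import re

# Constructed sample, not the thread's exact config: the wrapped static is
# rejoined on one line, the outside address is a placeholder, and a udp/25
# static plus "no sysopt proxy-arp" are added so the lint has findings.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 203.0.113.10 eq 3000
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3000 192.168.0.199 3000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 25 192.168.0.200 25 netmask 255.255.255.255 0 0
access-group 101 in interface outside
no sysopt proxy-arp
"""

# static (in_if,out_if) proto global_addr global_port local_addr local_port ...
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b")
# access-list <name> permit <proto> <src> <dst> eq <port>
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp|ip) .* eq (\d+)$")
# access-group <name> in interface <if>
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def lint_port_statics(config):
    """Return a list of findings for port statics that the bound ACL does not permit."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics, acl_rules, bound = [], [], {}
    for line in lines:
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acl_rules.append(m.groups())
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL name
    findings = []
    for _, out_if, proto, _, gport, laddr, lport in statics:
        tag = f"{proto}/{gport} -> {laddr}:{lport}"
        acl = bound.get(out_if)
        if acl is None:
            findings.append(f"{tag}: no access-group bound inbound on {out_if}")
        elif not any(n == acl and p in (proto, "ip") and port == gport
                     for n, p, port in acl_rules):
            findings.append(f"{tag}: ACL {acl} has no permit for {proto} port {gport}")
    if "no sysopt proxy-arp" in lines:
        findings.append("proxy-arp disabled ('no sysopt proxy-arp'): re-check, as in Leo's case")
    return findings


if __name__ == "__main__":
    for f in lint_port_statics(SAMPLE_CONFIG):
        print(f)
```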