450 Views | 9 Helpful | 36 Replies
Beginner

Re: static PAT statements, need help...

Oh, I see.

OK, I tried that and still no go... sorry.

I even tried to set it to

access-list test permit ip any any

just to make sure, and I still couldn't get through.

Participant

Re: static PAT statements, need help...

Can you paste the current config file? This really does not make sense.

Beginner

Re: static PAT statements, need help...

certainly...

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname YRPCI
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol ftp 22
fixup protocol smtp 25
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit ip host 192.168.50.202 any
access-list acl_outbound permit tcp host 192.168.50.203 any
access-list acl_outbound permit tcp host 192.168.50.204 any
...
access-list acl_outbound permit tcp host 192.168.50.225 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
access-list acl_outbound permit ip host 192.168.50.51 any
access-list acl_outbound permit tcp host 192.168.50.11 any
access-list acl_outbound permit ip host 192.168.50.13 any
access-list acl_outbound permit tcp host 192.168.50.225 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
access-list acl_inbound permit tcp any host MainOffice eq pop3
access-list acl_inbound permit tcp any host MainOffice eq smtp
access-list acl_inbound permit tcp any host MainOffice eq telnet
access-list test permit ip any any
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered warnings
logging trap warnings
logging history warnings
logging host inside 192.168.50.201
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit host MainOffice outside
icmp permit host ConstOffice outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 8:00:00
timeout conn 7:00:00 half-closed 6:00:00 udp 7:00:00 rpc 7:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 7:30:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet BftOffice 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxx
vpdn group pppoex ppp authentication pap
vpdn username xxxxx password *********
username cisco password BS/vQ9dzYT2I3rJy encrypted privilege 15
terminal width 80
: end
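The following is an added example, not code from the thread or from Cisco. It audits a PIX 6.x configuration the way a reviewer would read the one posted above: it parses the port statics and reports only genuine collisions (the same global address, protocol and port mapped to two different inside targets; one inside host behind several ports, or several hosts behind different ports of one address, is ordinary port redirection), lists which inside hosts sit behind MainOffice, reports ACLs that are defined but never bound, and flags the exposures visible in the config (SSH from 0.0.0.0/0 and telnet from the outside, the default SNMP community, single DES in the ISAKMP policy, and the inbound rule that has MainOffice as its source rather than destination). SAMPLE_CONFIG is a constructed subset of the posted configuration with the wrapped lines rejoined; the function names and severity labels are this example's own.

```python
"""Audit a PIX 6.x config for static-PAT collisions and exposed services.

Added example, not code from the thread or from Cisco. SAMPLE_CONFIG is a
constructed subset of the configuration posted in the thread (wrapped lines
rejoined); the function names and severity labels are this example's own.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
name x.x.71.7 MainOffice
name x.x.71.8 ConstOffice
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit ip host MainOffice any
access-list test permit ip any any
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
snmp-server community public
isakmp policy 10 encryption des
telnet ConstOffice 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

# static (in,out) <proto> <global addr> <global port> <local addr> <local port> ...
STATIC_RE = re.compile(
    r"^static \((?P<ifin>\w+),(?P<ifout>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gaddr>\S+) (?P<gport>\S+) (?P<laddr>\S+) (?P<lport>\S+)"
)


def parse_statics(config):
    """One dict per port static (static PAT) line, in config order."""
    return [m.groupdict() for line in config.splitlines()
            if (m := STATIC_RE.match(line.strip()))]


def pat_collisions(statics):
    """Real conflicts only: the same (global addr, proto, port) sent to two
    different inside targets. One inside host behind several ports, or several
    hosts behind different ports of one address, is ordinary port redirection."""
    targets = defaultdict(set)
    for s in statics:
        targets[(s["gaddr"], s["proto"], s["gport"])].add((s["laddr"], s["lport"]))
    return {key: t for key, t in targets.items() if len(t) > 1}


def inside_hosts_behind(statics, gaddr):
    """Inside hosts reachable through port statics on a given global address."""
    return sorted({s["laddr"] for s in statics if s["gaddr"] == gaddr})


def unused_acls(config):
    """ACLs defined but never bound by access-group, nat 0, or a crypto map."""
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    used = set(re.findall(r"^access-group (\S+) ", config, re.M))
    used |= set(re.findall(r"^nat \(\w+\) 0 access-list (\S+)", config, re.M))
    used |= set(re.findall(r"match address (\S+)$", config, re.M))
    return defined - used


def audit(config):
    """Return (severity, finding) tuples a reviewer would raise on this config."""
    findings = []
    statics = parse_statics(config)
    global_addrs = {s["gaddr"] for s in statics}
    inbound_acls = set(re.findall(r"^access-group (\S+) in interface outside$",
                                  config, re.M))
    for key, t in pat_collisions(statics).items():
        findings.append(("error", f"static PAT collision on {key}: {sorted(t)}"))
    for acl in sorted(unused_acls(config)):
        findings.append(("info", f"access-list {acl} is defined but never applied"))
    for line in (raw.strip() for raw in config.splitlines()):
        if re.match(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 outside$", line):
            findings.append(("warn", "SSH management reachable from any outside address"))
        elif re.match(r"^telnet \S+ \S+ outside$", line):
            findings.append(("warn", f"cleartext telnet management from outside: {line}"))
        elif line == "snmp-server community public":
            findings.append(("warn", "default SNMP community string 'public'"))
        elif re.match(r"^isakmp policy \d+ encryption des$", line):
            findings.append(("warn", "single DES in ISAKMP policy"))
        else:
            # An inbound rule whose *source* is one of our own global addresses:
            # on the outside interface the source is the remote peer, so this is
            # almost certainly meant as "permit ... any host <addr>".
            m = re.match(r"^access-list (\S+) permit \S+ host (\S+) any$", line)
            if m and m.group(1) in inbound_acls and m.group(2) in global_addrs:
                findings.append(("warn", f"inbound rule uses own global address "
                                         f"{m.group(2)} as source: {line}"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

Run against the posted config, the collision check comes back empty: the four statics share MainOffice but each uses a different global port, so they do not overlap. The findings it does raise are the management and crypto exposures above, which a reviewer would want fixed regardless of the PAT question.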

Participant

Re: static PAT statements, need help...

I noticed you are using PPPoE (ip address outside pppoe setroute). This is new, so I am going to look and see if there are any issues with the static mappings and PPPoE. I am going to see if there are any other protocols we need to allow with the ACL with PPPoE. The config looks good, except for one line in the access-list.

access-list acl_inbound permit ip host MainOffice any

should be

access-list acl_inbound permit ip any host MainOffice

Actually, you don't even need that line with the permit tcp statements later in the list.

Beginner

Re: static PAT statements, need help...

It seems that you are using the same external IP address to translate into multiple internal addresses. I would ask, do any of the other translations work inbound? Do you have any other external IP addresses in the block you have been given to translate one-to-one with your email server?

Instead of having all these statics:

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

use the same external, I would suggest getting additional external IP addresses to translate with or to.

I hope this helps.

Beginner

Re: static PAT statements, need help...

I wish I could get more external IPs, but our DSL provider won't give us any more than one; they claim it's some sort of hardware limitation on their part. :( (And living on Hilton Head Island limits my choices of ISP suppliers.)

Yes, as of 2 weeks ago the top static was working, port 3389. I don't have the stuff I need here at home to use it at the moment, but I will double check that it still is tomorrow.

According to what i've done in the past and seen done, (heck i even do it with my simple linksys router at home) is standard PAT and I could use as many computers as I want running through that one external as long as they all use different ports to jump through as that one IP.

Thanks,

Dave

Cisco Employee

Re: static PAT statements, need help...

OK, first of all, for your inability to ping the outside IP address of the firewall, do this:

> clear icmp

> icmp permit any echo outside

> icmp permit any unreachable outside

Note that you won't be able to ping the outside IP address from any inside host, the PIX doesn't allow that.

As for your port statics not working, try the following (keep the port statics in place):

> nat (inside) 10 192.168.50.13 255.255.255.255

> global (outside) 10 MainOffice

That should get your SMTP/POP3 connectivity going hopefully.

Beginner

Re: static PAT statements, need help...

I have everything in except that last global line, it gives me

"Start and end addresses overlap with outside interface address"

I wasn't aware I could have that global statement in with my existing one

"global (outside) 2 interface"

Am I missing something here? Thanks.

Dave

Beginner

Re: static PAT statements, need help...

I guess I misunderstood; I was under the impression that you were having difficulties with accessing your email server inbound, not outbound. With that being said, how are you able to PAT inbound to several different internal IP addresses? My assumption is that the only inbound translation that works is:

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

If you are having trouble with what I have said above, I don't believe you can do what you are doing. You will need additional NIC addresses to translate into your many internal addresses. You need to be doing a one-to-one translation with these servers; however, you are trying to complete this with a one-to-many premise inbound. This (I don't believe) will work inbound like this. Yes, PAT will work outbound in this scenario, but I believe the PAT inbound is your problem. Try my theory out if yours works:

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

Put your smtp or pop3 static at the top of the static statements and see what works then.

Unless I am not understanding (which is truly possible), I believe this is your problem.

Hope this helps explain a little more what I was saying before.

Beginner

Re: static PAT statements, need help...

Oh my goodness...

Well, that worked, which amazes me. Why would it limit me to only one static inbound traffic entry?

Heck, on my SOHO Linksys router I can do multiple PAT inbounds with a single IP!

So for every device host I have I'll need a separate public IP. Wow, it's a good thing I don't plan on hosting more than 2-3 different things. I just hope I can get my ISP to work out their issues with supplying more than one IP to us.

Beginner

Re: static PAT statements, need help...

Well, I am glad it works. To be honest with you, I am not sure why it works at home. I don't know all, however, I truly thought that you could not do PAT like this inbound.

But, from what I know, yes, you will have to have one external address for every internal system you want to translate to.

Unless, someone else knows something I don't (that is absolutely possible) you will have to do this. And like you say, hopefully you can get yourself some more addresses.

Good luck, and I am glad at least this part of the issue is kind of resolved!

Participant

Re: static PAT statements, need help...

I am glad that it is working. I really thought you could configure it the way you were doing it also. I have not tried it that way before, but the configuration options are there, so I don't know why it wouldn't work.

Beginner

Re: static PAT statements, need help...

Thanks guys, I appreciate your help.

Until I get more IPs I can only host one service at a time, but that's the way the cookie crumbles...

Thanks again.

Participant

Re: static PAT statements, need help...

You can create the static mapping without using the port mappings. This will send all traffic to the server so you can use SMTP and POP3 to the mail server. This way you only use your RDP access.

static (inside,outside) MainOffice 192.168.50.13 netmask 255.255.255.255 0 0

Beginner

Re: static PAT statements, need help...

Well, the PATs are working as long as I direct them to the same IP. For example I have

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

and both work, but when I add

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

that doesn't work...

just thought you'd like to know that for future reference :)
