static PAT statements, need help...

dsingleterry

Hello all,

I am in the process of setting up an email server. For the time being, for reasons I'd rather not explain, I cannot put it in the DMZ, so it is sitting on the inside interface of the 515e firewall.

I have the internal IP of that server as 192.168.50.13, and from inside the network I can send, receive, etc. email on that server. It is a new server, so I recently set up my A and MX records. When pinging the domain entry, the proper IP is now assigned to the domain name. However, I cannot see my email server from the outside world. When running a DNS query on the MX record I get no response.

The problem is at the PIX level. My static statements don't seem to be working.

One of my 4 static statements works, (for our Terminal Services server) but the other 3 entries do not.

They are as follows:

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

(The last entry is just to test and see if I could even host a Win2k standard telnet server from my local desktop and see it through the firewall. The test was unsuccessful: I can telnet in via the local IP, .201, but not via the outside IP, MainOffice.)

Since other places in the PIX config often seem to affect the issues I have :), I am including a full running-config listing below for those who would like to reference it. Thank you for your time.

One other strange thing of note: with this current config, I cannot ping my outside interface IP from either external IPs or internal IPs. I have my ICMP entries set and thought I should be able to see it, but can't. This isn't as important an issue as the one above.

Dave

::

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

hostname YRPCI

domain-name yrpci.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol http 8080

fixup protocol ftp 22

names

name x.x.71.8 ConstOffice

name x.x.81.11 BftOffice

name x.x.71.7 MainOffice

access-list acl_outbound permit ip host 192.168.50.10 any

access-list acl_outbound permit ip host 192.168.50.75 any

access-list acl_outbound permit ip host 192.168.50.201 any

access-list acl_outbound permit ip host 192.168.50.202 any

access-list acl_outbound permit tcp host 192.168.50.203 any

access-list acl_outbound permit tcp host 192.168.50.204 any

access-list acl_outbound permit tcp host 192.168.50.205 any

access-list acl_outbound permit tcp host 192.168.50.206 any

access-list acl_outbound permit tcp host 192.168.50.207 any

access-list acl_outbound permit tcp host 192.168.50.208 any

access-list acl_outbound permit tcp host 192.168.50.209 any

access-list acl_outbound permit tcp host 192.168.50.210 any

access-list acl_outbound permit tcp host 192.168.50.211 any

access-list acl_outbound permit tcp host 192.168.50.212 any

access-list acl_outbound permit tcp host 192.168.50.213 any

access-list acl_outbound permit tcp host 192.168.50.214 any

access-list acl_outbound permit tcp host 192.168.50.215 any

access-list acl_outbound permit tcp host 192.168.50.216 any

access-list acl_outbound permit tcp host 192.168.50.217 any

access-list acl_outbound permit tcp host 192.168.50.218 any

access-list acl_outbound permit tcp host 192.168.50.219 any

access-list acl_outbound permit tcp host 192.168.50.220 any

access-list acl_outbound permit tcp host 192.168.50.221 any

access-list acl_outbound permit tcp host 192.168.50.222 any

access-list acl_outbound permit tcp host 192.168.50.223 any

access-list acl_outbound permit tcp host 192.168.50.224 any

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0

access-list acl_outbound permit ip host 192.168.50.51 any

access-list acl_outbound permit tcp host 192.168.50.11 any

access-list acl_outbound permit ip host 192.168.50.13 any

access-list acl_outbound permit tcp host 192.168.50.225 any

access-list acl_inbound permit tcp any host MainOffice eq 3389

access-list acl_inbound permit icmp any any echo-reply

access-list acl_inbound permit icmp any any time-exceeded

access-list acl_inbound permit icmp any any unreachable

access-list acl_inbound permit ip host MainOffice any

access-list acl_inbound permit tcp any any eq ssh

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging console debugging

logging buffered warnings

logging trap warnings

logging history warnings

logging host inside 192.168.50.201

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

icmp permit host MainOffice outside

icmp permit host ConstOffice outside

icmp permit any unreachable outside

icmp permit any echo-reply outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside pppoe setroute

ip address inside 192.168.50.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

no pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list 100

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

timeout xlate 8:00:00

timeout conn 7:00:00 half-closed 6:00:00 udp 7:00:00 rpc 7:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 7:30:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.50.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address 102

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address 101

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer BftOffice

crypto map vpn1 20 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address BftOffice netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet ConstOffice 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 outside

telnet 192.168.52.0 255.255.255.0 outside

telnet BftOffice 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 inside

telnet timeout 10

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.50.0 255.255.255.0 inside

ssh timeout 20

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname xxxxxxxxx

vpdn group pppoex ppp authentication pap

vpdn username xxxxxxxxxx password *********

terminal width 80

: end
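On PIX 6.x a `static` only creates the translation; a packet arriving on the outside interface is still dropped unless the access-list bound there with `access-group ... in interface outside` permits it. The following is an added example, not code from this thread or from Cisco: a small Python checker that parses the `static`, `access-list` and `access-group` lines of a PIX 6.x config (a subset of the ACE syntax: `permit|deny PROTO SRC DST [eq PORT]`, with `any`, `host X` or `X MASK` address specs; `deny` entries are ignored, so the result is an upper bound on reachability) and reports, per static, the source specs of the ACEs that would admit it. The function and helper names are my own. The sample input is excerpted from the running-config posted above.

```python
"""Cross-check PIX 6.x static PAT entries against the inbound access-list.

Added example (not from the thread). Reports, for each 'static', which ACEs
on the ACL bound inbound on the outside interface would permit the flow, and
from which sources. Deny entries are ignored (the sample has none).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service names PIX accepts in place of port numbers (subset).
PORT_NAMES = {"smtp": 25, "pop3": 110, "telnet": 23, "ssh": 22,
              "www": 80, "http": 80, "https": 443, "ftp": 21}

Addr = Tuple[str, Optional[str]]  # (address or 'any', mask or None)


@dataclass
class Static:
    proto: str; glob: str; gport: int; local: str; lport: int


@dataclass
class Ace:
    acl: str; action: str; proto: str; src: Addr; dst: Addr; dport: Optional[int]


STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def port_num(tok: str) -> int:
    tok = tok.lower()
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def take_addr(toks: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address spec ('any' | 'host X' | 'X MASK') starting at toks[i]."""
    if toks[i] == "any":
        return ("any", None), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "255.255.255.255"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def parse(config: str):
    statics, aces, groups = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            proto, glob, gport, local, lport = m.groups()
            statics.append(Static(proto, glob, port_num(gport), local, port_num(lport)))
            continue
        if line.startswith("access-list "):
            toks = line.split()
            if toks[2] not in ("permit", "deny"):      # e.g. 'remark' lines
                continue
            src, i = take_addr(toks, 4)
            if i < len(toks) and toks[i] == "eq":      # source-port qualifier
                i += 2
            dst, i = take_addr(toks, i)
            dport = port_num(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
            aces.append(Ace(toks[1], toks[2], toks[3], src, dst, dport))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(2)] = m.group(1)            # interface -> ACL name
    return statics, aces, groups


def dst_matches(dst: Addr, glob: str) -> bool:
    addr, mask = dst
    if addr == "any" or addr == glob:
        return True
    if mask and mask != "255.255.255.255":
        try:
            return ipaddress.ip_address(glob) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:   # 'name' entries such as MainOffice, or masked x.x.71.7
            return False
    return False


def fmt_src(src: Addr) -> str:
    addr, mask = src
    return addr if mask in (None, "255.255.255.255") else f"{addr}/{mask}"


def inbound_exposure(config: str, outside: str = "outside") -> Dict[str, List[str]]:
    """Map each static to the source specs of permitting ACEs on the outside ACL.

    An empty list means translated but unreachable; 'any' means open to everyone."""
    statics, aces, groups = parse(config)
    acl = groups.get(outside)
    report = {}
    for s in statics:
        key = f"{s.proto}/{s.glob}:{s.gport} -> {s.local}:{s.lport}"
        report[key] = [fmt_src(a.src) for a in aces
                       if a.acl == acl and a.action == "permit"
                       and a.proto in ("ip", s.proto)
                       and dst_matches(a.dst, s.glob)
                       and (a.dport is None or a.dport == s.gport)]
    return report


def open_to_internet(config: str) -> set:
    return {k for k, srcs in inbound_exposure(config).items() if "any" in srcs}


# Excerpt of the running-config posted above (statics, acl_inbound, access-group).
SAMPLE_CONFIG = """
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
"""

if __name__ == "__main__":
    for static, srcs in inbound_exposure(SAMPLE_CONFIG).items():
        print(f"{static:48s} permitted from: {srcs or 'nobody'}")
```

Run over the posted excerpt, only the 3389 static is permitted from `any`; the smtp, pop3 and telnet statics are matched solely by `permit ip host MainOffice any`, whose source is the firewall's own outside address, which no internet client carries. Two other lines in the posted acl_inbound are worth a second look for the same reason: `permit tcp any any eq ssh` together with `ssh 0.0.0.0 0.0.0.0 outside` admits SSH to the PIX itself from any address, and `snmp-server community public` leaves the default read community in place.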

36 Replies

Great, as long as email is working. I know most companies consider it the most important service.

That I will definitely buy! Good deal... I am glad you're moving forward. I love this forum stuff; we not only reinforce the knowledge everyone has, but everyone continues to learn. :)

OK, now that we've gone through all of this... for the sheer heck of it I added all the other static lines back in....

you're gonna love this...

It's all working now! What's with that?! Haha.

I don't know why it wouldn't pick up, but now it is on all ports.

I have the following in static now...

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

All of which work... (I had to come home to test all of them, of course, since it's hard to do from within the network that the firewall is protecting.)

So, negate what we 'learned'... you can do inbound PAT on a one-to-many basis. But I still don't understand why it didn't work until I removed all the static lines and added them back in. (That seems to be what changed when it started working, since I removed them all to add just one at a time.)

So... I dunno, maybe it's user error? Ha, wouldn't surprise me, but it all works now.

Thanks guys,

Dave

Well, I'll be a son-of-a-b!*$@!!!! I have no idea what I am talking about then!!! HA HA.

I am just glad you are working, and maybe someone else watching the boards can help us understand.

Later.

I have seen some weird things with the static mappings on PIXs. I had one issue with a client when I could not get a one-to-one static map to one server to work. I tried everything. After a while, I decided that I would try mapping a different external address just to test, and it worked. I switched back to the other one and it stopped working. The first IP was in the middle of the range, so I know it wasn't a subnet issue. I ended up calling their ISP and changing their DNS records instead of using that other IP. To make matters worse, later they added a server that needed to be accessed from the internet and I had to use the other IP because it was the only one left in their range, and it worked when I used it with that server. I just chalked it up to one of those computer things I will never figure out.

Can you send me all your static statements AND all your NAT/global statements (or maybe post your entire working config one last time)? I want to check this because you certainly can create multiple PAT statements to different ports; I've done it plenty of times.

Well, it's all working fine now, but here they are anyway. :)

static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

nat (inside) 0 access-list 100

nat (inside) 10 192.168.50.13 255.255.255.255 0 0

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

I don't think I need that nat 10 entry, so I'll be taking it out next time I'm at home and testing to make sure.
