Re: help w/ PAT overloading on PIX 501

garygrobe · ‎03-11-2005

I'm trying to have users on an outside LAN (10.1.1.x) browse or use telnet services via PAT to an inside LAN (192.168.1.x). So a user browsing 'http://10.1.1.5:50000' would reach the web server on port 80 at 192.168.1.50.

Here's the current rules. I've put in comments as the way I understand these rules to work.

--- PIC 501 V6.2(2) ---

# this is my outside LAN from which I'm trying to access

# specific host from using PAT overloading

ip address outside 10.1.1.5 255.255.255.0

# and this is the inside LAN

ip address inside 192.168.1.1 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

# I want users on the outside to browse host 192.168.1.5

# using a URI like http://10.1.1.5:50000

static (inside,outside) tcp interface 50000 192.168.1.50 www netmask 255.255.255.255 0 0

# ... and the same for telnet

static (inside,outside) tcp interface 50001 192.168.1.50 telnet netmask 255.255.255.255 0 0

# added this as told so that outside host 10.1.1.30

# could talk to the PIX 501, not really clear to me

# why though.

access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50000

access-group out2in in interface outside

--- Just more info ---

# show static

outside 10.1.1.0 255.255.255.0 10.1.1.5 1 CONNECT static

inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

While trying to add either of these ...

access-list out2in permit tcp any interface outside eq 50000

results in "ERROR: invalid IP address interface"

access-list out2in permit tcp any outside eq 50000

results in "ERROR: invalid IP address outside"

Am I missing anything? Any help much appreciated.

scottmac · ‎03-11-2005

Just to be clear: Is the 10.1.1.0 network a fake value you put in for security, or is that the real address you're trying to use?

10.0.0.0 is a "Private" IP address range, and would be filtered (hopefully) by the first Internet / ISP edge switch it encountered.

If your intended users are on a 10.1.1.0/24 LAN, they are certainly going through a firewall or proxy device. You'd need to use their WAN address as the inbound source and pass that via static to your internal (192.168.1.0) device.

Also, PIX does ntot allow you to Telnet (TO the PIX, through is OK) from the outside. You CAN SSH, or connect via PDM ... neither are really advised. The PIX only supports SSH v1, which was broken a long time ago, and any access directly from the outside is generally considered a security risk.

Let us know ...

Scott

garygrobe · ‎03-14-2005

Yes, the 10.1.1.0 network is real and is the LAN where hosts machines reside to browse and telnet the hosts on the 192.168.1.0 LAN.

Internet<-->Firewall<-->10.1.1.0 (LAN)<-->Pix 501<-->192.168.1.0

So for example, 10.1.1.30 wants to browse the web server on 192.168.1.50 using the port 50000, so by entering http://10.1.1.5:5000 in the URI, 10.1.1.30 should see it. 10.1.1.5 is the IP of the Pix 501.

As far as the telnet goes, I'm not telnet'ing to the PIX, but to those same machines on the 192.168.1.x from the 10.1.1.x LAN.

Here's my current config ...

--- PIC 501 V6.2(2) ---

# this is my outside LAN from which I'm trying to access

# specific host from ... using PAT overloading

ip address outside 10.1.1.5 255.255.255.0

# and this is the inside LAN

ip address inside 192.168.1.1 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

# I want users on the outside to browse host 192.168.1.50

# using a URI like http://10.1.1.5:50000

static (inside,outside) tcp interface 50000 192.168.1.50 www netmask

255.255.255.255 0 0

# ... and the same for telnet

static (inside,outside) tcp interface 50001 192.168.1.50 telnet netmask

255.255.255.255 0 0

# Needed for outside host 10.1.1.30 to talk to the PIX 501

access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50000

access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50001

access-group out2in in interface outside

# not sure if needed, but I added this also, but no success

fixup protocol http 50000

---

The one thing I'm noticing is that each time I try to browse

'http://10.1.1.5:50000', or do the same with telnet on 50001, the

hitcount increments one like it's receiving the request for that

access-list item.

#show access-list

access-list out2in permit tcp host 10.1.1.11 host 10.1.1.5 eq 50000

(hitcnt=1)

---

Any help much appreciated.

timm.benkula · ‎03-12-2005

Make sure that your command:

access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq www

doesn't fall after your:

access-list out2in deny any any

command

garygrobe · ‎03-14-2005

I don't have anything that says access-list out2in deny any any. All I have in my list are as follows ...

# show access-list

access-list out2in; 2 elements

access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50000 (hitcnt=1)

access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50001 (hitcnt=0)

So whether this is before the other commands or after is dependent upon the order they were entered as commands? Or as shown in the list?

garygrobe · ‎03-16-2005

Anyone? (I need to keep this thread alive and going)

garygrobe · ‎03-28-2005

Am I supposed to add in the following line?

access-list out2in deny any any

... I did try this and it didn't take. I got a 'Usage' message.

Any suggestions?