03-11-2005 02:18 PM - edited 03-05-2019 11:28 AM
I'm trying to have users on an outside LAN (10.1.1.x) browse or use telnet services via PAT to an inside LAN (192.168.1.x). So a user browsing 'http://10.1.1.5:50000' would reach the web server on port 80 at 192.168.1.50.
Here's the current rules. I've put in comments as the way I understand these rules to work.
--- PIX 501 V6.2(2) ---
# this is my outside LAN from which I'm trying to access
# specific host from using PAT overloading
ip address outside 10.1.1.5 255.255.255.0
# and this is the inside LAN
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
# I want users on the outside to browse host 192.168.1.5
# using a URI like http://10.1.1.5:50000
static (inside,outside) tcp interface 50000 192.168.1.50 www netmask 255.255.255.255 0 0
# ... and the same for telnet
static (inside,outside) tcp interface 50001 192.168.1.50 telnet netmask 255.255.255.255 0 0
# added this as told so that outside host 10.1.1.30
# could talk to the PIX 501, not really clear to me
# why though.
access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50000
access-group out2in in interface outside
--- Just more info ---
# show static
outside 10.1.1.0 255.255.255.0 10.1.1.5 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
While trying to add either of these ...
access-list out2in permit tcp any interface outside eq 50000
results in "ERROR: invalid IP address interface"
access-list out2in permit tcp any outside eq 50000
results in "ERROR: invalid IP address outside"
Am I missing anything? Any help much appreciated.
03-11-2005 04:57 PM
Just to be clear: Is the 10.1.1.0 network a fake value you put in for security, or is that the real address you're trying to use?
10.0.0.0 is a "Private" IP address range, and would be filtered (hopefully) by the first Internet / ISP edge switch it encountered.
If your intended users are on a 10.1.1.0/24 LAN, they are certainly going through a firewall or proxy device. You'd need to use their WAN address as the inbound source and pass that via static to your internal (192.168.1.0) device.
Also, PIX does not allow you to Telnet (TO the PIX, through is OK) from the outside. You CAN SSH, or connect via PDM ... neither is really advised. The PIX only supports SSH v1, which was broken a long time ago, and any access directly from the outside is generally considered a security risk.
Let us know ...
Scott
03-14-2005 08:59 AM
Yes, the 10.1.1.0 network is real and is the LAN where the host machines reside that browse and telnet to the hosts on the 192.168.1.0 LAN.
Internet<-->Firewall<-->10.1.1.0 (LAN)<-->Pix 501<-->192.168.1.0
So for example, 10.1.1.30 wants to browse the web server on 192.168.1.50 using the port 50000, so by entering http://10.1.1.5:5000 in the URI, 10.1.1.30 should see it. 10.1.1.5 is the IP of the Pix 501.
As far as the telnet goes, I'm not telnet'ing to the PIX, but to those same machines on the 192.168.1.x from the 10.1.1.x LAN.
Here's my current config ...
--- PIX 501 V6.2(2) ---
# this is my outside LAN from which I'm trying to access
# specific host from ... using PAT overloading
ip address outside 10.1.1.5 255.255.255.0
# and this is the inside LAN
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
# I want users on the outside to browse host 192.168.1.50
# using a URI like http://10.1.1.5:50000
static (inside,outside) tcp interface 50000 192.168.1.50 www netmask 255.255.255.255 0 0
# ... and the same for telnet
static (inside,outside) tcp interface 50001 192.168.1.50 telnet netmask 255.255.255.255 0 0
# Needed for outside host 10.1.1.30 to talk to the PIX 501
access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50000
access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50001
access-group out2in in interface outside
# not sure if needed, but I added this also, but no success
fixup protocol http 50000
---
The one thing I'm noticing is that each time I try to browse 'http://10.1.1.5:50000', or do the same with telnet on 50001, the hitcount increments by one like it's receiving the request for that access-list item.
#show access-list
access-list out2in permit tcp host 10.1.1.11 host 10.1.1.5 eq 50000 (hitcnt=1)
---
Any help much appreciated.
03-12-2005 06:31 PM
Make sure that your command:
access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq www
doesn't fall after your:
access-list out2in deny any any
command
03-14-2005 09:05 AM
I don't have anything that says access-list out2in deny any any. All I have in my list are as follows ...
# show access-list
access-list out2in; 2 elements
access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50000 (hitcnt=1)
access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50001 (hitcnt=0)
So whether this is before the other commands or after is dependent upon the order they were entered as commands? Or as shown in the list?
03-16-2005 07:28 AM
Anyone? (I need to keep this thread alive and going)
03-28-2005 09:21 AM
Am I supposed to add in the following line?
access-list out2in deny any any
... I did try this and it didn't take. I got a 'Usage' message.
Any suggestions?
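A small Python model of how a PIX 6.x handles the inbound flow discussed in this thread, added here as an illustration and not code from the thread or from Cisco: the outside access-list is evaluated first-match in the order `show access-list` displays it, against the mapped address and port (10.1.1.5:50000, not 192.168.1.50:80), an implicit deny follows the last entry, the protocol keyword is mandatory in an access-list entry (so `deny any any` only yields a usage message, while `deny ip any any` parses), and only after the ACL permits does the static PAT entry hand the connection to the real host. `OUTSIDE_IF` and the helper names are assumptions; the config lines are the ones posted above.

```python
from ipaddress import ip_address, ip_network
SERVICES = {"www": 80, "telnet": 23}  # PIX service keywords used in the thread
OUTSIDE_IF = "10.1.1.5"               # what the 'interface' keyword resolves to (from the thread)
def _port(tok):
    return SERVICES[tok] if tok in SERVICES else int(tok)

def _addr(t, i):
    # any | host A.B.C.D | A.B.C.D M.M.M.M  ->  (network, index of the next token)
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1]), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    # access-list <id> {permit|deny} <protocol> <src> <dst> [eq <port>]; the protocol is
    # mandatory, which is why 'deny any any' gets only a usage message from the PIX.
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError("Usage: access-list <id> permit|deny <protocol> <src> <dst> [eq <port>]")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return (t[2], t[3], src, dst, dport)

def parse_static(line):
    # static (inside,outside) tcp interface <mapped_port> <real_ip> <real_port> netmask ...
    t = line.split()
    mapped_ip = OUTSIDE_IF if t[3] == "interface" else t[3]
    return (mapped_ip, _port(t[4])), (t[5], _port(t[6]))

def inbound(acl, statics, src, dst, dport, proto="tcp"):
    """First match wins, in listed order, against the MAPPED address/port; then static PAT."""
    for n, (action, aproto, asrc, adst, aport) in enumerate(acl, 1):
        if aproto in ("ip", proto) and ip_address(src) in asrc and ip_address(dst) in adst and aport in (None, dport):
            if action == "deny":
                return None, f"denied by line {n}"
            break
    else:
        return None, "implicit deny"  # the PIX appends this itself; no explicit entry is needed
    real = statics.get((dst, dport))
    return real, "translated" if real else "no static for mapped port"

ACL = [parse_ace(l) for l in (
    "access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50000",
    "access-list out2in permit tcp host 10.1.1.30 host 10.1.1.5 eq 50001")]
STATICS = dict(parse_static(l) for l in (
    "static (inside,outside) tcp interface 50000 192.168.1.50 www netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp interface 50001 192.168.1.50 telnet netmask 255.255.255.255 0 0"))
```

Calling `inbound(ACL, STATICS, "10.1.1.30", "10.1.1.5", 50000)` yields the real server 192.168.1.50:80, while a source such as 10.1.1.11 that appears in no entry falls through to the implicit deny, and a `deny ip any any` placed before the permits blocks everything, which is the ordering point raised in the replies above.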