Posted by on September 22, 2007, 2:24 am
I have spent a lot of time on this and seem to be missing something. Any technical knowledge and help will be greatly appreciated.

I have pasted our PIX config below. You see three static NATs configured. The first two work great. The 3rd static NAT is new, and the config below isn't working right, and actually causes the internal host to lose Internet connectivity. The new static NAT is the one for global IP 216.xxx.xxx.243. What is wrong?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password o6XhYX4TSmjifHY0 encrypted
passwd o6XhYX4TSmjifHY0 encrypted
hostname PIX
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.2 server
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq smtp
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq 3389
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq pop3
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq www
access-list inetACL permit udp any host 66.xxx.xxx.150 eq domain
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq domain
access-list inetACL permit icmp any host 66.xxx.xxx.150
access-list inetACL permit tcp any host 66.xxx.xxx.187 eq 3389
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq https
access-list inetACL permit tcp any host 216.xxx.xxx.243 eq 3389
access-list inetACL permit icmp any host 216.xxx.xxx.243
pager lines 24
logging on
logging buffered informational
logging trap debugging
logging facility 16
logging device-id hostname
logging host inside server 17/1025 format emblem
mtu outside 1500
mtu inside 1500
ip address outside 66.xxx.xxx.186 255.255.255.0
ip address inside 192.168.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.xxx.xxx.150 server netmask 255.255.255.255 0 0
static (inside,outside) 66.xxx.xxx.187 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.243 192.168.2.7 netmask 255.255.255.255 0 0
access-group inetACL in interface outside
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Posted by Brian V on September 22, 2007, 6:58 am
Where are you getting the 216.X..243 address from? Did your ISP just give it to you? If they just gave it to you, are you routing it on your internet router to the Pix? There is nothing wrong with the Pix config IF that is your address and is being routed properly to the Pix.
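An added example, not part of the thread: a small Python check for the condition the reply asks about, listing every static whose global address lies outside the subnet of the interface it is mapped to, so it only reaches the PIX if the upstream router routes it there. The function name `off_subnet_statics` is hypothetical, and because the thread masks its addresses the sample config uses constructed documentation-range addresses in place of the 66.x and 216.x blocks.

```python
import ipaddress
import re

# Constructed sample: the thread masks its addresses, so RFC 5737
# documentation ranges stand in for the 66.x and 216.x blocks.
SAMPLE_CONFIG = """\
name 192.168.2.2 server
ip address outside 198.51.100.186 255.255.255.0
ip address inside 192.168.2.253 255.255.255.0
static (inside,outside) 198.51.100.150 server netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.187 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.243 192.168.2.7 netmask 255.255.255.255 0 0
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def off_subnet_statics(config):
    """Return (global_ip, local_host, interface) for every static whose
    global address is not inside the subnet of its mapped interface."""
    nets, statics = {}, []
    for line in config.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            nets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
            continue
        m = STATIC_RE.match(line)
        if m:
            _real_if, mapped_if, global_ip, local = m.groups()
            statics.append((mapped_if, global_ip, local))
    findings = []
    for mapped_if, global_ip, local in statics:
        net = nets.get(mapped_if)
        try:
            addr = ipaddress.ip_address(global_ip)
        except ValueError:
            continue  # port-redirect form or a masked address: skip
        if net is not None and addr not in net:
            findings.append((global_ip, local, mapped_if))
    return findings


if __name__ == "__main__":
    for global_ip, local, iface in off_subnet_statics(SAMPLE_CONFIG):
        print(f"{global_ip} -> {local}: not in the {iface} subnet; "
              "the upstream router must route it to the PIX")
```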