Can't NAT from outside with PIX 515


I have this testing environment:

outside security 0 - public range /26
inside security 100 - 192.168.10/24
dmz security 75 - 192.168.0/24

There is a "permit ip any any" applied on all interfaces.

Then I have:

static (inside, dmz) netmask
static (dmz, outside) netmask

my computer is in inside, a web server is configured at in dmz.

From inside, I can connect to my web server as it should.

From outside I can ping my web server, but cannot connect to anything: http, ssh, telnet. It always gives me a connection timeout.

This same web server works perfectly with public when I use a Cisco 1605 with NAT like this:

ip nat inside source static tcp 80 80

Any tips?

And I forgot to include this: it uses software version 6.3(4).

Did you happen to use the -same- access-list name for each of the access-group statements? If so, that could explain the situation.

You only need the static (inside,dmz) if you need the dmz to be able to initiate connections to the inside, or if for some reason you need your inside computer to be recorded distinctly as on the dmz (e.g., for authentication reasons.)

Otherwise, if you do not need to be able to initiate to inside, you could:

nat (inside) 2
global (dmz) 2

Also, -typically- if you want an inside host to appear as a unique IP address to the dmz (e.g., logging purposes), you would static the IP to itself, or use nat 0 access-list to do much the same thing.

static (inside,dmz) netmask

That behaviour would not surprise me if you have used the same access-list for all three access-group statements.

Walter Roberson

As I said, this is a test setup to solve the problem. It's not our real network layout.

The static (inside, dmz) is intentional, and it's not a problem at all. The problem is that I cannot open a page on the web server from outside with NAT and no restriction.

About the ACLs, they are not the same. There are 3 distinct ACLs with "permit ip any any", one for each interface.

open a connection from a lower security interface to a higher security interface using static and ACL.

But the same thing doesn't happen with connections coming from outside to dmz, although it's exactly the same setup.

I suspect this PIX has a hardware problem... did anyone have the same problem?

[PIX 6.3(4)]

Is it exactly the IP address of the outside interface? If it is, then replace it with the word "interface" and use PAT:

static (dmz,outside) tcp interface www www netmask
static (dmz,outside) tcp interface telnet telnet netmask
static (dmz,outside) tcp interface 22 22 netmask
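For reference, here is the full set of PIX 6.3 commands the thread is circling around (interfaces, outbound NAT, the dmz-to-outside static, the inbound ACL, and the PAT-on-interface variant), written out as an added example. It is not the original poster's configuration or Walter's reply. All addresses are assumptions: 203.0.113.0/26 stands in for the public /26 (203.0.113.1 on the outside interface, 203.0.113.10 as a spare public address), 192.168.0.10 is the dmz web server, and the ACL name outside_in is made up. In 6.3 the inbound ACL matches the translated (global) address, not the real dmz address, which is the detail that most often bites when moving from a router-style "ip nat inside source static" mindset.

```cisco
: Added example, not from the thread. Addresses are assumed, see the
: lead-in above. Lines beginning with ":" are comments.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security75
ip address outside 203.0.113.1 255.255.255.192
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0

: Outbound from inside: dynamic PAT to the outside and dmz interface
: addresses. No static (inside,dmz) is needed unless dmz hosts must
: initiate connections to inside.
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface

: One-to-one static for the dmz web server on a spare public address.
static (dmz,outside) 203.0.113.10 192.168.0.10 netmask 255.255.255.255 0 0

: The static only creates the translation; lower-to-higher security
: traffic is dropped unless an ACL on the outside interface permits it.
: The ACL names the translated (global) address, 203.0.113.10.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq 22
access-list outside_in permit icmp any host 203.0.113.10 echo
access-group outside_in in interface outside

: Variant when there is no spare public address: port-forward on the
: outside interface address itself. The ACL then names the interface
: address (203.0.113.1), and the static is per TCP port.
: static (dmz,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255 0 0
: access-list outside_in permit tcp any host 203.0.113.1 eq www

: After adding or changing static/nat/global commands, clear the existing
: translations; stale xlate entries can leave new connections hanging.
clear xlate
show xlate
show conn
```

A useful check while testing from outside is to run "show xlate" and "show conn" on the PIX during a connection attempt: a static entry in the xlate table with no matching conn entry points at the ACL or routing on the far side rather than at the translation, whereas no xlate at all points at the static itself.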
