Pix 506E Access problem

Hi all --

Have a weird problem that I can't seem to figure out. Any help on this greatly appreciated.

[I applied "clear xlate" of course after all changes]

I have three servers, with internal IPs of -63. They are protected by a Cisco Pix 506E.

Only the first one (.61) can route out to the internet (which is bad, since I need to update security patches and what-not).

I believe the problem is related to how my access lists are set up; if I power down .61 and start up one of the others with that address (.61) I can magically route out.

Sadly, the obvious work-around of :

static (inside,outside) netmask 0 0 static (inside,outside) netmask 0 0

Won't work because the Pix complains of a duplicate route ... sigh.

Other weird issue, I have to use the console (and Minicom); I can't SSH into the Pix even though I set it up. I *CAN* SSH into the box, and I can see my Webserver. That works. I'd like to be able to set it up so I can SSH into other boxes; and add another Webserver but that's not critical (and if I'm reading the documentation it conflicts with PAT, at least I infer that from the online guide).

My most important issue is to get the other servers (.62 and .63) able to see the internet (so I can install software / security updates remotely). I'm just running command line so that's all I need.

Complete configuration below:

PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password ________________ encrypted passwd ______________________ encrypted hostname pixfirewall domain-name somenett.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list 101 permit tcp any host eq www access-list 101 permit tcp host host eq ssh access-list 101 permit tcp host host eq ssh pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside ip address inside ip audit info action alarm ip audit attack action alarm pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0 0 static (inside,outside) netmask 0 0 access-group 101 in interface outside route outside 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local aaa authentication ssh console LOCAL aaa authorization command LOCAL http server enable http inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh inside ssh timeout 10 console timeout 0 dhcpd address inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside username ******* password _____________encrypted privilege 15 username ********* password _____________ encrypted privilege 15 privilege show level 0 command version privilege show level 0 command curpriv privilege show level 3 command pdm privilege show level 3 command blocks privilege show level 3 command ssh privilege configure level 3 command who privilege show level 3 command isakmp privilege show level 3 command ipsec privilege show level 3 command vpdn privilege show level 3 command local-host privilege show level 3 command interface privilege show level 3 command ip privilege configure level 3 command ping privilege show level 3 command uauth privilege configure level 5 mode enable command configure privilege show level 5 command running-config privilege show level 5 command privilege privilege show level 5 command clock privilege show level 5 command ntp privilege show level 5 mode configure command logging privilege show level 5 command fragment
Reply to
Loading thread data ...

okay - you have with the above line is forwarded everything to the inside host .61 AND you have NAT for inside hosts outbound on the same IP.

This sure will blow things up and over... Result = only .61 will work on the Net.

The subnet mask indicates that other IP are in the range that you have. Do you control the IP planning ? If so you can assign other IPs, unike IP, to each hosts. That would make it work.

Otherwise you are left with the only option to do PAT. i.e. port forwarding. this is doen with the following command instead of your present static : static (inside,outside) tcp interface 80 80 netmask this will forward web to .61 at your interface IP (i.e. as you might have guessed, you can only forward ONE port once. hence if you have multiple services you are in bad luck, and need to run it on non-standard ports. static (inside,outside) tcp interface 22 22 netmask will forward SSH to inside host .61 and the offcourse you need to start by deleting the static you have to start with...

HTH Martin Bilgrav

Reply to
Martin Bilgrav

Martin --

Dude you rock!

Configuration was applied in the freezing data center, I'd forgotten to bring my jacket. Hence the missing of the netmask to .240 instead of .0 . Well I guess that was my Homer Simpson moment.

Here's what I changed:

ip address outside

static (inside,outside) tcp interface www www netmask 0 0 static (inside,outside) tcp interface ssh ssh netmask 0 0

And now everything works.

My original settings were taken from an example off Cisco's website. Sigh.

My setup is that the ISP provides about 8 public IPs; I'd like to bind them to the outside interface (currently I have only the first one done so i.e. and set up static routes from the outside so I can directly SSH or whatever directly into the boxes from specific IPs. Or possibly set up another webserver later on in the cage (i.e. add a box and have it be internal IP 192.168.1.xx)

I'm told this is possible but I don't see an explanation of how this is done.

Anyone have any suggestions?

And Martin --- once again you rock. Thank you thank you thank you!

Mart> > global (outside) 1 interface

Reply to

Aerosmith rocks - I just sing-along ... but thx

Do what you started out with, just with other Ip than the outside interface: fx static (inside,outside) netmask

0 0 static (inside,outside) netmask 0 0

Will forward EVERYTHING your ACL allows onto the IP's in the static Still they have to be unike, i.e. only use one IP once, interface, static, or global So if you'd like SSH to .62 inside add this to your ACL on the outside interface: access-list 101 permit tcp host host eq ssh

And yes, you can run PAT at the same time as this Static NAT senario.


HTH Martin Bilgrav

Reply to
Martin Bilgrav

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.