PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT (Part 3)

Hello,

I have this strange problem and I can't seem to understand it. I have the following situation; I have been posting here before under the same name and subject, so you can read back, though that is probably not needed.

Internet (Zyxel P660HW): WAN: public IP (NATted); LAN: 192.168.168.1, subnet 255.255.255.252

Cisco PIX 506E: WAN: 192.168.168.2, subnet 255.255.255.252 (NATted); LAN: 192.168.68.8, subnet 255.255.255.0

Internal PC: LAN 192.168.68.1, subnet 255.255.255.0

Now what I want is to run several services on my PC (server): DNS, HTTP, HTTPS, RDP, VPN, FTP, SMTP, POP3. Below is the config, and it is not working properly. When I want to connect from the internet (WAN side) to my public IP address, everything is dead/denied. Stealth firewalled... so nothing is responding. What I have tested, and which worked perfectly, was a normal PC with a webserver and FTP server running in place of the internet router, with IP 192.168.168.1, subnet 255.255.255.252. From my LAN I am able to open the website on the webserver and FTP is also OK. When I connect from that PC to 192.168.168.2 on ports like FTP, HTTP, etc. it connects fine! No problems at all. I am sure it is not the Zyxel router that seems to be wrong, but when I put a normal cable router with the same configuration in place of the Cisco PIX, it works.

Anyone any idea...??? Or do I need to bridge the connection to give the PIX a public IP...? I prefer not to do that, because of the less logical network configuration...

Sincerely, Michiel

Config:

: Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************ encrypted
hostname firewall
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.68.1 PC1
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark UDP - DNS
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in remark TCP - DNS
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in remark TCP - FTP Data
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in remark TCP - FTP
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in remark TCP - HTTP
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in remark TCP - HTTPS
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in remark TCP - SMTP
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in remark TCP - RDP
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in remark TCP - Webbased / Remote Admin
access-list outside_access_in permit tcp any any range 7698 7704
access-list outside_access_in remark TCP - PPTP
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in remark IP - GRE
access-list outside_access_in permit gre any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.168.2 255.255.255.252
ip address inside 192.168.68.8 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location PC1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.68.0 255.255.255.0 0 0
static (inside,outside) tcp interface pptp PC1 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7700 PC1 7700 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7701 PC1 7701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7699 PC1 7699 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp PC1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www PC1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain PC1 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain PC1 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp PC1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data PC1 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https PC1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 PC1 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.168.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.68.0 255.255.255.0 inside
floodguard enable
telnet 192.168.68.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
[OK]

One thing more... When I connect to the internet from the LAN through the PIX to the Zyxel, it also works fine! Only the traffic from the internet to the local network is not working.

Thanks, Michiel

"Michiel" wrote in message news:44ec05a5$0$16259$ snipped-for-privacy@dreader25.news.xs4all.nl...

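The symptom in the posts above ("stealth firewalled... nothing is responding") can be pinned down from a host on the internet before touching either box. The following is an added example, not code from the thread: it connects to each exposed port and reports it as open, closed or filtered. "closed" means something answered with a TCP reset, so the packet at least reached a host; "filtered" means nothing came back before the timeout, which is what a packet dropped on the Zyxel and a packet with no matching translation on the PIX both look like from outside. The port list and the loopback self-test are constructed for the example.

```python
import socket

# Services Michiel exposes in the thread (constructed list for the example).
SERVICE_PORTS = {
    "domain": 53, "ftp": 21, "www": 80, "https": 443,
    "smtp": 25, "pptp": 1723, "rdp": 3389,
}


def classify_tcp_port(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     -> the three-way handshake completed; something behind the NAT answered
    closed   -> a RST came back; a host was reached but nothing listens on that port
    filtered -> no reply at all before the timeout (or an ICMP unreachable); this is
                the "stealth" behaviour from the thread: the packet was dropped, by the
                Zyxel, by the PIX (no xlate / ACL deny) or somewhere in between.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:        # must come before OSError (it is a subclass)
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:                       # EHOSTUNREACH / ENETUNREACH from an ICMP error
        return "filtered"
    finally:
        s.close()


def probe(host, ports=SERVICE_PORTS, timeout=3.0):
    """Classify every service port on one host; returns {service: state}."""
    return {name: classify_tcp_port(host, port, timeout) for name, port in ports.items()}


def demo_on_loopback():
    """Offline check of the classifier: a listening socket on 127.0.0.1 reads as
    'open'; the same port after the listener is closed reads as 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = classify_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = classify_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    import sys
    print("loopback self-test:", demo_on_loopback())
    if len(sys.argv) > 1:                 # usage: python probe.py <public-ip>
        for name, state in probe(sys.argv[1]).items():
            print(f"{name:8s} {state}")
```

Run it from a host that is really outside (not from the LAN, where the PIX's inside interface and the Zyxel's NAT get in the way). A result of "closed" on a port you published points at the NAT target rather than the firewalls; a uniform "filtered" on every port, as described in the thread, means the packets are being dropped before any host sees them.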

You can't use the static command's interface keyword in this way.

The interface keyword is used for PAT only, i.e. for users from the inside going to the outside. PAT on the PIX can be done in two ways:-

global (outside) 1 interface
nat (inside) 1 192.168.68.0 255.255.255.0 0 0

like you have done, or like this:-

static (inside,outside) interface 192.168.68.0 netmask 255.255.255.0

To do what you need to do, create a translation on your modem to another IP - you can't use the PIX's outside interface address for this.

James


James wrote:

Actually you can, and looking over the config I think this should work. Didn't you successfully do this with SMTP and HTTP in a previous post?

I have several setups using the outside address of the PIX as a PATed address. Or you could just set up the PIX to NAT the inside host as 192.168.168.3, but then you'd need to change the netmask on the PIX and the router as well.

-SAto


Really?

OK :-)


Yes, I tested it in a previous post, but then there was a normal computer running a webserver and FTP server instead of the Zyxel router. That had the WAN IP of the PIX as its gateway, and that worked fine, but now, changing the situation to the Zyxel... it does not...

What I think in logical terms...

Internet --> Zyxel WAN --> Zyxel LAN --> PIX WAN --> PIX LAN
Public IP NATted --> Zyxel LAN 192.168.168.1 --> PIX WAN 192.168.168.2 NATted --> LAN 192.168.68.0 (my network)

I am right to see it like this, right...? Or am I wrong...?

Because your point about changing the inside to NAT as 192.168.168.3 is what I don't understand... could you explain it to me in more detail...?

Sincerely, Michiel

"SAto" wrote in message news: snipped-for-privacy@b28g2000cwb.googlegroups.com...


Is the Public IP natted to the PIX outside IP on the Zyxel?

James

Michiel wrote:


I am not sure about this...

I don't understand the part

What do you mean by that...?

Sincerely, Michiel

"James" wrote in message news: snipped-for-privacy@i42g2000cwa.googlegroups.com...


The public IP on the Zyxel WAN is NATted to the Zyxel LAN, and a DMZ host is entered to forward all ports to the WAN of the PIX. This is what you mean, right...?

Sincerely, Michiel

"James" wrote in message news: snipped-for-privacy@i42g2000cwa.googlegroups.com...


Is it not the case that the PIX is only accepting incoming connections from network 192.168.168.0/255.255.255.252...? and not from outside that network...? I mean something default in the access list of the PIX...? This is the first time I've been working with a Cisco PIX... I used to work with Zyxel ZyWALLs... which work pretty well, though I wanted to try Cisco... ;)...

"James" wrote in message news: snipped-for-privacy@i42g2000cwa.googlegroups.com...


I don't know the Zyxel device at all however if it was a Cisco device I would NAT the Public IP to the PIX's Outside Interface IP.


Yes, I understand you; that is what I have done... so you are sure that the PIX is configured correctly...? Because then I really have to get into a hard discussion with Valadis/Zyxel Netherlands, because of the DMZ (NAT) function not working well in combination with a PIX... because the strange thing here is that when I have a cable router in the network instead of the PIX, it works well... so my logic was that it is the PIX not functioning well.

I will post again when I have more info... which will probably be later in the day... ;)...

Thanks for your time!

Sincerely, Michiel

"James" wrote in message news: snipped-for-privacy@p79g2000cwp.googlegroups.com...


Can you connect a hub or switch between the Zyxel and PIX and use Ethereal or similar to see if traffic is even arriving at the PIX? If you use a switch remember that you will have to use the Span / Port Mirror feature.

Alternatively, the PIX has some sort of packet capture feature which can be used. I haven't tried it though.

Also enable logging to the PIX's internal buffer, you may get a message indicating the problem.

James

Michiel wrote:


Michiel wrote:

You could change the network between the PIX and the Zyxel to a /29 instead of a /30; that way you could static NAT a new IP address for the server instead of PATing the PIX outside address. Then the only thing you'd have to worry about would be the access rules working, and not the PATing.

-SAto

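SAto's /29 alternative, written out as an added example config for PIX 6.3 (it is not from the thread, and the addresses are assumptions): the link network becomes 192.168.168.0/29 with the Zyxel at .1 and the PIX outside at .2, and 192.168.168.3 is the mapped address for the server, so the Zyxel's DMZ host / port forward target changes from .2 to .3 (the PIX answers ARP for .3 on the outside because of the static). The per-port `tcp interface` statics from the original config are dropped, and the inbound rules are written against the mapped host rather than `any any`, so the access list no longer opens those ports towards anything else that might later sit on the outside side. Lines starting with a colon are comments in the saved-config style.

```text
: link network re-addressed from /30 to /29; the Zyxel LAN side must change too
ip address outside 192.168.168.2 255.255.255.248
: inside users still PAT to the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.68.0 255.255.255.0 0 0
: the server gets its own outside address instead of sharing the PIX interface
static (inside,outside) 192.168.168.3 PC1 netmask 255.255.255.255 0 0
: inbound rules against the mapped address, not "any any"
access-list outside_access_in permit udp any host 192.168.168.3 eq domain
access-list outside_access_in permit tcp any host 192.168.168.3 eq domain
access-list outside_access_in permit tcp any host 192.168.168.3 eq ftp
access-list outside_access_in permit tcp any host 192.168.168.3 eq www
access-list outside_access_in permit tcp any host 192.168.168.3 eq https
access-list outside_access_in permit tcp any host 192.168.168.3 eq smtp
access-list outside_access_in permit tcp any host 192.168.168.3 eq 3389
access-list outside_access_in permit tcp any host 192.168.168.3 range 7698 7704
access-list outside_access_in permit tcp any host 192.168.168.3 eq pptp
access-list outside_access_in permit gre any host 192.168.168.3
access-group outside_access_in in interface outside
```

After changing the translations, run `clear xlate` so no old PAT entries for the interface address linger, then confirm the new entry with `show xlate` and the incoming hits with `show access-list outside_access_in` (the hit counters tell you whether the packets are reaching the ACL at all). The `permit tcp ... eq ftp-data` rule from the original config is not needed here: the `fixup protocol ftp 21` inspection opens the data connection on demand.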

Ok! Thanks!

I just called Zyxel, and they have another option, which is to not use the DMZ but simply forward the port range 1 to 65535. So I will try that first... ;) then I will try your option of using a packet sniffer to see if the data is indeed getting to the PIX...

Thanks!... ;)

Sincerely, Michiel

"James" wrote in message news: snipped-for-privacy@m73g2000cwd.googlegroups.com...


I forgot to tell something very important in the situation...

I said that no traffic is coming through NAT to the server... only one thing is working well: VPN... VPN is no problem... I forgot this because another server was already connected through VPN without me testing it, because the other things like web, SMTP etc. were not working...

That is also the reason why I still have the feeling the problem should be in the PIX...

Anyone know a logical explanation for this...? ;)...

Sincerely, Michiel

"James" wrote in message news: snipped-for-privacy@m73g2000cwd.googlegroups.com...


Strange....

Have you turned on the PIX's logging? If so do a show log and paste the results here.

Try "clear xlate" and see if that helps at all. Cisco recommend that you do a clear xlate after every change to the PIX config.

Failing that if you let me know the Public IP I can run some tests from here.

James

Michiel wrote:



OK, right now I am not able to physically change cables, so later in the day I could change things... I am able to connect to turn on the logging.

Which logging should I enable...? Because I am mostly configuring it from PDM... which seems to be very simple and straightforward... though some things I change through the console...

Sincerely, Michiel

"James" wrote in message news: snipped-for-privacy@i3g2000cwc.googlegroups.com...


logging on
logging timestamp
logging buffered notifications

should do it. If it is a translation problem then the PIX should log it.

Michiel wrote:


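James's three logging commands fill the PIX's internal buffer (read it with `show logging`). The following is an added example, not code from the thread: a small Python parser for the PIX 6.3 syslog messages that decide an inbound connection's fate, namely 305005/305006 (the packet arrived but no static/global translation matched), 106023 (a translation existed but the interface access list denied the packet) and 302013 "Built inbound" (both checks passed and a connection was created). It tallies verdicts per destination port, which separates "the traffic never reaches the PIX" (nothing logged at all, which points at the Zyxel) from "the PIX drops it" (a 305005 or 106023 per attempt). Caveat: `logging buffered notifications` is severity 5, while the "Built ... connection" messages are severity 6, so raise the buffer to `informational` temporarily if you also want to see the connections that succeed. The lines in SAMPLE_LOG are constructed for the example and follow the documented message layouts; address and interface details may look slightly different on a real box.

```python
import re
from collections import Counter

# Constructed sample of a PIX 6.3 buffer (logging timestamp on). Not a real capture.
SAMPLE_LOG = """\
Aug 23 2006 10:01:02: %PIX-3-305005: No translation group found for tcp src outside:203.0.113.10/51234 dst inside:192.168.168.2/80
Aug 23 2006 10:01:05: %PIX-3-305005: No translation group found for tcp src outside:203.0.113.10/51235 dst inside:192.168.168.2/25
Aug 23 2006 10:01:09: %PIX-4-106023: Deny tcp src outside:203.0.113.10/51236 dst inside:192.168.68.1/3389 by access-group "outside_access_in"
Aug 23 2006 10:01:12: %PIX-6-302013: Built inbound TCP connection 117 for outside:203.0.113.10/51237 (203.0.113.10/51237) to inside:PC1/1723 (192.168.168.2/1723)
Aug 23 2006 10:01:15: %PIX-6-302015: Built outbound UDP connection 118 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:PC1/1029 (192.168.168.2/1029)
"""

# Message IDs that matter for an inbound NAT/ACL problem and what each one means.
VERDICT = {
    "305005": "no-xlate",   # no static/global matched the packet
    "305006": "no-xlate",   # translation creation failed
    "106023": "acl-deny",   # interface access-list dropped it
    "302013": "built",      # TCP connection created (direction filled in below)
}

MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")

# "... <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> ..." (305005, 305006, 106023)
FLOW_RE = re.compile(
    r"(?P<proto>tcp|udp|icmp)\s+src\s+(?P<sif>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))?"
    r"\s+dst\s+(?P<dif>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?", re.I)

# "Built inbound TCP connection N for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)"
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<sif>\w+):(?P<sip>[\w.]+)/(?P<sport>\d+) \([\w.]+/\d+\) to "
    r"(?P<dif>\w+):(?P<dip>[\w.]+)/(?P<dport>\d+) \((?P<mip>[\d.]+)/(?P<mport>\d+)\)")


def parse_line(line):
    """Return a dict for a message we care about, or None for anything else."""
    m = MSG_RE.search(line)
    if not m or m.group("id") not in VERDICT:
        return None
    msg_id, body = m.group("id"), m.group("body")
    f = BUILT_RE.search(body) if msg_id == "302013" else FLOW_RE.search(body)
    if not f:
        return {"id": msg_id, "verdict": VERDICT[msg_id], "raw": body}
    rec = {
        "id": msg_id,
        "verdict": VERDICT[msg_id],
        "proto": f.group("proto").lower(),
        "src": f"{f.group('sip')}/{f.group('sport') or '-'}",
        "dst": f"{f.group('dip')}/{f.group('dport') or '-'}",
        "dport": f.group("dport"),
    }
    if msg_id == "302013":
        rec["verdict"] = "built-" + f.group("dir")
    return rec


def summarize(lines):
    """Count (destination port, verdict) pairs so failing services and the reason stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("dport"):
            counts[(rec["dport"], rec["verdict"])] += 1
    return counts


if __name__ == "__main__":
    import sys
    # usage: python pixlog.py [saved-show-logging-output]
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for (port, verdict), n in sorted(summarize(source).items(), key=lambda kv: int(kv[0][0])):
        print(f"dst port {port:>5}: {verdict:15s} x{n}")
```

Reading the sample output: ports 80 and 25 fail with no-xlate (the packet reached the PIX but no translation matched), 3389 reaches a translation and is then denied by the access list, and 1723 is built inbound, which matches the thread's observation that PPTP VPN works while the rest does not. If a probe from the internet produces no 305005, 106023 or 302013 at all, the PIX never saw the packets, which is the case that points at the Zyxel rather than the PIX.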

Hello James and everyone...

I finally managed to get the PIX to work with the Zyxel... the problem was in the Zyxel; somehow, with some answering IPs, it does not forward the ports but stealths them...

I am glad that the Zyxel will be replaced by an Cisco 876... ;)...

Thanks and many Thanks for all the good input!

Michiel


