PIX 515 DMZ can't access Internet

To all PIX experts,

I have a PIX 515 running 6.3(3) software. A Windows 2003 server (which I plan to use as an FTP server) sits in the DMZ with the private IP 192.168.17.100.

This private IP is statically NATed to a public IP address, 209.181.x.y. This public IP is different from the global public IP, 209.181.a.b, which is being used for NATing the internal private-IP systems.

Related entries are below:

nameif ethernet0 outside security0
nameif ethernet2 dmz security20
global (outside) 1 209.181.a.b netmask 255.255.255.248
nat (dmz) 1 192.168.17.0 255.255.255.0
static (dmz,outside) 209.181.x.y 192.168.17.100 netmask 255.255.255.255 0 0

The issue is I cannot get outside (to the Internet) from this Windows 2003 server.

If I change the IP of this Win 2003 server to 192.168.17.101 (no static here, NAT with the public global IP) then it will work.

Any idea what I am missing...

BV

Reply to
bavien

Whatever the next hop is beyond your PIX: does it know to *route* 209.181.x.y to your PIX public IP 209.181.a.b?

The PIX will proxy arp for 209.181.x.y, but proxy arp is often unreliable.

Reply to
Walter Roberson

Thanks Walter...

The PIX 515 is part of the DSL setup, behind a Cisco 837 DSL router, with a range of 8 IP addresses (6 usable) from the DSL provider.

Are you suggesting I need to look into the config of the Cisco 837? If you are, what am I looking for in particular?

Thanks again.

BV

Reply to
bavien

Just wondering if the x.y address is in the range of 6 represented by a.b? Don't you have to exclude the address used for the static translation from the pool?

John

Reply to
baynes10

No, static() overrides nat/global (except nat 0 access-list).

Reply to
Walter Roberson

6 usable? Or 5? Or 4?

.0 - base address
.7 - broadcast address
.something - 837's LAN address

That's the minimum usable setup if your IP address range is brought to you on a "carrier" IP range. But if your IP address range is direct, then you have

.something - 837's WAN address
.somethingelse - ISP's WAN address

leaving only 4 usable IPs (unless you overload the 837's WAN address to forward to something internal.)

In any case, on the 837, you would put something like

route inside 290.181.x.0 0.0.0.7 host 209.181.a.b

replacing 290.181.x.0 with the base IP address of your range.

Reply to
Walter Roberson
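To make the address accounting above concrete, here is an added example (not from the thread or from Cisco) that parses the poster's global/static lines, marks which addresses of the /29 are already spoken for, and emits an IOS host route per static translation. The .1/.2/.3 octets standing in for the x.y and a.b placeholders, and the assumption that the PIX outside address is the global address, are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the poster's config: the x.y / a.b placeholders are
# filled with assumed values (.3 for the static, .2 for the global pool).
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet2 dmz security20
global (outside) 1 209.181.0.2 netmask 255.255.255.248
nat (dmz) 1 192.168.17.0 255.255.255.0
static (dmz,outside) 209.181.0.3 192.168.17.100 netmask 255.255.255.255 0 0
"""

def parse_pix(config):
    """Extract global pools and static translations from PIX 6.x config text."""
    pools, statics = [], []
    for line in config.strip().splitlines():
        g = re.match(r"global \((\w+)\) \d+ (\S+) netmask (\S+)", line)
        if g:
            addr = ipaddress.ip_address(g.group(2))
            pools.append((g.group(1), addr,
                          ipaddress.ip_network(f"{addr}/{g.group(3)}", strict=False)))
        s = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask", line)
        if s:
            statics.append((s.group(2), ipaddress.ip_address(s.group(3)),
                            ipaddress.ip_address(s.group(4))))
    return pools, statics

def check_plan(config, router_lan_addr):
    """Account for every address in the /29 and build the upstream host routes.
    Assumes the PIX outside address is the global address (as in the thread)."""
    pools, statics = parse_pix(config)
    _, global_addr, block = pools[0]
    used = {block.network_address: "network", block.broadcast_address: "broadcast",
            ipaddress.ip_address(router_lan_addr): "837 LAN",
            global_addr: "PIX global/outside"}
    problems, routes = [], []
    for _iface, pub, priv in statics:
        if pub not in block:
            problems.append(f"static {pub} is outside {block}; needs its own route upstream")
        elif pub in used:
            problems.append(f"static {pub} collides with {used[pub]}")
        else:
            used[pub] = f"static for {priv}"
        # An explicit IOS host route to the PIX removes the dependency on proxy ARP.
        routes.append(f"ip route {pub} 255.255.255.255 {global_addr}")
    free = [str(a) for a in block.hosts() if a not in used]
    return {"block": str(block), "used": {str(k): v for k, v in used.items()},
            "free": free, "problems": problems, "routes": routes}
```

Running check_plan(PIX_CONFIG, "209.181.0.1") reports the block as 209.181.0.0/29 with .4, .5 and .6 still free and a single host route for the static.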

In my Cisco 837 DSL router there is an entry relating to routing:

"ip route 0.0.0.0 0.0.0.0 Dialer0"

Dialer0 is "ip unnumbered Ethernet0" and Ethernet0 is assigned the WAN IP, which is another IP address (different from both 209.181.x.y and 209.181.a.b).

The above ip route command should be sufficient... right?

BV

Reply to
bavien
