[x]
Posted via EE Mobile

Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.
Question
[x]
Attachment Details

515E PIX one-to-one NAT

Asked by mthomas4 in Enterprise Firewalls, Networking Hardware Firewalls, Network Routers

Hi Experts,

I'm getting very frustrated trying to configure what I thought was supposed to be a relatively straight-forward task.

I recently got a /29 point-to-point connection from my ISP, and have configured my outside interface accordingly (216.16.243.178 255.255.255.248).  It's my understanding that I should be able to specify a NAT static (inside,outside) type rule to map public IPs to specific machines on my inside interface.

I've inherited this PIX config, and I have a feeling I'm missing something.  Everything I've read says I should able to do what I'm trying to do.  I can't seem to get any traffic to reach the servers unless I use 216.16.243.178 as my public IP in DNS, AND if I specify that IP in my rule (instead of 'interface IP') it no longer works.

What the heck is going on?  I've attached the config as I have a feeling something is conflicting or I need another access-rule or something.  I'm hoping a trained eye can spot something amiss.

Thanks. 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:

: Saved
:
PIX Version 7.2(2) 
!
hostname eei-pix
domain-name eei.com
enable password xxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 216.16.243.178 255.255.255.248 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.30.30.10 255.255.255.0 
!
passwd xxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name eei.com
access-list outside_access_in remark Providing Public HTTP access to the DMZ Web Server
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq pop3 
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 4443 
access-list outside_access_in extended permit tcp any interface outside eq 81 
access-list outside_access_in extended permit tcp any interface outside eq 8080 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list eeiPIX_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 
access-list dmz_to_inside extended permit ip any any 
access-list nonatdmz extended permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list split extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list split extended permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0 
pager lines 24
logging enable
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool eeivpnpool 10.10.10.1-10.10.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 1 192.168.1.199 netmask 255.255.255.255
global (dmz) 200 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
nat (dmz) 200 10.30.30.30 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.200 pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 444 192.168.1.200 444 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.199 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 81 192.168.1.200 81 netmask 255.255.255.255 
static (inside,outside) tcp interface smtp 192.168.1.200 smtp netmask 255.255.255.255 
static (dmz,outside) tcp interface 8443 10.30.30.30 8443 netmask 255.255.255.255 
static (dmz,outside) tcp interface https 10.30.30.30 https netmask 255.255.255.255 
static (dmz,outside) tcp interface 8081 10.30.30.30 8081 netmask 255.255.255.255 
static (dmz,outside) tcp interface 8080 10.30.30.30 8080 netmask 255.255.255.255 
static (dmz,outside) tcp interface 4443 10.30.30.30 4443 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.1.198 www netmask 255.255.255.255 
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group dmz_to_inside in interface dmz
route outside 0.0.0.0 0.0.0.0 216.16.243.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy eeiPIX internal
group-policy eeiPIX attributes
 wins-server value 192.168.1.200 192.168.1.199
 dns-server value 192.168.1.200 63.208.196.92
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value eeiPIX_splitTunnelAcl
 default-domain value eei.com
group-policy eeiPIX! internal
group-policy eeiPIX! attributes
 wins-server value 192.168.1.200 192.168.1.199
 dns-server value 192.168.1.200 63.208.196.92
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value eei.com
username eeipix password xxxx encrypted privilege 15
username eeivpn password xxxx encrypted privilege 0
username eeivpn attributes
 vpn-group-policy eeiPIX!
http server enable
http 192.168.1.10 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group eeiPIX type ipsec-ra
tunnel-group eeiPIX general-attributes
 address-pool eeivpnpool
 default-group-policy eeiPIX!
tunnel-group eeiPIX ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:xxxx
: end
asdm image flash:/asdm
no asdm history enable
[+][-]11/03/09 07:01 AM, ID: 25729550Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]11/03/09 07:48 AM, ID: 25730076Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]11/03/09 07:50 AM, ID: 25730103Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]11/03/09 07:57 AM, ID: 25730205Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]11/03/09 08:13 AM, ID: 25730430Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]11/03/09 08:45 AM, ID: 25730824Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]11/03/09 08:46 AM, ID: 25730846Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]11/03/09 10:01 AM, ID: 25731656Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]11/03/09 11:14 AM, ID: 25732394Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]11/03/09 11:42 AM, ID: 25732687Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]11/03/09 11:46 AM, ID: 25732729Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]11/03/09 11:49 AM, ID: 25732766Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]11/03/09 11:58 AM, ID: 25732886Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]11/03/09 03:04 PM, ID: 25734880Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
 
Loading Advertisement...
20091111-EE-VQP-92 - Hierarchy / EE_QW_3_20080625