Solved

Cable Modem with fixed IP using NAT to PIX501 firewall using NAT - limited outbound access

Posted on 2003-10-22
3
459 Views
Last Modified: 2013-11-16
Cable Modem with fixed IP using NAT to PIX501 firewall using NAT - linited outbound access

Problem: Currently I can only obtain access beyond the PIX from the server at 192.168.1.10 with config file below.

I have been struggling with this off and on for 4 weeks (never configed PIX before :/ ), we have a network configuration as follows.

ISP fixed IP - 89-xxx-xxx-xx --- ADSL Modem --- Nat Internal to - 192.168.0.1
PIX501 connected to ADSL Modem - outside network is 192.168.0.2, inside network is 192.168.1.0/12
PIX Version 6.3

We need unfettered access for all internal PC/Macs through the PIX (ie. not to be routed through the server)
We need all external requests from the PIX to be routed to the server eg. POP/SMTP/FTP/SQLNET/HTTP/HTTPS/FilemakerServer
PDM + Console access to just one machine - 192.168.1.11
And finally we have one machine outside the PIX on a shared switch before the ADSL Modem which needs to be regarded as a Trusted address - 192.168.0.101

Any help with a functioning config file for the above would be appreciated, alas it is beyond me.

'A man has to know his limitations'

 ----snip----
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxx encrypted
> passwd xxxxx encrypted
> hostname pix
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> object-group network WORLD
> description The world
> network-object 0.0.0.0 0.0.0.0
> object-group network EXTERNAL
> network-object host 192.168.0.2
> object-group network INTERNAL
> description INSIDE
> network-object 192.168.1.0 255.255.255.0
> object-group service INBOUND-TCP tcp
> description Static Inbound Services
> port-object eq 110
> port-object eq smtp
> port-object eq 21
> port-object eq 80
> port-object eq 443
> port-object eq 53
> object-group service INBOUND-UDP udp
> description Static Inbound Services
> port-object eq 53
> access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL
> object-group INBOUND-TCP
> access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL
> object-group INBOUND-UDP
> access-list OUTSIDE permit icmp any any echo-reply
> access-list OUTSIDE permit icmp any any traceroute
> access-list OUTSIDE permit icmp any any time-exceeded
> access-list OUTSIDE permit icmp any any unreachable
> pager lines 24
> logging on
> logging buffered info
> ip address outside 192.168.0.2 255.255.255.0
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> http server enable
> http 192.168.1.11 255.255.255.255 inside
> global (outside) 1 interface
> nat (inside) 1 192.168.1.0 255.255.255.0
> static (inside,outside) 192.168.0.2 192.168.1.10
> access-group OUTSIDE in interface outside
> route outside 0.0.0.0 0.0.0.0 192.168.0.1
> telnet 192.168.1.11 255.255.255.255 inside
> ----snip----
0
Comment
Question by:Numptyboy
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 9609212
>> static (inside,outside) 192.168.0.2 192.168.1.10
This is your culprit. You can create static PORT maps to this inside host, for example if you run a web server on it:
static (inside,outside) tcp interface 80 192.168.1.10 80

But since you've mapped all ports from the interface IP to the inside host, that is the only one that can go out.

Suggest removing the static, then "clear xlate" and try again..
0
 

Author Comment

by:Numptyboy
ID: 9617028
After switching of DHCP (defaulted to on when reset pix to factory default) and removing the static inside outside, bling first time. This resource is priceless, many many thanks to the 'watchover' known as lrmoore.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9617049
Glad to help..
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question