Solved

Cable Modem with fixed IP using NAT to PIX501 firewall using NAT - limited outbound access

Posted on 2003-10-22
Last Modified: 2013-11-16
Problem: Currently I can only obtain access beyond the PIX from the server at 192.168.1.10 with config file below.

I have been struggling with this off and on for 4 weeks (never configured a PIX before :/ ); we have a network configuration as follows.

ISP fixed IP - 89-xxx-xxx-xx --- ADSL Modem --- NAT internal to 192.168.0.1
PIX501 connected to ADSL Modem - outside network is 192.168.0.2, inside network is 192.168.1.0/12
PIX Version 6.3

We need unfettered access for all internal PCs/Macs through the PIX (i.e. not to be routed through the server)
We need all external requests from the PIX to be routed to the server, e.g. POP/SMTP/FTP/SQLNET/HTTP/HTTPS/FilemakerServer
PDM + Console access to just one machine - 192.168.1.11
And finally we have one machine outside the PIX on a shared switch before the ADSL Modem which needs to be regarded as a Trusted address - 192.168.0.101

Any help with a functioning config file for the above would be appreciated, alas it is beyond me.

'A man has to know his limitations'

----snip----
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxx encrypted
> passwd xxxxx encrypted
> hostname pix
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> object-group network WORLD
> description The world
> network-object 0.0.0.0 0.0.0.0
> object-group network EXTERNAL
> network-object host 192.168.0.2
> object-group network INTERNAL
> description INSIDE
> network-object 192.168.1.0 255.255.255.0
> object-group service INBOUND-TCP tcp
> description Static Inbound Services
> port-object eq 110
> port-object eq smtp
> port-object eq 21
> port-object eq 80
> port-object eq 443
> port-object eq 53
> object-group service INBOUND-UDP udp
> description Static Inbound Services
> port-object eq 53
> access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL object-group INBOUND-TCP
> access-list OUTSIDE permit udp object-group WORLD object-group EXTERNAL object-group INBOUND-UDP
> access-list OUTSIDE permit icmp any any echo-reply
> access-list OUTSIDE permit icmp any any traceroute
> access-list OUTSIDE permit icmp any any time-exceeded
> access-list OUTSIDE permit icmp any any unreachable
> pager lines 24
> logging on
> logging buffered info
> ip address outside 192.168.0.2 255.255.255.0
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> http server enable
> http 192.168.1.11 255.255.255.255 inside
> global (outside) 1 interface
> nat (inside) 1 192.168.1.0 255.255.255.0
> static (inside,outside) 192.168.0.2 192.168.1.10
> access-group OUTSIDE in interface outside
> route outside 0.0.0.0 0.0.0.0 192.168.0.1
> telnet 192.168.1.11 255.255.255.255 inside
> ----snip----
Question by:Numptyboy

Accepted Solution

by:
lrmoore earned 500 total points
ID: 9609212
>> static (inside,outside) 192.168.0.2 192.168.1.10
This is your culprit. You can create static PORT maps to this inside host, for example if you run a web server on it:
static (inside,outside) tcp interface 80 192.168.1.10 80

But since you've mapped all ports from the interface IP to the inside host, that is the only one that can go out.

Suggest removing the static, then "clear xlate" and try again..
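As an added illustration of the point lrmoore makes (this is not code from the thread or from Cisco), the following Python checker reads a PIX config, flags any `static` that claims the whole outside interface address while `global (outside) 1 interface` needs that address for PAT, and generates per-port statics in the form his answer shows, one per port in the INBOUND-TCP/INBOUND-UDP groups. The config text is a constructed excerpt of the one quoted in the question, and the inside host (192.168.1.10) is passed in by the caller.

```python
import re
# Constructed excerpt of the config quoted in the question ('> ' prefixes removed).
PIX_CONFIG = """\
ip address outside 192.168.0.2 255.255.255.0
object-group service INBOUND-TCP tcp
port-object eq 110
port-object eq smtp
port-object eq 21
port-object eq 80
port-object eq 443
port-object eq 53
object-group service INBOUND-UDP udp
port-object eq 53
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.0.2 192.168.1.10
"""

def parse_service_groups(config):
    """Map each 'object-group service' name to (protocol, [ports])."""
    groups, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"object-group service (\S+) (tcp|udp)$", line)
        if m:
            current = m.group(1)
            groups[current] = (m.group(2), [])
            continue
        m = re.match(r"port-object eq (\S+)$", line)
        if m and current:
            groups[current][1].append(m.group(1))
        elif not line.startswith("description"):
            current = None  # any other line ends the group block
    return groups

def find_full_statics_on_interface(config):
    """Return [(mapped_ip, inside_host)] for statics that take the whole outside
    interface address while 'global (outside) N interface' needs it for PAT."""
    ip = re.search(r"^ip address outside (\S+)", config, re.M)
    pat = re.search(r"^global \(outside\) \d+ interface", config, re.M)
    hits = []
    for m in re.finditer(r"^static \(inside,outside\) (\S+) (\S+)(?: netmask.*)?$", config, re.M):
        mapped, real = m.groups()
        if pat and (mapped == "interface" or (ip and mapped == ip.group(1))):
            hits.append((mapped, real))
    return hits

def port_statics(config, inside_host):
    """Per-port replacements in the form the accepted answer shows."""
    return [f"static (inside,outside) {proto} interface {p} {inside_host} {p}"
            for proto, ports in parse_service_groups(config).values() for p in ports]
```

Running `find_full_statics_on_interface(PIX_CONFIG)` on the question's config reports the single offending static; after swapping it for the lines from `port_statics(PIX_CONFIG, "192.168.1.10")` the check comes back empty and the inside subnet can PAT out through the interface address again.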

Author Comment

by:Numptyboy
ID: 9617028
After switching off DHCP (defaulted to on when I reset the PIX to factory default) and removing the static inside outside, bling first time. This resource is priceless, many many thanks to the 'watchover' known as lrmoore.

Expert Comment

by:lrmoore
ID: 9617049
Glad to help..