Cable Modem with fixed IP using NAT to PIX501 firewall using NAT - limited outbound access

Posted on 2003-10-22
Last Modified: 2013-11-16

Problem: Currently I can only obtain access beyond the PIX from the server at 192.168.1.10 with config file below.

I have been struggling with this off and on for 4 weeks (never configured a PIX before :/ ); we have a network configuration as follows.

ISP fixed IP - 89-xxx-xxx-xx --- ADSL Modem --- NAT internal to - 192.168.0.1
PIX501 connected to ADSL Modem - outside network is 192.168.0.2, inside network is 192.168.1.0/12
PIX Version 6.3

We need unfettered access for all internal PC/Macs through the PIX (ie. not to be routed through the server)
We need all external requests from the PIX to be routed to the server eg. POP/SMTP/FTP/SQLNET/HTTP/HTTPS/FilemakerServer
PDM + Console access to just one machine - 192.168.1.11
And finally we have one machine outside the PIX on a shared switch before the ADSL Modem which needs to be regarded as a Trusted address - 192.168.0.101

Any help with a functioning config file for the above would be appreciated, alas it is beyond me.

'A man has to know his limitations'

 ----snip----
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxx encrypted
> passwd xxxxx encrypted
> hostname pix
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> object-group network WORLD
> description The world
> network-object 0.0.0.0 0.0.0.0
> object-group network EXTERNAL
> network-object host 192.168.0.2
> object-group network INTERNAL
> description INSIDE
> network-object 192.168.1.0 255.255.255.0
> object-group service INBOUND-TCP tcp
> description Static Inbound Services
> port-object eq 110
> port-object eq smtp
> port-object eq 21
> port-object eq 80
> port-object eq 443
> port-object eq 53
> object-group service INBOUND-UDP udp
> description Static Inbound Services
> port-object eq 53
> access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL object-group INBOUND-TCP
> access-list OUTSIDE permit udp object-group WORLD object-group EXTERNAL object-group INBOUND-UDP
> access-list OUTSIDE permit icmp any any echo-reply
> access-list OUTSIDE permit icmp any any traceroute
> access-list OUTSIDE permit icmp any any time-exceeded
> access-list OUTSIDE permit icmp any any unreachable
> pager lines 24
> logging on
> logging buffered info
> ip address outside 192.168.0.2 255.255.255.0
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> http server enable
> http 192.168.1.11 255.255.255.255 inside
> global (outside) 1 interface
> nat (inside) 1 192.168.1.0 255.255.255.0
> static (inside,outside) 192.168.0.2 192.168.1.10
> access-group OUTSIDE in interface outside
> route outside 0.0.0.0 0.0.0.0 192.168.0.1
> telnet 192.168.1.11 255.255.255.255 inside
> ----snip----
Question by:Numptyboy

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 9609212
>> static (inside,outside) 192.168.0.2 192.168.1.10
This is your culprit. You can create static PORT maps to this inside host, for example if you run a web server on it:
static (inside,outside) tcp interface 80 192.168.1.10 80

But since you've mapped all ports from the interface IP to the inside host, that is the only one that can go out.

Suggest removing the static, then "clear xlate" and try again.
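The fix lrmoore describes, written out as an added example in PIX 6.3 syntax (this is not the original poster's config nor lrmoore's own text): the one-to-one static that claims the whole outside address is removed, and per-port statics on the interface address forward only the inbound services to 192.168.1.10, so the interface PAT from `global (outside) 1 interface` is left free for every other inside host. The ports follow the INBOUND-TCP and INBOUND-UDP groups already in the posted config; the SQL*Net port is taken from the `fixup protocol sqlnet 1521` line; the FileMaker Server port is not given anywhere in the thread and is left as a placeholder.

```cisco
! Added example (PIX 6.3), not the original poster's config.
! 1. Drop the one-to-one static: it maps every port of 192.168.0.2 to the
!    server, which is why no other inside host could leave via PAT.
no static (inside,outside) 192.168.0.2 192.168.1.10
! 2. Per-port statics on the outside interface address. Only these ports are
!    forwarded to the server; every other port remains available to PAT.
static (inside,outside) tcp interface 25 192.168.1.10 25
static (inside,outside) tcp interface 110 192.168.1.10 110
static (inside,outside) tcp interface 21 192.168.1.10 21
static (inside,outside) tcp interface 80 192.168.1.10 80
static (inside,outside) tcp interface 443 192.168.1.10 443
static (inside,outside) tcp interface 1521 192.168.1.10 1521
static (inside,outside) tcp interface 53 192.168.1.10 53
static (inside,outside) udp interface 53 192.168.1.10 53
! FileMaker Server: port not stated in the thread, substitute the real value
static (inside,outside) tcp interface <FILEMAKER-PORT> 192.168.1.10 <FILEMAKER-PORT>
! 3. Outbound PAT for the whole inside subnet, unchanged from the posted config
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
! 4. The statics only create translations; the OUTSIDE access-list (already
!    permitting INBOUND-TCP/INBOUND-UDP to 192.168.0.2) still gates the traffic.
access-group OUTSIDE in interface outside
! 5. Flush existing translations so the new statics take effect immediately
clear xlate
```

Two practical checks after applying this: the ADSL modem in front of the PIX does its own NAT, so the same inbound ports must also be forwarded from the ISP address to 192.168.0.2 or nothing reaches the PIX at all; and `show xlate` should now list a PAT entry (PAT Global 192.168.0.2) for an ordinary inside workstation once it opens an outbound connection, which is the sign that the interface address is no longer monopolised by the server. Note that the per-port statics expose only the listed services, which is also the least-privilege posture here: the old static published every port of the server to the outside.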

Author Comment

by:Numptyboy
ID: 9617028
After switching off DHCP (defaulted to on when I reset the PIX to factory default) and removing the static inside,outside, bling first time. This resource is priceless, many many thanks to the 'watchover' known as lrmoore.

Expert Comment

by:lrmoore
ID: 9617049
Glad to help..