Numptyboy

Cable Modem with fixed IP using NAT to PIX501 firewall using NAT - limited outbound access

Problem: Currently I can only obtain access beyond the PIX from the server at 192.168.1.10 with config file below.

I have been struggling with this off and on for 4 weeks (never configured a PIX before :/ ), we have a network configuration as follows.

ISP fixed IP - 89-xxx-xxx-xx --- ADSL Modem --- Nat Internal to - 192.168.0.1
PIX501 connected to ADSL Modem - outside network is 192.168.0.2, inside network is 192.168.1.0/12
PIX Version 6.3

We need unfettered access for all internal PC/Macs through the PIX (ie. not to be routed through the server)
We need all external requests from the PIX to be routed to the server eg. POP/SMTP/FTP/SQLNET/HTTP/HTTPS/FilemakerServer
PDM + Console access to just one machine - 192.168.1.11
And finally we have one machine outside the PIX on a shared switch before the ADSL Modem which needs to be regarded as a Trusted address - 192.168.0.101

Any help with a functioning config file for the above would be appreciated, alas it is beyond me.

'A man has to know his limitations'

----snip----
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxx encrypted
> passwd xxxxx encrypted
> hostname pix
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> object-group network WORLD
> description The world
> network-object 0.0.0.0 0.0.0.0
> object-group network EXTERNAL
> network-object host 192.168.0.2
> object-group network INTERNAL
> description INSIDE
> network-object 192.168.1.0 255.255.255.0
> object-group service INBOUND-TCP tcp
> description Static Inbound Services
> port-object eq 110
> port-object eq smtp
> port-object eq 21
> port-object eq 80
> port-object eq 443
> port-object eq 53
> object-group service INBOUND-UDP udp
> description Static Inbound Services
> port-object eq 53
> access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL object-group INBOUND-TCP
> access-list OUTSIDE permit udp object-group WORLD object-group EXTERNAL object-group INBOUND-UDP
> access-list OUTSIDE permit icmp any any echo-reply
> access-list OUTSIDE permit icmp any any traceroute
> access-list OUTSIDE permit icmp any any time-exceeded
> access-list OUTSIDE permit icmp any any unreachable
> pager lines 24
> logging on
> logging buffered info
> ip address outside 192.168.0.2 255.255.255.0
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> http server enable
> http 192.168.1.11 255.255.255.255 inside
> global (outside) 1 interface
> nat (inside) 1 192.168.1.0 255.255.255.0
> static (inside,outside) 192.168.0.2 192.168.1.10
> access-group OUTSIDE in interface outside
> route outside 0.0.0.0 0.0.0.0 192.168.0.1
> telnet 192.168.1.11 255.255.255.255 inside
> ----snip----
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
Numptyboy

ASKER

After switching off DHCP (defaulted to on when reset pix to factory default) and removing the static inside outside, bling first time. This resource is priceless, many many thanks to the 'watchover' known as lrmoore.
Glad to help..
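The resolution above came down to one line: the `static (inside,outside) 192.168.0.2 192.168.1.10` entry reuses the very address that `global (outside) 1 interface` hands out as the PAT address, so only the server kept a working translation. As an added example (not code from the thread, the asker, or Cisco), the following Python lint parses the NAT-relevant lines of a PIX 6.x config and flags any static whose global address collides with a PAT address on the same interface; the sample config is constructed from the lines posted in the question.

```python
"""Lint a PIX 6.x config for a static that reuses an outside PAT address."""
import re

# Constructed sample: the NAT-relevant lines from the config posted in the question.
SAMPLE_CONFIG = """\
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.0.2 192.168.1.10
"""

IP_ADDR = re.compile(r"ip address (\S+) (\S+) \S+")
GLOBAL = re.compile(r"global \((\S+)\) (\d+) (\S+)")
STATIC = re.compile(r"static \(([^,]+),([^)]+)\) (\S+) (\S+)")


def parse_nat(config):
    """Collect interface addresses, global pools and statics from a PIX 6.x config."""
    ifaces, pools, statics = {}, [], []
    for raw in config.splitlines():
        line = raw.strip().lstrip("> ")  # tolerate mail-style '>' quoting
        if m := IP_ADDR.match(line):
            ifaces[m[1]] = m[2]                            # iface -> address
        elif m := GLOBAL.match(line):
            pools.append((m[1], int(m[2]), m[3]))          # (iface, id, addr|'interface')
        elif m := STATIC.match(line):
            statics.append((m[1], m[2], m[3], m[4]))       # (local_if, global_if, global, local)
    return ifaces, pools, statics


def find_static_pat_collisions(config):
    """Return (static, reason) pairs where a static's global address is also a PAT
    address on that interface ('interface' resolves to the interface's own IP).
    A hit reproduces the symptom in the question: only the static's local host
    gets out, everything else in the nat range has no usable translation."""
    ifaces, pools, statics = parse_nat(config)
    pat_addrs = {}  # iface -> set of PAT/global addresses
    for iface, _pool_id, addr in pools:
        resolved = ifaces.get(iface) if addr == "interface" else addr
        pat_addrs.setdefault(iface, set()).add(resolved)
    findings = []
    for s in statics:
        _local_if, global_if, global_addr, local_addr = s
        if global_addr in pat_addrs.get(global_if, set()):
            findings.append((s, f"static for {local_addr} reuses PAT address "
                                f"{global_addr} on {global_if}; remove it or give "
                                f"the static its own global address"))
    return findings


if __name__ == "__main__":
    for _static, reason in find_static_pat_collisions(SAMPLE_CONFIG):
        print(reason)
```

Running it against the posted config reports the single colliding static; deleting that line, as the asker did, makes the lint return no findings.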