Cisco PIX NAT and static inside/outside from internal IP's
My Cisco PIX 501 OS version 6.2(2) is ip outside X.242 and inside 10.0.0.254. I want to forward traffic to X.242 (the PIX itself) Port 80 to an internal server (Historical reasons). I’ve use the following config and everything words fine. Everybody can connect to the Internet and the Internet can use the port forward. But the internal people cannot connect to the port forward.
From inside the following does NOT work: “telnet 196.X.X.242 80”
Extract of my config:
ip address outside 196.X.X.242 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
access-list 100 permit ip 10.0.0.0 255.0.0.0 any
access-group 100 in interface inside
access-list 101 permit icmp any any
access-list 101 permit tcp any host 196.X.X.242 eq www
access-group 101 in interface outside
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp 196.X.X.242 80 10.0.0.10 80 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 196.X.X.241 1
I think the PIX do not do the NAT for internal IP, to the port forward. Does anybody have any tips?
From inside the following does NOT work: “telnet 196.X.X.242 80”
Extract of my config:
ip address outside 196.X.X.242 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
access-list 100 permit ip 10.0.0.0 255.0.0.0 any
access-group 100 in interface inside
access-list 101 permit icmp any any
access-list 101 permit tcp any host 196.X.X.242 eq www
access-group 101 in interface outside
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp 196.X.X.242 80 10.0.0.10 80 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 196.X.X.241 1
I think the PIX do not do the NAT for internal IP, to the port forward. Does anybody have any tips?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
After getting the first solution, I read up more on DNS on Cisco and also noted that the first option should not work on that “old” OS, but it did.
The DNS option translate the DNS requires from the inside to an outside server very nicely by reporting the internal IP number
Thanks,
The DNS option translate the DNS requires from the inside to an outside server very nicely by reporting the internal IP number
Thanks,
Just to let you guys know this was actually started in 6.2(2)....It was not well published.....I actually started working for cisco just before 6.2(2) came out......the DNS statement on the static will work in 6.2(2).
Louwtjie
Right, it is the replacemet for dns doctoring (the alias command) from previous versions of pix os. The alias command is not accepted by PDM. PDM will not work with the alias command, So the dns statement in the static is taking it's place.
FYI
Louwtjie
Right, it is the replacemet for dns doctoring (the alias command) from previous versions of pix os. The alias command is not accepted by PDM. PDM will not work with the alias command, So the dns statement in the static is taking it's place.
FYI
The following command will work with your config, as you already have access lists and static nat setup:
alias (inside) 10.0.0.10 196.x.x.242 255.255.255.255
More info - http://www.cisco.com/warp/public/110/alias.html