Solved

Cisco PIX NAT and static inside/outside from internal IPs

Posted on 2004-04-20
Last Modified: 2013-11-16
My Cisco PIX 501 OS version 6.2(2) is ip outside X.242 and inside 10.0.0.254.  I want to forward traffic to X.242 (the PIX itself) Port 80 to an internal server (Historical reasons).  I’ve used the following config and everything works fine. Everybody can connect to the Internet and the Internet can use the port forward.  But the internal people cannot connect to the port forward.

From inside the following does NOT work:  “telnet 196.X.X.242 80”

Extract of my config:
ip address outside 196.X.X.242 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
access-list 100 permit ip 10.0.0.0 255.0.0.0 any
access-group 100 in interface inside
access-list 101 permit icmp any any
access-list 101 permit tcp any host 196.X.X.242 eq www
access-group 101 in interface outside
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp 196.X.X.242 80 10.0.0.10 80 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 196.X.X.241 1

I think the PIX does not do the NAT for internal IPs to the port forward.  Does anybody have any tips?

Question by:louwtjie
LVL 4

Accepted Solution

by:
hawgpig earned 250 total points
ID: 10873438
Try this....
static (inside,outside) tcp interface 80 10.0.0.10 80 dns netmask 255.255.255.255 0 0
Instead of this...
static (inside,outside) tcp 196.X.X.242 80 10.0.0.10 80 netmask 255.255.255.255 0 0
do a
clear x
and a
clear arp


The word interface should be substituted for the outside IP Address and add the "DNS" just before the word netmask and it will do the DNS doctoring...
This of course assumes you are using an external DNS

Good Luck....
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10878379
Also look at the alias command.  I don't think the 'DNS' entry will work on anything bar PIX 6.3?
The following command will work with your config, as you already have access lists and static NAT set up:

alias (inside) 10.0.0.10 196.x.x.242 255.255.255.255

More info - http://www.cisco.com/warp/public/110/alias.html

 
LVL 1

Author Comment

by:louwtjie
ID: 10880416
After getting the first solution, I read up more on DNS on Cisco and also noted that the first option should not work on that “old” OS, but it did.

The DNS option translates the DNS requests from the inside to an outside server very nicely by reporting the internal IP number.

Thanks,
 
LVL 4

Expert Comment

by:hawgpig
ID: 10883926
Just to let you guys know, this was actually started in 6.2(2)... It was not well published... I actually started working for Cisco just before 6.2(2) came out... the DNS statement on the static will work in 6.2(2).
Louwtjie
Right, it is the replacement for DNS doctoring (the alias command) from previous versions of PIX OS. The alias command is not accepted by PDM. PDM will not work with the alias command, so the dns statement in the static is taking its place.
FYI