  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 156
506E / Multiple Servers / 2600 w/ T1s

I'm having problems getting all of my NAT and related settings working.

Here is what I need to do.

My outside IP range is 70.241.39.2-254 (70.241.39.1 is the IP of the 2600 router on the T1s).
My inside IP range is 10.8.1.0-254.

I have several servers that I need to NAT.

70.241.39.25 > 10.8.1.2 (This is the AD machine w/ DNS server running)
70.241.39.35 > 10.8.1.4 (Exchange 2000 for email pop3/imap/etc)
70.241.39.45 > 10.8.1.107 (Linux email)
70.241.39.55 > 10.8.1.3 (Websites)

Then for convenience I'd like to be able to forward
70.241.39.100 > 10.8.1.100 (Desktop on inside)

I'll paste my config.

I've been able to get outbound traffic to work, and I think my global/NAT pools are way jacked, so any recommendations on them and their schema would be greatly appreciated.

Also, when I'm in the PIX I can't ping anything from its outside interface, nor can anything ping or whatever from inside to outside (I tried playing w/ the ICMP stuff but I know I have it wrong).

Thanks.


---------------------------------------------------------------------------
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 656 encrypted
passwd 5656 encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 70.241.39.3 255.255.255.0
ip address inside 10.8.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 2 70.241.39.15 netmask 255.255.255.0
nat (inside) 2 10.8.1.0 255.255.255.0 0 0
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.35 10.8.1.4 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.241.39.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.8.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.8.1.100-10.8.1.150 inside
dhcpd dns 151.164.169.201 151.164.67.201
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:ceb12d10619ebd4d121e9cc2b0656310
1 Solution
 
lrmooreCommented:
One suggestion on your global:
Either don't use a mask, or use "interface".
This will set up PAT, for example:

   global (outside) 2 interface
or
   global (outside) 2 70.241.39.15

You're on the right track with the statics, just keep going:
   static (inside,outside) 70.241.39.45 10.8.1.107 netmask 255.255.255.255
   static (inside,outside) 70.241.39.55 10.8.1.3 netmask 255.255.255.255
   static (inside,outside) 70.241.39.100 10.8.1.100 netmask 255.255.255.255

Always "clear xlate" when changing statics, before and after changes:
pix#clear xlate

Now, just let some traffic in. I don't suggest using "tcp any any". You must also explicitly permit icmp traffic in your acl:

 no access-list out_in permit tcp any any
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any unreachable
access-list out_in permit icmp any any ttl-exceeded
access-list out_in permit udp any host 70.241.39.25 eq domain  <- dns queries use UDP
access-list out_in permit tcp any host 70.241.39.25 eq domain
access-list out_in permit tcp any host 70.241.39.35 eq smtp
access-list out_in permit tcp any host 70.241.39.35 eq pop3
access-list out_in permit tcp any host 70.241.39.35 eq imap
access-list out_in permit tcp any host 70.241.39.45 eq smtp
access-list out_in permit tcp any host 70.241.39.55 eq http
access-list out_in permit tcp any host 70.241.39.55 eq https
<etc>

Always re-apply the acl to the interface after making any changes:
   access-group out_in in interface outside

Since you are using Exchange, you'll have to turn off the fixup:
    no fixup protocol smtp 25

That should just about do it for you....
0
 
NickUAAuthor Commented:
lrmoore: it's really weird... I went by your changes (I actually got the UDP DNS one working right after I posted)... but I can't get any of the other static/access-lists to work. They don't even hit the access-list count.

static (inside,outside) 70.241.39.10 10.8.1.107 netmask 255.255.255.255

access-list out_in permit tcp any host 70.241.39.10 eq http (did www also)

This should pull up an Apache webpage on the Linux machine...

I even did

access-list out_in permit tcp any host 70.241.39.25 eq http (did www also)
and I have IIS6 running w/ a default webpage running (I can get to it from inside) and when I go to http://70.241.39.25 it times out and pulls nothing up... it's really strange?

Thanks,
Nick
0
 
lrmooreCommented:
What is the default gateway of the apache server? Is it 10.8.1.1 ???
Same with the IIS server ...
0
 
NickUAAuthor Commented:
ahh **** nm lrmoore - it works... just I can't go to those IPs from inside the PIX. I guess they don't go out the PIX and then back in? Is there a way I can make it work from inside the PIX? Make sense?

So that when I go to http://ipaddressofthings or http://mail.mydomain.com, which resolves to the same IP, it pulls up when I'm on a machine behind the PIX?

Thanks,
Nick
0
 
lrmooreCommented:
If you want to do it from inside the pix?
Use Alias and DNS Doctoring:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Let me know if you can't access that link. Do you have a CCO login?
0
 
NickUAAuthor Commented:
lrmoore, I don't have a CCO login - I did at one time and I don't know where the username/pass is to save my life. Can you email the article to me? ndozier@uark.edu

Thanks.
0
 
lrmooreCommented:
Try this:

http://24.215.255.213/Alias.pdf

I'll shut off access in an hour...
0
 
lrmooreCommented:
You might have to use this link...
http://24.214.255.213/alias.pdf

it appears that IIS6 may be case-sensitive on the file name. I'm no Web guru...
0
 
NickUAAuthor Commented:
lrmoore - trying to download... doesn't seem to be going through.
0
 
lrmooreCommented:
Check your email then..
0
 
NickUAAuthor Commented:
Okay lrmoore - one last problem. I think it's possibly PIX related, as I've tried troubleshooting all of our networks here. Here is the 99% working config. What's going on now is that my AD/DNS server 10.8.1.2 and the other "servers" are having problems talking to each other, and I think it may be an alias or static thing but I'm not sure. It seems any computer that I have a static assigned to will start to drop packets on the inside of the network. Example:

I have 2 desktops in house that are just DHCP workstations... they can ping each other all day long, the servers can ping them just fine, no problems. If I try and ping the servers from a workstation the server(s) will respond maybe 1 time and time out the rest... but from the server to the workstation the workstation replies every time. Also, from server to server some servers can talk to each other, some can't... it's really strange. Any help would be appreciated.

Thanks,
Nick

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password asdfencrypted
passwd asdf encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
access-list out_in permit udp any host 70.241.39.25 eq domain
access-list out_in permit tcp any host 70.241.39.25 eq www
access-list out_in permit tcp any host 70.241.39.10 eq www
access-list out_in permit tcp any host 70.241.39.30 eq smtp
access-list out_in permit tcp any host 70.241.39.30 eq 143
access-list out_in permit tcp any host 70.241.39.30 eq pop3
access-list out_in permit tcp any host 70.241.39.10 eq smtp
access-list out_in permit tcp any host 70.241.39.10 eq pop3
access-list out_in permit tcp any host 70.241.39.10 eq 143
access-list out_in permit tcp any host 70.241.39.47 eq www
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any unreachable
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 70.241.39.3 255.255.255.0
ip address inside 10.8.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.8.1.107 70.241.39.10 255.255.255.255
alias (inside) 10.8.1.2 70.241.39.25 255.255.255.255
alias (inside) 10.8.1.4 70.241.39.30 255.255.255.255
alias (inside) 10.8.1.12 70.241.39.47 255.255.255.255
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.10 10.8.1.107 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.30 10.8.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.47 10.8.1.12 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.241.38.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.8.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.8.1.100-10.8.1.150 inside
dhcpd dns 151.164.169.201 151.164.67.201
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 100
Cryptochecksum:67f28d9d0cbbc082d23239daa65607de
: end
[OK]
0
 
lrmooreCommented:
Did you notice the very small notation in the alias document that you must disable proxyarp?

sysopt noproxyarp inside
0
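The pitfalls lrmoore walks through in this thread (a blanket `permit tcp any any` on the inbound ACL, a single global address carrying a subnet mask, statics with no host-specific permit, and `alias` without `sysopt noproxyarp inside`) are easy to re-check before pasting a config into the box. Below is a small added lint script, not code from the thread or from Cisco, that runs those four checks over a PIX 6.x config text; the embedded config is a constructed excerpt modelled on the ones posted above.

```python
import re

# Constructed sample, condensed from the kind of PIX 6.x config posted in the thread.
SAMPLE_CONFIG = """\
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
global (outside) 2 70.241.39.15 netmask 255.255.255.0
nat (inside) 2 10.8.1.0 255.255.255.0 0 0
alias (inside) 10.8.1.107 70.241.39.10 255.255.255.255
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.35 10.8.1.4 netmask 255.255.255.255 0 0
access-group out_in in interface outside
"""

def audit_pix_config(config: str) -> list:
    """Return a list of findings for the NAT/ACL pitfalls discussed in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Which ACL names are bound inbound on the outside interface?
    inbound = {m.group(1) for l in lines
               if (m := re.match(r"access-group (\S+) in interface outside", l))}
    acl = [l for l in lines if l.startswith("access-list ")
           and l.split()[1] in inbound]
    # 1. A blanket permit exposes every static on every port of that protocol.
    for l in acl:
        if re.search(r"permit (tcp|udp|ip) any any$", l):
            findings.append(f"inbound ACL is wide open: '{l}'")
    # 2. One global address with a subnet mask: use 'interface' or drop the mask.
    for l in lines:
        m = re.match(r"global \(outside\) \d+ (\S+) netmask (\S+)", l)
        if m and m.group(2) != "255.255.255.255":
            findings.append(f"global {m.group(1)} carries mask {m.group(2)}; "
                            "use 'interface' or drop the mask")
    # 3. Every static should have at least one host-specific permit (or be removed).
    for l in lines:
        m = re.match(r"static \(inside,outside\) (\S+) (\S+)", l)
        if m and not any(f"host {m.group(1)} " in a for a in acl):
            findings.append(f"static {m.group(1)} -> {m.group(2)} has no "
                            "host-specific ACL entry")
    # 4. 'alias' (DNS doctoring) needs proxy ARP disabled on the inside interface.
    if any(l.startswith("alias (inside)") for l in lines) and \
       "sysopt noproxyarp inside" not in lines:
        findings.append("alias present but 'sysopt noproxyarp inside' is missing")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print("-", finding)
```

Against the sample config the script reports four findings, one per pitfall; a config that follows lrmoore's advice produces none.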
 
NickUAAuthor Commented:
lrmoore: once again - you're the man :)  - who reads fine print?

Thanks,
Nick
0
