Solved

506E / Multiple Servers / 2600 w/ T1s

Posted on 2004-09-20 | 142 Views | Last Modified: 2010-04-09
I'm having problems getting all of my NAT and whatnot working.

Here is what I need to do.

My outside IP range is 70.241.39.2-254 (70.241.39.1 is the IP of the 2600 router on the T1s).
My inside IP range is 10.8.1.0-254.

I have several servers that I need to be NATed:

70.241.39.25 > 10.8.1.2 (This is the AD machine w/ DNS server running)
70.241.39.35 > 10.8.1.4 (Exchange 2000 for email pop3/imap/etc)
70.241.39.45 > 10.8.1.107 (Linux email)
70.241.39.55 > 10.8.1.3 (Websites)

Then, for convenience, I'd like to be able to forward
70.241.39.100 > 10.8.1.100 (Desktop on inside)

I'll paste my config.

I've been able to get outbound traffic to work, and I think my global/NAT pools are way jacked, so any recommendations on them and their schema would be greatly appreciated.

Also, when I'm in the PIX I can't ping anything from its outside interface, nor can anything ping or whatever from inside to outside (I tried playing with the ICMP stuff but I know I have it wrong).

Thanks.


---------------------------------------------------------------------------
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 656 encrypted
passwd 5656 encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 70.241.39.3 255.255.255.0
ip address inside 10.8.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 2 70.241.39.15 netmask 255.255.255.0
nat (inside) 2 10.8.1.0 255.255.255.0 0 0
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.35 10.8.1.4 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.241.39.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.8.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.8.1.100-10.8.1.150 inside
dhcpd dns 151.164.169.201 151.164.67.201
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:ceb12d10619ebd4d121e9cc2b0656310
Question by: NickUA

13 Comments

Accepted Solution by lrmoore (LVL 79, earned 500 total points), ID: 12107456
One suggestion on your global:
Either don't use a mask, or use "interface".
This will set up PAT, for example:

   global (outside) 2 interface
or
   global (outside) 2 70.241.29.15

You're on the right track with the statics, just keep going:
   static (inside,outside) 70.241.39.45 10.8.1.107 netmask 255.255.255.255
   static (inside,outside) 70.241.39.55 10.8.1.3 netmask 255.255.255.255
   static (inside,outside) 70.241.39.100 10.8.1.100 netmask 255.255.255.255

Always "clear xlate" when changing statics, before and after the changes:
pix#clear xlate

Now, just let some traffic in. I don't suggest using "tcp any any". You must also explicitly permit ICMP traffic in your ACL:

no access-list out_in permit tcp any any
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any unreachable
access-list out_in permit icmp any any ttl-exceeded
access-list out_in permit udp any host 70.241.39.25 eq domain  <- DNS queries use UDP
access-list out_in permit tcp any host 70.241.39.25 eq domain
access-list out_in permit tcp any host 70.241.39.35 eq smtp
access-list out_in permit tcp any host 70.241.39.35 eq pop3
access-list out_in permit tcp any host 70.241.39.35 eq imap
access-list out_in permit tcp any host 70.241.39.45 eq smtp
access-list out_in permit tcp any host 70.241.39.55 eq http
access-list out_in permit tcp any host 70.241.39.55 eq https
<etc>

Always re-apply the ACL to the interface after making any changes:
   access-group out_in in interface outside

Since you are using Exchange, you'll have to turn off the fixup:
    no fixup protocol smtp 25

That should just about do it for you....
Author Comment by NickUA (LVL 1), ID: 12107599
lrmoore: it's really weird... I went by your changes (I actually got the UDP DNS one working right after I posted)... but I can't get any of the other static/access-lists to work. They don't even hit the access-list count.

static (inside,outside) 70.241.39.10 10.8.1.107 netmask 255.255.255.255

access-list out_in permit tcp any host 70.241.39.10 eq http (did www also)

This should pull up an Apache webpage on the Linux machine...

I even did

access-list out_in permit tcp any host 70.241.39.25 eq http (did www also)
and I have IIS6 running with a default webpage (I can get to it from inside), and when I go to http://70.241.39.25 it times out and pulls nothing up... It's really strange?

Thanks,
Nick
Expert Comment by lrmoore (LVL 79), ID: 12107632
What is the default gateway of the apache server? Is it 10.8.1.1 ???
Same with the IIS server ...
Author Comment by NickUA (LVL 1), ID: 12107642
Ahh **** nm lrmoore - it works... just I can't go to those IPs from inside the PIX.. I guess they don't go out the PIX and then back in? Is there a way I can make it work from inside the PIX? Make sense?

So that when I go to http://ipaddressofthings or http://mail.mydomain.com (which resolves to the same IP) it pulls up when I'm on a machine behind the PIX?

Thanks,
Nick
Expert Comment by lrmoore (LVL 79), ID: 12107657
If you want to do it from inside the PIX, use Alias and DNS Doctoring:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Let me know if you can't access that link. Do you have a CCO login?
Author Comment by NickUA (LVL 1), ID: 12107698
lrmoore, I don't have a CCO login - I did at one time and I don't know where the username/pass is to save my life. Can you email the article to me? ndozier@uark.edu

Thanks.
Expert Comment by lrmoore (LVL 79), ID: 12107725
Try this:

http://24.215.255.213/Alias.pdf

I'll shut off access in an hour...
Expert Comment by lrmoore (LVL 79), ID: 12107728
You might have to use this link...
http://24.214.255.213/alias.pdf

It appears that IIS6 may be case-sensitive on the file name. I'm no web guru...
Author Comment by NickUA (LVL 1), ID: 12107900
lrmoore - trying to download... doesn't seem to be going through.
Expert Comment by lrmoore (LVL 79), ID: 12107949
Check your email then..
Author Comment by NickUA (LVL 1), ID: 12115192
Okay lrmoore - one last problem.. I think it's possibly PIX related, as I've tried troubleshooting all of our networks here. Here is the 99% working config. What's going on now.. is that my AD/DNS server 10.8.1.2 and the other "servers" are having problems talking to each other, and I think it may be an alias or static thing, but I'm not sure. It seems any computer that I have a static assigned to will start to drop packets on the inside of the network. Example:

I have 2 desktops in house that are just DHCP workstations... they can ping each other all day long, the servers can ping them just fine, no problems. If I try and ping the servers from a workstation, the server(s) will respond maybe 1 time and time out the rest... but from the server to the workstation, the workstation replies every time. Also, from server to server some servers can talk to each other, some can't... it's really strange. Any help would be appreciated.

Thanks,
Nick

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password asdfencrypted
passwd asdf encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
access-list out_in permit udp any host 70.241.39.25 eq domain
access-list out_in permit tcp any host 70.241.39.25 eq www
access-list out_in permit tcp any host 70.241.39.10 eq www
access-list out_in permit tcp any host 70.241.39.30 eq smtp
access-list out_in permit tcp any host 70.241.39.30 eq 143
access-list out_in permit tcp any host 70.241.39.30 eq pop3
access-list out_in permit tcp any host 70.241.39.10 eq smtp
access-list out_in permit tcp any host 70.241.39.10 eq pop3
access-list out_in permit tcp any host 70.241.39.10 eq 143
access-list out_in permit tcp any host 70.241.39.47 eq www
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any unreachable
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 70.241.39.3 255.255.255.0
ip address inside 10.8.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.8.1.107 70.241.39.10 255.255.255.255
alias (inside) 10.8.1.2 70.241.39.25 255.255.255.255
alias (inside) 10.8.1.4 70.241.39.30 255.255.255.255
alias (inside) 10.8.1.12 70.241.39.47 255.255.255.255
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.10 10.8.1.107 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.30 10.8.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.47 10.8.1.12 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.241.38.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.8.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.8.1.100-10.8.1.150 inside
dhcpd dns 151.164.169.201 151.164.67.201
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 100
Cryptochecksum:67f28d9d0cbbc082d23239daa65607de
: end
[OK]
Expert Comment by lrmoore (LVL 79), ID: 12115465
Did you notice the very small notation in the alias document that you must disable proxyarp?

sysopt noproxyarp inside
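The checks lrmoore raises across the thread (drop the "tcp any any" entry, give every static an explicit permit, use "interface" or a bare IP for the global, and disable proxy ARP once alias is in play) can be automated against a pasted PIX 6.x config. The script below is an added example written for this thread, not code from Cisco or from either poster; the sample config inside it is constructed to resemble the ones posted here, and the regexes assume the PIX 6.x line formats shown in the thread.

```python
"""PIX 6.x config audit that flags the issues raised in this thread.
Added example; not code from Cisco, lrmoore or NickUA."""
import re
from typing import Dict, List, Set

# Constructed sample shaped like the poster's configs; not a real device dump.
SAMPLE_CONFIG = """\
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
access-list out_in permit icmp any any echo-reply
global (outside) 2 70.241.39.15 netmask 255.255.255.0
alias (inside) 10.8.1.2 70.241.39.25 255.255.255.255
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.30 10.8.1.4 netmask 255.255.255.255 0 0
access-group out_in in interface outside
"""
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list \S+ permit (\S+) \S+ (.*)$")
GLOBAL_RE = re.compile(r"^global \(\w+\) \d+ \S+ netmask")


def audit_pix(config: str) -> Dict[str, List[str]]:
    """Return findings keyed by check; an empty list means the check passed."""
    findings: Dict[str, List[str]] = {"wide_open_acl": [], "global_with_mask": [],
                                      "static_without_acl": [], "alias_without_noproxyarp": []}
    statics: Dict[str, str] = {}  # outside IP -> inside IP
    acl_hosts: Set[str] = set()   # outside IPs named as 'host X' in permit lines
    has_alias = noproxyarp_inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
        elif m := ACL_RE.match(line):
            proto, dst = m.group(1), m.group(2).split()
            if dst[0] == "host":
                acl_hosts.add(dst[1])
            elif dst[0] == "any" and proto != "icmp" and "eq" not in dst:
                findings["wide_open_acl"].append(line)  # the 'tcp any any' lrmoore rejected
        elif GLOBAL_RE.match(line):
            findings["global_with_mask"].append(line)  # use 'interface' or a bare IP
        elif line.startswith("alias "):
            has_alias = True
        elif line == "sysopt noproxyarp inside":
            noproxyarp_inside = True
    for outside, inside in statics.items():
        if outside not in acl_hosts:  # static exists but no ACL lets traffic reach it
            findings["static_without_acl"].append(f"{outside} -> {inside}")
    if has_alias and not noproxyarp_inside:
        findings["alias_without_noproxyarp"].append("alias set: add 'sysopt noproxyarp inside'")
    return findings
```

Paste a running config into `audit_pix` and any non-empty list is a line to revisit before the next `clear xlate`.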
 
LVL 1

Author Comment

by:NickUA
ID: 12118655
lrmoore: once again - you're the man :)  - who reads fine print?

Thanks,
Nick