NAT Problem on PIX

Posted on 2005-04-24
Last Modified: 2013-11-16
I am experiencing a maddening problem on our Cisco PIX:

When I setup a NAT rule to bind a global address to an internal server it closes all connectivity to that server. Thus, rather than allowing external data to pass to the internal server (access rule is also setup), it actually blocks that server from accessing external hosts.

Originally, we had this problem with hosts on the inside network, but not for hosts on the dmz. We wiped the setup and everything suddenly worked fine with the new setup.
This then completely stopped working when there was an IP address conflict on the external interface (my mistake) and nothing would go through at all.

So, third try, I have one server on the DMZ and it won't connect to the internet, it also will not be visible.

Perhaps important to note as well:
There is an implicit rule that controls access. However, when I create any type of other rule on the internal interface, the implicit rule stops functioning. I have to create a new rule to allow outgoing traffic. Is this normal?
I am starting to suspect your PIX is not working correctly. We are still using our old firewall until we can get this one to work.

This is our configuration (I changed the external IP addresses)

Building configuration...
: Saved
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password ujZsBO8dBcra862y encrypted
passwd ujZsBO8dBcra862y encrypted
hostname tkypix1
clock timezone JST 9
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name DNS1
access-list outside_access_in permit tcp any host eq domain
access-list inside_access_in permit tcp any host DNS2 eq domain
access-list inside_access_in permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside
ip address inside
ip address dmz
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location dmz
pdm location DNS2 dmz
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0 0
static (dmz,outside) DNS2 netmask 0 0
static (inside,dmz) netmask 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet dmz
telnet intf3
telnet intf4
telnet intf5
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
terminal width 80
: end

Question by:wvanbesien
    LVL 79

    Expert Comment

    >when I create any type of other rule on the internal interface, the implicit rule stops functioning. I have to create a new rule to allow outgoing traffic. Is this normal?
    Correct. This is normal. Only one rule applied at a time implicit, or explicit..

    Remove the acl from the inside interface until you can get everything working, then we can help you write a proper acl to make any restrictions that you want for outbound traffic..

    >access-list outside_access_in permit tcp any host eq domain
    DNS uses UDP packets, not TCP packets. Should be:
       access-list outside_access_in permit udp any host eq domain
    LVL 1

    Author Comment


    I actually got it to work, but I don't know how. Obviously, I changed the access lists, all 6 servers are accessible now.  

    Suddenly, traffic was allowed to flow and everything worked normal. Is there some sort of emergency lockdown system to blocks access incase there is a misconfiguration? At another time when I was configuring the rules, the PDM experienced some problem and suddenly all access was cut off. Reloading the PIX cleared it up.

    LVL 79

    Expert Comment

    Did you fix the access-list to allow UDP vs TCP for DNS?
    You must have..
    LVL 79

    Accepted Solution

    Are you still working on this?
    Have you found a solution?
    Do you need more information?

    This question will be classified as abandoned soon if we don't get some feedback from you.

    Can you close out this question? See here for details:

    Thanks for your attention!

    Featured Post

    Gigs: Get Your Project Delivered by an Expert

    Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

    Join & Write a Comment

    The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
    I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    745 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now