tshi5791 asked:
Unable to access static NAT address on the PIX 515e
I recently installed a PIX 515E. The problem I have is that static IP addresses are unable to access the Internet and are therefore unable to be reached from outside. Below is the configuration:
firewall# sh conf
: Saved
: Written by enable_15 at 18:37:30.320 EDT Wed Apr 25 2007
!
PIX Version 7.2(2)
!
hostname firewall
domain-name xxxxxx
enable password xxxxxx encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.x
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.91 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 172.16.253.1 255.255.255.0
!
passwd xxxxxxx encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxx
object-group protocol TCP_UDP
protocol-object tcp
protocol-object udp
object-group service VIDEO tcp-udp
port-object range 3230 3235
port-object eq 1720
port-object eq 3603
port-object eq 389
port-object range 1718 1719
port-object range 3235 3258
object-group service Reject tcp-udp
port-object eq 3127
port-object eq 4444
port-object eq 593
port-object eq 135
port-object eq 445
port-object eq 1433
port-object eq 1434
port-object eq 138
port-object eq 137
port-object eq 79
port-object eq 1900
port-object eq 2869
port-object eq 10243
object-group network Internal_Net
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0
network-object 10.1.4.0 255.255.255.0
network-object 10.2.67.0 255.255.255.0
network-object 10.0.1.0 255.255.255.0
network-object 10.0.2.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
network-object 10.75.225.0 255.255.255.0
network-object 10.16.5.0 255.255.255.0
object-group network RAS_Users
network-object 10.1.33.0 255.255.255.0
object-group network Bad_Net
network-object 127.0.0.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
network-object 224.0.0.0 255.255.255.0
network-object 192.0.0.0 255.255.255.0
network-object 127.0.0.1 255.255.255.255
access-list RAVPN_Split_Tunnel standard permit 10.0.0.0 255.0.0.0
access-list from-Internet-In extended deny object-group TCP_UDP any any object-group Reject
access-list from-Internet-In extended deny ip object-group Bad_Net any
access-list from-Internet-In extended permit icmp any any echo-reply
access-list from-Internet-In extended permit icmp any any time-exceeded
access-list from-Internet-In extended permit icmp any any unreachable
access-list from-Internet-In extended permit udp host x.x.x.x host x.x.x.x eq syslog
access-list from-Internet-In extended permit tcp any host x.x.x.x eq https
access-list from-Internet-In extended permit tcp any host x.x.x.x eq www
access-list from-Internet-In extended permit object-group TCP_UDP any host x.x.x.x object-group V
access-list from-Internet-In extended permit icmp any any
access-list from-Inside-Out extended deny object-group TCP_UDP any any object-group Reject
access-list from-Inside-Out extended permit ip object-group Internal_Net any log
access-list nycvpn extended permit ip object-group Internal_Net object-group RAS_Users
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging history debugging
logging asdm informational
logging host inside 10.1.1.7
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPN 10.1.33.1-10.1.33.30
ip verify reverse-path interface outside
ip audit name NetAttach info action alarm
ip audit name NetAttack attack action alarm
ip audit interface outside NetAttack
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nycvpn
nat (inside) 1 10.0.0.0 255.0.0.0
nat (DMZ) 1 172.16.253.0 255.255.255.0
static (inside,outside) udp interface syslog 10.1.1.7 syslog netmask 255.255.255.255
static (inside,outside) 208.58.x.2 10.1.1.4 netmask 255.255.255.255
static (dmz,outside) 208.58.x.3 10.1.1.92 netmask 255.255.255.255
access-group from-Internet-In in interface outside
access-group from-Inside-Out in interface inside
route outside 0.0.0.0 0.0.0.0 208.58.x.x 1
route inside 10.0.0.0 255.0.0.0 10.1.1.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.0.3.14
key xxxx
aaa-server TACACS+ host 10.0.3.13
key xxxxx
aaa-server RADIUS protocol radius
aaa-server NY-HQ protocol nt
aaa-server NY-HQ host 10.1.1.1
nt-auth-domain-controller 10.1.1.1
group-policy NY-HQ-RA-VPN-POLICY internal
group-policy NY-HQ-RA-VPN-POLICY attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel
default-domain value xxxxxxxxx
url-cache src_dst 100
aaa local authentication attempts max-fail 10
http server enable
http 10.0.2.144 255.255.255.255 inside
http 10.0.1.161 255.255.255.255 inside
http 10.0.0.95 255.255.255.255 inside
http 10.1.1.105 255.255.255.255 inside
snmp-server host inside 10.0.0.105 community MgtPrivate
snmp-server host inside 10.0.3.15 community MgtPrivate
no snmp-server location
no snmp-server contact
snmp-server community MgtPrivate
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set YC esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set YC
crypto map ctcnycmap 10 ipsec-isakmp dynamic dynmap
crypto map ctcnycmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group NY-HQ-RA-VPN-GROUP type ipsec-ra
tunnel-group NY-HQ-RA-VPN-GROUP general-attributes
address-pool CTCNYCVPN
authentication-server-group NY-HQ
default-group-policy NY-HQ-RA-VPN-POLICY
tunnel-group NY-HQ-RA-VPN-GROUP ipsec-attributes
pre-shared-key *
telnet 10.0.0.95 255.255.255.255 inside
telnet 10.0.2.144 255.255.255.255 inside
telnet 10.0.1.161 255.255.255.255 inside
telnet 10.1.1.105 255.255.255.255 inside
telnet timeout 60
ssh 10.0.2.144 255.255.255.255 inside
ssh 10.0.1.161 255.255.255.255 inside
ssh 10.0.0.95 255.255.255.255 inside
ssh 10.1.1.105 255.255.255.255 inside
ssh timeout 60
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server 10.0.3.100
client-update enable
prompt hostname context
Cryptochecksum:xxxxxxxx
firewall#
ASKER CERTIFIED SOLUTION
ASKER
YOU are TRULY a GENIUS. I have been all over the place looking for a solution to this problem to no avail. Thanks again!!!
You are quite welcome. Proxyarp is enabled by default and statics usually work right away. When you disable it, then the PIX can't use any IP address other than its own interface IP for any static xlates or other global groups.
ASKER
names
name 172.16.253.200 Polycom description Video conferencing placed in DMZ
static (dmz,outside) 208.58.x.3 Polycom netmask 255.255.255.255
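The two things this thread turns on are both visible in the posted configuration: `sysopt noproxyarp outside` stops the PIX from answering ARP for any address other than its own interface IP, so the mapped addresses in the statics are unreachable from the upstream router; and the original `static (dmz,outside) 208.58.x.3 10.1.1.92` names a real host that sits on the inside subnet, not on the DMZ (the follow-up moves it to a DMZ host, `Polycom`). The script below is an added example, not code from the thread or from Cisco: a small linter that pulls interfaces, `name` aliases, statics and `sysopt noproxyarp` lines out of a PIX 7.x config and flags exactly those two conditions. The sample configs are constructed from the posted one, with the masked `x` octets replaced by made-up placeholder addresses (208.58.1.0/24) so they parse; the rule names and messages are this example's own.

```python
"""Static-NAT consistency checks for a PIX/ASA 7.x configuration (added example)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample: the relevant lines of the configuration posted in the question,
# with the masked octets replaced by placeholder addresses. Not the poster's literal config.
BROKEN_CONFIG = """
interface Ethernet0
 nameif outside
 ip address 208.58.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 ip address 10.1.1.91 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 ip address 172.16.253.1 255.255.255.0
!
static (inside,outside) udp interface syslog 10.1.1.7 syslog netmask 255.255.255.255
static (inside,outside) 208.58.1.2 10.1.1.4 netmask 255.255.255.255
static (dmz,outside) 208.58.1.3 10.1.1.92 netmask 255.255.255.255
sysopt noproxyarp outside
sysopt noproxyarp inside
"""

# The same sample after the fixes the thread ends with: proxy ARP re-enabled on outside
# (the default, so the sysopt line simply disappears) and the DMZ static pointed at a
# named host that really is on the DMZ subnet.
FIXED_CONFIG = BROKEN_CONFIG.replace("sysopt noproxyarp outside\n", "").replace(
    "static (dmz,outside) 208.58.1.3 10.1.1.92",
    "name 172.16.253.200 Polycom\nstatic (dmz,outside) 208.58.1.3 Polycom",
)


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each nameif (lower-cased; the CLI accepts 'dmz' for 'DMZ') to its address."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1].lower()
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()[:4]
            ifaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


def parse_names(config: str) -> Dict[str, str]:
    """'name <ip> <alias>' lines, so a static written with an alias can be resolved."""
    return {t[2]: t[1] for t in (l.split() for l in config.splitlines())
            if len(t) >= 3 and t[0] == "name"}


def parse_statics(config: str) -> List[Tuple[str, str, str, str]]:
    """Return (real_if, mapped_if, mapped_ip, real_ip) for each static statement."""
    out = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "static" or "netmask" not in t:
            continue
        real_if, mapped_if = t[1].strip("()").lower().split(",")
        if t[2] in ("tcp", "udp"):      # port static: (r,m) proto mapped mport real rport
            mapped_ip, real_ip = t[3], t[5]
        else:                           # one-to-one static: (r,m) mapped real
            mapped_ip, real_ip = t[2], t[3]
        out.append((real_if, mapped_if, mapped_ip, real_ip))
    return out


def noproxyarp_interfaces(config: str) -> Set[str]:
    return {l.split()[2].lower() for l in config.splitlines()
            if l.strip().startswith("sysopt noproxyarp ")}


def lint_statics(config: str) -> List[Tuple[str, str]]:
    """Return (rule, message) findings for statics that cannot work as written."""
    ifaces, names, noarp = parse_interfaces(config), parse_names(config), noproxyarp_interfaces(config)
    findings: List[Tuple[str, str]] = []
    for real_if, mapped_if, mapped_ip, real_ip in parse_statics(config):
        real_ip, mapped_ip = names.get(real_ip, real_ip), names.get(mapped_ip, mapped_ip)
        stmt = f"static ({real_if},{mapped_if}) {mapped_ip} {real_ip}"
        try:
            real_addr = ipaddress.IPv4Address(real_ip)
        except ValueError:
            findings.append(("unresolved", f"{stmt}: {real_ip} is neither an address nor a defined name"))
            continue
        # 1. The real host must live on the real interface's subnet; otherwise the firewall
        #    ARPs for it on the wrong segment and the xlate never carries traffic.
        real_net = ifaces[real_if].network
        if real_addr not in real_net:
            findings.append(("off-subnet", f"{stmt}: {real_ip} is not on the {real_if} subnet {real_net}"))
        # 2. With proxy ARP disabled on the mapped interface the PIX answers ARP only for its
        #    own IP, so any other mapped address is unreachable unless the upstream router
        #    carries a host route for it pointing at the firewall.
        if mapped_if in noarp and mapped_ip != "interface" and mapped_ip != str(ifaces[mapped_if].ip):
            findings.append(("proxyarp", f"{stmt}: proxy ARP is disabled on {mapped_if}, "
                                         f"so the PIX will not answer ARP for {mapped_ip}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for rule, msg in lint_statics(cfg) or [("ok", "no static NAT problems found")]:
            print(f"[{rule}] {msg}")
```

Run against the broken sample it reports two `proxyarp` findings (both one-to-one statics on outside) and one `off-subnet` finding for the DMZ static; the port static that uses `interface` as its mapped address is left alone, since that is the firewall's own IP. On the box itself the matching fix is `no sysopt noproxyarp outside`, after which `show xlate` and `show arp` should show the static translation and the upstream router's ARP entry for the mapped address.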