Unable to access static NAT address on the PIX 515e

Asked by tshi5791
451 Views
Last Modified: 2010-04-09
I recently installed a PIX 515E. The problem I have is that static IP addresses are unable to access the Internet and are therefore unable to be reached from outside. Below is the configuration:

firewall# sh conf
: Saved
: Written by enable_15 at 18:37:30.320 EDT Wed Apr 25 2007
!
PIX Version 7.2(2)
!
hostname firewall
domain-name xxxxxx
enable password xxxxxx encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.x
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.91 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.16.253.1 255.255.255.0
!
passwd xxxxxxx encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxx
object-group protocol TCP_UDP
 protocol-object tcp
 protocol-object udp
object-group service VIDEO tcp-udp
 port-object range 3230 3235
 port-object eq 1720
 port-object eq 3603
 port-object eq 389
 port-object range 1718 1719
 port-object range 3235 3258
object-group service Reject tcp-udp
 port-object eq 3127
 port-object eq 4444
 port-object eq 593
 port-object eq 135
 port-object eq 445
 port-object eq 1433
 port-object eq 1434
 port-object eq 138
 port-object eq 137
 port-object eq 79
 port-object eq 1900
 port-object eq 2869
 port-object eq 10243
object-group network Internal_Net
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object 10.2.67.0 255.255.255.0
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
 network-object 10.75.225.0 255.255.255.0
 network-object 10.16.5.0 255.255.255.0
object-group network RAS_Users
 network-object 10.1.33.0 255.255.255.0
object-group network Bad_Net
 network-object 127.0.0.0 255.255.255.0
 network-object 172.16.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 224.0.0.0 255.255.255.0
 network-object 192.0.0.0 255.255.255.0
 network-object 127.0.0.1 255.255.255.255
access-list RAVPN_Split_Tunnel standard permit 10.0.0.0 255.0.0.0
access-list from-Internet-In extended deny object-group TCP_UDP any any object-group Reject
access-list from-Internet-In extended deny ip object-group Bad_Net any
access-list from-Internet-In extended permit icmp any any echo-reply
access-list from-Internet-In extended permit icmp any any time-exceeded
access-list from-Internet-In extended permit icmp any any unreachable
access-list from-Internet-In extended permit udp host x.x.x.x host x.x.x.x. eq syslog
access-list from-Internet-In extended permit tcp any host x.x.x.x eq https
access-list from-Internet-In extended permit tcp any host x.x.x.x eq www
access-list from-Internet-In extended permit object-group TCP_UDP any host x.x.x.x object-group V
access-list from-Internet-In extended permit icmp any any
access-list from-Inside-Out extended deny object-group TCP_UDP any any object-group Reject
access-list from-Inside-Out extended permit ip object-group Internal_Net any log
access-list nycvpn extended permit ip object-group Internal_Net object-group RAS_Users
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging history debugging
logging asdm informational
logging host inside 10.1.1.7
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPN 10.1.33.1-10.1.33.30
ip verify reverse-path interface outside
ip audit name NetAttach info action alarm
ip audit name NetAttack attack action alarm
ip audit interface outside NetAttack
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nycvpn
nat (inside) 1 10.0.0.0 255.0.0.0
nat (DMZ) 1 172.16.253.0 255.255.255.0
static (inside,outside) udp interface syslog 10.1.1.7 syslog netmask 255.255.255.255
static (inside,outside) 208.58.x.2 10.1.1.4 netmask 255.255.255.255
static (dmz,outside) 208.58.x.3 10.1.1.92 netmask 255.255.255.255
access-group from-Internet-In in interface outside
access-group from-Inside-Out in interface inside
route outside 0.0.0.0 0.0.0.0 208.58.x.x 1
route inside 10.0.0.0 255.0.0.0 10.1.1.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.0.3.14
 key xxxx
aaa-server TACACS+ host 10.0.3.13
 key xxxxx
aaa-server RADIUS protocol radius
aaa-server NY-HQ protocol nt
aaa-server NY-HQ host 10.1.1.1
 nt-auth-domain-controller 10.1.1.1
group-policy NY-HQ-RA-VPN-POLICY internal
group-policy NY-HQ-RA-VPN-POLICY attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPN_Split_Tunnel
 default-domain value xxxxxxxxx
url-cache src_dst 100
aaa local authentication attempts max-fail 10
http server enable
http 10.0.2.144 255.255.255.255 inside
http 10.0.1.161 255.255.255.255 inside
http 10.0.0.95 255.255.255.255 inside
http 10.1.1.105 255.255.255.255 inside
snmp-server host inside 10.0.0.105 community MgtPrivate
snmp-server host inside 10.0.3.15 community MgtPrivate
no snmp-server location
no snmp-server contact
snmp-server community MgtPrivate
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set YC esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set YC
crypto map ctcnycmap 10 ipsec-isakmp dynamic dynmap
crypto map ctcnycmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group NY-HQ-RA-VPN-GROUP type ipsec-ra
tunnel-group NY-HQ-RA-VPN-GROUP general-attributes
 address-pool CTCNYCVPN
 authentication-server-group NY-HQ
 default-group-policy NY-HQ-RA-VPN-POLICY
tunnel-group NY-HQ-RA-VPN-GROUP ipsec-attributes
 pre-shared-key *
telnet 10.0.0.95 255.255.255.255 inside
telnet 10.0.2.144 255.255.255.255 inside
telnet 10.0.1.161 255.255.255.255 inside
telnet 10.1.1.105 255.255.255.255 inside
telnet timeout 60
ssh 10.0.2.144 255.255.255.255 inside
ssh 10.0.1.161 255.255.255.255 inside
ssh 10.0.0.95 255.255.255.255 inside
ssh 10.1.1.105 255.255.255.255 inside
ssh timeout 60
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server 10.0.3.100
client-update enable
prompt hostname context
Cryptochecksum:xxxxxxxx
firewall#
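The symptom in the question (addresses behind a `static` reachable from neither direction) is usually settled by a configuration review rather than by packet captures, so below is a small lint for PIX/ASA 7.x-style saved configs. It is an added example, not code from the original question or from any of its answers. It parses `interface`/`nameif`/`ip address` blocks, `static` lines (including port statics that use the `interface` keyword) and `sysopt noproxyarp`, and flags two things a reviewer would check first on a config like the one above: a static whose real address does not sit in the subnet of the interface named as its real side, and a static whose mapped address is not the mapped interface's own address while proxy ARP is disabled on that interface, in which case the firewall will not answer ARP for the mapped address and the next-hop router needs an explicit route to it. The embedded sample config is constructed to mirror the posted one; `208.58.1.0/24` is a placeholder for the redacted outside addresses, and interface names are compared case-insensitively because the posted config itself carries `static (dmz,outside)` against `nameif DMZ`.

```python
"""Lint the static NAT entries of a PIX/ASA 7.x-style saved configuration.

Added example, not from the original question. Flags:
  1. a `static` whose real address lies outside the subnet of its real-side
     interface (the firewall has nowhere to deliver the traffic);
  2. a `static` whose mapped address is not the mapped interface's own address
     while `sysopt noproxyarp` is set on that interface (the firewall will not
     answer ARP for the mapped address; the next-hop router needs a route).
"""
import ipaddress

# Constructed sample that mirrors the posted config; 208.58.1.0/24 is a
# placeholder for the redacted outside addresses.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 208.58.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.91 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 172.16.253.1 255.255.255.0
!
static (inside,outside) udp interface syslog 10.1.1.7 syslog netmask 255.255.255.255
static (inside,outside) 208.58.1.2 10.1.1.4 netmask 255.255.255.255
static (dmz,outside) 208.58.1.3 10.1.1.92 netmask 255.255.255.255
sysopt noproxyarp outside
sysopt noproxyarp inside
"""


def parse_interfaces(config):
    """Return {nameif (lower-cased): IPv4Interface} for every interface block."""
    interfaces = {}
    name = addr = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = addr = None                      # start of a new block
        elif line.startswith("nameif "):
            name = line.split()[1].lower()          # names compared case-insensitively
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if name and addr:
            interfaces[name] = addr
    return interfaces


def parse_statics(config):
    """Parse `static (real_if,mapped_if) ...` lines, including tcp/udp port statics."""
    statics = []
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "static":
            continue
        real_if, mapped_if = tok[1].strip("()").split(",")
        if tok[2] in ("tcp", "udp"):
            # static (r,m) tcp|udp <mapped|interface> <mport> <real> <rport> netmask <mask>
            mapped, real = tok[3], tok[5]
        else:
            # static (r,m) <mapped> <real> netmask <mask>
            mapped, real = tok[2], tok[3]
        statics.append({"line": raw.strip(), "real_if": real_if.lower(),
                        "mapped_if": mapped_if.lower(), "mapped": mapped, "real": real})
    return statics


def noproxyarp_interfaces(config):
    """Set of interface names on which `sysopt noproxyarp` is configured."""
    return {ln.split()[2].lower() for ln in config.splitlines()
            if ln.strip().startswith("sysopt noproxyarp ")}


def lint_statics(config):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    interfaces = parse_interfaces(config)
    noproxy = noproxyarp_interfaces(config)
    findings = []
    for s in parse_statics(config):
        real_net = interfaces.get(s["real_if"])
        mapped_net = interfaces.get(s["mapped_if"])
        if real_net is None or mapped_net is None:
            findings.append(f"{s['line']}: references an interface with no nameif/ip address")
            continue
        if ipaddress.IPv4Address(s["real"]) not in real_net.network:
            findings.append(f"{s['line']}: real address {s['real']} is not in the "
                            f"{s['real_if']} subnet {real_net.network}")
        # Port statics on the interface address itself never need proxy ARP.
        if s["mapped"] != "interface" and s["mapped_if"] in noproxy:
            if ipaddress.IPv4Address(s["mapped"]) != mapped_net.ip:
                findings.append(f"{s['line']}: sysopt noproxyarp {s['mapped_if']} is set, so "
                                f"the firewall will not answer ARP for {s['mapped']}; the "
                                f"next-hop router needs a route to it")
    return findings


if __name__ == "__main__":
    for finding in lint_statics(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the syslog port static passes, the `208.58.1.2` static is flagged only for the proxy-ARP condition, and the `dmz` static is flagged twice: its real address `10.1.1.92` is not in `172.16.253.0/24`, and proxy ARP is off on `outside`. Removing the `sysopt noproxyarp outside` line leaves only the subnet finding, which is the quickest way to see which of the two conditions a given config actually trips.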