Solved

Additional Static IP address not passing through the PIX 501 to the inside server

Posted on 2008-10-08
Last Modified: 2012-05-05
Recently needed to set up an additional external IP address to allow access to a server on the inside of our network. I used static NAT entries and also ACLs in hopes the traffic would work as expected. I cannot get to the internal server from the outside using the new IP address. Any ideas? The new server on the inside is 192.168.0.25 and on the outside the public IP address is xx.xx.160.179.
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.101 exchange1
name 192.168.0.100 admin1
name 192.168.1.0 JuneHome
name 192.168.0.25 Voicemail
name xx.xx.160.179 Voicemail1
access-list webinside permit tcp any any eq www
access-list webinside permit ip any any
access-list webinside permit udp any any
access-list webinside permit tcp any any
access-list webinside permit icmp any any
access-list outside_in permit ip any any
access-list outside_in permit tcp any any
access-list outside_in permit udp any any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any eq www any eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any host xx.xx.160.178 eq 3389
access-list outside_in permit udp any host xx.xx.160.178 eq 3389
access-list outside_in permit tcp any host Voicemail1 eq www
access-list vpntest_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list vpntest_splitTunnelAcl permit ip JuneHome 255.255.255.0 any
pager lines 24
logging on
logging console critical
logging buffered errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.160.178 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.0.50-192.168.0.55
ip local pool test 192.168.50.10-192.168.50.15
pdm location 192.168.0.1 255.255.255.255 inside
pdm location exchange1 255.255.255.255 inside
pdm location admin1 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location JuneHome 255.255.255.0 outside
pdm location Voicemail 255.255.255.255 inside
pdm location Voicemail1 255.255.255.255 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp Voicemail1 www Voicemail www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp exchange1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www exchange1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 exchange1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group webinside in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.160.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! Incomplete
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.198.162 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool remote
vpngroup vpntest dns-server admin1 exchange1
vpngroup vpntest default-domain arrow-metals
vpngroup vpntest split-tunnel vpntest_splitTunnelAcl
vpngroup vpntest pfs
vpngroup vpntest idle-time 1800
vpngroup vpntest password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 10
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750

0
Comment
Question by:kurtb
22 Comments
 
LVL 2

Expert Comment

by:AdamComp
ID: 22672870
The command you're looking for is static (inside,outside) (outside IP) (inside IP) netmask 255.255.255.255

So:
static (inside,outside) xx.xx.160.179 192.168.0.25 netmask 255.255.255.255

Of course you need to make your access-list as well to allow appropriate traffic.
0
 

Author Comment

by:kurtb
ID: 22673878
It looks like line 70 already has a version of this...

static (inside,outside) tcp Voicemail1 www Voicemail www netmask 255.255.255.255 0 0

Voicemail1 is x.x.160.179 and Voicemail is 192.168.0.25. I just have it passing port 80 traffic through, though.
0
 
LVL 2

Expert Comment

by:AdamComp
ID: 22674112
What are you trying to do with the voicemail?  
0
 
LVL 2

Expert Comment

by:AdamComp
ID: 22674192
Unless you really need that public IP for other applications on different ports, try NATing the whole IP address (take out the "www" qualifier in the command), then use access-lists to allow only the ports you need.

I know some voicemail configuration websites (like the one for the Mitel NuPoint Messenger) use https instead of regular http. That would be a different port number (443).
0
 

Author Comment

by:kurtb
ID: 22674520
I have checked: on the inside of the firewall, 192.168.0.25 is accessible via http and is not enabled for https. The only thing being done with this voicemail system is allowing web access for the vendor to remotely support their product. I have tried NATing the whole IP address, with the same results.
0
 
LVL 2

Expert Comment

by:AdamComp
ID: 22674627
Try opening up the whole IP address, without the "www" qualifier, to test. If it works, then there is a port that needs to be opened up.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675196
What AdamComp means is to run a command like this:
static (inside,outside) Voicemail1 Voicemail netmask 255.255.255.255 0 0
And to open all ports on the ACL (be careful!!!) use this:

access-list outside_in permit ip any host Voicemail1
Cheers! Let me know if you have any questions!
 
0
 

Author Comment

by:kurtb
ID: 22677884
I have entered both and I am having the same result. The website that is internal on 192.168.0.25 is not accessible from the Internet on 97.86.160.179. There has got to be something easy that we are not seeing.
0
 
LVL 2

Expert Comment

by:AdamComp
ID: 22678723
What kind of voicemail is it?
0
 

Expert Comment

by:techeternal
ID: 22679046
Not sure what type of voicemail system it is; all I know is that on the inside of the network, 192.168.0.25 on port 80 brings up a website that asks for credentials. Just curious, why do you ask?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22679579
That's interesting.... Did you open the ACL?
0
 

Expert Comment

by:techeternal
ID: 22679598
Yes I did.  I only added to my existing list that was there already.
0
 
LVL 2

Expert Comment

by:AdamComp
ID: 22679766
The reason I ask is that I work on telephone systems and I might be able to ask around about it. I am trained in Mitel and Inter-tel, but I've got friends who have worked on Nortel and Avaya.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22679839
techeternal, are you kurtb or another expert?
Hmmm... can you please post your current config so I can see it with the changes?

0
 

Expert Comment

by:techeternal
ID: 22680936
Techeternal is also Kurtb.  I posted from the wrong acct originally.  Below is the current config in use.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.101 exchange1
name 192.168.0.100 admin1
name 192.168.1.0 JuneHome
name 192.168.0.25 Voicemail
access-list webinside permit tcp any any eq www
access-list webinside permit ip any any
access-list webinside permit udp any any
access-list webinside permit tcp any any
access-list webinside permit icmp any any
access-list outside_in permit ip any any
access-list outside_in permit tcp any any
access-list outside_in permit udp any any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any eq www any eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any host xx.xx.160.178 eq 3389
access-list outside_in permit udp any host xx.xx.160.178 eq 3389
access-list outside_in permit ip any host xx.xx.160.179
access-list outside_in permit udp any host xx.xx.160.179 eq www
pager lines 24
logging on
logging console critical
logging buffered errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.160.178 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.0.50-192.168.0.55
ip local pool test 192.168.50.10-192.168.50.15
pdm location 192.168.0.1 255.255.255.255 inside
pdm location exchange1 255.255.255.255 inside
pdm location admin1 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location JuneHome 255.255.255.0 outside
pdm location Voicemail 255.255.255.255 inside
pdm location 97.86.160.179 255.255.255.255 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp exchange1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www exchange1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 exchange1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.160.179 www Voicemail www netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.160.179 Voicemail netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group webinside in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.160.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 24.240.198.162
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! Incomplete
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool remote
vpngroup vpntest dns-server admin1 exchange1
vpngroup vpntest default-domain
vpngroup vpntest pfs
vpngroup vpntest idle-time 1800
vpngroup vpntest password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
vpnclient vpngroup test password ********
terminal width 80
Cryptochecksum:be784a53c3f70b9eef64e88fe985b221
: end
arrowoffice#


0
 
LVL 2

Accepted Solution

by:
AdamComp earned 125 total points
ID: 22681817
It looks like you have two of these:
static (inside,outside) tcp xx.xx.160.179 www Voicemail www netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.160.179 Voicemail netmask 255.255.255.255 0 0

Negate the first one before trying the latter.
0
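As an added example (not code from the thread or from Cisco), here is a small Python checker that reads a PIX 6.3-style config and reports the two things this thread turns on: a port-level static and a whole-IP static claiming the same global address, which is what the accepted answer spots, and a `permit ... any any` entry on the ACL applied inbound on outside, which makes every narrower line after it moot. The sample config is constructed from lines posted above, and the function names are my own.

```python
"""Checker for PIX 6.3-style configs: overlapping `static` entries for one
global address, and wide-open permits on the ACL bound inbound on outside."""
import re
from collections import defaultdict, namedtuple

Static = namedtuple("Static", "proto gip gport lip lport line")

# Constructed sample modelled on the thread's config (xx.xx. kept as posted).
SAMPLE_CONFIG = """\
name 192.168.0.25 Voicemail
name 192.168.0.101 exchange1
access-list outside_in permit ip any any
access-list outside_in permit tcp any host xx.xx.160.179 eq www
static (inside,outside) tcp interface www exchange1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.160.179 www Voicemail www netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.160.179 Voicemail netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

def parse_names(lines):
    """`name <ip> <alias>`: later lines may use the alias; map alias -> ip."""
    return {t[2]: t[1] for t in (l.split() for l in lines)
            if len(t) == 3 and t[0] == "name"}

def parse_static(line, names):
    """Both static forms; a GLOBAL of 'interface' means the outside address.
    static (in,out) tcp|udp GLOBAL GPORT LOCAL LPORT netmask ...  (port PAT)
    static (in,out) GLOBAL LOCAL netmask ...                      (whole IP)"""
    t = line.split()
    if len(t) < 5 or t[0] != "static" or "netmask" not in t:
        return None
    r = lambda x: names.get(x, x)  # resolve alias to address
    if t[2] in ("tcp", "udp"):
        return Static(t[2], r(t[3]), t[4], r(t[5]), t[6], line)
    return Static(None, r(t[2]), None, r(t[3]), None, line)

def static_conflicts(lines, names):
    """Global addresses claimed by a whole-IP static plus a port static,
    by two whole-IP statics, or by two port statics for one proto/port."""
    by_gip = defaultdict(list)
    for ln in lines:
        s = parse_static(ln, names)
        if s:
            by_gip[s.gip].append(s)
    out = {}
    for gip, ss in by_gip.items():
        whole = [s for s in ss if s.proto is None]
        ports = [s for s in ss if s.proto]
        dup = len({(s.proto, s.gport) for s in ports}) < len(ports)
        if (whole and ports) or len(whole) > 1 or dup:
            out[gip] = [s.line for s in ss]
    return out

def wide_open_inbound(lines):
    """permit ip|tcp|udp any any (no port qualifier) on an ACL bound with
    `access-group <acl> in interface outside`; first match wins on a PIX."""
    bound = {t[1] for t in (l.split() for l in lines)
             if len(t) >= 5 and t[0] == "access-group"
             and t[2:5] == ["in", "interface", "outside"]}
    pat = re.compile(r"^access-list (\S+) permit (?:ip|tcp|udp) any any$")
    hits = []
    for ln in lines:
        m = pat.match(ln)
        if m and m.group(1) in bound:
            hits.append(ln)
    return hits

def audit(config_text):
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    names = parse_names(lines)
    return {"static_conflicts": static_conflicts(lines, names),
            "wide_open": wide_open_inbound(lines)}
```

Run `audit(SAMPLE_CONFIG)` against a full `show run` dump as well; the `interface` keyword is treated as its own global address, so the port statics on the outside interface address are grouped and checked for duplicates too.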
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22681865
Run:
no static (inside,outside) xx.xx.160.179 Voicemail netmask 255.255.255.255 0 0
This will only translate port 80 for the web server. You must create a new static for each port you want to use. This allows you to use multiple servers on one static IP address. It's called PAT.
Let me know how this works!
Cheers!
0
 

Expert Comment

by:techeternal
ID: 22681868
I have removed the below statement. Still no change.

no static (inside,outside) tcp xx.xx.160.179 www Voicemail www netmask 255.255.255.255 0 0
0
 

Expert Comment

by:techeternal
ID: 22681908
I have also tried re-adding:

static (inside,outside) tcp xx.xx.160.179 www Voicemail www netmask 255.255.255.255 0 0

and then removing:

static (inside,outside) 97.86.160.179 Voicemail netmask 255.255.255.255 0 0

Still no change.
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 125 total points
ID: 22682845
Sorry I'm asking so much, but please post your current config again.
Cheers!
0
 

Expert Comment

by:techeternal
ID: 22731190
Here is the current running config.  

Hopefully someone sees something I have overlooked.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname arrowoffice
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.101 exchange1
name 192.168.0.100 admin1
name 192.168.1.0 JuneHome
name 192.168.0.25 Voicemail
access-list webinside permit tcp any any eq www
access-list webinside permit ip any any
access-list webinside permit udp any any
access-list webinside permit tcp any any
access-list webinside permit icmp any any
access-list outside_in permit ip any any
access-list outside_in permit tcp any any
access-list outside_in permit udp any any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any eq www any eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any host 97.86.160.178 eq 3389
access-list outside_in permit udp any host 97.86.160.178 eq 3389
access-list outside_in permit ip any host 97.86.160.179
access-list outside_in permit udp any host 97.86.160.179 eq www
pager lines 24
logging on
logging console critical
logging buffered errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.160.178 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.0.50-192.168.0.55
ip local pool test 192.168.50.10-192.168.50.15
pdm location 192.168.0.1 255.255.255.255 inside
pdm location exchange1 255.255.255.255 inside
pdm location admin1 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location JuneHome 255.255.255.0 outside
pdm location Voicemail 255.255.255.255 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp exchange1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www exchange1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5634 exchange1 5634 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5633 exchange1 5633 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 exchange1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 admin1 3389 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.160.179 Voicemail netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group webinside in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.160.177 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! Incomplete
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool remote
vpngroup vpntest dns-server admin1 exchange1
vpngroup vpntest default-domain arrow-metals
vpngroup vpntest pfs
vpngroup vpntest idle-time 1800
vpngroup vpntest password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 10
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80


0
 

Author Comment

by:kurtb
ID: 23402599
The final resolution for this was to purchase an ASA.
Sorry for the delay of a response.
Thank you for your assistance with this.
0