pronetJonathan asked:
PIX-501 forward all traffic for specific external IP
Our main office has several public IPs available that are being managed by a PIX-501. We recently added a device inside the network and we would like to have a single IP send all traffic to the device without filtering any ports. These are the commands that I set up on the PIX (xxx.xxx.xxx.xxx is the public IP):
static (inside,outside) xxx.xxx.xxx.xxx 192.168.3.33 netmask 255.255.255.255 0 0
pdm location 192.168.3.33 255.255.255.255 inside
access-list outside_access_in permit udp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit ip any host xxx.xxx.xxx.xxx
access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit esp any host xxx.xxx.xxx.xxx
To test this I enabled telnet on the new device. From inside the network I can connect to it via its internal IP (192.168.3.33), but from outside the network I cannot connect via its external IP. Am I missing a command?
Try an outside access-group on the interface and an outside access-list on it. By default any incoming connection is refused by the PIX/ASA.
Also, you can use only
access-list outside_access_in permit ip any host xxx.xxx.xxx.xxx
instead of
access-list outside_access_in permit udp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit ip any host xxx.xxx.xxx.xxx
access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit esp any host xxx.xxx.xxx.xxx
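The three pieces the thread turns on (a static NAT entry, an inbound access-list for the mapped address, and an access-group that binds that list to the outside interface) can be checked offline against a saved configuration. The following Python linter is an added example, not code from the thread or from Cisco. It parses a constructed PIX-style configuration in which 203.0.113.10 stands in for the redacted public IP, reports a static with no inbound access-group binding on its outside interface, a bound ACL with no permit for the mapped host, and the exposure that a `permit ip any host` rule implies for the inside device, including the protocol-specific rules that rule makes redundant. The regexes and token handling cover only the command forms shown in the thread.

```python
import re

# Constructed sample in the shape of the thread's configuration.
# 203.0.113.10 (documentation range) stands in for the redacted public IP.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.3.33 netmask 255.255.255.255 0 0
pdm location 192.168.3.33 255.255.255.255 inside
access-list outside_access_in permit udp any host 203.0.113.10
access-list outside_access_in permit ip any host 203.0.113.10
access-list outside_access_in permit tcp any host 203.0.113.10
access-list outside_access_in permit esp any host 203.0.113.10
access-group outside_access_in in interface outside
"""

# static (real_if,mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(
    r"^static \((?P<inside>[\w-]+),(?P<outside>[\w-]+)\) "
    r"(?P<public>[\d.]+) (?P<private>[\d.]+)"
)
# access-group <acl> in interface <iface>
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")


def _take_addr(tokens, i):
    """Consume one address spec ('any', 'host A.B.C.D' or 'NET MASK')."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_config(text):
    """Extract statics, access-list entries and inbound access-group bindings."""
    statics, acls, groups = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("static "):
            m = STATIC_RE.match(line)
            if m:
                statics.append(m.groupdict())
        elif line.startswith("access-list "):
            t = line.split()
            if len(t) >= 6 and t[2] in ("permit", "deny"):
                try:
                    src, i = _take_addr(t, 4)
                    dst, _ = _take_addr(t, i)
                except IndexError:
                    continue  # truncated or unsupported entry; skip it
                acls.setdefault(t[1], []).append(
                    {"action": t[2], "proto": t[3], "src": src, "dst": dst})
        elif line.startswith("access-group "):
            m = GROUP_RE.match(line)
            if m:
                groups[m.group("iface")] = m.group("name")
    return statics, acls, groups


def audit(text):
    """Return findings about inbound reachability and exposure of each static."""
    statics, acls, groups = parse_config(text)
    findings = []
    for s in statics:
        public, outside = s["public"], s["outside"]
        acl_name = groups.get(outside)
        if acl_name is None:
            findings.append(
                f"{public}: no 'access-group ... in interface {outside}' binds an ACL, "
                "so the PIX denies all inbound connections to this static by default")
            continue
        entries = [e for e in acls.get(acl_name, [])
                   if e["action"] == "permit" and e["dst"] in (public, "any")]
        if not entries:
            findings.append(
                f"{public}: ACL {acl_name} is bound on {outside} but has no permit "
                "for this host, so inbound traffic is still denied")
            continue
        if any(e["proto"] == "ip" and e["src"] == "any" for e in entries):
            findings.append(
                f"{public}: 'permit ip any' exposes every port and protocol of "
                f"{s['private']} to any source")
            for e in entries:
                if e["proto"] != "ip":
                    findings.append(
                        f"{public}: 'permit {e['proto']}' is redundant, "
                        "already covered by 'permit ip'")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
    print("--- same config without the access-group line ---")
    for f in audit(SAMPLE_CONFIG.replace("access-group", "! access-group")):
        print(f)
```

Run against the sample, the linter confirms the thread's advice: the one `permit ip any host` line already covers the udp, tcp and esp lines, and removing the `access-group` binding is exactly the state in which the static is configured but nothing from outside can reach it.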
ASKER
So using
access-list outside_access_in permit ip any host xxx.xxx.xxx.xxx
will account for all the others as well?
Also, I already have the command
access-group outside_access_in in interface outside
from previous settings. Is this what you meant in the first post?
>will account for all the others as well?
Aha.
What is the internal IP of the PIX?
And can you ping external IPs from 192.168.3.33?
ASKER
Internal IP: 192.168.3.254
Yes, 192.168.3.33 can ping external IPs.
Please show debug at error level, and what IOS do you have?
You have the right configuration. Maybe the problem is in outgoing packets? Such as an access-group on the inside interface? Let's see your debug.
Make sure your inside device has its default gateway/route pointed to the PIX.
If it's a PC with more than one NIC, make sure it uses the right NIC as default gateway.