Solved

Help with Cisco Pix 515 & nat

Posted on 2009-07-02
370 Views
Last Modified: 2012-05-07
My company has 3 usable outside IP addresses. I have a Cisco PIX 515, and I have to have a certain internal IP address use a specific outside IP address when accessing the internet. Help!
0
Question by:polaris101
6 Comments
LVL 11

Expert Comment

by:billwharton
ID: 24766379
Can you paste the current config of your pix over here? Also state the public ip address & private ip address and I'll provide you the configs
0
 

Author Comment

by:polaris101
ID: 24766387
I thought this command would do it... but nothing.

alias (inside) 10.242.55.252 66.x.x.147 255.255.255.255
0
 

Author Comment

by:polaris101
ID: 24766496
Here is the config...
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .MADZuiaHAg25iU5 encrypted
passwd .MADZuiaHAg25iU5 encrypted
hostname Polaris515
domain-name ripcpc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.24.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.19.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.58.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.75.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.52.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.18.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.20.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.20.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.21.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.56.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.31.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.59.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.72.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.37.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.68.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.57.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.51.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.63.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.39.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list 120 permit ip host 10.242.55.212 host 192.168.109.76
access-list 120 permit icmp any any
access-list 120 permit ip host 10.242.55.212 host 192.168.25.8
access-list 120 permit ip host 10.242.55.212 host 192.168.25.17
access-list 120 permit ip host 10.242.55.212 host 192.168.25.21
access-list 120 permit ip host 10.242.55.212 host 192.168.25.22
access-list 120 permit ip host 10.242.55.252 host 192.168.25.8
access-list 120 permit ip host 10.242.55.252 host 192.168.25.17
access-list 120 permit ip host 10.242.55.252 host 192.168.25.21
access-list 120 permit ip host 10.242.55.252 host 192.168.25.22
access-list 130 permit ip 10.242.55.0 255.255.255.0 10.244.68.0 255.255.255.0
access-list 146 permit ip host 10.242.55.212 host 192.168.25.8
access-list 146 permit ip host 10.242.55.212 host 192.168.25.17
access-list 146 permit ip host 10.242.55.212 host 192.168.25.21
access-list 146 permit ip host 10.242.55.212 host 192.168.25.22
access-list 146 permit ip host 10.242.55.252 host 192.168.25.8
access-list 146 permit ip host 10.242.55.252 host 192.168.25.17
access-list 146 permit ip host 10.242.55.252 host 192.168.25.21
access-list 146 permit ip host 10.242.55.252 host 192.168.25.22
access-list 150 permit ip 10.242.55.0 255.255.255.0 10.244.24.0 255.255.255.0
access-list 152 permit ip 10.242.55.0 255.255.255.0 10.246.19.0 255.255.255.0
access-list 158 permit ip 10.242.55.0 255.255.255.0 10.244.58.0 255.255.255.0
access-list 164 permit ip 10.242.55.0 255.255.255.0 10.244.75.0 255.255.255.0
access-list 168 permit ip 10.242.55.0 255.255.255.0 10.244.52.0 255.255.255.0
access-list 170 permit ip 10.242.55.0 255.255.255.0 10.244.72.0 255.255.255.0
access-list 172 permit ip 10.242.55.0 255.255.255.0 10.246.18.0 255.255.255.0
access-list 174 permit ip 10.242.55.0 255.255.255.0 10.246.20.0 255.255.255.0
access-list 178 permit ip 10.242.55.0 255.255.255.0 10.244.20.0 255.255.255.0
access-list 182 permit ip 10.242.55.0 255.255.255.0 10.246.21.0 255.255.255.0
access-list 184 permit ip 10.242.55.0 255.255.255.0 10.244.56.0 255.255.255.0
access-list 190 permit ip 10.242.55.0 255.255.255.0 10.244.31.0 255.255.255.0
access-list 194 permit ip 10.242.55.0 255.255.255.0 10.244.59.0 255.255.255.0
access-list 126 permit ip 10.242.55.0 255.255.255.0 10.244.37.0 255.255.255.0
access-list 134 permit ip 10.242.55.0 255.255.255.0 10.244.51.0 255.255.255.0
access-list 132 permit ip 10.242.55.0 255.255.255.0 10.244.57.0 255.255.255.0
access-list 138 permit ip 10.242.55.0 255.255.255.0 10.244.63.0 255.255.255.0
access-list 142 permit ip 10.242.55.0 255.255.255.0 10.244.39.0 255.255.255.0
access-list 110 permit tcp any host 66.xxx.xxx.146 eq https
access-list 110 permit tcp any host 66.xxx.xxx.146 eq ftp
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4555
access-list 110 permit tcp any host 66.xxx.xxx.146 eq ftp-data
access-list 110 permit tcp any host 66.xxx.xxx.147 eq https
access-list 110 permit tcp any host 66.xxx.xxx.147 eq www
access-list 110 permit icmp any any
access-list 110 permit tcp any host 66.xxx.xxx.146 eq ssh
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 5156
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4556
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4557
access-list 110 permit tcp any host 66.xxx.xxx.147 eq ssh
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 7071
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 7072
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 7073
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4558
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4559
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4560
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4561
access-list 148 permit ip 10.242.55.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 131 permit ip 10.242.55.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list 123 permit ip host 10.242.55.212 host 192.168.109.76
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.xxx.xxx.146 255.255.255.240
ip address inside 10.242.55.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemotePool 20.1.0.1-20.1.0.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.242.55.252 66.xxx.xxx.147 255.255.255.255
static (inside,outside) tcp 66.xxx.xxx.146 4555 10.242.55.253 4555 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 ftp 10.242.55.212 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 ftp-data 10.242.55.212 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 https 10.242.55.212 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 ssh 10.242.55.212 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4556 10.242.55.253 4556 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4557 10.242.55.253 4557 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 5156 10.242.55.251 5156 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.147 https 10.242.55.252 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.147 www 10.242.55.252 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.147 ssh 10.242.55.247 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 7071 10.242.55.245 7071 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 7072 10.242.55.245 7072 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 7073 10.242.55.245 7073 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4558 10.242.55.253 4558 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4559 10.242.55.253 4559 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4560 10.242.55.253 4560 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4561 10.242.55.253 4561 netmask 255.255.255.255 0 0
access-group 110 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.145 1
timeout xlate 3:00:00
timeout conn 48:00:00 half-closed 48:00:00 udp 1:30:00 rpc 1:30:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.242.55.100 \
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set VPNTranSet esp-3des esp-md5-hmac
crypto ipsec transform-set BCBSRITranSet esp-3des esp-sha-hmac
crypto dynamic-map VPNMap 20 set transform-set VPNTranSet
<snip>
crypto map VPNMap 94 set transform-set VPNTranSet
crypto map VPNMap 99 ipsec-isakmp dynamic VPNMap
crypto map VPNMap interface outside
isakmp enable outside
<snip>
isakmp identity address
isakmp keepalive 10
isakmp client configuration address-pool local RemotePool outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
vpngroup vpn3000-client address-pool RemotePool
vpngroup vpn3000-client split-tunnel 120
vpngroup vpn3000-client idle-time 1800
vpngroup vpn3000-client password ********
telnet 192.168.254.250 255.255.255.255 outside
telnet 10.242.55.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local RemotePool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username ripcpcremote password *********
dhcpd address 10.242.55.100-10.242.55.129 inside
dhcpd dns 68.9.16.30 68.13.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:c32be5f5eb5b154d49b2d47911144558
: end
Polaris515(config)#


0
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24767096
Hi,

If you want to use more than one IP address on an interface, you must enable proxy ARP:

no sysopt noproxyarp outside

Please refer to this webpage:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml

As far as I can see, the NAT and the access-list are well configured!

Best regards,
Istvan
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24768173
You already have proxyarp enabled because you don't see "no sysopt noproxyarp outside" in the config.
What you need is a static 1-1 NAT with the "dns" tag:
static (inside,outside) 10.242.55.252 66.x.x.147 255.255.255.255 dns

And get rid of the alias:
no alias (inside) 10.242.55.252 66.x.x.147 255.255.255.255
0
 
LVL 7

Accepted Solution

by:Boilermaker85 (earned 500 total points)
ID: 24773355
The alias command is deprecated. lrmoore is correct that you need a 1-1 NAT, and the outside address will be an unused address on that outside subnet. The "dns" at the end is not necessary because your original question did not say anything about DNS - just static NAT.

static (inside,outside) 66.xx.xx.147 10.242.55.252 netmask 255.255.255.255

(Note the order. The syntax is:
static (inside-if-name,outside-if-name) outside-NAT-IP inside-real-ip netmask 255.255.255.255)

This NAT says the PIX will answer any packet destined for 66.xx.xx.147 and NAT it to the internal 10.242.55.252 address. What passes through that NAT is determined by ACL 110.
0
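As an added illustration (not code from anyone in this thread), a small Python check of the PIX 6.x translation order the answers rely on: a 1:1 static wins over the dynamic nat/global pair, while the per-port statics and the alias line do not rewrite the source address of the host's own outbound connections. The sample config lines are reconstructed from the posted config with placeholder public addresses (66.0.0.x) in place of the masked 66.xxx.xxx.x values, and the nat 0 VPN exemption list is ignored.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the posted PIX 6.3(4) config, with
# placeholder public addresses standing in for the masked 66.xxx.xxx.x values.
BEFORE = """
ip address outside 66.0.0.146 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.242.55.252 66.0.0.147 255.255.255.255
static (inside,outside) tcp 66.0.0.147 https 10.242.55.252 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.0.0.147 www 10.242.55.252 www netmask 255.255.255.255 0 0
"""
# The accepted fix: remove the alias, add a 1:1 static (global address first, then real).
AFTER = BEFORE.replace("alias (inside) 10.242.55.252 66.0.0.147 255.255.255.255\n", "") \
    + "static (inside,outside) 66.0.0.147 10.242.55.252 netmask 255.255.255.255\n"

STATIC_PAT = re.compile(r"^static \(inside,outside\) (?:tcp|udp) ")
STATIC_1TO1 = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
GLOBAL = re.compile(r"^global \(outside\) (\d+) (\S+)")
NAT = re.compile(r"^nat \(inside\) (\d+) (\S+) (\S+)")
OUTSIDE_IP = re.compile(r"^ip address outside (\S+) ")


def outbound_source(config, host):
    """Outside address a new outbound connection from `host` carries: a 1:1 static
    takes precedence; otherwise the first matching non-zero nat ID picks its global pool.
    Returns None when no translation matches (the PIX would drop the flow)."""
    one_to_one, pools, nat_rules, outside_ip = {}, {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if STATIC_PAT.match(line):
            continue  # port static: only that port is translated, source untouched
        if m := STATIC_1TO1.match(line):
            one_to_one[m.group(2)] = m.group(1)  # real -> global
        elif m := GLOBAL.match(line):
            pools[int(m.group(1))] = m.group(2)
        elif m := NAT.match(line):
            nat_rules.append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := OUTSIDE_IP.match(line):
            outside_ip = m.group(1)
    if host in one_to_one:
        return one_to_one[host]
    addr = ipaddress.ip_address(host)
    for nat_id, net, mask in nat_rules:  # nat 0 (exemption) is skipped here
        if nat_id and addr in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            pool = pools.get(nat_id)
            return outside_ip if pool == "interface" else pool
    return None
```

With the original config the host still leaves as the interface address, 66.0.0.146; with the 1:1 static added it leaves as 66.0.0.147, while other inside hosts keep using the interface address.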
