Solved

Help with Cisco Pix 515 & nat

Posted on 2009-07-02
379 Views
Last Modified: 2012-05-07
My company has 3 usable outside IP addresses. I have a Cisco PIX 515, and I have to have a certain internal IP address use a specific outside IP address when accessing the internet. Help!
Question by:polaris101
6 Comments
 
LVL 11

Expert Comment

by:billwharton
ID: 24766379
Can you paste the current config of your PIX over here? Also state the public IP address & private IP address and I'll provide you the configs.

Author Comment

by:polaris101
ID: 24766387
I thought this command would do it... but nothing.

alias (inside) 10.242.55.252 66.x.x.147 255.255.255.255

Author Comment

by:polaris101
ID: 24766496
Here is the code...
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .MADZuiaHAg25iU5 encrypted
passwd .MADZuiaHAg25iU5 encrypted
hostname Polaris515
domain-name ripcpc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.24.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.19.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.58.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.75.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.52.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.18.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.20.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.20.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.246.21.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.56.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.31.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.59.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.72.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.37.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.68.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.57.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.51.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.63.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 10.244.39.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 120 permit ip 10.242.55.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list 120 permit ip host 10.242.55.212 host 192.168.109.76
access-list 120 permit icmp any any
access-list 120 permit ip host 10.242.55.212 host 192.168.25.8
access-list 120 permit ip host 10.242.55.212 host 192.168.25.17
access-list 120 permit ip host 10.242.55.212 host 192.168.25.21
access-list 120 permit ip host 10.242.55.212 host 192.168.25.22
access-list 120 permit ip host 10.242.55.252 host 192.168.25.8
access-list 120 permit ip host 10.242.55.252 host 192.168.25.17
access-list 120 permit ip host 10.242.55.252 host 192.168.25.21
access-list 120 permit ip host 10.242.55.252 host 192.168.25.22
access-list 130 permit ip 10.242.55.0 255.255.255.0 10.244.68.0 255.255.255.0
access-list 146 permit ip host 10.242.55.212 host 192.168.25.8
access-list 146 permit ip host 10.242.55.212 host 192.168.25.17
access-list 146 permit ip host 10.242.55.212 host 192.168.25.21
access-list 146 permit ip host 10.242.55.212 host 192.168.25.22
access-list 146 permit ip host 10.242.55.252 host 192.168.25.8
access-list 146 permit ip host 10.242.55.252 host 192.168.25.17
access-list 146 permit ip host 10.242.55.252 host 192.168.25.21
access-list 146 permit ip host 10.242.55.252 host 192.168.25.22
access-list 150 permit ip 10.242.55.0 255.255.255.0 10.244.24.0 255.255.255.0
access-list 152 permit ip 10.242.55.0 255.255.255.0 10.246.19.0 255.255.255.0
access-list 158 permit ip 10.242.55.0 255.255.255.0 10.244.58.0 255.255.255.0
access-list 164 permit ip 10.242.55.0 255.255.255.0 10.244.75.0 255.255.255.0
access-list 168 permit ip 10.242.55.0 255.255.255.0 10.244.52.0 255.255.255.0
access-list 170 permit ip 10.242.55.0 255.255.255.0 10.244.72.0 255.255.255.0
access-list 172 permit ip 10.242.55.0 255.255.255.0 10.246.18.0 255.255.255.0
access-list 174 permit ip 10.242.55.0 255.255.255.0 10.246.20.0 255.255.255.0
access-list 178 permit ip 10.242.55.0 255.255.255.0 10.244.20.0 255.255.255.0
access-list 182 permit ip 10.242.55.0 255.255.255.0 10.246.21.0 255.255.255.0
access-list 184 permit ip 10.242.55.0 255.255.255.0 10.244.56.0 255.255.255.0
access-list 190 permit ip 10.242.55.0 255.255.255.0 10.244.31.0 255.255.255.0
access-list 194 permit ip 10.242.55.0 255.255.255.0 10.244.59.0 255.255.255.0
access-list 126 permit ip 10.242.55.0 255.255.255.0 10.244.37.0 255.255.255.0
access-list 134 permit ip 10.242.55.0 255.255.255.0 10.244.51.0 255.255.255.0
access-list 132 permit ip 10.242.55.0 255.255.255.0 10.244.57.0 255.255.255.0
access-list 138 permit ip 10.242.55.0 255.255.255.0 10.244.63.0 255.255.255.0
access-list 142 permit ip 10.242.55.0 255.255.255.0 10.244.39.0 255.255.255.0
access-list 110 permit tcp any host 66.xxx.xxx.146 eq https
access-list 110 permit tcp any host 66.xxx.xxx.146 eq ftp
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4555
access-list 110 permit tcp any host 66.xxx.xxx.146 eq ftp-data
access-list 110 permit tcp any host 66.xxx.xxx.147 eq https
access-list 110 permit tcp any host 66.xxx.xxx.147 eq www
access-list 110 permit icmp any any
access-list 110 permit tcp any host 66.xxx.xxx.146 eq ssh
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 5156
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4556
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4557
access-list 110 permit tcp any host 66.xxx.xxx.147 eq ssh
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 7071
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 7072
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 7073
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4558
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4559
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4560
access-list 110 permit tcp any host 66.xxx.xxx.146 eq 4561
access-list 148 permit ip 10.242.55.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list 131 permit ip 10.242.55.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list 123 permit ip host 10.242.55.212 host 192.168.109.76
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.xxx.xxx.146 255.255.255.240
ip address inside 10.242.55.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemotePool 20.1.0.1-20.1.0.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.242.55.252 66.xxx.xxx.147 255.255.255.255
static (inside,outside) tcp 66.xxx.xxx.146 4555 10.242.55.253 4555 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 ftp 10.242.55.212 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 ftp-data 10.242.55.212 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 https 10.242.55.212 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 ssh 10.242.55.212 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4556 10.242.55.253 4556 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4557 10.242.55.253 4557 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 5156 10.242.55.251 5156 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.147 https 10.242.55.252 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.147 www 10.242.55.252 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.147 ssh 10.242.55.247 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 7071 10.242.55.245 7071 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 7072 10.242.55.245 7072 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 7073 10.242.55.245 7073 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4558 10.242.55.253 4558 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4559 10.242.55.253 4559 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4560 10.242.55.253 4560 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.xxx.xxx.146 4561 10.242.55.253 4561 netmask 255.255.255.255 0 0
access-group 110 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.145 1
timeout xlate 3:00:00
timeout conn 48:00:00 half-closed 48:00:00 udp 1:30:00 rpc 1:30:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.242.55.100 \
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set VPNTranSet esp-3des esp-md5-hmac
crypto ipsec transform-set BCBSRITranSet esp-3des esp-sha-hmac
crypto dynamic-map VPNMap 20 set transform-set VPNTranSet
<snip>
crypto map VPNMap 94 set transform-set VPNTranSet
crypto map VPNMap 99 ipsec-isakmp dynamic VPNMap
crypto map VPNMap interface outside
isakmp enable outside
 
<snip>
 
 
isakmp identity address
isakmp keepalive 10
isakmp client configuration address-pool local RemotePool outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
vpngroup vpn3000-client address-pool RemotePool
vpngroup vpn3000-client split-tunnel 120
vpngroup vpn3000-client idle-time 1800
vpngroup vpn3000-client password ********
telnet 192.168.254.250 255.255.255.255 outside
telnet 10.242.55.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local RemotePool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username ripcpcremote password *********
dhcpd address 10.242.55.100-10.242.55.129 inside
dhcpd dns 68.9.16.30 68.13.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:c32be5f5eb5b154d49b2d47911144558
: end
Polaris515(config)#

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24767096
Hi,

If you want to use more than one IP address on an interface, you must enable proxy ARP:

no sysopt noproxyarp outside

Please refer to this webpage:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml

As I see it, the NAT and the access-list are well configured!

Best regards,
Istvan
LVL 79

Expert Comment

by:lrmoore
ID: 24768173
You already have proxy ARP enabled, because you don't see "no sysopt noproxyarp outside" in the config.
What you need is a static 1-1 NAT with the "dns" tag:
static (inside,outside) 10.242.55.252 66.x.x.147 255.255.255.255 dns

And get rid of the alias:
no alias (inside) 10.242.55.252 66.x.x.147 255.255.255.255
LVL 7

Accepted Solution

by:Boilermaker85 (earned 500 total points)
ID: 24773355
The alias command is deprecated. lrmoore is correct that you need a 1-1 NAT, and the outside address will be an unused address on that outside subnet. The "dns" at the end is not necessary because your original question did not say anything about DNS - just static NAT.

static (inside,outside) 66.xx.xx.147 10.242.55.252 netmask 255.255.255.255

(Note the order. The syntax is "static (inside-if-name,outside-if-name) outside-NAT-IP inside-real-ip netmask 255.255.255.255".)

This NAT says the PIX will answer any packet destined for 66.xx.xx.147 and NAT it to the internal 10.242.55.252 address. What passes through that NAT is determined by ACL 110.
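As an added example that is not part of the thread, a small Python audit of the two points raised in the accepted answer: it flags deprecated alias lines and detects a plain 1-to-1 static whose global and local addresses are in the wrong order by checking each address against the interface subnets, then emits the corrected lines. The config excerpt is constructed from the posted PIX 6.3 config, with the masked 66.xxx.xxx.0/28 block replaced by the documentation prefix 203.0.113.0/28; the replacement static assumes the global side is the interface named "outside".

```python
import ipaddress
import re

# Constructed excerpt modelled on the PIX 6.3 config posted in the thread; the
# masked 66.xxx.xxx.0/28 block is replaced by the documentation prefix 203.0.113.0/28.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.146 255.255.255.240
ip address inside 10.242.55.254 255.255.255.0
alias (inside) 10.242.55.252 203.0.113.147 255.255.255.255
static (inside,outside) tcp 203.0.113.147 www 10.242.55.252 www netmask 255.255.255.255 0 0
static (inside,outside) 10.242.55.252 203.0.113.147 netmask 255.255.255.255
"""

IFACE_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
# Plain 1-to-1 static: "static (local-if,global-if) <global> <local> netmask <mask>";
# port statics ("static (...) tcp ...") are deliberately left alone.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) netmask")
ALIAS_RE = re.compile(r"^alias \((\w+)\) (\S+) (\S+) (\S+)")


def audit_one_to_one_nat(config):
    """Return (kind, line, suggested fix) for deprecated alias lines and for
    plain 1-to-1 statics whose global/local order contradicts the interface subnets."""
    nets = {}
    for m in filter(None, map(IFACE_RE.match, config.splitlines())):
        nets[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    findings = []
    for line in config.splitlines():
        a = ALIAS_RE.match(line)
        if a:
            iface, local_ip, global_ip, mask = a.groups()
            # Replacement static assumes the global side is the interface named "outside".
            fix = f"no {line}\nstatic ({iface},outside) {global_ip} {local_ip} netmask {mask}"
            findings.append(("deprecated-alias", line, fix))
            continue
        s = STATIC_RE.match(line)
        if not s:
            continue
        local_if, global_if, first, second = s.groups()
        first_ip, second_ip = ipaddress.ip_address(first), ipaddress.ip_address(second)
        # Correct order is global (outside) address first, real inside address second;
        # a line whose first address sits on the inside subnet has them swapped.
        if first_ip in nets[local_if].network and second_ip in nets[global_if].network:
            fix = line.replace(f" {first} {second} ", f" {second} {first} ")
            findings.append(("reversed-static", line, fix))
        else:
            findings.append(("ok", line, None))
    return findings
```

Running `audit_one_to_one_nat(SAMPLE_CONFIG)` reports the alias line and the reversed static, each with the replacement line the accepted answer prescribes.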