#1

I have the following entries set up (PIX Version 6.1(4)):

static (inside,outside) tcp xxx.xxx.xxx.xxx 443 192.168.1.127 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx 22 192.168.1.127 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0

The first two ports (22, 443) go to server 192.168.1.127, the third port (23) goes to server 192.168.1.150. The first two work correctly, but when I telnet (23) to xxx.xxx.xxx.xxx, the first server answers (192.168.1.127). I am confused. I basically copied this straight from the Cisco website example, substituting my IP addresses. Any ideas?

Thanks in advance,
Dan Rice
DRice

#2

In article <k38vb.11421$>,
DRice <> wrote:
:I have the following entries set up (PIX Version 6.1(4)):
:static (inside,outside) tcp xxx.xxx.xxx.xxx 443 192.168.1.127 443 netmask 255.255.255.255 0 0
:static (inside,outside) tcp xxx.xxx.xxx.xxx 22 192.168.1.127 22 netmask 255.255.255.255 0 0
:static (inside,outside) tcp xxx.xxx.xxx.xxx telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
:The first two ports (22,443) go to server 192.168.1.127, the third port (23)
:goes to server 192.168.1.150. The first two work correctly, but when I
:telnet (23) to xxx.xxx.xxx.xxx, the first server answers (192.168.1.127).

Those entries look correct at the moment, but I'm left wondering whether xxx.xxx.xxx.xxx happens to be the external IP address of the PIX? If it is, then you need to use the word 'interface' instead of the actual IP address.

static (inside, outside) tcp interface 443 192.168.1.127 443 netmask 255.255.255.255 0 0

and so on.
--
"Infinity is like a stuffed walrus I can hold in the palm of my hand.
Don't do anything with infinity you wouldn't do with a stuffed walrus."
-- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.

#3

"Walter Roberson" <> wrote in message
news:bpj3fg$1od$...
> In article <k38vb.11421$>,
> DRice <> wrote:
> :I have the following entries set up (PIX Version 6.1(4)):
>
> :static (inside,outside) tcp xxx.xxx.xxx.xxx 443 192.168.1.127 443 netmask 255.255.255.255 0 0
> :static (inside,outside) tcp xxx.xxx.xxx.xxx 22 192.168.1.127 22 netmask 255.255.255.255 0 0
> :static (inside,outside) tcp xxx.xxx.xxx.xxx telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
>
> :The first two ports (22,443) go to server 192.168.1.127, the third port (23)
> :goes to server 192.168.1.150. The first two work correctly, but when I
> :telnet (23) to xxx.xxx.xxx.xxx, the first server answers (192.168.1.127).
>
> Those entries look correct at the moment, but I'm left wondering
> whether xxx.xxx.xxx.xxx happens to be the external IP address of the
> PIX? If it is, then you need to use the word 'interface' instead of
> the actual IP address.
>
> static (inside, outside) tcp interface 443 192.168.1.127 443 netmask 255.255.255.255 0 0
>
> and so on.
> --
> "Infinity is like a stuffed walrus I can hold in the palm of my hand.
> Don't do anything with infinity you wouldn't do with a stuffed walrus."
> -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.

No, it is one of the IPs in our range, not the actual PIX interface IP. Our address range is xxx.yyy.zzz.32 255.255.255.240. 33 is our router, 34 is the PIX, 35 is used for internal access, and 36 is used for PAT. Which has led me to another issue. I tried using a static xxx.yyy.zzz.37 192.168.1.150 and created an ACL to allow tcp myipaddress any, and it won't even respond. Something is amiss.

Dan

#4

On Thu, 20 Nov 2003 13:17:33 -0600, DRice wrote:

> "Walter Roberson" <> wrote in message
> news:bpj3fg$1od$...
>> In article <k38vb.11421$>,
>> DRice <> wrote:
>> :I have the following entries set up (PIX Version 6.1(4)):
>>
>> :static (inside,outside) tcp xxx.xxx.xxx.xxx 443 192.168.1.127 443 netmask 255.255.255.255 0 0
>> :static (inside,outside) tcp xxx.xxx.xxx.xxx 22 192.168.1.127 22 netmask 255.255.255.255 0 0
>> :static (inside,outside) tcp xxx.xxx.xxx.xxx telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
>>
>> :The first two ports (22,443) go to server 192.168.1.127, the third port (23)
>> :goes to server 192.168.1.150. The first two work correctly, but when I
>> :telnet (23) to xxx.xxx.xxx.xxx, the first server answers (192.168.1.127).
>>
>> Those entries look correct at the moment, but I'm left wondering
>> whether xxx.xxx.xxx.xxx happens to be the external IP address of the
>> PIX? If it is, then you need to use the word 'interface' instead of the
>> actual IP address.
>>
>> static (inside, outside) tcp interface 443 192.168.1.127 443 netmask 255.255.255.255 0 0
>>
>> and so on.
>> --
>> "Infinity is like a stuffed walrus I can hold in the palm of my
>> hand. Don't do anything with infinity you wouldn't do with a stuffed
>> walrus." -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
>
> No, it is one of the IP's in our range, not the actual PIX interface IP.
> Our address range is xxx.yyy.zzz.32 255.255.255.240. 33 is our router,
> 34, is the PIX, 35 is used for internal access, and 36 is used for PAT.
> Which has led me to another issue. I tried using a static
> xxx.yyy.zzz.37 192.168.1.150 and created an acl to allow tcp myipaddress
> any and it won't even respond. Something is amiss.
>
> Dan

Dan,

Are the hosts being statically PAT'ed included in a nat/global policy that does not include the global PAT addresses?

If so you may want to have a look at CSCdy56503. Basically you need to "add in PAT rules for the inside host to use the same global address as the static PAT statement." The 6.3 documentation has been modified to include this information.

Rik Bain

#5

"Rik Bain" <> wrote in message
news
> On Thu, 20 Nov 2003 13:17:33 -0600, DRice wrote:
>
> > "Walter Roberson" <> wrote in message
> > news:bpj3fg$1od$...
> >> In article <k38vb.11421$>,
> >> DRice <> wrote:
> >> :I have the following entries set up (PIX Version 6.1(4)):
> >>
> >> :static (inside,outside) tcp xxx.xxx.xxx.xxx 443 192.168.1.127 443 netmask 255.255.255.255 0 0
> >> :static (inside,outside) tcp xxx.xxx.xxx.xxx 22 192.168.1.127 22 netmask 255.255.255.255 0 0
> >> :static (inside,outside) tcp xxx.xxx.xxx.xxx telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
> >>
> >> :The first two ports (22,443) go to server 192.168.1.127, the third port (23)
> >> :goes to server 192.168.1.150. The first two work correctly, but when I
> >> :telnet (23) to xxx.xxx.xxx.xxx, the first server answers (192.168.1.127).
> >>
> >> Those entries look correct at the moment, but I'm left wondering
> >> whether xxx.xxx.xxx.xxx happens to be the external IP address of the
> >> PIX? If it is, then you need to use the word 'interface' instead of the
> >> actual IP address.
> >>
> >> static (inside, outside) tcp interface 443 192.168.1.127 443 netmask 255.255.255.255 0 0
> >>
> >> and so on.
> >> --
> >> "Infinity is like a stuffed walrus I can hold in the palm of my
> >> hand. Don't do anything with infinity you wouldn't do with a stuffed
> >> walrus." -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
> >
> > No, it is one of the IP's in our range, not the actual PIX interface IP.
> > Our address range is xxx.yyy.zzz.32 255.255.255.240. 33 is our router,
> > 34, is the PIX, 35 is used for internal access, and 36 is used for PAT.
> > Which has led me to another issue. I tried using a static
> > xxx.yyy.zzz.37 192.168.1.150 and created an acl to allow tcp myipaddress
> > any and it won't even respond. Something is amiss.
> >
> > Dan
>
> Dan,
>
> Are the hosts being statically pat'ed included in a nat/global policy
> that does not include the global pat addresses?
>
> If so you may want to have a look at CSCdy56503 -
>
> Basically you need to "add in PAT rules for the
> inside host to use the same global address as the static PAT statement."
>
> The 6.3 documentation has been modified to include this information.
>
> rik Bain

Phew... that went straight over my head. But I have been staring at this stuff all day and now it's all like a foreign language.

DRice

#6

"Rik Bain" <> wrote in message
news
> On Thu, 20 Nov 2003 13:17:33 -0600, DRice wrote:
>
> > "Walter Roberson" <> wrote in message
> > news:bpj3fg$1od$...
> >> In article <k38vb.11421$>,
> >> DRice <> wrote:
> >> :I have the following entries set up (PIX Version 6.1(4)):
> >>
> >> :static (inside,outside) tcp xxx.xxx.xxx.xxx 443 192.168.1.127 443 netmask 255.255.255.255 0 0
> >> :static (inside,outside) tcp xxx.xxx.xxx.xxx 22 192.168.1.127 22 netmask 255.255.255.255 0 0
> >> :static (inside,outside) tcp xxx.xxx.xxx.xxx telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
> >>
> >> :The first two ports (22,443) go to server 192.168.1.127, the third port (23)
> >> :goes to server 192.168.1.150. The first two work correctly, but when I
> >> :telnet (23) to xxx.xxx.xxx.xxx, the first server answers (192.168.1.127).
> >>
> >> Those entries look correct at the moment, but I'm left wondering
> >> whether xxx.xxx.xxx.xxx happens to be the external IP address of the
> >> PIX? If it is, then you need to use the word 'interface' instead of the
> >> actual IP address.
> >>
> >> static (inside, outside) tcp interface 443 192.168.1.127 443 netmask 255.255.255.255 0 0
> >>
> >> and so on.
> >> --
> >> "Infinity is like a stuffed walrus I can hold in the palm of my
> >> hand. Don't do anything with infinity you wouldn't do with a stuffed
> >> walrus." -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
> >
> > No, it is one of the IP's in our range, not the actual PIX interface IP.
> > Our address range is xxx.yyy.zzz.32 255.255.255.240. 33 is our router,
> > 34, is the PIX, 35 is used for internal access, and 36 is used for PAT.
> > Which has led me to another issue. I tried using a static
> > xxx.yyy.zzz.37 192.168.1.150 and created an acl to allow tcp myipaddress
> > any and it won't even respond. Something is amiss.
> >
> > Dan
>
> Dan,
>
> Are the hosts being statically pat'ed included in a nat/global policy
> that does not include the global pat addresses?
>
> If so you may want to have a look at CSCdy56503 -
>
> Basically you need to "add in PAT rules for the
> inside host to use the same global address as the static PAT statement."
>
> The 6.3 documentation has been modified to include this information.
>
> rik Bain

Ok, I think I get what you are getting at (although I can't get CSCdy56503), but wouldn't it not work at all if this were the case? It routes the first two statics correctly to server1, but the third static gets routed to Server1 also, instead of the Server2 address like the command line says. It's basically ignoring the local IP entry. I wrote this exactly like the Cisco webpage ( http://www.cisco.com/en/US/products/...80094aad.shtml ) said to, yet it doesn't work correctly.

DRice

#7

On Thu, 20 Nov 2003 22:37:34 -0600, DRice wrote:

>
> Ok, I think I get what you are getting at (although I can't get
> CSCdy56503), but wouldn't it not work at all if this were the case? It
> routes the first two statics correctly to server1, but the third static
> gets routed to Server1 also, instead of the Server2 address like the
> command line says. It's basically ignoring the local IP entry. I wrote
> this exactly like the cisco webpage (
> http://www.cisco.com/en/US/products/...80094aad.shtml
> ) said to, yet it doesn't work correctly.
>
> DRice

Can you post the output of:

show stat
sh nat
sh global

you can change the ip addresses. . .

#8

"Rik Bain" <> wrote in message
>
> Can you post the output of:
>
> show stat
> sh nat
> sh global
>
> you can change the ip addresses. . .

Here is what I get.

finifw# sh stat
static (inside,outside) tcp xxx.yyy.zzz.35 22 192.168.1.127 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yyy.zzz.35 443 192.168.1.127 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yyy.zzz.35 telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
finifw# sh nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
finifw# sh global
global (outside) 1 xxx.yyy.zzz.36

Again, all ports get directed to 192.168.1.127, regardless of what the static line says.

DRice

#9

On Fri, 21 Nov 2003 18:33:37 -0600, DRice wrote:

> "Rik Bain" <> wrote in message
>>
>> Can you post the output of:
>>
>> show stat
>> sh nat
>> sh global
>>
>> you can change the ip addresses. . .
>
> Here is what I get.
>
> finifw# sh stat
> static (inside,outside) tcp xxx.yyy.zzz.35 22 192.168.1.127 22 netmask 255.255.255.255 0 0
> static (inside,outside) tcp xxx.yyy.zzz.35 443 192.168.1.127 443 netmask 255.255.255.255 0 0
> static (inside,outside) tcp xxx.yyy.zzz.35 telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
> finifw# sh nat
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> finifw# sh global
> global (outside) 1 xxx.yyy.zzz.36
>
> Again, all ports get directed to 192.168.1.127, regardless of what the
> static line says.
>
> DRice

OK, so 192.168.1.127 is included in nat/global policy 1, which translates to .36, but your statics translate it to .35 (for certain ports).

From the command reference:

"If you have a separate translation for all inside traffic that uses a different global address, you can still configure the Telnet server to use the same address as the static statement by creating a more exclusive nat statement just for that server. Because nat statements are read for the best match, more exclusive nat statements are matched before general statements.

static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
nat (inside) 1 10.1.1.15 255.255.255.255
global (outside) 1 10.1.2.14 netmask 255.255.255.255
nat (inside) 2 0.0.0.0 0.0.0.0
global (outside) 2 10.1.2.78 netmask 255.255.255.255"

What does that mean?

You have:

static (inside,outside) tcp xxx.yyy.zzz.35 22 192.168.1.127 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yyy.zzz.35 443 192.168.1.127 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yyy.zzz.35 telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 xxx.yyy.zzz.36

Now add:

nat (inside) 10 192.168.1.127 255.255.255.255
nat (inside) 10 192.168.1.150 255.255.255.255
global (outside) 10 xxx.yyy.zzz.35 netmask 255.255.255.255

This is basically what the bug ID I posted earlier states.

HTH,
Rik Bain
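Rik's reconciliation rule, as an added example that is not code from the thread: a Python check that parses PIX 6.x static, nat and global lines, resolves each static PAT's inside host to its best-match nat id, and flags statics whose global address is not carried by a global in that policy. The 203.0.113.x addresses are constructed stand-ins for the poster's xxx.yyy.zzz.x range, and the check covers only single-address or first-last global pools.

```python
import ipaddress, re

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")

# Added example, not the thread's code. BEFORE is the poster's config with constructed
# 203.0.113.x addresses standing in for xxx.yyy.zzz.x; AFTER adds the fix Rik gives.
BEFORE = """
static (inside,outside) tcp 203.0.113.35 22 192.168.1.127 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.35 443 192.168.1.127 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.35 telnet 192.168.1.150 telnet netmask 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.0.113.36
"""
AFTER = BEFORE + """
nat (inside) 10 192.168.1.127 255.255.255.255
nat (inside) 10 192.168.1.150 255.255.255.255
global (outside) 10 203.0.113.35 netmask 255.255.255.255
"""

def parse(config):
    """Collect static, nat and global entries; every other line is ignored."""
    statics, nats, pools = [], [], []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups())  # (in_if, out_if, gaddr, gport, laddr, lport)
        elif m := NAT_RE.match(line):
            if_name, nat_id, addr, mask = m.groups()
            nats.append((if_name, int(nat_id), ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            if_name, nat_id, pool = m.groups()
            lo, _, hi = pool.partition("-")  # a single address or a "first-last" range
            pools.append((if_name, int(nat_id), ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
    return statics, nats, pools

def nat_id_for(nats, if_name, host):
    """nat statements are read for the best match: the most specific network wins."""
    host = ipaddress.ip_address(host)
    hits = [(net.prefixlen, nat_id) for i, nat_id, net in nats if i == if_name and host in net]
    return max(hits)[1] if hits else None

def check_static_pat(config):
    """Return (gaddr, port, host) for each static PAT whose host's nat id has no global covering gaddr."""
    statics, nats, pools = parse(config)
    def covered(out_if, nat_id, gaddr):  # no nat policy, or nat 0 (no translation): nothing to reconcile
        return nat_id in (None, 0) or any(i == out_if and n == nat_id and lo <= ipaddress.ip_address(gaddr) <= hi
                                          for i, n, lo, hi in pools)
    return [(g, p, h) for in_if, out_if, g, p, h, _ in statics
            if not covered(out_if, nat_id_for(nats, in_if, h), g)]
```

With BEFORE all three statics are reported, because 192.168.1.127 and 192.168.1.150 only match nat 1, whose global is .36; with AFTER the more specific nat 10 wins and its global carries .35, so nothing is reported.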

#10

In article <LLBvb.15947$>,
DRice <> wrote:
:Unfortunately, I do not have (or know how to get) the 'bug id's'. They must
:be at a deeper level on the Cisco website than I can gain access to.
:Either that, or I am stupid. Either way, thank you very much for clearing
:that up for me.

If you put the bug number Rik quoted into the www.cisco.com search window, then the results page will recommend using the bug toolkit. Click on that, and it will ask for your CCO username and password. Enter those in and the bug toolkit will open and display the description of the bug.
--
Warhol's Second Law of Usenet: "In the future, everyone will troll for 15 minutes."