Get from outside through Cisco 827, PIX 501 to Server. Urgent.pls help

 
 
Marc
Guest
Posts: n/a
 
      01-15-2004
I bought a Wireless camera about 2 months ago. It is set up to use port 81
and 8482. Its IP is 192.168.1.50. So from the 'outside,' I type [the IP
address of Dialer1 in my Cisco 827]:81 or :8482. It always times out.

My set up is DSL PPPoE (Dynamic IP. I have to look up the IP every day for
what I want to do)
Cisco 827 10.1.1.1
PIX 501 (Outside 10.1.1.35) (Inside 192.168.1.1, the gateway obviously)
Inside network 192.168.1.X

Also, I can ping my 827 from my inside network. But when I telnet into the
router from my inside network and ping my inside network, it times out too.
The farthest I can get is the inside interface of the PIX. I thought Chap
may have something to do with all of this, but I'm not sure. I know if I
could just ping my inside network from my router, that would probably solve
most of this.

I've been at this for 2 months, and have tried everything. NG searches, Port
forwarding, access-lists. Nothing seems to work. I had port forwarding and
access-lists specifically for ports www, 81 and 8482 on my router, but I
removed them, because they didn't make a difference. I'm sure the answer
lies in my firewall, but no matter what I do, I can't get to my inside
network from the outside. Not even a ping from the router. I'm not an expert
like a lot of you, so I hope this is not too rudimentary. But I'm all out of
ideas. Any help would be greatly appreciated. My configs are below:

PIX 501:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0JeJdBKOXHOPaqYc encrypted
passwd 0JeJdBKOXHOPaqYc encrypted
hostname pixfirewall
domain-name blabla.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 66.0.0.0 DNS
name 10.1.1.35 PIX_OUTSIDE
name 192.168.1.1 PIX_INSIDE
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any any eq 81
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 8481
access-list outside_access_in deny ip any any
access-list inside_access_in permit ip any any
access-list inbound permit tcp any any eq 8482
no pager
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.1.17 format emblem
mtu outside 1492
mtu inside 1492
ip address outside PIX_OUTSIDE 255.0.0.0
ip address inside PIX_INSIDE 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 inside
pdm location DNS 255.255.255.0 inside
pdm location DNS 255.255.255.255 outside
pdm location PIX_OUTSIDE 255.255.255.255 outside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location PIX_OUTSIDE 255.255.255.255 inside
pdm location 192.168.1.17 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255 0 0
static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 66.228.128.70 66.228.128.202
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
terminal width 80
Cryptochecksum:6e2da49431ab4c028e1cc447ccc9d090
: end
[OK]

Cisco 827:
Using 2038 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DSLrouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
!
username blabla password 7 010409160A0D030B
username CRWS_Kannan privilege 15 password 7 015757406C5A002E65431F062A2007135A5F527E7F7D78656775
no aaa new-model
ip subnet-zero
ip name-server 66.228.128.70
ip name-server 66.228.128.69
ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.0.0.33 10.255.255.254
!
ip dhcp pool CLIENT
import all
network 10.0.0.0 255.0.0.0
default-router 10.1.1.1
lease 0 2
!
ip ssh break-string
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
ip address 10.1.1.1 255.0.0.0 secondary
ip address 10.10.10.1 255.255.255.0
ip mtu 1452
ip nat inside
ip tcp adjust-mss 1452
ipv6 mtu 1452
hold-queue 100 out
!
interface Virtual-Template1
no ip address
!
interface ATM0
mtu 1492
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname blabla
ppp chap password 7 07182E5E1F0F1C01
ppp pap sent-username blabla password 7 131218005A0A012E
ppp ipcp dns request
ppp ipcp wins request
!
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure-server
!
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 120 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
exec-timeout 120 0
login local
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end




 
 
 
 
 
scott enwright
Guest
Posts: n/a
 
      01-15-2004
Marc,

Doesn't the configuration have to have the following properties:
1. A public address on the outside interface of the 827 router (a static
address would be preferable)
2. A private IP address on the inside of the 827 router
3. NAT is performed for all traffic entering the 827's Ethernet interface
and leaving the PPPoE circuit.
4. A private IP address is on the PIX's outside interface
5. A (different) private network is on the PIX's inside interface
6. NAT is being performed for all traffic leaving the PIX to the web

For this to work you need a configuration that:
1. Translates ports 81 and 8482 on the 827 public address into a private
address (one that is not defined on the PIX)
2. The PIX needs to translate these addresses to the real internal (PIX
inside) addresses/ports.

I have made the following assumptions:
1. Both port 81 and 8482 go to the same box and the same ports.

Here are the config changes:

name 10.1.1.36 WEBSERVER
no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255
no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255
no static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255
no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255
no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255

no access-list outside_access_in
access-list outside_access_in permit tcp any host 10.1.1.36 eq 81
access-list outside_access_in permit tcp any host 10.1.1.36 eq 8481
access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside
no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 10.10.10.1

no ip dhcp excluded-address 10.1.1.1
no ip dhcp excluded-address 10.0.0.33 10.255.255.254
no ip dhcp pool CLIENT


Cisco 827 Changes
====================
interface Ethernet0
no ip address 10.1.1.1 255.0.0.0 secondary
exit
ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81 extendable no-alias
ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481 extendable no-alias


Afterwards, can you do a 'show ip nat translations' and on the pix 'show
xlate' and repost this data and the new configs

Regards,

Scott.
\|/
(o o)
---------------------oOOO--(_)--OOOo----------------------
Out the 100Base-T, off the firewall, through the router, down
the T1, over the leased line, off the bridge, nothing but Net.
(Use ROT13 to see my email address)
.oooO Oooo.
----------------------( )---( )-----------------------
\ ( ) /
\_) (_/





 
 
 
 
 
Phillip Remaker
Guest
Posts: n/a
 
      01-15-2004

"Marc" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Also, I can ping my 827 from my inside network. But when I telnet into the
> router from my inside network and ping my inside network, it times out
> too.

Right, that's what you want the 501 doing. Allow outbound, stop inbound.
You need to punch a hole through the 501 to allow inbound traffic.


> The farthest I can get is the inside interface of the PIX.


That is a feature. If you want pings answered from the outside, you'd need
to add
access-list outside_access_in permit icmp any any echo-request

Couple things:

0) You really want a static address service for this job.
0a) Or a DDNS service (most webcams support that these days... which webcam?
Linksys does DDNS)

1) If you are trying to attach TO the webcam, you will need a translation
for the 827 of the form
ip nat inside source static tcp y.y.y.y 81 x.x.x.x 81 extendable
ip nat inside source static tcp y.y.y.y 8483 5900 x.x.x.x 8483 extendable

Where y.y.y.y is the inside address and x.x.x.x is the public IP.

BUT since your public IP is dynamic, you can't do that.

I'm not sure there is a way to allow these maps to learn and use the dynamic
address, unless the form

ip nat inside source static tcp y.y.y.y 81 interface dialer 0 81 extendable
ip nat inside source static tcp y.y.y.y 8483 5900 interface dialer 0 8483 extendable

is accepted by the parser, which I think it is not.

Why do you have the 827 involved at all? Just as an (expensive) DSL modem?
You might prefer getting an RFC1483 bridge (cheap!) and using the PPPOE
feature of the 501.

Or better, get a static address.

Double NAT is too painful even for the heartiest of folks.

This application begs for a static address.

If you just need simple NAT services, you might consider a Linksys in this
application.


 
 
Marc
Guest
Posts: n/a
 
      01-16-2004
Thank you for the config. I changed it. The new configs are below, as well
as the xlate and ip nat translations. It looks like port 80, 81, 8481 and
8482 are still blank. Can you determine what I did wrong? Thanks.

DSL Router:
DSLrouter#sh ip nat translations
Pro Inside global         Inside local       Outside local         Outside global
tcp 24.155.75.86:64436    10.1.1.35:64436    24.167.56.193:1949    24.167.56.193:1949
tcp 24.155.75.86:1        10.1.1.1:23        10.1.1.35:64336       10.1.1.35:64336
tcp 24.155.75.86:64495    10.1.1.35:64495    64.157.107.71:80      64.157.107.71:80
tcp 24.155.75.86:64496    10.1.1.35:64496    64.157.107.71:80      64.157.107.71:80
tcp 24.155.75.86:80       192.1.2.14:80      ---                   ---
tcp 24.155.75.86:81       192.1.2.14:81      ---                   ---
tcp 24.155.75.86:64498    10.1.1.35:64498    209.11.131.36:80      209.11.131.36:80
tcp 24.155.75.86:64521    10.1.1.35:64521    24.165.151.247:1077   24.165.151.247:1077
tcp 24.155.75.86:64522    10.1.1.35:64522    24.165.151.247:1077   24.165.151.247:1077
tcp 24.155.75.86:64523    10.1.1.35:64523    24.165.151.247:1077   24.165.151.247:1077
tcp 24.155.75.86:8481     192.1.2.14:8481    ---                   ---
tcp 24.155.75.86:8482     192.1.2.14:8482    ---                   ---
tcp 24.155.75.86:64361    10.1.1.35:64361    216.155.193.167:5050  216.155.193.167:5050
tcp 24.155.75.86:64501    10.1.1.35:64501    67.23.182.154:3531    67.23.182.154:3531
tcp 24.155.75.86:64487    10.1.1.35:64487    66.135.211.87:443     66.135.211.87:443

PIX 501

pixfirewall# sh xlate
12 in use, 318 most used
PAT Global PIX_OUTSIDE(64501) Local 192.168.1.101(2734)
PAT Global PIX_OUTSIDE(64496) Local 192.168.1.102(4160)
PAT Global PIX_OUTSIDE(64495) Local 192.168.1.102(4159)
PAT Global PIX_OUTSIDE(64487) Local 192.168.1.102(4153)
PAT Global PIX_OUTSIDE(64436) Local 192.168.1.101(2723)
PAT Global PIX_OUTSIDE(64361) Local 192.168.1.102(4035)
PAT Global PIX_OUTSIDE(64353) Local 192.168.1.102(4010)
PAT Global PIX_OUTSIDE(64336) Local 192.168.1.102(3996)
PAT Global PIX_OUTSIDE(64523) Local 192.168.1.101(2741)
PAT Global PIX_OUTSIDE(64522) Local 192.168.1.101(2740)
PAT Global PIX_OUTSIDE(64521) Local 192.168.1.101(2739)
PAT Global PIX_OUTSIDE(64514) Local 192.168.1.102(4173)

Current Configs
PIX 501
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0JeJdBKOXHOPaqYc encrypted
passwd 0JeJdBKOXHOPaqYc encrypted
hostname pixfirewall
domain-name blabla.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 66.0.0.0 DNS
name 10.1.1.35 PIX_OUTSIDE
name 192.168.1.1 PIX_INSIDE
name 10.1.1.36 WEBSERVER
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp any host WEBSERVER eq 81
access-list outside_access_in permit tcp any host WEBSERVER eq www
access-list outside_access_in permit tcp any host WEBSERVER eq 8481
access-list outside_access_in permit tcp any host WEBSERVER eq 8482
access-list inside_access_in permit ip any any
access-list inbound permit tcp any any eq 8482
no pager
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.1.17 format emblem
mtu outside 1492
mtu inside 1492
ip address outside PIX_OUTSIDE 255.0.0.0
ip address inside PIX_INSIDE 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 inside
pdm location DNS 255.255.255.0 inside
pdm location DNS 255.255.255.255 outside
pdm location PIX_OUTSIDE 255.255.255.255 outside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location PIX_OUTSIDE 255.255.255.255 inside
pdm location 192.168.1.17 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 66.228.128.70 66.228.128.202
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
terminal width 80
Cryptochecksum:91f94940fc2a1e2f45f9b1c901828384

Router 827:

version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DSLrouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
!
username blabla password 7 010409160A0D030B
username CRWS_Kannan privilege 15 password 7 015757406C5A002E65431F062A2007135A5F527E7F7D78656775
no aaa new-model
ip subnet-zero
ip name-server 66.228.128.70
ip name-server 66.228.128.69
ip dhcp excluded-address 10.1.1.1
ip dhcp excluded-address 10.0.0.33 10.255.255.254
!
ip dhcp pool CLIENT
import all
network 10.0.0.0 255.0.0.0
default-router 10.1.1.1
lease 0 2
!
ip ssh break-string
!
!
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
ip address 10.1.1.1 255.0.0.0
ip mtu 1452
ip nat inside
ip tcp adjust-mss 1452
ipv6 mtu 1452
hold-queue 100 out
!
interface Virtual-Template1
no ip address
!
interface ATM0
mtu 1492
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname blabla
ppp chap password 7 07182E5E1F0F1C01
ppp pap sent-username blabla password 7 131218005A0A012E
ppp ipcp dns request
ppp ipcp wins request
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure-server
!
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 120 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
exec-timeout 120 0
login local
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end


"scott enwright" <(E-Mail Removed)> wrote in message
news:0OrNb.13106$(E-Mail Removed)...
> Marc,
>
> Doesn't the configuration have to have the following properties:
> 1. A public address on the outside interface of the 827 router (a static
> address would be perferable)
> 2. A private IP address on the inside of the 827 router
> 3. NAT is performed for all traffic entering the 827's Ethernet interface
> and leaving the PPPoE circuit.
> 4. A private IP address is on the PIX's outside interface
> 5. A (different) private network is on the PIX's inside interface
> 6. NAT is being performed for all traffic leaving the PIX to the web
>
> For this to work you need a configuration that:
> 1. Translates ports 81 and 8482 on the 827 public address into a private
> address (one that is not defined on the PIX)
> 2. The PIX needs to translate these addresses to the real internal (PIX
> inside) addresses/ports.
>
> I have made the following assumpotions:
> 1. Both port 81 and 8482 goto the same box and the same ports.
>
> Here is the config changes:
>
> name 10.1.1.36 WEBSERVER
> no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask
> 255.255.255.255
> no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask
> 255.255.255.255
> no static (inside,outside) tcp interface www 192.168.1.50 www netmask
> 255.255.255.255
> no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask
> 255.255.255.255
> no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
> static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255
>
> no access-list outside_access_in
> access-list outside_access_in permit tcp any 10.1.1.36 eq 81
> access-list outside_access_in permit tcp any 10.1.1.36 eq 8481
> access-list outside_access_in deny ip any any
> access-group outside_access_in in interface outside
> no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
> route outside 0.0.0.0 0.0.0.0 10.10.10.1
>
> no ip dhcp excluded-address 10.1.1.1
> no ip dhcp excluded-address 10.0.0.33 10.255.255.254
> no ip dhcp pool CLIENT
>
>
> Cisco 827 Changes
> ====================
> interface Ethernet0
> no ip address 10.1.1.1 255.0.0.0 secondary
> exit
> ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
> extendable no-alias
> ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
> extendable no-alias
>
>
> Afterwards, can you do a 'show ip nat translations' and on the pix 'show
> xlate' and repost this data and the new configs
>
> Regards,
>
> Scott.
> \|/
> (o o)
> ---------------------oOOO--(_)--OOOo----------------------
> Out the 100Base-T, off the firewall, through the router, down
> the T1, over the leased line, off the bridge, nothing but Net.
> (Use ROT13 to see my email address)
> .oooO Oooo.
> ----------------------( )---( )-----------------------
> \ ( ) /
> \_) (_/
>
>
> "Marc" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I bought a Wireless camera about 2 months ago. It is set up to use port

81
> > and 8482. It's IP is 192.168.1.50. So from the 'outside,' I type [the IP
> > address of Dialer1 in my Cisco 827]:81 or :8482. It always times out.
> >
> > My set up is DSL PPPoE (Dynamic IP. I have to look up the IP every day

for
> > what I want to do)
> > Cisco 827 10.1.1.1
> > PIX 501 (Outside 10.1.1.35) (Inside 192.168.1.1, the gateway obviously)
> > Inside network 192.168.1.X
> >
> > Also, I can ping my 827 from my inside network. But when I telnet into

the
> > router from my inside network and ping my inside network, it times out

> too.
> > The farthest I can get is the inside interface of the PIX. I thought

Chap
> > may have something to do with all of this, but I'm not sure. I know if I
> > could just ping my inside network from my router, that would probably

> solve
> > most of this.
> >
> > I've been at this for 2 months, and have tried everything. NG searches,

> Port
> > forwarding, access-lists. Nothing seems to work. I had port forwarding

and
> > access-lists specifically for ports www, 81 and 8482 on my router, but I
> > removed them, because they didn't make a difference. I'm sure the answer
> > lies in my firewall, but no matter what I do, I can't get to my inside
> > network from the outside. Not even a ping from the router. I'm not an

> expert
> > like a lot of you, so I hope this is not too rudimentary. But I'm all

out
> of
> > ideas.Any help would be greatly appreciated. My configs are below:
> >
> > PIX 501:
> > PIX Version 6.3(3)
> > interface ethernet0 10baset
> > interface ethernet1 100full
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password 0JeJdBKOXHOPaqYc encrypted
> > passwd 0JeJdBKOXHOPaqYc encrypted
> > hostname pixfirewall
> > domain-name blabla.com
> > fixup protocol dns maximum-length 512
> > fixup protocol ftp 21
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol http 80
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol sip 5060
> > fixup protocol sip udp 5060
> > fixup protocol skinny 2000
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol tftp 69
> > names
> > name 66.0.0.0 DNS
> > name 10.1.1.35 PIX_OUTSIDE
> > name 192.168.1.1 PIX_INSIDE
> > access-list outside_access_in permit icmp any any echo-reply
> > access-list outside_access_in permit tcp any any eq 81
> > access-list outside_access_in permit tcp any any eq www
> > access-list outside_access_in permit tcp any any eq 8481
> > access-list outside_access_in deny ip any any
> > access-list inside_access_in permit ip any any
> > access-list inbound permit tcp any any eq 8482
> > no pager
> > logging on
> > logging timestamp
> > logging trap warnings
> > logging host inside 192.168.1.17 format emblem
> > mtu outside 1492
> > mtu inside 1492
> > ip address outside PIX_OUTSIDE 255.0.0.0
> > ip address inside PIX_INSIDE 255.255.255.0
> > ip verify reverse-path interface inside
> > ip audit info action alarm
> > ip audit attack action alarm
> > pdm location 192.168.0.0 255.255.255.0 inside
> > pdm location DNS 255.255.255.0 inside
> > pdm location DNS 255.255.255.255 outside
> > pdm location PIX_OUTSIDE 255.255.255.255 outside
> > pdm location 10.0.0.0 255.0.0.0 inside
> > pdm location PIX_OUTSIDE 255.255.255.255 inside
> > pdm location 192.168.1.17 255.255.255.255 inside
> > pdm location 192.168.0.0 255.255.0.0 inside
> > pdm location 192.168.1.50 255.255.255.255 inside
> > pdm logging informational 100
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255 0 0
> > static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255 0 0
> > static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255 0 0
> > static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255 0 0
> > static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255 0 0
> > access-group outside_access_in in interface outside
> > access-group inside_access_in in interface inside
> > route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
> > route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > aaa authentication enable console LOCAL
> > aaa authentication http console LOCAL
> > http server enable
> > http 192.168.1.0 255.255.255.0 inside
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > telnet 192.168.1.0 255.255.255.0 inside
> > telnet timeout 15
> > ssh timeout 5
> > console timeout 0
> > dhcpd address 192.168.1.2-192.168.1.33 inside
> > dhcpd dns 66.228.128.70 66.228.128.202
> > dhcpd lease 259200
> > dhcpd ping_timeout 750
> > dhcpd auto_config outside
> > dhcpd enable inside
> > username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
> > terminal width 80
> > Cryptochecksum:6e2da49431ab4c028e1cc447ccc9d090
> > : end
> > [OK]
> >
> > Cisco 827:
> > Using 2038 out of 131072 bytes
> > !
> > version 12.3
> > no service pad
> > service timestamps debug uptime
> > service timestamps log uptime
> > service password-encryption
> > !
> > hostname DSLrouter
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > no logging buffered
> > enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
> > !
> > username blabla password 7 010409160A0D030B
> > username CRWS_Kannan privilege 15 password 7 015757406C5A002E65431F062A2007135A5F527E7F7D78656775
> > no aaa new-model
> > ip subnet-zero
> > ip name-server 66.228.128.70
> > ip name-server 66.228.128.69
> > ip dhcp excluded-address 10.1.1.1
> > ip dhcp excluded-address 10.0.0.33 10.255.255.254
> > !
> > ip dhcp pool CLIENT
> > import all
> > network 10.0.0.0 255.0.0.0
> > default-router 10.1.1.1
> > lease 0 2
> > !
> > ip ssh break-string
> > !
> > !
> > interface Ethernet0
> > description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
> > ip address 10.1.1.1 255.0.0.0 secondary
> > ip address 10.10.10.1 255.255.255.0
> > ip mtu 1452
> > ip nat inside
> > ip tcp adjust-mss 1452
> > ipv6 mtu 1452
> > hold-queue 100 out
> > !
> > interface Virtual-Template1
> > no ip address
> > !
> > interface ATM0
> > mtu 1492
> > no ip address
> > atm vc-per-vp 64
> > no atm ilmi-keepalive
> > pvc 0/35
> > pppoe-client dial-pool-number 1
> > !
> > dsl operating-mode auto
> > !
> > interface Dialer1
> > mtu 1492
> > ip address negotiated
> > ip nat outside
> > encapsulation ppp
> > ip tcp adjust-mss 1452
> > dialer pool 1
> > dialer remote-name redback
> > dialer-group 1
> > ppp authentication pap chap callin
> > ppp chap hostname blabla
> > ppp chap password 7 07182E5E1F0F1C01
> > ppp pap sent-username blabla password 7 131218005A0A012E
> > ppp ipcp dns request
> > ppp ipcp wins request
> > !
> > ip nat inside source list 102 interface Dialer1 overload
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Dialer1
> > ip http server
> > ip http secure-server
> > !
> > access-list 102 permit ip 10.0.0.0 0.255.255.255 any
> > dialer-list 1 protocol ip permit
> > !
> > !
> > line con 0
> > exec-timeout 120 0
> > transport preferred all
> > transport output all
> > stopbits 1
> > line vty 0 4
> > exec-timeout 120 0
> > login local
> > length 0
> > transport preferred all
> > transport input all
> > transport output all
> > !
> > scheduler max-task-time 5000
> > !
> > end
> >
> >
> >
> >

>
>



 
 
Marc
Guest
Posts: n/a
 
      01-16-2004

"Phillip Remaker" <(E-Mail Removed)> wrote in message
news:1074159174.156347@sj-nntpcache-5...
>
> "Marc" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Also, I can ping my 827 from my inside network. But when I telnet into the
> > router from my inside network and ping my inside network, it times out too.
>
> Right, that's what you want the 501 doing. Allow outbound, stop inbound.
> You need to punch a hole through the 501 to allow inbound traffic.
>
>
> > The farthest I can get is the inside interface of the PIX.
>
> That is a feature. If you want pings answered from the routide, you'd need
> to add
> access-list outside_access_in permit icmp any any echo-request
>
> Couple things:
>
> 0) You really want a static address service for this job.
> 0a) Or a DDNS service (most webcams support that these days... which webcam?
> Linksys does DDNS
>
> 1) If you are trying to attach TO the webcam, you will need a translation
> for the 827 of the form
> ip nat inside source static tcp y.y.y.y 81 x.x.x.x 81 extendable
> ip nat inside source static tcp y.y.y.y 8483 5900 x.x.x.x 8483 extendable
>
> Where y.y.y.y is the inside address and x.x.x.x is the public IP.
>
> BUT since your public IP is dynamic, you can't do that.
>
> I'm not sure there is a way to allow these maps to learn and use the dynamic
> address, unless the form
>
> ip nat inside source static tcp y.y.y.y 81 interface dialer 0 81 extendable
> ip nat inside source static tcp y.y.y.y 8483 5900 interface dialer 0 8483 extendable
>
> is accepted by the parser, which I think it is not.
>
> Why do you have the 827 involved at all? Just as an (expensive) DSL modem?
> You might prefer getting an RFC1483 bridge (cheap!) and using the PPPOE
> feature of the 501.
>
> Or better, get a static address.
>
> Double NAT is too painful even for the heartiest of folks.
>
> This application begs for a static address.
>
> If you just need simple NAT services, you might consider a Linksys in this
> application.
>

I'm thinking about getting rid of the 827. I won it at a Cisco conference,
several years ago. I could buy 3 statics, but I want to get it working with
the dynamic first. The lease for my IP is 3 days, which is enough time to
test this config. Actually, I'm thinking about getting rid of the PIX too. I
used to do Cisco, but in my job now, I just do Windows. To me, the PIX is a
great firewall, but it is not user friendly. It's too complicated to just
block or open a simple port, as I'm experiencing here. For example, with the
Linksys, I believe all you have to do is select 'Allow virtual port [port
number]', and that's it. On the other hand, I love a challenge, which is why
I want to tackle this.


 
 
scott enwright
Guest
Posts: n/a
 
      01-16-2004
ok,

the translations got screwed up on the router, enter these lines to correct
it (you shouldn't get any errors when entering them):

no ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
no ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
no ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
no ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81
ip nat inside source static tcp 10.1.1.36 8481 interface Dialer1 8481
ip nat inside source static tcp 10.1.1.36 80 interface Dialer1 80
ip nat inside source static tcp 10.1.1.36 8482 interface Dialer1 8482


Correct the PIX's inbound access-list.

no access-list outside_access_in
access-list outside_access_in permit tcp any host WEBSERVER eq 81
access-list outside_access_in permit tcp any host WEBSERVER eq www
access-list outside_access_in permit tcp any host WEBSERVER eq 8481
access-list outside_access_in permit tcp any host WEBSERVER eq 8482
access-list outside_access_in deny ip any any
access-group outside_access_in in interface outside

That's all that looks wrong to me. Please repost the same stuff again.

Regards,

Scott.
\|/
(o o)
---------------------oOOO--(_)--OOOo----------------------
Out the 100Base-T, off the firewall, through the router, down
the T1, over the leased line, off the bridge, nothing but Net.
(Use ROT13 to see my email address)
.oooO Oooo.
----------------------( )---( )-----------------------
\ ( ) /
\_) (_/


"Marc" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thank you for the config. I changed it. The new configs are below, as well
> as the xlate and ip nat translations. It looks like port 80, 81, 8481 and
> 8482 are still blank. Can you determine what I did wrong? Thanks.
>
> DSL Router:
> DSLrouter#sh ip nat translations
> Pro Inside global       Inside local     Outside local         Outside global
> tcp 24.155.75.86:64436  10.1.1.35:64436  24.167.56.193:1949    24.167.56.193:1949
> tcp 24.155.75.86:1      10.1.1.1:23      10.1.1.35:64336       10.1.1.35:64336
> tcp 24.155.75.86:64495  10.1.1.35:64495  64.157.107.71:80      64.157.107.71:80
> tcp 24.155.75.86:64496  10.1.1.35:64496  64.157.107.71:80      64.157.107.71:80
> tcp 24.155.75.86:80     192.1.2.14:80    ---                   ---
> tcp 24.155.75.86:81     192.1.2.14:81    ---                   ---
> tcp 24.155.75.86:64498  10.1.1.35:64498  209.11.131.36:80      209.11.131.36:80
> tcp 24.155.75.86:64521  10.1.1.35:64521  24.165.151.247:1077   24.165.151.247:1077
> tcp 24.155.75.86:64522  10.1.1.35:64522  24.165.151.247:1077   24.165.151.247:1077
> tcp 24.155.75.86:64523  10.1.1.35:64523  24.165.151.247:1077   24.165.151.247:1077
> tcp 24.155.75.86:8481   192.1.2.14:8481  ---                   ---
> tcp 24.155.75.86:8482   192.1.2.14:8482  ---                   ---
> tcp 24.155.75.86:64361  10.1.1.35:64361  216.155.193.167:5050  216.155.193.167:5050
> tcp 24.155.75.86:64501  10.1.1.35:64501  67.23.182.154:3531    67.23.182.154:3531
> tcp 24.155.75.86:64487  10.1.1.35:64487  66.135.211.87:443     66.135.211.87:443
>
> PIX 501
>
> pixfirewall# sh xlate
> 12 in use, 318 most used
> PAT Global PIX_OUTSIDE(64501) Local 192.168.1.101(2734)
> PAT Global PIX_OUTSIDE(64496) Local 192.168.1.102(4160)
> PAT Global PIX_OUTSIDE(64495) Local 192.168.1.102(4159)
> PAT Global PIX_OUTSIDE(64487) Local 192.168.1.102(4153)
> PAT Global PIX_OUTSIDE(64436) Local 192.168.1.101(2723)
> PAT Global PIX_OUTSIDE(64361) Local 192.168.1.102(4035)
> PAT Global PIX_OUTSIDE(64353) Local 192.168.1.102(4010)
> PAT Global PIX_OUTSIDE(64336) Local 192.168.1.102(3996)
> PAT Global PIX_OUTSIDE(64523) Local 192.168.1.101(2741)
> PAT Global PIX_OUTSIDE(64522) Local 192.168.1.101(2740)
> PAT Global PIX_OUTSIDE(64521) Local 192.168.1.101(2739)
> PAT Global PIX_OUTSIDE(64514) Local 192.168.1.102(4173)
>
> Current Configs
> PIX 501
> PIX Version 6.3(3)
> interface ethernet0 10baset
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 0JeJdBKOXHOPaqYc encrypted
> passwd 0JeJdBKOXHOPaqYc encrypted
> hostname pixfirewall
> domain-name blabla.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> name 66.0.0.0 DNS
> name 10.1.1.35 PIX_OUTSIDE
> name 192.168.1.1 PIX_INSIDE
> name 10.1.1.36 WEBSERVER
> access-list outside_access_in deny ip any any
> access-list outside_access_in permit tcp any host WEBSERVER eq 81
> access-list outside_access_in permit tcp any host WEBSERVER eq www
> access-list outside_access_in permit tcp any host WEBSERVER eq 8481
> access-list outside_access_in permit tcp any host WEBSERVER eq 8482
> access-list inside_access_in permit ip any any
> access-list inbound permit tcp any any eq 8482
> no pager
> logging on
> logging timestamp
> logging trap warnings
> logging host inside 192.168.1.17 format emblem
> mtu outside 1492
> mtu inside 1492
> ip address outside PIX_OUTSIDE 255.0.0.0
> ip address inside PIX_INSIDE 255.255.255.0
> ip verify reverse-path interface inside
> ip audit info action alarm
> ip audit attack action alarm
> pdm location 192.168.0.0 255.255.255.0 inside
> pdm location DNS 255.255.255.0 inside
> pdm location DNS 255.255.255.255 outside
> pdm location PIX_OUTSIDE 255.255.255.255 outside
> pdm location 10.0.0.0 255.0.0.0 inside
> pdm location PIX_OUTSIDE 255.255.255.255 inside
> pdm location 192.168.1.17 255.255.255.255 inside
> pdm location 192.168.0.0 255.255.0.0 inside
> pdm location 192.168.1.50 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
> route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> aaa authentication enable console LOCAL
> aaa authentication http console LOCAL
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> telnet 192.168.1.0 255.255.255.0 inside
> telnet timeout 15
> ssh timeout 5
> console timeout 0
> dhcpd address 192.168.1.2-192.168.1.33 inside
> dhcpd dns 66.228.128.70 66.228.128.202
> dhcpd lease 259200
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> dhcpd enable inside
> username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
> terminal width 80
> Cryptochecksum:91f94940fc2a1e2f45f9b1c901828384
>
> Router 827:
>
> version 12.3
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname DSLrouter
> !
> boot-start-marker
> boot-end-marker
> !
> no logging buffered
> enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
> !
> username blabla password 7 010409160A0D030B
> username CRWS_Kannan privilege 15 password 7 015757406C5A002E65431F062A2007135A5F527E7F7D78656775
> no aaa new-model
> ip subnet-zero
> ip name-server 66.228.128.70
> ip name-server 66.228.128.69
> ip dhcp excluded-address 10.1.1.1
> ip dhcp excluded-address 10.0.0.33 10.255.255.254
> !
> ip dhcp pool CLIENT
> import all
> network 10.0.0.0 255.0.0.0
> default-router 10.1.1.1
> lease 0 2
> !
> ip ssh break-string
> !
> !
> !
> !
> !
> !
> interface Ethernet0
> description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
> ip address 10.1.1.1 255.0.0.0
> ip mtu 1452
> ip nat inside
> ip tcp adjust-mss 1452
> ipv6 mtu 1452
> hold-queue 100 out
> !
> interface Virtual-Template1
> no ip address
> !
> interface ATM0
> mtu 1492
> no ip address
> atm vc-per-vp 64
> no atm ilmi-keepalive
> pvc 0/35
> pppoe-client dial-pool-number 1
> !
> dsl operating-mode auto
> !
> interface Dialer1
> mtu 1492
> ip address negotiated
> ip nat outside
> encapsulation ppp
> ip tcp adjust-mss 1452
> dialer pool 1
> dialer remote-name redback
> dialer-group 1
> ppp authentication pap chap callin
> ppp chap hostname blabla
> ppp chap password 7 07182E5E1F0F1C01
> ppp pap sent-username blabla password 7 131218005A0A012E
> ppp ipcp dns request
> ppp ipcp wins request
> !
> ip nat inside source list 102 interface Dialer1 overload
> ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
> ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
> ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
> ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> ip http server
> ip http secure-server
> !
> access-list 102 permit ip 10.0.0.0 0.255.255.255 any
> dialer-list 1 protocol ip permit
> !
> !
> line con 0
> exec-timeout 120 0
> transport preferred all
> transport output all
> stopbits 1
> line vty 0 4
> exec-timeout 120 0
> login local
> length 0
> transport preferred all
> transport input all
> transport output all
> !
> scheduler max-task-time 5000
> !
> end
>
>
> "scott enwright" <(E-Mail Removed)> wrote in message
> news:0OrNb.13106$(E-Mail Removed)...
> > Marc,
> >
> > Doesn't the configuration have to have the following properties:
> > 1. A public address on the outside interface of the 827 router (a static
> > address would be preferable)
> > 2. A private IP address on the inside of the 827 router
> > 3. NAT is performed for all traffic entering the 827's Ethernet interface
> > and leaving the PPPoE circuit.
> > 4. A private IP address is on the PIX's outside interface
> > 5. A (different) private network is on the PIX's inside interface
> > 6. NAT is being performed for all traffic leaving the PIX to the web
> >
> > For this to work you need a configuration that:
> > 1. Translates ports 81 and 8482 on the 827 public address into a private
> > address (one that is not defined on the PIX)
> > 2. The PIX needs to translate these addresses to the real internal (PIX
> > inside) addresses/ports.
> >
> > I have made the following assumptions:
> > 1. Both port 81 and 8482 go to the same box and the same ports.
> >
> > Here are the config changes:
> >
> > name 10.1.1.36 WEBSERVER
> > no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255
> > no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255
> > no static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255
> > no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255
> > no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
> > static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255
> >
> > no access-list outside_access_in
> > access-list outside_access_in permit tcp any 10.1.1.36 eq 81
> > access-list outside_access_in permit tcp any 10.1.1.36 eq 8481
> > access-list outside_access_in deny ip any any
> > access-group outside_access_in in interface outside
> > no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
> > route outside 0.0.0.0 0.0.0.0 10.10.10.1
> >
> > no ip dhcp excluded-address 10.1.1.1
> > no ip dhcp excluded-address 10.0.0.33 10.255.255.254
> > no ip dhcp pool CLIENT
> >
> >
> > Cisco 827 Changes
> > ====================
> > interface Ethernet0
> > no ip address 10.1.1.1 255.0.0.0 secondary
> > exit
> > ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81 extendable no-alias
> > ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481 extendable no-alias
> >
> >
> > Afterwards, can you do a 'show ip nat translations' and on the pix 'show
> > xlate' and repost this data and the new configs
> >
> > Regards,
> >
> > Scott.
> > \|/
> > (o o)
> > ---------------------oOOO--(_)--OOOo----------------------
> > Out the 100Base-T, off the firewall, through the router, down
> > the T1, over the leased line, off the bridge, nothing but Net.
> > (Use ROT13 to see my email address)
> > .oooO Oooo.
> > ----------------------( )---( )-----------------------
> > \ ( ) /
> > \_) (_/
> >



 
 
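The two-stage translation worked out in the post above (827 static PAT on Dialer1, then a PIX one-to-one static behind a first-match ACL), as an added example that is not part of any poster's message. It feeds the command lines quoted in the thread to a small tracer; the parsing is a simplified model (TCP only, `any`/`host` address forms, one-to-one PIX statics) and the function names are this example's own.

```python
import ipaddress
import re

PORT_NAMES = {"www": 80}  # PIX port keyword used in the thread's ACLs
NAT_RX = re.compile(
    r"^(no )?ip nat inside source static tcp (\S+) (\d+) interface \S+ (\d+)")

def parse_router(config):
    """827 static PAT as {public_port: (local_ip, local_port)}; 'no ...' removes."""
    pat = {}
    for line in config.splitlines():
        m = NAT_RX.match(line.strip())
        if not m:
            continue
        negate, ip, lport, gport = m.groups()
        if negate:
            pat.pop(int(gport), None)
        else:
            pat[int(gport)] = (str(ipaddress.ip_address(ip)), int(lport))
    return pat

def parse_pix(config, acl_name="outside_access_in"):
    """PIX names, one-to-one statics {global: local} and the ordered outside ACL."""
    names, statics, acl = {}, {}, []
    addr = lambda tok: str(ipaddress.ip_address(names.get(tok, tok)))

    def take(rest):  # consume one address spec: 'any' or 'host X'
        tok = rest.pop(0)
        if tok == "any":
            return None
        if tok == "host":
            return addr(rest.pop(0))
        raise ValueError(f"unsupported address form: {tok}")

    for line in config.splitlines():
        w = line.split()
        if len(w) == 3 and w[0] == "name":
            names[w[2]] = w[1]
        elif w[:2] == ["static", "(inside,outside)"] and w[2] != "tcp":
            statics[addr(w[2])] = addr(w[3])
        elif w[:3] == ["no", "access-list", acl_name]:
            acl.clear()
        elif w[:2] == ["access-list", acl_name]:
            action, proto, rest = w[2], w[3], w[4:]
            take(rest)                      # source (always 'any' in the thread)
            dst = take(rest)
            eq = None
            if rest[:1] == ["eq"]:
                eq = PORT_NAMES.get(rest[1]) or int(rest[1])
            acl.append((action, proto, dst, eq))
    return statics, acl

def trace(router_cfg, pix_cfg, public_port):
    """Follow an inbound TCP connection to <Dialer1 address>:public_port."""
    pat = parse_router(router_cfg)
    statics, acl = parse_pix(pix_cfg)
    if public_port not in pat:
        return (False, f"827: no static PAT for tcp/{public_port}")
    ip, port = pat[public_port]
    if ip not in statics:                   # PIX does not own this address
        return (False, f"PIX: no static for {ip}")
    for n, (action, proto, dst, eq) in enumerate(acl, 1):  # first match wins
        if proto in ("ip", "tcp") and dst in (None, ip) and eq in (None, port):
            if action == "permit":
                return (True, f"{statics[ip]}:{port}")
            return (False, f"PIX ACL line {n}: deny")
    return (False, "PIX ACL: implicit deny")

PORTS = (81, 8481, 80, 8482)
# Router NAT lines as reposted (inside local address 192.1.2.14).
ROUTER_POSTED = "\n".join(
    f"ip nat inside source static tcp 192.1.2.14 {p} interface Dialer1 {p}"
    for p in PORTS) + "\n"
# Router correction: remove the old mappings, point them at 10.1.1.36.
ROUTER_FIX = ROUTER_POSTED.replace("ip nat", "no ip nat") + "\n".join(
    f"ip nat inside source static tcp 10.1.1.36 {p} interface Dialer1 {p}"
    for p in PORTS) + "\n"
# PIX lines as reposted: the deny entry sits first in the ACL.
PIX_POSTED = """
name 10.1.1.36 WEBSERVER
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp any host WEBSERVER eq 81
access-list outside_access_in permit tcp any host WEBSERVER eq www
access-list outside_access_in permit tcp any host WEBSERVER eq 8481
access-list outside_access_in permit tcp any host WEBSERVER eq 8482
static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0
"""
# PIX correction: rebuild the ACL with the deny entry last.
PIX_FIX = """
no access-list outside_access_in
access-list outside_access_in permit tcp any host WEBSERVER eq 81
access-list outside_access_in permit tcp any host WEBSERVER eq www
access-list outside_access_in permit tcp any host WEBSERVER eq 8481
access-list outside_access_in permit tcp any host WEBSERVER eq 8482
access-list outside_access_in deny ip any any
"""

if __name__ == "__main__":
    for label, r, p in (("as reposted", ROUTER_POSTED, PIX_POSTED),
                        ("router fixed", ROUTER_POSTED + ROUTER_FIX, PIX_POSTED),
                        ("both fixed", ROUTER_POSTED + ROUTER_FIX, PIX_POSTED + PIX_FIX)):
        print(label, trace(r, p, 81))
```

Each stage fails for its own reason, so fixing only the router still leaves the connection blocked by the ACL ordering on the PIX.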
Marc
Guest
Posts: n/a
 
      01-17-2004
Scott. It worked!

This was the key:

(I left out the other ports in this post to avoid redundancy)

PIX:

access-list outside_access_in permit ip any host 10.1.1.36
access-list inside_access_in permit ip any any
access-list inbound permit tcp any any eq 81
access-list outside_access_in deny ip any any (last rule)

static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255 0 0

827:
ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81

Now when I get a static IP, I think all I have to do is change "interface
Dialer1" to the public IP address.

Not only did this work, but I learned a lot about nat translation as well,
and its function.

Thanks!

"scott enwright" <(E-Mail Removed)> wrote in message
news:GnMNb.14362$(E-Mail Removed)...
> ok,
>
> the translations got screwed up on the router, enter these lines to correct
> it (you shouldn't get any errors when entering them):
>
> no ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
> no ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
> no ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
> no ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
> ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81
> ip nat inside source static tcp 10.1.1.36 8481 interface Dialer1 8481
> ip nat inside source static tcp 10.1.1.36 80 interface Dialer1 80
> ip nat inside source static tcp 10.1.1.36 8482 interface Dialer1 8482
>
>
> Correct the PIX's inbound access-list.
>
> no access-list outside_access_in
> access-list outside_access_in permit tcp any host WEBSERVER eq 81
> access-list outside_access_in permit tcp any host WEBSERVER eq www
> access-list outside_access_in permit tcp any host WEBSERVER eq 8481
> access-list outside_access_in permit tcp any host WEBSERVER eq 8482
> access-list outside_access_in deny ip any any
> access-group outside_access_in in interface outside
>
> That's all that looks wrong to me. Please repost the same stuff again.
>
> Regards,
>
> Scott.
> \|/
> (o o)
> ---------------------oOOO--(_)--OOOo----------------------
> Out the 100Base-T, off the firewall, through the router, down
> the T1, over the leased line, off the bridge, nothing but Net.
> (Use ROT13 to see my email address)
> .oooO Oooo.
> ----------------------( )---( )-----------------------
> \ ( ) /
> \_) (_/
>
>
> "Marc" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Thank you for the config. I changed it. The new configs are below, as well
> > as the xlate and ip nat translations. It looks like port 80, 81, 8481 and
> > 8482 are still blank. Can you determine what I did wrong? Thanks.
> >
> > DSL Router:
> > DSLrouter#sh ip nat translations
> > Pro Inside global        Inside local      Outside local         Outside global
> > tcp 24.155.75.86:64436   10.1.1.35:64436   24.167.56.193:1949    24.167.56.193:1949
> > tcp 24.155.75.86:1       10.1.1.1:23       10.1.1.35:64336       10.1.1.35:64336
> > tcp 24.155.75.86:64495   10.1.1.35:64495   64.157.107.71:80      64.157.107.71:80
> > tcp 24.155.75.86:64496   10.1.1.35:64496   64.157.107.71:80      64.157.107.71:80
> > tcp 24.155.75.86:80      192.1.2.14:80     ---                   ---
> > tcp 24.155.75.86:81      192.1.2.14:81     ---                   ---
> > tcp 24.155.75.86:64498   10.1.1.35:64498   209.11.131.36:80      209.11.131.36:80
> > tcp 24.155.75.86:64521   10.1.1.35:64521   24.165.151.247:1077   24.165.151.247:1077
> > tcp 24.155.75.86:64522   10.1.1.35:64522   24.165.151.247:1077   24.165.151.247:1077
> > tcp 24.155.75.86:64523   10.1.1.35:64523   24.165.151.247:1077   24.165.151.247:1077
> > tcp 24.155.75.86:8481    192.1.2.14:8481   ---                   ---
> > tcp 24.155.75.86:8482    192.1.2.14:8482   ---                   ---
> > tcp 24.155.75.86:64361   10.1.1.35:64361   216.155.193.167:5050  216.155.193.167:5050
> > tcp 24.155.75.86:64501   10.1.1.35:64501   67.23.182.154:3531    67.23.182.154:3531
> > tcp 24.155.75.86:64487   10.1.1.35:64487   66.135.211.87:443     66.135.211.87:443
> >
> > PIX 501
> >
> > pixfirewall# sh xlate
> > 12 in use, 318 most used
> > PAT Global PIX_OUTSIDE(64501) Local 192.168.1.101(2734)
> > PAT Global PIX_OUTSIDE(64496) Local 192.168.1.102(4160)
> > PAT Global PIX_OUTSIDE(64495) Local 192.168.1.102(4159)
> > PAT Global PIX_OUTSIDE(64487) Local 192.168.1.102(4153)
> > PAT Global PIX_OUTSIDE(64436) Local 192.168.1.101(2723)
> > PAT Global PIX_OUTSIDE(64361) Local 192.168.1.102(4035)
> > PAT Global PIX_OUTSIDE(64353) Local 192.168.1.102(4010)
> > PAT Global PIX_OUTSIDE(64336) Local 192.168.1.102(3996)
> > PAT Global PIX_OUTSIDE(64523) Local 192.168.1.101(2741)
> > PAT Global PIX_OUTSIDE(64522) Local 192.168.1.101(2740)
> > PAT Global PIX_OUTSIDE(64521) Local 192.168.1.101(2739)
> > PAT Global PIX_OUTSIDE(64514) Local 192.168.1.102(4173)
> >
> > Current Configs
> > PIX 501
> > PIX Version 6.3(3)
> > interface ethernet0 10baset
> > interface ethernet1 100full
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password 0JeJdBKOXHOPaqYc encrypted
> > passwd 0JeJdBKOXHOPaqYc encrypted
> > hostname pixfirewall
> > domain-name blabla.com
> > fixup protocol dns maximum-length 512
> > fixup protocol ftp 21
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol http 80
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol sip 5060
> > fixup protocol sip udp 5060
> > fixup protocol skinny 2000
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol tftp 69
> > names
> > name 66.0.0.0 DNS
> > name 10.1.1.35 PIX_OUTSIDE
> > name 192.168.1.1 PIX_INSIDE
> > name 10.1.1.36 WEBSERVER
> > access-list outside_access_in deny ip any any
> > access-list outside_access_in permit tcp any host WEBSERVER eq 81
> > access-list outside_access_in permit tcp any host WEBSERVER eq www
> > access-list outside_access_in permit tcp any host WEBSERVER eq 8481
> > access-list outside_access_in permit tcp any host WEBSERVER eq 8482
> > access-list inside_access_in permit ip any any
> > access-list inbound permit tcp any any eq 8482
> > no pager
> > logging on
> > logging timestamp
> > logging trap warnings
> > logging host inside 192.168.1.17 format emblem
> > mtu outside 1492
> > mtu inside 1492
> > ip address outside PIX_OUTSIDE 255.0.0.0
> > ip address inside PIX_INSIDE 255.255.255.0
> > ip verify reverse-path interface inside
> > ip audit info action alarm
> > ip audit attack action alarm
> > pdm location 192.168.0.0 255.255.255.0 inside
> > pdm location DNS 255.255.255.0 inside
> > pdm location DNS 255.255.255.255 outside
> > pdm location PIX_OUTSIDE 255.255.255.255 outside
> > pdm location 10.0.0.0 255.0.0.0 inside
> > pdm location PIX_OUTSIDE 255.255.255.255 inside
> > pdm location 192.168.1.17 255.255.255.255 inside
> > pdm location 192.168.0.0 255.255.0.0 inside
> > pdm location 192.168.1.50 255.255.255.255 inside
> > pdm logging informational 100
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0
> > access-group outside_access_in in interface outside
> > access-group inside_access_in in interface inside
> > route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
> > route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > aaa authentication enable console LOCAL
> > aaa authentication http console LOCAL
> > http server enable
> > http 192.168.1.0 255.255.255.0 inside
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > telnet 192.168.1.0 255.255.255.0 inside
> > telnet timeout 15
> > ssh timeout 5
> > console timeout 0
> > dhcpd address 192.168.1.2-192.168.1.33 inside
> > dhcpd dns 66.228.128.70 66.228.128.202
> > dhcpd lease 259200
> > dhcpd ping_timeout 750
> > dhcpd auto_config outside
> > dhcpd enable inside
> > username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
> > terminal width 80
> > Cryptochecksum:91f94940fc2a1e2f45f9b1c901828384
> >
> > Router 827:
> >
> > version 12.3
> > no service pad
> > service timestamps debug uptime
> > service timestamps log uptime
> > service password-encryption
> > !
> > hostname DSLrouter
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > no logging buffered
> > enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
> > !
> > username blabla password 7 010409160A0D030B
> > username CRWS_Kannan privilege 15 password 7 015757406C5A002E65431F062A2007135A5F527E7F7D78656775
> > no aaa new-model
> > ip subnet-zero
> > ip name-server 66.228.128.70
> > ip name-server 66.228.128.69
> > ip dhcp excluded-address 10.1.1.1
> > ip dhcp excluded-address 10.0.0.33 10.255.255.254
> > !
> > ip dhcp pool CLIENT
> > import all
> > network 10.0.0.0 255.0.0.0
> > default-router 10.1.1.1
> > lease 0 2
> > !
> > ip ssh break-string
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Ethernet0
> > description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
> > ip address 10.1.1.1 255.0.0.0
> > ip mtu 1452
> > ip nat inside
> > ip tcp adjust-mss 1452
> > ipv6 mtu 1452
> > hold-queue 100 out
> > !
> > interface Virtual-Template1
> > no ip address
> > !
> > interface ATM0
> > mtu 1492
> > no ip address
> > atm vc-per-vp 64
> > no atm ilmi-keepalive
> > pvc 0/35
> > pppoe-client dial-pool-number 1
> > !
> > dsl operating-mode auto
> > !
> > interface Dialer1
> > mtu 1492
> > ip address negotiated
> > ip nat outside
> > encapsulation ppp
> > ip tcp adjust-mss 1452
> > dialer pool 1
> > dialer remote-name redback
> > dialer-group 1
> > ppp authentication pap chap callin
> > ppp chap hostname blabla
> > ppp chap password 7 07182E5E1F0F1C01
> > ppp pap sent-username blabla password 7 131218005A0A012E
> > ppp ipcp dns request
> > ppp ipcp wins request
> > !
> > ip nat inside source list 102 interface Dialer1 overload
> > ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
> > ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
> > ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
> > ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Dialer1
> > ip http server
> > ip http secure-server
> > !
> > access-list 102 permit ip 10.0.0.0 0.255.255.255 any
> > dialer-list 1 protocol ip permit
> > !
> > !
> > line con 0
> > exec-timeout 120 0
> > transport preferred all
> > transport output all
> > stopbits 1
> > line vty 0 4
> > exec-timeout 120 0
> > login local
> > length 0
> > transport preferred all
> > transport input all
> > transport output all
> > !
> > scheduler max-task-time 5000
> > !
> > end
> >
> >
> > "scott enwright" <(E-Mail Removed)> wrote in message
> > news:0OrNb.13106$(E-Mail Removed)...
> > > Marc,
> > >
> > > Doesn't the configuration have to have the following properties:
> > > 1. A public address on the outside interface of the 827 router (a static
> > > address would be preferable)
> > > 2. A private IP address on the inside of the 827 router
> > > 3. NAT is performed for all traffic entering the 827's Ethernet interface
> > > and leaving the PPPoE circuit.
> > > 4. A private IP address is on the PIX's outside interface
> > > 5. A (different) private network is on the PIX's inside interface
> > > 6. NAT is being performed for all traffic leaving the PIX to the web
> > >
> > > For this to work you need a configuration that:
> > > 1. Translates ports 81 and 8482 on the 827 public address into a private
> > > address (one that is not defined on the PIX)
> > > 2. The PIX needs to translate these addresses to the real internal (PIX
> > > inside) addresses/ports.
> > >
> > > I have made the following assumptions:
> > > 1. Both port 81 and 8482 go to the same box and the same ports.
> > >
> > > Here are the config changes:
> > >
> > > name 10.1.1.36 WEBSERVER
> > > no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255
> > > no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255
> > > no static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255
> > > no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255
> > > no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
> > > static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255
> > >
> > > no access-list outside_access_in
> > > access-list outside_access_in permit tcp any 10.1.1.36 eq 81
> > > access-list outside_access_in permit tcp any 10.1.1.36 eq 8481
> > > access-list outside_access_in deny ip any any
> > > access-group outside_access_in in interface outside
> > > no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
> > > route outside 0.0.0.0 0.0.0.0 10.10.10.1
> > >
> > > no ip dhcp excluded-address 10.1.1.1
> > > no ip dhcp excluded-address 10.0.0.33 10.255.255.254
> > > no ip dhcp pool CLIENT
> > >
> > >
> > > Cisco 827 Changes
> > > ====================
> > > interface Ethernet0
> > > no ip address 10.1.1.1 255.0.0.0 secondary
> > > exit
> > > ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81 extendable no-alias
> > > ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481 extendable no-alias
> > >
> > >
> > > Afterwards, can you do a 'show ip nat translations' and on the pix 'show
> > > xlate' and repost this data and the new configs
> > >
> > > Regards,
> > >
> > > Scott.
> > > \|/
> > > (o o)
> > > ---------------------oOOO--(_)--OOOo----------------------
> > > Out the 100Base-T, off the firewall, through the router, down
> > > the T1, over the leased line, off the bridge, nothing but Net.
> > > (Use ROT13 to see my email address)
> > > .oooO Oooo.
> > > ----------------------( )---( )-----------------------
> > > \ ( ) /
> > > \_) (_/
> > >
> > >
> > > "Marc" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed)...
> > > > I bought a Wireless camera about 2 months ago. It is set up to use port 81
> > > > and 8482. Its IP is 192.168.1.50. So from the 'outside,' I type [the IP
> > > > address of Dialer1 in my Cisco 827]:81 or :8482. It always times out.
> > > >
> > > > My set up is DSL PPPoE (Dynamic IP. I have to look up the IP every day for
> > > > what I want to do)
> > > > Cisco 827 10.1.1.1
> > > > PIX 501 (Outside 10.1.1.35) (Inside 192.168.1.1, the gateway obviously)
> > > > Inside network 192.168.1.X
> > > >
> > > > Also, I can ping my 827 from my inside network. But when I telnet into the
> > > > router from my inside network and ping my inside network, it times out too.
> > > > The farthest I can get is the inside interface of the PIX. I thought Chap
> > > > may have something to do with all of this, but I'm not sure. I know if I
> > > > could just ping my inside network from my router, that would probably solve
> > > > most of this.
> > > >
> > > > I've been at this for 2 months, and have tried everything. NG searches, Port
> > > > forwarding, access-lists. Nothing seems to work. I had port forwarding and
> > > > access-lists specifically for ports www, 81 and 8482 on my router, but I
> > > > removed them, because they didn't make a difference. I'm sure the answer
> > > > lies in my firewall, but no matter what I do, I can't get to my inside
> > > > network from the outside. Not even a ping from the router. I'm not an expert
> > > > like a lot of you, so I hope this is not too rudimentary. But I'm all out of
> > > > ideas. Any help would be greatly appreciated. My configs are below:
> > > >
> > > > PIX 501:
> > > > PIX Version 6.3(3)
> > > > interface ethernet0 10baset
> > > > interface ethernet1 100full
> > > > nameif ethernet0 outside security0
> > > > nameif ethernet1 inside security100
> > > > enable password 0JeJdBKOXHOPaqYc encrypted
> > > > passwd 0JeJdBKOXHOPaqYc encrypted
> > > > hostname pixfirewall
> > > > domain-name blabla.com
> > > > fixup protocol dns maximum-length 512
> > > > fixup protocol ftp 21
> > > > fixup protocol h323 h225 1720
> > > > fixup protocol h323 ras 1718-1719
> > > > fixup protocol http 80
> > > > fixup protocol ils 389
> > > > fixup protocol rsh 514
> > > > fixup protocol rtsp 554
> > > > fixup protocol sip 5060
> > > > fixup protocol sip udp 5060
> > > > fixup protocol skinny 2000
> > > > fixup protocol smtp 25
> > > > fixup protocol sqlnet 1521
> > > > fixup protocol tftp 69
> > > > names
> > > > name 66.0.0.0 DNS
> > > > name 10.1.1.35 PIX_OUTSIDE
> > > > name 192.168.1.1 PIX_INSIDE
> > > > access-list outside_access_in permit icmp any any echo-reply
> > > > access-list outside_access_in permit tcp any any eq 81
> > > > access-list outside_access_in permit tcp any any eq www
> > > > access-list outside_access_in permit tcp any any eq 8481
> > > > access-list outside_access_in deny ip any any
> > > > access-list inside_access_in permit ip any any
> > > > access-list inbound permit tcp any any eq 8482
> > > > no pager
> > > > logging on
> > > > logging timestamp
> > > > logging trap warnings
> > > > logging host inside 192.168.1.17 format emblem
> > > > mtu outside 1492
> > > > mtu inside 1492
> > > > ip address outside PIX_OUTSIDE 255.0.0.0
> > > > ip address inside PIX_INSIDE 255.255.255.0
> > > > ip verify reverse-path interface inside
> > > > ip audit info action alarm
> > > > ip audit attack action alarm
> > > > pdm location 192.168.0.0 255.255.255.0 inside
> > > > pdm location DNS 255.255.255.0 inside
> > > > pdm location DNS 255.255.255.255 outside
> > > > pdm location PIX_OUTSIDE 255.255.255.255 outside
> > > > pdm location 10.0.0.0 255.0.0.0 inside
> > > > pdm location PIX_OUTSIDE 255.255.255.255 inside
> > > > pdm location 192.168.1.17 255.255.255.255 inside
> > > > pdm location 192.168.0.0 255.255.0.0 inside
> > > > pdm location 192.168.1.50 255.255.255.255 inside
> > > > pdm logging informational 100
> > > > pdm history enable
> > > > arp timeout 14400
> > > > global (outside) 1 interface
> > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255 0 0
> > > > static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255 0 0
> > > > static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255 0 0
> > > > static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255 0 0
> > > > static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255 0 0
> > > > access-group outside_access_in in interface outside
> > > > access-group inside_access_in in interface inside
> > > > route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
> > > > route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
> > > > timeout xlate 0:05:00
> > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > timeout uauth 0:05:00 absolute
> > > > aaa-server TACACS+ protocol tacacs+
> > > > aaa-server RADIUS protocol radius
> > > > aaa-server LOCAL protocol local
> > > > aaa authentication enable console LOCAL
> > > > aaa authentication http console LOCAL
> > > > http server enable
> > > > http 192.168.1.0 255.255.255.0 inside
> > > > no snmp-server location
> > > > no snmp-server contact
> > > > snmp-server community public
> > > > no snmp-server enable traps
> > > > floodguard enable
> > > > telnet 192.168.1.0 255.255.255.0 inside
> > > > telnet timeout 15
> > > > ssh timeout 5
> > > > console timeout 0
> > > > dhcpd address 192.168.1.2-192.168.1.33 inside
> > > > dhcpd dns 66.228.128.70 66.228.128.202
> > > > dhcpd lease 259200
> > > > dhcpd ping_timeout 750
> > > > dhcpd auto_config outside
> > > > dhcpd enable inside
> > > > username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
> > > > terminal width 80
> > > > Cryptochecksum:6e2da49431ab4c028e1cc447ccc9d090
> > > > : end
> > > > [OK]
> > > >
> > > > Cisco 827:
> > > > Using 2038 out of 131072 bytes
> > > > !
> > > > version 12.3
> > > > no service pad
> > > > service timestamps debug uptime
> > > > service timestamps log uptime
> > > > service password-encryption
> > > > !
> > > > hostname DSLrouter
> > > > !
> > > > boot-start-marker
> > > > boot-end-marker
> > > > !
> > > > no logging buffered
> > > > enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
> > > > !
> > > > username blabla password 7 010409160A0D030B
> > > > username CRWS_Kannan privilege 15 password 7 015757406C5A002E65431F062A2007135A5F527E7F7D78656775
> > > > no aaa new-model
> > > > ip subnet-zero
> > > > ip name-server 66.228.128.70
> > > > ip name-server 66.228.128.69
> > > > ip dhcp excluded-address 10.1.1.1
> > > > ip dhcp excluded-address 10.0.0.33 10.255.255.254
> > > > !
> > > > ip dhcp pool CLIENT
> > > > import all
> > > > network 10.0.0.0 255.0.0.0
> > > > default-router 10.1.1.1
> > > > lease 0 2
> > > > !
> > > > ip ssh break-string
> > > > !
> > > > !
> > > > interface Ethernet0
> > > > description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
> > > > ip address 10.1.1.1 255.0.0.0 secondary
> > > > ip address 10.10.10.1 255.255.255.0
> > > > ip mtu 1452
> > > > ip nat inside
> > > > ip tcp adjust-mss 1452
> > > > ipv6 mtu 1452
> > > > hold-queue 100 out
> > > > !
> > > > interface Virtual-Template1
> > > > no ip address
> > > > !
> > > > interface ATM0
> > > > mtu 1492
> > > > no ip address
> > > > atm vc-per-vp 64
> > > > no atm ilmi-keepalive
> > > > pvc 0/35
> > > > pppoe-client dial-pool-number 1
> > > > !
> > > > dsl operating-mode auto
> > > > !
> > > > interface Dialer1
> > > > mtu 1492
> > > > ip address negotiated
> > > > ip nat outside
> > > > encapsulation ppp
> > > > ip tcp adjust-mss 1452
> > > > dialer pool 1
> > > > dialer remote-name redback
> > > > dialer-group 1
> > > > ppp authentication pap chap callin
> > > > ppp chap hostname blabla
> > > > ppp chap password 7 07182E5E1F0F1C01
> > > > ppp pap sent-username blabla password 7 131218005A0A012E
> > > > ppp ipcp dns request
> > > > ppp ipcp wins request
> > > > !
> > > > ip nat inside source list 102 interface Dialer1 overload
> > > > ip classless
> > > > ip route 0.0.0.0 0.0.0.0 Dialer1
> > > > ip http server
> > > > ip http secure-server
> > > > !
> > > > access-list 102 permit ip 10.0.0.0 0.255.255.255 any
> > > > dialer-list 1 protocol ip permit
> > > > !
> > > > !
> > > > line con 0
> > > > exec-timeout 120 0
> > > > transport preferred all
> > > > transport output all
> > > > stopbits 1
> > > > line vty 0 4
> > > > exec-timeout 120 0
> > > > login local
> > > > length 0
> > > > transport preferred all
> > > > transport input all
> > > > transport output all
> > > > !
> > > > scheduler max-task-time 5000
> > > > !
> > > > end
> > > >
> > > >
> > > >
> > > >
> > >
> > >

> >
> >

>
>
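
The two translation hops and the first-match ACL behaviour worked out in this thread, as an added Python example that is not part of any poster's message. The config lines are copied from the posts; the function names and the small ACL parser are hypothetical and cover only the syntax seen in the thread, with the PIX ACL matched against the mapped address (10.1.1.36) as the thread's configs do.

```python
"""Trace an inbound TCP connection through the thread's two NAT hops."""

NAMES = {"WEBSERVER": "10.1.1.36"}   # PIX "name" entry from the thread
PORTS = {"www": 80}                  # the only named port the thread uses


def parse_acl(lines):
    """Parse 'access-list ID permit|deny PROTO any any|host IP [eq PORT]'.

    Hypothetical helper: covers only the ACL syntax that appears in the thread.
    """
    rules = []
    for line in lines:
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[5:]   # tok[4] is the source, 'any'
        if rest[0] == "host":
            dst, rest = NAMES.get(rest[1], rest[1]), rest[2:]
        else:
            dst, rest = "any", rest[1:]
        port = None
        if rest and rest[0] == "eq":
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, dst, port))
    return rules


def acl_decision(rules, dst_ip, dst_port):
    """First match wins; a packet that matches no line is denied."""
    for n, (action, proto, dst, port) in enumerate(rules, 1):
        if proto in ("ip", "tcp") and dst in ("any", dst_ip) and port in (None, dst_port):
            return action, n
    return "deny", None


def trace(public_port, router_pat, pix_static, pix_acl):
    """Follow a TCP SYN arriving on Dialer1 and report where it ends up."""
    if public_port not in router_pat:
        return "dropped at 827: no static PAT for port %d" % public_port
    hop_ip, hop_port = router_pat[public_port]
    if hop_ip not in pix_static:
        return "lost after 827: %s is not a PIX static address" % hop_ip
    action, line = acl_decision(pix_acl, hop_ip, hop_port)   # ACL sees the mapped address
    if action == "deny":
        return "dropped at PIX: outside_access_in line %s" % line
    return "delivered to %s:%d" % (pix_static[hop_ip], hop_port)


def exposed_ports(acl, dst_ip, candidates):
    """Candidate TCP ports on dst_ip that the ACL would let through."""
    return [p for p in candidates if acl_decision(acl, dst_ip, p)[0] == "permit"]


# Config lines below are copied from the posts in the thread.
PIX_STATIC = {"10.1.1.36": "192.168.1.50"}   # static (inside,outside) 10.1.1.36 192.168.1.50
BROKEN_PAT = {p: ("192.1.2.14", p) for p in (80, 81, 8481, 8482)}
FIXED_PAT = {81: ("10.1.1.36", 81)}          # ip nat ... static tcp 10.1.1.36 81 interface Dialer1 81
DENY_FIRST_ACL = parse_acl([
    "access-list outside_access_in deny ip any any",
    "access-list outside_access_in permit tcp any host WEBSERVER eq 81",
    "access-list outside_access_in permit tcp any host WEBSERVER eq www",
    "access-list outside_access_in permit tcp any host WEBSERVER eq 8481",
    "access-list outside_access_in permit tcp any host WEBSERVER eq 8482",
])
PER_PORT_ACL = DENY_FIRST_ACL[1:] + DENY_FIRST_ACL[:1]   # same lines, deny moved last
WORKING_ACL = parse_acl([
    "access-list outside_access_in permit ip any host 10.1.1.36",
    "access-list outside_access_in deny ip any any",
])

if __name__ == "__main__":
    for pat, acl in ((BROKEN_PAT, DENY_FIRST_ACL), (FIXED_PAT, DENY_FIRST_ACL),
                     (FIXED_PAT, WORKING_ACL)):
        print(trace(81, pat, PIX_STATIC, acl))
    print(exposed_ports(WORKING_ACL, "10.1.1.36", [23, 80, 81, 8482]))
    print(exposed_ports(PER_PORT_ACL, "10.1.1.36", [23, 80, 81, 8482]))
```

With the thread's final `permit ip any host 10.1.1.36` line the PIX passes every port to the camera's mapped address, so the 827's single static PAT entry is the only port restriction on traffic from the internet; the per-port ACL keeps that restriction on the firewall as well.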



 