PAT on Pix501

Discussion in 'Cisco' started by adrien_t@hotmail.com, Feb 19, 2005.

  1. Guest

    I am trying to set up PAT for port 80 on my PIX 501 and it's not
    working. I have followed the instructions on Cisco.com without success.
    I was hoping someone could look at my config and let me know what is
    wrong.

    Building configuration...
    : Saved
    :
    PIX Version 6.1(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password <...> encrypted
    passwd <...> encrypted
    hostname pixfirewall
    domain-name pix.firewall
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any source-quench
    access-list 101 permit icmp any any traceroute
    access-list 101 permit icmp any any time-exceeded
    pager lines 24
    logging on
    logging buffered errors
    logging trap notifications
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside 64.140.81.226 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.50 255.255.255.255 inside
    pdm location 192.165.1.2 255.255.255.255 inside
    pdm location 192.165.1.0 255.255.255.0 inside
    pdm location 64.140.81.226 255.255.255.255 outside
    pdm location 192.168.1.243 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www 192.168.1.243 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8080 192.168.1.243 8080 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 64.140.81.225 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.1.25-192.168.1.56 inside
    dhcpd dns 64.140.81.231 170.147.45.165
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:165f5e29369450e5da581ea6eb1c6a16
    : end
    [OK]
     
    , Feb 19, 2005
    #1

  2. In article <>,
    <> wrote:
    :I am trying to set up PAT for port 80 on my PIX 501 and it's not
    :working.

    :PIX Version 6.1(4)

    :access-list 101 permit icmp any any echo-reply
    :access-list 101 permit icmp any any unreachable
    :access-list 101 permit icmp any any source-quench
    :access-list 101 permit icmp any any traceroute
    :access-list 101 permit icmp any any time-exceeded

    As a security note: I have seen completely random 'source-quench'
    packets directed to our systems, sent from IP addresses we have
    never visited (I checked the connection logs to be sure.)
    I am thus not sure that it is safe to allow 'any' to source-quench you.
    It could be used as part of a DoS attack, considering that it is
    icmp and thus someone could forge a packet telling you to stop sending
    to (say) your provider.

    :global (outside) 1 interface
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    :static (inside,outside) tcp interface www 192.168.1.243 www netmask 255.255.255.255 0 0
    :static (inside,outside) tcp interface 8080 192.168.1.243 8080 netmask 255.255.255.255 0 0
    :access-group 101 in interface outside
    :route outside 0.0.0.0 0.0.0.0 64.140.81.225 1

    Your statics suggest that you want incoming port 80 and 8080 to be
    directed to your internal machine 192.168.1.243, but the access-list
    you have applied to the outside does not permit incoming 80 or 8080.
    The effect of the configuration you have is that if your system
    192.168.1.243 happens to start a new connection and uses ports 80 or 8080
    as the source port (unlikely unless you specifically programmed that)
    then it would appear as source port 80 or 8080 (respectively) in
    going to the outside world, instead of appearing as a random port
    number as would be the case if you did not have the statics.

    My money would be on you having omitted

    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 8080
    --
    Is "meme" descriptive or prescriptive? Does the knowledge that
    memes exist not subtly encourage the creation of more memes?
    -- A Child's Garden Of Memes
     
    Walter Roberson, Feb 19, 2005
    #2
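A check for the mismatch Walter describes, added here as an example and not code from the thread: it parses the port statics and the access-list bound inbound on the outside interface, then reports every static that no permit entry covers. The function names, the trimmed sample config and the small port-name table are my own assumptions; only PIX 6.x 'eq PORT' syntax is modelled.

```python
# Constructed sample mirroring the thread's first config: port statics exist,
# but access-list 101 (applied inbound on outside) only permits ICMP.
ORIGINAL_CONFIG = """\
access-list 101 permit icmp any any echo-reply
static (inside,outside) tcp interface www 192.168.1.243 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.1.243 8080 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""
# The two permit lines Walter suggests adding.
FIX = "access-list 101 permit tcp any any eq www\naccess-list 101 permit tcp any any eq 8080\n"
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25, "ssh": 22}

def port_number(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]

def _take_addr(toks):  # one PIX address spec: 'any' | 'host A.B.C.D' | 'NET MASK'
    if toks[0] == "any":
        return "any", toks[1:]
    return (toks[1] if toks[0] == "host" else f"{toks[0]}/{toks[1]}"), toks[2:]

def parse_config(text):
    # Collect permit entries per ACL, port statics and inbound access-groups
    # ('eq PORT' only; 'range' and object groups are not modelled).
    acl, statics, groups = {}, [], {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:3] == ["permit"]:
            proto, rest = t[3], t[4:]
            _, rest = _take_addr(rest)
            if rest[:1] == ["eq"]:          # optional source-port qualifier
                rest = rest[2:]
            dst, rest = _take_addr(rest)
            port = port_number(rest[1]) if rest[:1] == ["eq"] else None
            acl.setdefault(t[1], []).append((proto, dst, port))
        elif t[:1] == ["static"] and t[2:3] in (["tcp"], ["udp"]):
            # static (in,out) PROTO GLOBAL GPORT LOCAL LPORT netmask ...
            outside = t[1].strip("()").split(",")[1]
            statics.append((outside, t[2], t[3], port_number(t[4]), t[5]))
        elif t[:1] == ["access-group"] and t[2:3] == ["in"]:
            groups[t[4]] = t[1]             # interface name -> ACL name
    return acl, statics, groups

def unreachable_statics(text):
    # (proto, global_port, local_host) for each port static that the inbound
    # ACL on its outside interface does not permit; [] means all are reachable.
    acl, statics, groups = parse_config(text)
    missing = []
    for outside, proto, gaddr, gport, local in statics:
        entries = acl.get(groups.get(outside, ""), [])
        if not any(p in (proto, "ip") and d in ("any", gaddr) and pt in (None, gport)
                   for p, d, pt in entries):
            missing.append((proto, gport, local))
    return missing
```

Run `unreachable_statics(ORIGINAL_CONFIG)` to see both statics flagged, and `unreachable_statics(ORIGINAL_CONFIG + FIX)` to confirm the two suggested lines clear them.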

  3. Guest

    Thanks for the tip about source-quench. I have removed that
    access-list. I have also added the two access-lists that you suggested
    without any luck. I am trying to set this up to forward any HTTP or
    HTTPS requests to an internal web server.
     
    , Feb 19, 2005
    #3
  4. In article <>,
    <> wrote:
    :I have also added the two access-lists that you suggested
    :without any luck.

    Are you certain that your ISP allows those packets through?
    Some ISPs, especially residential ISPs, block common ports
    as destinations, to make it more difficult for people to run
    servers on their residential accounts.
    --
    Tenser, said the Tensor.
    Tenser, said the Tensor.
    Tension, apprehension,
    And dissension have begun. -- Alfred Bester (tDM)
     
    Walter Roberson, Feb 19, 2005
    #4
  5. Guest

    My ISP allows those packets through. I have been running a similar
    configuration for a few years now with a Linksys router in place. I
    just wanted to upgrade to a Cisco since the Linksys is getting flaky.
     
    , Feb 19, 2005
    #5
  6. Access-list 101 doesn't permit either TCP 80 or 8080.

    You should upgrade to 6.3.4... It is pretty solid, IMO.


    On 02/19/2005 01:32 PM, in article <>, "" <> wrote:

    > I am trying to set up PAT for port 80 on my PIX 501 and it's not
    > working. I have followed the instructions on Cisco.com without success.
    > I was hoping someone could look at my config as let me know what is
    > wrong.
    >
    > Building configuration...
    > : Saved
    > :
    > PIX Version 6.1(4)
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password <...> encrypted
    > passwd <...> encrypted
    > hostname pixfirewall
    > domain-name pix.firewall
    > fixup protocol ftp 21
    > fixup protocol http 80
    > fixup protocol h323 1720
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol sip 5060
    > fixup protocol skinny 2000
    > names
    > access-list 101 permit icmp any any echo-reply
    > access-list 101 permit icmp any any unreachable
    > access-list 101 permit icmp any any source-quench
    > access-list 101 permit icmp any any traceroute
    > access-list 101 permit icmp any any time-exceeded
    > pager lines 24
    > logging on
    > logging buffered errors
    > logging trap notifications
    > interface ethernet0 10baset
    > interface ethernet1 10full
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside 64.140.81.226 255.255.255.224
    > ip address inside 192.168.1.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm location 192.168.1.50 255.255.255.255 inside
    > pdm location 192.165.1.2 255.255.255.255 inside
    > pdm location 192.165.1.0 255.255.255.0 inside
    > pdm location 64.140.81.226 255.255.255.255 outside
    > pdm location 192.168.1.243 255.255.255.255 inside
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp interface www 192.168.1.243 www netmask 255.255.255.255 0 0
    > static (inside,outside) tcp interface 8080 192.168.1.243 8080 netmask 255.255.255.255 0 0
    > access-group 101 in interface outside
    > route outside 0.0.0.0 0.0.0.0 64.140.81.225 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > no sysopt route dnat
    > telnet timeout 5
    > ssh timeout 5
    > dhcpd address 192.168.1.25-192.168.1.56 inside
    > dhcpd dns 64.140.81.231 170.147.45.165
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > dhcpd auto_config outside
    > dhcpd enable inside
    > terminal width 80
    > Cryptochecksum:165f5e29369450e5da581ea6eb1c6a16
    > : end
    > [OK]
    >
     
    Brant I. Stevens, Feb 19, 2005
    #6
  7. Ivan Ostreš Guest

    In article <>,
    says...
    > Thanks for the tip about source-quench. I have removed that
    > access-list. I have also added the two access-lists that you suggested
    > without any luck. I am trying to set this up to forward any HTTP or
    > HTTPS requests to an internal web server.
    >


    There's actually a question: how did you test to prove it's not
    working? I've tried by simply entering your IP address in Internet
    Explorer and it opens WebForm1....


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Feb 20, 2005
    #7
  8. Guest

    I had to have access to the internal web server so I put my old router
    back in place (a linksys). It can be flaky but when it is up, it allows
    access to the web server.
     
    , Feb 20, 2005
    #8
  9. Ivan Ostreš Guest

    In article <>,
    says...
    >
    > I had to have access to the internal web server so I put my old router
    > back in place (a linksys). It can be flaky but when it is up, it allows
    > access to the web server.
    >


    Well, that would explain it :). How did you test your PIX config?
    When trying to access a web server behind the PIX, what do the logs say? What
    does 'show xlate' say?

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Feb 20, 2005
    #9
  10. Guest

    'show xlate' shows
    PAT Global 64.140.81.226(1107) Local 192.168.1.222(3291)
    PAT Global 64.140.81.226(1106) Local 192.168.1.222(3290)
    PAT Global 64.140.81.226(1105) Local 192.168.1.222(3289)
    PAT Global 64.140.81.226(1114) Local 192.168.1.222(3298)
    PAT Global 64.140.81.226(1119) Local 192.168.1.222(3303)
    PAT Global 64.140.81.226(1118) Local 192.168.1.222(3302)
    PAT Global 64.140.81.226(1117) Local 192.168.1.222(3301)
    PAT Global 64.140.81.226(1116) Local 192.168.1.222(3300)
    PAT Global 64.140.81.226(1090) Local 192.168.1.222(3273)
    PAT Global 64.140.81.226(1089) Local 192.168.1.222(3272)
    PAT Global 64.140.81.226(1093) Local 192.168.1.222(3276)
    PAT Global 64.140.81.226(1097) Local 192.168.1.222(3280)
    PAT Global 64.140.81.226(1139) Local 192.168.1.222(3322)
    PAT Global 64.140.81.226(1138) Local 192.168.1.222(3321)
    PAT Global 64.140.81.226(1137) Local 192.168.1.222(3319)
    PAT Global 64.140.81.226(1136) Local 192.168.1.222(3317)
    PAT Global 64.140.81.226(1140) Local 192.168.1.222(3324)
    PAT Global 64.140.81.226(1123) Local 192.168.1.222(3307)
    PAT Global 64.140.81.226(1122) Local 192.168.1.222(3306)
    PAT Global 64.140.81.226(1121) Local 192.168.1.222(3305)
    PAT Global 64.140.81.226(1120) Local 192.168.1.222(3304)
    PAT Global 64.140.81.226(1127) Local 192.168.1.222(3311)
    PAT Global 64.140.81.226(1126) Local 192.168.1.222(3310)
    PAT Global 64.140.81.226(1125) Local 192.168.1.222(3309)
    PAT Global 64.140.81.226(1124) Local 192.168.1.222(3308)
    PAT Global 64.140.81.226(1131) Local 192.168.1.26(2900)
    PAT Global 64.140.81.226(1130) Local 192.168.1.26(2899)
    PAT Global 64.140.81.226(1129) Local 192.168.1.29(1262)
    PAT Global 64.140.81.226(1128) Local 192.168.1.222(3312)
    PAT Global 64.140.81.226(1135) Local 192.168.1.222(3316)
    PAT Global 64.140.81.226(1134) Local 192.168.1.222(3315)
    PAT Global 64.140.81.226(1133) Local 192.168.1.222(3314)
    PAT Global 64.140.81.226(1132) Local 192.168.1.26(2901)
    PAT Global 64.140.81.226(1042) Local 192.168.1.222(3323)
    PAT Global 64.140.81.226(1041) Local 192.168.1.222(3320)
    PAT Global 64.140.81.226(1040) Local 192.168.1.222(3318)
    PAT Global 64.140.81.226(1027) Local 192.168.1.28(1271)
    PAT Global 64.140.81.226(1031) Local 192.168.1.28(1275)
    PAT Global 64.140.81.226(1030) Local 192.168.1.28(1274)
    PAT Global 64.140.81.226(1034) Local 192.168.1.28(1281)
    PAT Global 64.140.81.226(1039) Local 192.168.1.222(3313)
    PAT Global 64.140.81.226(1038) Local 192.168.1.29(1261)
    PAT Global 64.140.81.226(1036) Local 192.168.1.26(2823)
    PAT Global 64.140.81.226(1082) Local 192.168.1.222(3264)
    PAT Global 64.140.81.226(1) Local 192.168.1.140(137)

    I don't see any attempts to access the web server 192.168.1.243

    My current Config is

    Result of firewall command: "show config"

    : Saved
    : Written by enable_15 at 12:03:36.010 UTC Wed Feb 23 2005
    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    domain-name pix.firewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any traceroute
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 8080
    pager lines 24
    logging on
    logging buffered errors
    logging trap notifications
    mtu outside 1500
    mtu inside 1500
    ip address outside 64.140.81.226 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool my-addr-pool 192.168.1.57-192.168.1.100
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www 192.168.1.243 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8080 192.168.1.243 8080 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 64.140.81.225 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:07754cbc61c01f041af44714e1259401
     
    , Feb 23, 2005
    #10
