PIX 501 single outside interface and PAT for inbound connections???

Discussion in 'Cisco' started by Adisegna@gmail.com, Oct 28, 2005.

  1. Guest

    Hello,

    I have a PIX 501 with two interfaces. I am trying to setup a webserver
    behind the internal interface.

    I have a single public IP assigned to the interface.
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    I tried
    static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0

    and

    static (inside,outside) *.*.*.* 192.168.1.2 netmask 255.255.255.255 0 0

    but still cannot connect to the web server. I can ping the external
    interface.
    I do have access-list and access-group entries for the inbound
    connections

    access-list permit_in permit tcp any host *.*.*.*
    access-group permit_in in interface outside

    Is there an issue with PAT and a single outside interface being the
    same.

    Thanks in advance...
     
    , Oct 28, 2005
    #1

  2. In article <>,
    <> wrote:
    :I have a PIX 501 with two interfaces. I am trying to setup a webserver
    :behind the internal interface.

    :I have a single public IP assigned to the interface.
    :global (outside) 1 interface
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :I tried
    :static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0

    That's the correct form.

    :static (inside,outside) *.*.*.* 192.168.1.2 netmask 255.255.255.255 0 0

    That won't work for you.

    :but still cannot connect to the web server. I can ping the external
    :interface.
    :I do have access-list and access-group entries for the inbound
    :connections

    :access-list permit_in permit tcp any host *.*.*.*

    Change that to

    access-list permit_in permit tcp any interface outside eq www

    :access-group permit_in in interface outside


    :Is there an issue with PAT and a single outside interface being the
    :same.

    Yes in early 6.2 versions, but that was fixed.
    --
    "It is important to remember that when it comes to law, computers
    never make copies, only human beings make copies. Computers are given
    commands, not permission. Only people can be given permission."
    -- Brad Templeton
     
    Walter Roberson, Oct 28, 2005
    #2

  3. mostro Guest

    Hi Walter,

    So change all my ACLs to 'interface' instead of the public IP?

    Thanks


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:djrr7i$456$...
    > In article <>,
    > <> wrote:
    > :I have a PIX 501 with two interfaces. I am trying to setup a webserver
    > :behind the internal interface.
    >
    > :I have a single public IP assigned to the interface.
    > :global (outside) 1 interface
    > :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >
    > :I tried
    > :static (inside,outside) tcp interface www 192.168.1.2 www netmask
    > 255.255.255.255 0 0
    >
    > That's the correct form.
    >
    > :static (inside,outside) *.*.*.* 192.168.1.2 netmask 255.255.255.255 0 0
    >
    > That won't work for you.
    >
    > :but still cannot connect to the web server. I can ping the external
    > :interface.
    > :I do have access-list and access-group entries for the inbound
    > :connections
    >
    > :access-list permit_in permit tcp any host *.*.*.*
    >
    > Change that to
    >
    > access-list permit_in permit tcp any interface outside eq www
    >
    > :access-group permit_in in interface outside
    >
    >
    > :Is there an issue with PAT and a single outside interface being the
    > :same.
    >
    > Yes in early 6.2 versions, but that was fixed.
    > --
    > "It is important to remember that when it comes to law, computers
    > never make copies, only human beings make copies. Computers are given
    > commands, not permission. Only people can be given permission."
    > -- Brad Templeton
     
    mostro, Oct 28, 2005
    #3
  4. In article <>,
    mostro <> wrote:
    :Hi Walter,

    : So change all my ACLs to 'interface' instead of the public IP?

    Depends on the exact PIX software version, but in 6.3 in ACLs, you
    use 'interface outside' to refer to the outside interface IP.
    In 'static' and nat commands, you use just 'interface' without
    the word 'outside': in those commands the interface can be deduced
    based on other information in the command.
    --
    Chocolate is "more than a food but less than a drug" -- RJ Huxtable
     
    Walter Roberson, Oct 28, 2005
    #4
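    Putting Walter's two answers (#2 and #4) together, here is a complete PIX 6.3 fragment for the scenario in the thread. This is an added example, not a config posted by anyone in the thread; it assumes the inside network is 192.168.1.0/24, the PIX inside address is 192.168.1.1, and the outside address is assigned by the ISP via DHCP.

```cisco
! Assumed interface layout (example only): ethernet0 outside, ethernet1 inside
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp
ip address inside 192.168.1.1 255.255.255.0

! Outbound PAT: every inside host hides behind the outside interface address.
! 'interface' is used without 'outside' here (static/nat/global syntax).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Inbound port forward: TCP/80 arriving on the outside interface address
! is translated to the web server. Only this one port is exposed.
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0

! Broken form from the original post: an ACL that names the public IP
! literally (203.0.113.10 is a documentation placeholder, not a real value).
! This does not match traffic to a PAT'd interface address in 6.3 and also
! silently breaks if the ISP changes the DHCP-assigned address.
!   access-list permit_in permit tcp any host 203.0.113.10

! Correct form: in ACLs the keyword is 'interface outside', and the rule is
! limited to the single forwarded port rather than all of TCP.
access-list permit_in permit tcp any interface outside eq www
access-group permit_in in interface outside
```

    After applying it, `show xlate` should list a static translation for 192.168.1.2 port 80, and `show access-list permit_in` should show the hit count on the www line climbing as outside clients connect.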
  5. mostro Guest

    The only change I had to make to the config was replacing the public IP with
    'interface'.

    Thanks


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:djta7d$5pt$...
    > In article <>,
    > mostro <> wrote:
    > :Hi Walter,
    >
    > : So change all my ACLs to 'interface' instead of the public IP?
    >
    > Depends on the exact PIX software version, but in 6.3 in ACLs, you
    > use 'interface outside' to refer to the outside interface IP.
    > In 'static' and nat commands, you use just 'interface' without
    > the word 'outside': in those commands the interface can be deduced
    > based on other information in the command.
    > --
    > Chocolate is "more than a food but less than a drug" -- RJ Huxtable
     
    mostro, Oct 29, 2005
    #5