PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT (Part 3)

Discussion in 'Cisco' started by Michiel, Aug 23, 2006.

  1. Michiel

    Michiel Guest

    Hello,

    I have this strange problem and I can't seem to understand it. I have the
    following situation; I have been posting here before under the same name and
    subject, so you can read back, though that is probably not needed.

    Internet (Zyxel P660HW)
    WAN : Public IP (natted)
    LAN : 192.168.168.1 subnet 255.255.255.252

    Cisco Pix 506e
    WAN : 192.168.168.2 subnet 255.255.255.252 (natted)
    LAN : 192.168.68.8 subnet 255.255.255.0

    Internal PC
    LAN 192.168.68.1 subnet 255.255.255.0

    Now what I want is to run several services on my PC (server): DNS, HTTP,
    HTTPS, RDP, VPN, FTP, SMTP, POP3. Below is the config, and it is not working
    properly. When I want to connect from the internet (WAN) side to my public IP
    address everything is dead/denied. Stealth firewalled... so nothing is
    responding. What I have tested, and which worked perfectly, was a normal PC
    with a webserver and FTP server running, IP 192.168.168.1 subnet
    255.255.255.252, in place of the internet router. From my LAN I am able to
    open the website on the webserver and FTP is also OK. When I connect with
    that PC to 192.168.168.2 on ports like FTP, HTTP, etc. it is connecting fine!
    No problems at all. I am sure it is not the Zyxel router that seems to be
    wrong, but when I put a normal cable router with the same configuration in
    place of the Cisco PIX, it is working.

    Anyone any idea...??? Or do I need to bridge the connection to give the PIX
    a public IP...? I prefer not to do that, because of the more complex/illogical
    network configuration...

    Sincerely,
    Michiel

    Config :
    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ************ encrypted
    passwd ************ encrypted
    hostname firewall
    domain-name test.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.68.1 PC1
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in remark UDP - DNS
    access-list outside_access_in permit udp any any eq domain
    access-list outside_access_in remark TCP - DNS
    access-list outside_access_in permit tcp any any eq domain
    access-list outside_access_in remark TCP - FTP Data
    access-list outside_access_in permit tcp any any eq ftp-data
    access-list outside_access_in remark TCP - FTP
    access-list outside_access_in permit tcp any any eq ftp
    access-list outside_access_in remark TCP - HTTP
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in remark TCP - HTTPS
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in remark TCP - SMTP
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in remark TCP - RDP
    access-list outside_access_in permit tcp any any eq 3389
    access-list outside_access_in remark TCP - Webbased / Remote Admin
    access-list outside_access_in permit tcp any any range 7698 7704
    access-list outside_access_in remark IP - GRE
    access-list outside_access_in permit tcp any any eq pptp
    access-list outside_access_in remark TCP - PPTP
    access-list outside_access_in permit gre any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.168.2 255.255.255.252
    ip address inside 192.168.68.8 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location PC1 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.68.0 255.255.255.0 0 0
    static (inside,outside) tcp interface pptp PC1 pptp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7700 PC1 7700 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7701 PC1 7701 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7699 PC1 7699 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp PC1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www PC1 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface domain PC1 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp interface domain PC1 domain netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp PC1 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp-data PC1 ftp-data netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https PC1 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 PC1 3389 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.168.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.68.0 255.255.255.0 inside
    floodguard enable
    telnet 192.168.68.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end
    [OK]
    Michiel, Aug 23, 2006
    #1
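An added example, not code from the thread: a Python checker that cross-references the `static ... interface` translations, the `outside_access_in` access list and the list of services the poster wants, and re-joins the config lines the newsgroup paste wrapped. It assumes the PIX 6.3 port keywords listed in `PORT_NAMES` and works on a constructed excerpt of the posted config (the name, access-list and static lines only).

```python
import re

PORT_NAMES = {"domain": 53, "ftp-data": 20, "ftp": 21, "www": 80,  # PIX 6.3 port keywords
              "https": 443, "smtp": 25, "pptp": 1723, "pop3": 110}

# Constructed excerpt of the posted config, keeping the paste's wrapping ("0 0" alone on a line).
PIX_CONFIG = """\
name 192.168.68.1 PC1
access-list outside_access_in remark UDP - DNS
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in remark TCP - DNS
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in remark TCP - FTP Data
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in remark TCP - FTP
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in remark TCP - HTTP
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in remark TCP - HTTPS
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in remark TCP - SMTP
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in remark TCP - RDP
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in remark TCP - Webbased / Remote Admin
access-list outside_access_in permit tcp any any range 7698 7704
access-list outside_access_in remark IP - GRE
access-list outside_access_in permit tcp any any eq pptp
access-list outside_access_in remark TCP - PPTP
access-list outside_access_in permit gre any any
static (inside,outside) tcp interface pptp PC1 pptp netmask 255.255.255.255
0 0
static (inside,outside) tcp interface 7700 PC1 7700 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp PC1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www PC1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain PC1 domain netmask
255.255.255.255 0 0
static (inside,outside) udp interface domain PC1 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp PC1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data PC1 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https PC1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 PC1 3389 netmask 255.255.255.255 0 0
"""

# Services the poster wants reachable as (protocol, port); GRE for PPTP has no port.
WANTED = [("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 3389),
          ("tcp", 1723), ("tcp", 21), ("tcp", 20), ("tcp", 25), ("tcp", 110)]


def port_number(token):
    """Resolve a PIX port keyword or numeric token to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def unwrap(text):
    """Re-join wrapped lines: a line made only of digits, dots, spaces and
    colons ('0 0', '255.255.255.255 0 0') continues the command before it."""
    lines = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if lines and re.fullmatch(r"[\d. :]*\d[\d. :]*", line):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse(lines):
    """Return ACL permit rules (each with the remark above it) and interface statics."""
    names, rules, statics, remark = {}, [], [], None
    for line in lines:
        t = line.split()
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "remark":
            remark = " ".join(t[3:])
        elif t[0] == "access-list" and t[2] == "permit":
            ports = set()
            if "eq" in t:
                ports.add(port_number(t[t.index("eq") + 1]))
            elif "range" in t:
                i = t.index("range")
                ports.update(range(port_number(t[i + 1]), port_number(t[i + 2]) + 1))
            rules.append({"proto": t[3], "ports": ports, "remark": remark})
            remark = None
        elif t[0] == "static" and t[3] == "interface":  # static PAT on the outside address
            statics.append({"proto": t[2], "port": port_number(t[4]), "host": names.get(t[5], t[5])})
    return rules, statics


def audit(config_text, wanted):
    """Cross-check the translations, the ACL and the wanted service list."""
    rules, statics = parse(unwrap(config_text))
    permitted = {(r["proto"], p) for r in rules for p in r["ports"]}
    translated = {(s["proto"], s["port"]) for s in statics}
    fmt = lambda keys: sorted(f"{proto}/{port}" for proto, port in keys)
    return {
        "translation_without_permit": fmt(translated - permitted),  # static the ACL blocks
        "permit_without_translation": fmt(permitted - translated),  # ACL wider than needed
        "wanted_without_translation": fmt(set(wanted) - translated),  # service never forwarded
        "mislabeled_remarks": [r["remark"] for r in rules if r["remark"]
                               and r["proto"] not in r["remark"].lower().split()],
    }
```

Run against the excerpt it reports POP3 (tcp/110) as wanted but never translated, the 7698-7704 permit as wider than the statics behind it, and the two swapped GRE/PPTP remarks.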

  2. Michiel

    Michiel Guest

    One thing more...
    When I connect to the internet from LAN to PIX to Zyxel it is also working
    fine! Only the traffic from the internet to the local network is not
    working.

    Thanks,
    Michiel

    Michiel, Aug 23, 2006
    #2

  3. James

    James Guest

    You can't use the static command's interface keyword in this way.

    The interface keyword is used for PAT only, i.e. for users from the
    inside going to the outside. PAT on the PIX can be done in two ways:-

    global (outside) 1 interface
    nat (inside) 1 192.168.68.0 255.255.255.0 0 0

    Like you have done, or like this:-

    static (inside,outside) interface 192.168.68.0 netmask 255.255.255.0


    To do what you need to do, create a translation on your modem to another
    IP - you can't use the PIX's outside interface address for this.

    James
    James, Aug 23, 2006
    #3
  4. SAto

    SAto Guest

    James skrev:
    > You can't use the Static commands Interface keyword in this way.
    >
    > The Interface keyword is used for PAT only i.e. for users from the
    > inside going to the outside. PAT on the PIX can be done in two ways:-
    >
    > global (outside) 1 interface
    > nat (inside) 1 192.168.68.0 255.255.255.0 0 0
    >
    > Like you have done, or like this:-
    >
    > static (inside,outside) interface 192.168.68.0 netmask 255.255.255.0
    >
    >
    > To do what you need to do create a translation on your Modem to another
    > IP - you can't use the PIX's outside interface address for this.


    Actually you can, and looking over the config I think this should work.
    Didn't you successfully do this with SMTP and HTTP in a previous post?

    I have several setups using the outside address of the PIX as a PATed
    address.
    Or you could just set up the PIX to NAT the inside host as
    192.168.168.3, but then you'd need to change the netmask on the PIX and
    the router as well.

    -SAto
    SAto, Aug 23, 2006
    #4
  5. James

    James Guest

    SAto wrote:
    >
    > Actually you can and looking over the config I think this should work.
    > Didn't you successfully do this with smtp and http in a previous post?



    Really?

    OK :)
    James, Aug 23, 2006
    #5
  6. Michiel

    Michiel Guest

    Yes, I tested it in a previous post, but there was a normal computer
    running a webserver and FTP server instead of the Zyxel router. That had the
    WAN IP of the PIX as gateway, and that worked fine, but now, changing the
    situation to the Zyxel... it is not...

    What I think, in logical terms...

    Internet --> Zyxel WAN --> Zyxel LAN --> PIX WAN --> PIX LAN
    Public IP NATTED --> Zyxel LAN 192.168.168.1 --> PIX WAN 192.168.168.2
    NATTED --> LAN 192.168.68.0 my network

    Am I right to see it like this...? Or am I wrong...?

    Because your point about changing the inside to NAT as 192.168.168.3 is what I
    don't understand... could you explain it to me more...?

    Sincerely,
    Michiel

    Michiel, Aug 23, 2006
    #6
  7. James

    James Guest

    Is the public IP NATted to the PIX outside IP on the Zyxel?

    James

    James, Aug 23, 2006
    #7
  8. Michiel

    Michiel Guest

    I am not sure about this...

    I don't understand the part

    > To do what you need to do create a translation on your Modem to another
    > IP - you can't use the PIX's outside interface address for this.


    What do you mean by that...?

    Sincerely,
    Michiel

    Michiel, Aug 23, 2006
    #8
  9. Michiel

    Michiel Guest

    The public IP of the Zyxel WAN is NATted on the Zyxel LAN, and there is a DMZ
    host entered to forward all ports to the WAN of the PIX.. This is what you
    mean, right...?

    Sincerely,
    Michiel
    Michiel, Aug 23, 2006
    #9
  10. Michiel

    Michiel Guest

    Isn't it the case that the PIX is only accepting incoming connections
    from network 192.168.168.0/255.255.255.252...? and not from outside that
    network...? I mean something default in the access list of the PIX...? This
    is the first time I've been working with a Cisco PIX... I used to be
    working with Zyxel's ZyWALLs... which are working pretty much fine, though I
    wanted to try Cisco... ;)...

    Michiel, Aug 23, 2006
    #10
  11. James

    James Guest

    > The public ip zyxel WAN is natted on the zyxel LAN, and there is DMZ host
    > entered to forward all ports to the WAN of the PIX.. This is what you mean
    > right...?


    I don't know the Zyxel device at all; however, if it was a Cisco device I
    would NAT the public IP to the PIX's outside interface IP.
    James, Aug 23, 2006
    #11
  12. Michiel

    Michiel Guest

    Yes, I understand you, that is what I have done... so you are sure that the
    PIX is configured correctly...? Because then I really have to get into a hard
    discussion with Valadis/Zyxel Netherlands, because of the not well working
    DMZ (NAT) function in combination with a PIX... because the strange thing
    here is that when I have a cable router in the network instead of the PIX
    then it is working well... so my logic was that it is the PIX not functioning
    well.

    I will post again when I have more info... which will probably be later in
    the day... ;)...

    Thanks for your time!

    Sincerely,
    Michiel

    Michiel, Aug 23, 2006
    #12
  13. James

    James Guest

    Can you connect a hub or switch between the Zyxel and PIX and use
    Ethereal or similar to see if traffic is even arriving at the PIX? If
    you use a switch remember that you will have to use the Span / Port
    Mirror feature.

    Alternatively, the PIX has some sort of packet capture feature which
    can be used:-

    http://www.cisco.com/en/US/products..._guide_chapter09186a0080172797.html#wp1038055

    I haven't tried it though.

    Also enable logging to the PIX's internal buffer; you may get a message
    indicating the problem.

    James

    James, Aug 23, 2006
    #13
  14. SAto

    SAto Guest

    Michiel skrev:
    > I am not sure about this...
    >
    > I don't understand the part
    >
    > > To do what you need to do create a translation on your Modem to another
    > > IP - you can't use the PIX's outside interface address for this.


    You could change the network between the PIX and the Zyxel to be a /29
    network instead of a /30; that way you could static NAT a new IP address
    for the server, instead of PATing the PIX outside address. That way
    the only thing you'd have to worry about would be access rules working,
    and not the PATing.

    -SAto
    SAto, Aug 23, 2006
    #14
  15. Michiel

    Michiel Guest

    OK! Thanks!

    I just called Zyxel, and they have another option, which is to not use the DMZ
    but simply forward the port range 1 to 65535. So I will try that first...
    ;) then I will try your option using a packet sniffer to see if indeed the
    data is getting to the PIX...

    Thanks!... ;)

    Sincerely,
    Michiel

    Michiel, Aug 23, 2006
    #15
  16. Michiel

    Michiel Guest

    I forgot to tell something very important about the situation...

    I said that no traffic is coming through NAT at the server... only one thing
    is working well: VPN... VPN is no problem... I forgot this because another
    server was already connected through VPN without me testing it, because the
    other things like WEB, SMTP etc. were not working...

    That is also the reason why I still have the feeling the problem should be
    in the PIX...

    Anyone know a logical explanation for this...? ;)...

    Sincerely,
    Michiel

    Michiel, Aug 23, 2006
    #16
  17. Michiel

    James Guest

    Strange....

    Have you turned on the PIX's logging? If so do a show log and paste
    the results here.

    Try "clear xlate" and see if that helps at all. Cisco recommend that
    you do a clear xlate after every change to the PIX config.

    Failing that if you let me know the Public IP I can run some tests from
    here.

    James

    James, Aug 23, 2006
    #17
  18. Michiel

    Michiel Guest

    Ok, right now I am not able to change cables physically, so later on the day I
    could change the things... I am able to connect to turn on the logging.

    Which logging should I enable...? Because I am mostly configuring it from
    PDM... which seems to be very simple and straight... though some things I
    change through the console...

    Sincerely,
    Michiel

    Michiel, Aug 23, 2006
    #18
  19. Michiel

    James Guest

    logging on
    logging timestamp
    logging buffered notifications

    should do it. If it is a translation problem then the PIX should log
    it.

    James, Aug 23, 2006
    #19
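    As an added example (not from the thread or from Cisco), a small Python script that sorts a pasted `show logging` buffer into translation failures versus access-list denies, and checks whether a message of a given severity is even stored at `logging buffered notifications`. The log lines are constructed and their wording is approximate; only the numeric message IDs (305005, 305006, 106001, 106023) are the documented PIX ones the parser keys on.

```python
import re
from collections import Counter

# Constructed sample of "show logging" output from a PIX 6.3 with
# "logging buffered notifications" set.  Message bodies approximate the
# documented formats; the parser relies on the numeric message ID only.
SAMPLE_LOG = """\
Aug 23 2006 10:15:01: %PIX-3-305005: No translation group found for tcp src outside:203.0.113.10/40211 dst inside:192.168.68.1/80
Aug 23 2006 10:15:03: %PIX-4-106023: Deny tcp src outside:203.0.113.10/40212 dst inside:192.168.68.1/25 by access-group "outside_access_in"
Aug 23 2006 10:15:05: %PIX-3-305006: regular translation creation failed for udp src outside:203.0.113.10/53 dst inside:192.168.68.1/53
Aug 23 2006 10:15:07: %PIX-5-111008: User 'enable_15' executed the 'clear xlate' command.
garbage line that is not a syslog message
"""

MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")

# Message IDs whose presence points at a NAT/xlate problem versus an ACL deny.
TRANSLATION_IDS = {"305005", "305006"}
ACL_DENY_IDS = {"106001", "106023"}

# PIX severity names in order; "logging buffered <name>" keeps messages whose
# numeric severity is <= that level, so "notifications" (5) never stores the
# level-6 "Built connection" (302013) messages a successful session would give.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

def parse_line(line):
    """Return (severity, msg_id, text) for a PIX syslog line, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text")

def classify(log_text):
    """Bucket each parsed line as 'translation', 'acl' or 'other'."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue          # prompt echo, blank line, non-syslog noise
        _, msg_id, _ = parsed
        if msg_id in TRANSLATION_IDS:
            counts["translation"] += 1
        elif msg_id in ACL_DENY_IDS:
            counts["acl"] += 1
        else:
            counts["other"] += 1
    return counts

def captured(severity, buffer_level="notifications"):
    """True if a message of this severity is kept in the buffer at buffer_level."""
    return severity <= LEVELS.index(buffer_level)

def diagnose(log_text):
    """One-line verdict for the thread's question: is the PIX the problem?"""
    c = classify(log_text)
    if c["translation"]:
        return "translation problem: check the static/nat/global lines for the server"
    if c["acl"]:
        return "access-list deny: check the outside access-group"
    return "no PIX-side error logged: suspect the upstream device"

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG))
```

    If the buffer shows nothing for a connection attempt, raise the level to `logging buffered informational` before concluding the PIX never saw the packet, since the build/teardown messages are level 6.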
  20. Michiel

    Michiel Guest

    Hello James and everyone...

    I finally managed to get the PIX to work with the Zyxel... the problem was
    in the Zyxel, somehow with some answering IPs it is not forwarding the
    ports but stealths them...

    I am glad that the Zyxel will be replaced by a Cisco 876... ;)...

    Thanks and many Thanks for all the good input!

    Michiel
    Michiel, Aug 24, 2006
    #20