Quick help: PIX 501 and Port Forwarding

Discussion in 'Cisco' started by Sascha E. Pollok, Aug 9, 2006.

  1. Folks,

    can someone help me out here quickly, please? PIX 501 running an
    old 6.2(2). It has a single outside public address that should be
    used (beside management of the PIX) for mapping some external ports
    to the inside interface:

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp permit any outside
    icmp permit any inside
    ip address outside xx.xx.100.50 255.255.255.192
    ip address inside 192.168.1.254 255.255.255.0
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 xx.xx.100.1 1

    Shouldn't that do it? It does not work. I get a timeout when connecting
    from the external network and do not see packets arriving at the
    internal server 192.168.1.51. I do see translation when doing sh xlate:

    1 in use, 8 most used
    PAT Global xx.xx.100.50(80) Local 192.168.1.51(80)

    Anyone?

    Thanks!
    Sascha
     
    Sascha E. Pollok, Aug 9, 2006
    #1

  2. Brian V (Guest)

    "Sascha E. Pollok" <> wrote in message
    news:ebcdsd$uvt$...
    > Folks,
    >
    > can someone help me out here quickly, please? PIX 501 running an
    > old 6.2(2). It has a single outside public address that should be
    > used (beside management of the PIX) for mapping some external ports
    > to the inside interface:
    >
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > interface ethernet0 10baset
    > interface ethernet1 10full
    > icmp permit any outside
    > icmp permit any inside
    > ip address outside xx.xx.100.50 255.255.255.192
    > ip address inside 192.168.1.254 255.255.255.0
    > global (outside) 1 interface
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask
    > 255.255.255.255 0 0
    > route outside 0.0.0.0 0.0.0.0 xx.xx.100.1 1
    >
    > Shouldn't that do it? It does not work. I get a timeout when connecting
    > from the external network and do not see packets arriving at the
    > internal server 192.168.1.51. I do see translation when doing sh xlate:
    >
    > 1 in use, 8 most used
    > PAT Global xx.xx.100.50(80) Local 192.168.1.51(80)
    >
    > Anyone?
    >
    > Thanks!
    > Sascha
    >


    Instead of
    static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask
    255.255.255.255 0 0

    You should use:
    static (inside,outside) tcp interface www 192.168.1.51 www netmask
    255.255.255.255 0 0

    You could also have ACL issues, but where you didn't post your full config
    we can't determine that.
     
    Brian V, Aug 9, 2006
    #2

  3. Brian V <die_spammer@no_spam.com> wrote:

    Brian,

    thanks for your reply.

    >> can someone help me out here quickly, please? PIX 501 running an
    >> old 6.2(2). It has a single outside public address that should be
    >> used (beside management of the PIX) for mapping some external ports
    >> to the inside interface:
    >>
    >> nameif ethernet0 outside security0
    >> nameif ethernet1 inside security100
    >> interface ethernet0 10baset
    >> interface ethernet1 10full
    >> icmp permit any outside
    >> icmp permit any inside
    >> ip address outside xx.xx.100.50 255.255.255.192
    >> ip address inside 192.168.1.254 255.255.255.0
    >> global (outside) 1 interface
    >> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >> static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask
    >> 255.255.255.255 0 0
    >> route outside 0.0.0.0 0.0.0.0 xx.xx.100.1 1
    >>
    >> Shouldn't that do it? It does not work. I get a timeout when connecting
    >> from the external network and do not see packets arriving at the
    >> internal server 192.168.1.51. I do see translation when doing sh xlate:
    >>
    >> 1 in use, 8 most used
    >> PAT Global xx.xx.100.50(80) Local 192.168.1.51(80)
    >>
    >> Anyone?
    >>
    >> Thanks!
    >> Sascha
    >>

    >
    > Instead of
    > static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask
    > 255.255.255.255 0 0
    >
    > You should use:
    > static (inside,outside) tcp interface www 192.168.1.51 www netmask
    > 255.255.255.255 0 0
    >
    > You could also have ACL issues, but where you didn't post your full config
    > we can't determine that.


    No ACL issues. I have removed all ACLs from the interfaces. There is definitely
    nothing left. Although your suggestion looks reasonable, it still does not
    work. Same effect. I heard that there is a bug in this software version which
    causes the following warning when configuring global (outside) 1 interface:

    pix(config)# global (outside) 1 interface
    Warning: Start and End addresses overlap with broadcast address.
    outside interface address added to PAT pool

    I don't know if this bug maybe also causes trouble with the NAT configuration
    I am trying to run? I also did clear xlate and even tried reload after
    applying your suggested change.

    Also: it is maybe interesting to mention that I do not see any packets
    when doing "debug packet inside". Even when doing a ping to the inside
    host at 192.168.1.51 I do not see icmp echo request/reply packets.

    Any more ideas, please? :)

    thanks
    Sascha
     
    Sascha E. Pollok, Aug 9, 2006
    #3
  4. >>> nameif ethernet0 outside security0
    >>> nameif ethernet1 inside security100
    >>> interface ethernet0 10baset
    >>> interface ethernet1 10full
    >>> icmp permit any outside
    >>> icmp permit any inside
    >>> ip address outside xx.xx.100.50 255.255.255.192
    >>> ip address inside 192.168.1.254 255.255.255.0
    >>> global (outside) 1 interface
    >>> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >>> static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask
    >>> 255.255.255.255 0 0
    >>> route outside 0.0.0.0 0.0.0.0 xx.xx.100.1 1
    >>>
    >>> Shouldn't that do it? It does not work. I get a timeout when connecting
    >>> from the external network and do not see packets arriving at the
    >>> internal server 192.168.1.51. I do see translation when doing sh xlate:
    >>>
    >>> 1 in use, 8 most used
    >>> PAT Global xx.xx.100.50(80) Local 192.168.1.51(80)
    >>>
    >>> Anyone?
    >>>
    >>> Thanks!
    >>> Sascha
    >>>

    >>
    >> Instead of
    >> static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask
    >> 255.255.255.255 0 0
    >>
    >> You should use:
    >> static (inside,outside) tcp interface www 192.168.1.51 www netmask
    >> 255.255.255.255 0 0
    >>
    >> You could also have ACL issues, but where you didn't post your full config
    >> we can't determine that.

    >
    > No ACL issues. I have removed all ACLs from the interfaces. There is definitely
    > nothing left. Although your suggestion looks reasonable, it still does not
    > work. Same effect. I heard that there is a bug in this software version which
    > causes the following warning when configuring global (outside) 1 interface:
    >
    > pix(config)# global (outside) 1 interface
    > Warning: Start and End addresses overlap with broadcast address.
    > outside interface address added to PAT pool
    >
    > I don't know if this bug maybe also causes trouble with the NAT configuration
    > I am trying to run? I also did clear xlate and even tried reload after
    > applying your suggested change.
    >
    > Also: it is maybe interesting to mention that I do not see any packets
    > when doing "debug packet inside". Even when doing a ping to the inside
    > host at 192.168.1.51 I do not see icmp echo request/reply packets.


    Argh.. I just found it. Apparently the PIX does not forward any static-NATed
    packets when there is no ACL on the outside interface. It does work even if
    this ACL is permit ip any any.

    Thanks!
    Sascha
     
    Sascha E. Pollok, Aug 9, 2006
    #4
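    The fix Sascha reports in post #4, written out as a complete PIX 6.x port-forward with a least-privilege outside ACL. This is an added example, not configuration from the thread: it reuses the page's masked outside address xx.xx.100.50 as a placeholder, the `!` lines are annotations rather than PIX syntax, and it permits only the forwarded port instead of the `permit ip any any` mentioned in the thread.

    ```text
    ! Added example (not from the thread). On PIX 6.x, traffic from a lower-security
    ! interface (outside, security0) to a higher one (inside, security100) is dropped
    ! unless an access-list bound to the outside interface permits it, even when a
    ! matching static translation exists. That is why post #1 saw an xlate entry but
    ! no packets reaching 192.168.1.51.
    !
    ! Translation: map TCP/80 on the outside interface address to the web server
    ! (Brian V's form of the static from post #2).
    static (inside,outside) tcp interface www 192.168.1.51 www netmask 255.255.255.255 0 0
    !
    ! The inbound ACL on the outside interface matches on the mapped (global)
    ! address as seen from outside, i.e. the interface address, not the inside host.
    ! xx.xx.100.50 is the page's own placeholder for the public address.
    access-list outside_in permit tcp any host xx.xx.100.50 eq www
    !
    ! Nothing else is listed, so every other inbound flow hits the implicit deny.
    ! A 'permit ip any any' here would expose every future static on the box.
    access-group outside_in in interface outside
    !
    ! After changing statics, drop stale translations and confirm the state:
    clear xlate
    show xlate
    show access-list
    ```

    The `show access-list` hit counters rising while a client connects from outside confirms the ACL, not the static, was the missing piece.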
