Cisco 506e - Public IP and NAT

Discussion in 'Cisco' started by ticktock, Jul 7, 2006.

  1. ticktock


    Jul 7, 2006
    Likes Received:

    I have reccently purchased a 506e for my organisation and I am trying to set it up so that I can access services external such as webmail.

    I have a range of 8 public IP's from my ADSL providor. 3 of these used by the ADSL modem (Router IP, network and broadcast address). I have then assigned one of my 5 remaing public IP's to the external interface of the 506.

    The internal port of the 506 then connects to the rest of the network. The 506 is configured with a dynamic translation rule to allow any internal machines to establish and outgoing connection using the external interface IP.

    I have then added a static NAT entry with the command static (inside, outside) external IP internal IP netmask 0 0. The external IP I have used is one of my remaing public IPs.

    There is an access rule that permits requests from the external IP(for the NAT not the interface) to the internal IP for TCP.

    Despite all of the above I am unable to connect to the server using the external IP. This is trying from a seperate network that does not use the PIX as the gateway so the loopback isn't an issue (I think).

    Any thoughts or advice on the issue would be greatly appreciated.

    Many Thanks

    ticktock, Jul 7, 2006
    1. Advertisements

  2. ticktock


    Jun 6, 2006
    Likes Received:
    Post your config file after removing passwords and ip's

    This would help us to debug further
    keshav, Jul 8, 2006
    1. Advertisements

  3. ticktock


    Jul 7, 2006
    Likes Received:

    Here is the config file, hope this helps.

    Thanks for the help.


    Building configuration...
    : Saved
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname CFW
    domain-name xxxxxxxxx
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name xxxxxxx Zen
    name xxxxxxx BSMH
    name xxxxxxx Guardian
    name xxxxxxx Mercury
    name xxxxxxx Webmail
    access-list inside_access_in remark Allow outbound connections
    access-list inside_access_in permit ip any any
    access-list outside_access_in permit tcp host Webmail host Webmail
    access-list outside_access_in deny icmp any any
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside xxxxxxxxxxxxxxxxxxxx
    ip address inside xxxxxxxxxxxxxxxxxxxx
    ip audit info action alarm
    ip audit attack action alarm
    pdm location Guardian xxxxxxxxxx inside
    pdm location Mercury xxxxxxxxxx inside
    pdm location Webmail xxxxxxxxxx outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) xxxxxxxxxxxxxx
    static (inside,outside) Webmail Mercury netmask xxxxxxxxxx 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside xxxxxxxxxxxxxxxxxxxxx
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http BSMH xxxxxxxx inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80

    : end
    Last edited: Jul 8, 2006
    ticktock, Jul 8, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.