Get from outside through Cisco 827, PIX 501 to Server. Urgent.pls help

Discussion in 'Cisco' started by Marc, Jan 15, 2004.

  1. Marc

    Marc Guest

    I bought a Wireless camera about 2 months ago. It is set up to use port 81
    and 8482. Its IP is 192.168.1.50. So from the 'outside,' I type [the IP
    address of Dialer1 in my Cisco 827]:81 or :8482. It always times out.

    My set up is DSL PPPoE (Dynamic IP. I have to look up the IP every day for
    what I want to do)
    Cisco 827 10.1.1.1
    PIX 501 (Outside 10.1.1.35) (Inside 192.168.1.1, the gateway obviously)
    Inside network 192.168.1.X

    Also, I can ping my 827 from my inside network. But when I telnet into the
    router from my inside network and ping my inside network, it times out too.
    The farthest I can get is the inside interface of the PIX. I thought Chap
    may have something to do with all of this, but I'm not sure. I know if I
    could just ping my inside network from my router, that would probably solve
    most of this.

    I've been at this for 2 months, and have tried everything. NG searches, Port
    forwarding, access-lists. Nothing seems to work. I had port forwarding and
    access-lists specifically for ports www, 81 and 8482 on my router, but I
    removed them, because they didn't make a difference. I'm sure the answer
    lies in my firewall, but no matter what I do, I can't get to my inside
    network from the outside. Not even a ping from the router. I'm not an expert
    like a lot of you, so I hope this is not too rudimentary. But I'm all out of
    ideas. Any help would be greatly appreciated. My configs are below:

    PIX 501:
    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 0JeJdBKOXHOPaqYc encrypted
    passwd 0JeJdBKOXHOPaqYc encrypted
    hostname pixfirewall
    domain-name blabla.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 66.0.0.0 DNS
    name 10.1.1.35 PIX_OUTSIDE
    name 192.168.1.1 PIX_INSIDE
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit tcp any any eq 81
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp any any eq 8481
    access-list outside_access_in deny ip any any
    access-list inside_access_in permit ip any any
    access-list inbound permit tcp any any eq 8482
    no pager
    logging on
    logging timestamp
    logging trap warnings
    logging host inside 192.168.1.17 format emblem
    mtu outside 1492
    mtu inside 1492
    ip address outside PIX_OUTSIDE 255.0.0.0
    ip address inside PIX_INSIDE 255.255.255.0
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.0.0 255.255.255.0 inside
    pdm location DNS 255.255.255.0 inside
    pdm location DNS 255.255.255.255 outside
    pdm location PIX_OUTSIDE 255.255.255.255 outside
    pdm location 10.0.0.0 255.0.0.0 inside
    pdm location PIX_OUTSIDE 255.255.255.255 inside
    pdm location 192.168.1.17 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location 192.168.1.50 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255 0 0
    static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 66.228.128.70 66.228.128.202
    dhcpd lease 259200
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    terminal width 80
    Cryptochecksum:6e2da49431ab4c028e1cc447ccc9d090
    : end
    [OK]

    Cisco 827:
    Using 2038 out of 131072 bytes
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname DSLrouter
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
    !
    username blabla password 7 010409160A0D030B
    username CRWS_Kannan privilege 15 password 7 015757406C5A002E65431F062A2007135A5F527E7F7D78656775
    no aaa new-model
    ip subnet-zero
    ip name-server 66.228.128.70
    ip name-server 66.228.128.69
    ip dhcp excluded-address 10.1.1.1
    ip dhcp excluded-address 10.0.0.33 10.255.255.254
    !
    ip dhcp pool CLIENT
    import all
    network 10.0.0.0 255.0.0.0
    default-router 10.1.1.1
    lease 0 2
    !
    ip ssh break-string
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
    ip address 10.1.1.1 255.0.0.0 secondary
    ip address 10.10.10.1 255.255.255.0
    ip mtu 1452
    ip nat inside
    ip tcp adjust-mss 1452
    ipv6 mtu 1452
    hold-queue 100 out
    !
    interface Virtual-Template1
    no ip address
    !
    interface ATM0
    mtu 1492
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    dsl operating-mode auto
    !
    interface Dialer1
    mtu 1492
    ip address negotiated
    ip nat outside
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname blabla
    ppp chap password 7 07182E5E1F0F1C01
    ppp pap sent-username blabla password 7 131218005A0A012E
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http secure-server
    !
    access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    dialer-list 1 protocol ip permit
    !
    !
    line con 0
    exec-timeout 120 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    exec-timeout 120 0
    login local
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end
     
    Marc, Jan 15, 2004
    #1

  2. Marc,

    Doesn't the configuration have to have the following properties:
    1. A public address on the outside interface of the 827 router (a static
    address would be preferable)
    2. A private IP address on the inside of the 827 router
    3. NAT is performed for all traffic entering the 827's Ethernet interface
    and leaving the PPPoE circuit.
    4. A private IP address is on the PIX's outside interface
    5. A (different) private network is on the PIX's inside interface
    6. NAT is being performed for all traffic leaving the PIX to the web

    For this to work you need a configuration that:
    1. Translates ports 81 and 8482 on the 827 public address into a private
    address (one that is not defined on the PIX)
    2. The PIX needs to translate these addresses to the real internal (PIX
    inside) addresses/ports.

    I have made the following assumptions:
    1. Both port 81 and 8482 go to the same box and the same ports.

    Here are the config changes:

    name 10.1.1.36 WEBSERVER
    no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255
    no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255
    no static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255
    no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255
    no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
    static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255

    no access-list outside_access_in
    access-list outside_access_in permit tcp any 10.1.1.36 eq 81
    access-list outside_access_in permit tcp any 10.1.1.36 eq 8481
    access-list outside_access_in deny ip any any
    access-group outside_access_in in interface outside
    no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    route outside 0.0.0.0 0.0.0.0 10.10.10.1

    no ip dhcp excluded-address 10.1.1.1
    no ip dhcp excluded-address 10.0.0.33 10.255.255.254
    no ip dhcp pool CLIENT


    Cisco 827 Changes
    ====================
    interface Ethernet0
    no ip address 10.1.1.1 255.0.0.0 secondary
    exit
    ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81 extendable no-alias
    ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481 extendable no-alias


    Afterwards, can you do a 'show ip nat translations' and on the pix 'show
    xlate' and repost this data and the new configs :)

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/


     
    scott enwright, Jan 15, 2004
    #2

  3. too.

    Right, that's what you want the 501 doing. Allow outbound, stop inbound.
    You need to punch a hole through the 501 to allow inbound traffic.

    That is a feature. If you want pings answered from the outside, you'd need
    to add
    access-list outside_access_in permit icmp any any echo-request

    Couple things:

    0) You really want a static address service for this job.
    0a) Or a DDNS service (most webcams support that these days... which webcam?
    Linksys does DDNS :cool:

    1) If you are trying to attach TO the webcam, you will need a translation
    for the 827 of the form
    ip nat inside source static tcp y.y.y.y 81 x.x.x.x 81 extendable
    ip nat inside source static tcp y.y.y.y 8483 5900 x.x.x.x 8483 extendable

    Where y.y.y.y is the inside address and x.x.x.x is the public IP.

    BUT since your public IP is dynamic, you can't do that.

    I'm not sure there is a way to allow these maps to learn and use the dynamic
    address, unless the form

    ip nat inside source static tcp y.y.y.y 81 interface dialer 0 81 extendable
    ip nat inside source static tcp y.y.y.y 8483 5900 interface dialer 0 8483
    extendable

    is accepted by the parser, which I think it is not.

    Why do you have the 827 involved at all? Just as an (expensive) DSL modem?
    You might prefer getting an RFC1483 bridge (cheap!) and using the PPPOE
    feature of the 501.

    Or better, get a static address.

    Double NAT is too painful even for the heartiest of folks.

    This application begs for a static address.

    If you just need simple NAT services, you might consider a Linksys in this
    application.
     
    Phillip Remaker, Jan 15, 2004
    #3
  4. Marc

    Marc Guest

    Thank you for the config. I changed it. The new configs are below, as well
    as the xlate and ip nat translations. It looks like ports 80, 81, 8481 and
    8482 are still blank. Can you determine what I did wrong? Thanks.

    DSL Router:
    DSLrouter#sh ip nat translations
    Pro Inside global      Inside local       Outside local         Outside global
    tcp 24.155.75.86:64436 10.1.1.35:64436    24.167.56.193:1949    24.167.56.193:1949
    tcp 24.155.75.86:1     10.1.1.1:23        10.1.1.35:64336       10.1.1.35:64336
    tcp 24.155.75.86:64495 10.1.1.35:64495    64.157.107.71:80      64.157.107.71:80
    tcp 24.155.75.86:64496 10.1.1.35:64496    64.157.107.71:80      64.157.107.71:80
    tcp 24.155.75.86:80    192.1.2.14:80      ---                   ---
    tcp 24.155.75.86:81    192.1.2.14:81      ---                   ---
    tcp 24.155.75.86:64498 10.1.1.35:64498    209.11.131.36:80      209.11.131.36:80
    tcp 24.155.75.86:64521 10.1.1.35:64521    24.165.151.247:1077   24.165.151.247:1077
    tcp 24.155.75.86:64522 10.1.1.35:64522    24.165.151.247:1077   24.165.151.247:1077
    tcp 24.155.75.86:64523 10.1.1.35:64523    24.165.151.247:1077   24.165.151.247:1077
    tcp 24.155.75.86:8481  192.1.2.14:8481    ---                   ---
    tcp 24.155.75.86:8482  192.1.2.14:8482    ---                   ---
    tcp 24.155.75.86:64361 10.1.1.35:64361    216.155.193.167:5050  216.155.193.167:5050
    tcp 24.155.75.86:64501 10.1.1.35:64501    67.23.182.154:3531    67.23.182.154:3531
    tcp 24.155.75.86:64487 10.1.1.35:64487    66.135.211.87:443     66.135.211.87:443

    PIX 501

    pixfirewall# sh xlate
    12 in use, 318 most used
    PAT Global PIX_OUTSIDE(64501) Local 192.168.1.101(2734)
    PAT Global PIX_OUTSIDE(64496) Local 192.168.1.102(4160)
    PAT Global PIX_OUTSIDE(64495) Local 192.168.1.102(4159)
    PAT Global PIX_OUTSIDE(64487) Local 192.168.1.102(4153)
    PAT Global PIX_OUTSIDE(64436) Local 192.168.1.101(2723)
    PAT Global PIX_OUTSIDE(64361) Local 192.168.1.102(4035)
    PAT Global PIX_OUTSIDE(64353) Local 192.168.1.102(4010)
    PAT Global PIX_OUTSIDE(64336) Local 192.168.1.102(3996)
    PAT Global PIX_OUTSIDE(64523) Local 192.168.1.101(2741)
    PAT Global PIX_OUTSIDE(64522) Local 192.168.1.101(2740)
    PAT Global PIX_OUTSIDE(64521) Local 192.168.1.101(2739)
    PAT Global PIX_OUTSIDE(64514) Local 192.168.1.102(4173)

    Current Configs
    PIX 501
    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 0JeJdBKOXHOPaqYc encrypted
    passwd 0JeJdBKOXHOPaqYc encrypted
    hostname pixfirewall
    domain-name blabla.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 66.0.0.0 DNS
    name 10.1.1.35 PIX_OUTSIDE
    name 192.168.1.1 PIX_INSIDE
    name 10.1.1.36 WEBSERVER
    access-list outside_access_in deny ip any any
    access-list outside_access_in permit tcp any host WEBSERVER eq 81
    access-list outside_access_in permit tcp any host WEBSERVER eq www
    access-list outside_access_in permit tcp any host WEBSERVER eq 8481
    access-list outside_access_in permit tcp any host WEBSERVER eq 8482
    access-list inside_access_in permit ip any any
    access-list inbound permit tcp any any eq 8482
    no pager
    logging on
    logging timestamp
    logging trap warnings
    logging host inside 192.168.1.17 format emblem
    mtu outside 1492
    mtu inside 1492
    ip address outside PIX_OUTSIDE 255.0.0.0
    ip address inside PIX_INSIDE 255.255.255.0
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.0.0 255.255.255.0 inside
    pdm location DNS 255.255.255.0 inside
    pdm location DNS 255.255.255.255 outside
    pdm location PIX_OUTSIDE 255.255.255.255 outside
    pdm location 10.0.0.0 255.0.0.0 inside
    pdm location PIX_OUTSIDE 255.255.255.255 inside
    pdm location 192.168.1.17 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location 192.168.1.50 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 66.228.128.70 66.228.128.202
    dhcpd lease 259200
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    terminal width 80
    Cryptochecksum:91f94940fc2a1e2f45f9b1c901828384

    Router 827:

    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname DSLrouter
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
    !
    username blabla password 7 010409160A0D030B
    username CRWS_Kannan privilege 15 password 7 015757406C5A002E65431F062A2007135A5F527E7F7D78656775
    no aaa new-model
    ip subnet-zero
    ip name-server 66.228.128.70
    ip name-server 66.228.128.69
    ip dhcp excluded-address 10.1.1.1
    ip dhcp excluded-address 10.0.0.33 10.255.255.254
    !
    ip dhcp pool CLIENT
    import all
    network 10.0.0.0 255.0.0.0
    default-router 10.1.1.1
    lease 0 2
    !
    ip ssh break-string
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
    ip address 10.1.1.1 255.0.0.0
    ip mtu 1452
    ip nat inside
    ip tcp adjust-mss 1452
    ipv6 mtu 1452
    hold-queue 100 out
    !
    interface Virtual-Template1
    no ip address
    !
    interface ATM0
    mtu 1492
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    dsl operating-mode auto
    !
    interface Dialer1
    mtu 1492
    ip address negotiated
    ip nat outside
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname blabla
    ppp chap password 7 07182E5E1F0F1C01
    ppp pap sent-username blabla password 7 131218005A0A012E
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
    ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http secure-server
    !
    access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    dialer-list 1 protocol ip permit
    !
    !
    line con 0
    exec-timeout 120 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    exec-timeout 120 0
    login local
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end


     
    Marc, Jan 16, 2004
    #4
  5. Marc

    Marc Guest

    I'm thinking about getting rid of the 827. I won it at a Cisco conference,
    several years ago. I could buy 3 statics, but I want to get it working with
    the dynamic first. The lease for my IP is 3 days, which is enough time to
    test this config. Actually, I'm thinking about getting rid of the PIX too. I
    used to do Cisco, but in my job now, I just do Windows. To me, the PIX is a
    great firewall, but it is not user friendly. It's too complicated to just
    block or open a simple port, as I'm experiencing here. For example, with the
    Linksys, I believe all you have to do is select 'Allow virtual port [port
    number]', and that's it. On the other hand, I love a challenge, which is why
    I want to tackle this.
     
    Marc, Jan 16, 2004
    #5
  6. ok,

    the translations got screwed up on the router, enter these lines to correct
    it (you shouldn't get any errors when entering them):

    no ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    no ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    no ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
    no ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
    ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81
    ip nat inside source static tcp 10.1.1.36 8481 interface Dialer1 8481
    ip nat inside source static tcp 10.1.1.36 80 interface Dialer1 80
    ip nat inside source static tcp 10.1.1.36 8482 interface Dialer1 8482


    Correct the PIX's inbound access-list.

    no access-list outside_access_in
    access-list outside_access_in permit tcp any host WEBSERVER eq 81
    access-list outside_access_in permit tcp any host WEBSERVER eq www
    access-list outside_access_in permit tcp any host WEBSERVER eq 8481
    access-list outside_access_in permit tcp any host WEBSERVER eq 8482
    access-list outside_access_in deny ip any any
    access-group outside_access_in in interface outside

    That's all that looks wrong to me. Please repost the same stuff again :)

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/


     
    scott enwright, Jan 16, 2004
    #6
  7. Marc

    Marc Guest

    Scott. It worked!

    This was the key:

    (I left out the other ports in this post to avoid redundancy)

    PIX:

    access-list outside_access_in permit ip any host 10.1.1.36
    access-list inside_access_in permit ip any any
    access-list inbound permit tcp any any eq 81
    access-list outside_access_in deny ip any any (last rule)

    static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255 0 0

    827:
    ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81

    Now when I get a static IP, I think all I have to do is change "interface
    Dialer1" to the public IP address.

    Not only did this work, but I learned a lot about NAT translation as well,
    and its function.

    Thanks!

     
    Marc, Jan 17, 2004
    #7
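An added illustration, not code from any poster in this thread: a small Python model of the two-hop path an inbound connection takes (827 static port translation on the Dialer1 address, then the PIX outside_access_in ACL evaluated first-match on the global address as PIX 6.3 does, then the PIX static). It uses the addresses quoted above (24.155.75.86 as the Dialer1 address seen in 'show ip nat translations', 10.1.1.36 as WEBSERVER, 192.168.1.50 as the camera) and shows why the post #4 state failed on two counts, the 827 translating to 192.1.2.14 and the PIX ACL starting with 'deny ip any any', while the post #6 corrections pass.

```python
"""Toy model of the double-NAT path discussed in this thread (added
illustration, not the posters' own code). Addresses and ports are the
ones quoted in the posts; the ACL/static evaluation is simplified."""
from dataclasses import dataclass

PUBLIC_IP = "24.155.75.86"   # Dialer1 address from 'sh ip nat translations'
CAMERA = "192.168.1.50"      # the webcam on the PIX inside network
WEBSERVER = "10.1.1.36"      # 'name 10.1.1.36 WEBSERVER' on the PIX


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


def router_nat(pkt, statics):
    """827: 'ip nat inside source static tcp LOCAL PORT interface Dialer1 PORT'.
    statics maps public_port -> (inside_local_ip, inside_local_port)."""
    if pkt.dst_ip != PUBLIC_IP:
        return None
    hit = statics.get(pkt.dst_port)
    return Packet(*hit) if hit else None   # no entry: nothing to forward


def pix_acl(pkt, acl):
    """First-match evaluation of outside_access_in. Entries are
    (action, dst_ip_or_'any', dst_port_or_None); no match = implicit deny."""
    for action, dst, port in acl:
        if dst in ("any", pkt.dst_ip) and port in (None, pkt.dst_port):
            return action == "permit"
    return False


def pix_static(pkt, statics):
    """'static (inside,outside) GLOBAL LOCAL netmask 255.255.255.255'."""
    local = statics.get(pkt.dst_ip)
    return Packet(local, pkt.dst_port) if local else None


def trace(pkt, router_statics, acl, pix_statics):
    """Follow one inbound SYN through both hops; return a one-line verdict."""
    after_827 = router_nat(pkt, router_statics)
    if after_827 is None:
        return "dropped: no 827 translation"
    if after_827.dst_ip not in pix_statics:
        return f"dropped: {after_827.dst_ip} is not a PIX global address"
    if not pix_acl(after_827, acl):
        return f"dropped: outside_access_in denies {after_827.dst_ip}:{after_827.dst_port}"
    inside = pix_static(after_827, pix_statics)
    return f"delivered to {inside.dst_ip}:{inside.dst_port}"


# Post #4 state: the 827 translated to 192.1.2.14 (not an address the PIX
# owns) and the PIX ACL had 'deny ip any any' before its permits.
ROUTER_POST4 = {81: ("192.1.2.14", 81), 8482: ("192.1.2.14", 8482)}
ACL_POST4 = [("deny", "any", None),
             ("permit", WEBSERVER, 81), ("permit", WEBSERVER, 8482)]
# Post #6 corrections: translate to WEBSERVER; deny moved to the end.
ROUTER_POST6 = {81: (WEBSERVER, 81), 8482: (WEBSERVER, 8482)}
ACL_POST6 = [("permit", WEBSERVER, 81), ("permit", WEBSERVER, 8482),
             ("deny", "any", None)]
PIX_STATICS = {WEBSERVER: CAMERA}

if __name__ == "__main__":
    for label, statics, acl in (("post #4", ROUTER_POST4, ACL_POST4),
                                ("post #6", ROUTER_POST6, ACL_POST6)):
        print(label, trace(Packet(PUBLIC_IP, 81), statics, acl, PIX_STATICS))
```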
