PIX 501 single outside interface and PAT for inbound connections???

Discussion in 'Cisco' started by Adisegna, Oct 28, 2005.

  1. Adisegna

    Adisegna Guest

    Hello,

    I have a PIX 501 with two interfaces. I am trying to set up a webserver
    behind the internal interface.

    I have a single public IP assigned to the interface.
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    I tried
    static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0

    and

    static (inside,outside) *.*.*.* 192.168.1.2 netmask 255.255.255.255 0 0

    but still cannot connect to the web server. I can ping the external
    interface.
    I do have access-list and access-group entries for the inbound
    connections

    access-list permit_in permit tcp any host *.*.*.*
    access-group permit_in in interface outside

    Is there an issue with PAT and a single outside interface being the
    same?

    Thanks in advance...
     
    Adisegna, Oct 28, 2005
    #1

  2. :I have a PIX 501 with two interfaces. I am trying to set up a webserver
    :behind the internal interface.

    :I have a single public IP assigned to the interface.
    :global (outside) 1 interface
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :I tried
    :static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0

    That's the correct form.

    :static (inside,outside) *.*.*.* 192.168.1.2 netmask 255.255.255.255 0 0

    That won't work for you.

    :but still cannot connect to the web server. I can ping the external
    :interface.
    :I do have access-list and access-group entries for the inbound
    :connections

    :access-list permit_in permit tcp any host *.*.*.*

    Change that to

    access-list permit_in permit tcp any interface outside eq www

    :access-group permit_in in interface outside


    :Is there an issue with PAT and a single outside interface being the
    :same?

    Yes in early 6.2 versions, but that was fixed.
     
    Walter Roberson, Oct 28, 2005
    #2

  3. Adisegna

    mostro Guest

    Hi Walter,

    So change all my ACLs to 'interface' instead of the public IP?

    Thanks
     
    mostro, Oct 28, 2005
    #3
  4. :Hi Walter,

    : So change all my ACLs to 'interface' instead of the public IP?

    Depends on the exact PIX software version, but in 6.3 in ACLs, you
    use 'interface outside' to refer to the outside interface IP.
    In 'static' and nat commands, you use just 'interface' without
    the word 'outside': in those commands the interface can be deduced
    based on other information in the command.
     
    Walter Roberson, Oct 28, 2005
    #4
  5. Adisegna

    mostro Guest

    The only change I had to make to the config was replacing the public IP with
    'interface'.

    Thanks
     
    mostro, Oct 29, 2005
    #5
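
An added example, not part of any post in this thread: a small Python check that each `static ... interface` port-forward in a PIX 6.3 config has a matching `interface <name> eq <port>` entry in the ACL bound to that interface, the form given in reply #2 and explained in reply #4. The two sample configs are constructed from the posts, with 203.0.113.10 as an assumed stand-in for the masked public IP; the function and pattern names are hypothetical.

```python
import re

# Constructed sample: the config from post #1 (203.0.113.10 is an assumed
# placeholder for the masked public IP), then the ACL change from reply #2.
ORIGINAL = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
access-list permit_in permit tcp any host 203.0.113.10
access-group permit_in in interface outside
"""
CORRECTED = ORIGINAL.replace("permit tcp any host 203.0.113.10",
                             "permit tcp any interface outside eq www")

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any "
    r"(host \S+|interface \w+|any)(?: eq (\S+))?\s*$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def audit(config):
    """Findings for interface port-forwards lacking a matching inbound ACL entry."""
    statics, acls, groups = [], [], {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.append(m.groups())          # (acl name, proto, destination, port)
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # interface name -> bound ACL name
    findings = []
    for _inside, outside, proto, port, host, _lport in statics:
        acl = groups.get(outside)
        entries = [a for a in acls if a[0] == acl and a[1] == proto]
        wanted = f"interface {outside}"
        # Ports are compared literally, so 'www' and '80' count as different.
        if not any(dst == wanted and eq == port for _, _, dst, eq in entries):
            findings.append(
                f"no '{proto} any {wanted} eq {port}' entry in ACL {acl} for {host}")
        for _, _, dst, eq in entries:
            if eq is None:  # no 'eq': the entry is not limited to one port
                findings.append(f"ACL {acl}: '{dst}' entry is not restricted to a port")
    return findings
```
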