PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT (Part 3)

Discussion in 'Cisco' started by Michiel, Aug 23, 2006.

  1. Michiel

    Michiel Guest

    Hello,

    I have this strange problem and I can't seem to understand it. I have the
    following situation; I have been posting here before under the same name and
    subject, so you can read back, though that is probably not needed.

    Internet (Zyxel P660HW)
    WAN : Public IP (natted)
    LAN : 192.168.168.1 subnet 255.255.255.252

    Cisco Pix 506e
    WAN : 192.168.168.2 subnet 255.255.255.252 (natted)
    LAN : 192.168.68.8 subnet 255.255.255.0

    Internal PC
    LAN 192.168.68.1 subnet 255.255.255.0

    Now what I want is to run several services on my PC (server): DNS, HTTP,
    HTTPS, RDP, VPN, FTP, SMTP, POP3. Below is the config and it is not working
    properly. When I want to connect from the internet WAN side to my public IP
    address everything is dead/denied. Stealth firewalled... so nothing is
    responding. What I have tested, and which worked perfectly, was instead of the
    internet router a normal PC with a webserver and FTP server running, IP
    192.168.168.1 subnet 255.255.255.252. From my LAN I am able to open the
    website on the webserver and FTP is also OK. When I connect with that PC to
    192.168.168.2 on ports like FTP, HTTP, etc. it is connecting fine!
    No problems at all. I am sure it is not the Zyxel router that seems to be
    wrong, but when I put a normal cable router with the same configuration in
    place of the Cisco PIX it is working.

    Anyone any idea...??? Or do I need to bridge the connection to give the PIX
    a public IP...? I prefer not to do that, because of the more network/illogical
    configuration...

    Sincerely,
    Michiel

    Config :
    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ************ encrypted
    passwd ************ encrypted
    hostname firewall
    domain-name test.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.68.1 PC1
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in remark UDP - DNS
    access-list outside_access_in permit udp any any eq domain
    access-list outside_access_in remark TCP - DNS
    access-list outside_access_in permit tcp any any eq domain
    access-list outside_access_in remark TCP - FTP Data
    access-list outside_access_in permit tcp any any eq ftp-data
    access-list outside_access_in remark TCP - FTP
    access-list outside_access_in permit tcp any any eq ftp
    access-list outside_access_in remark TCP - HTTP
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in remark TCP - HTTPS
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in remark TCP - SMTP
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in remark TCP - RDP
    access-list outside_access_in permit tcp any any eq 3389
    access-list outside_access_in remark TCP - Webbased / Remote Admin
    access-list outside_access_in permit tcp any any range 7698 7704
    access-list outside_access_in remark TCP - PPTP
    access-list outside_access_in permit tcp any any eq pptp
    access-list outside_access_in remark IP - GRE
    access-list outside_access_in permit gre any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.168.2 255.255.255.252
    ip address inside 192.168.68.8 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location PC1 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.68.0 255.255.255.0 0 0
    static (inside,outside) tcp interface pptp PC1 pptp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7700 PC1 7700 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7701 PC1 7701 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7699 PC1 7699 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp PC1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www PC1 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface domain PC1 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp interface domain PC1 domain netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp PC1 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp-data PC1 ftp-data netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https PC1 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 PC1 3389 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.168.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.68.0 255.255.255.0 inside
    floodguard enable
    telnet 192.168.68.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end
    [OK]
     
    Michiel, Aug 23, 2006
    #1
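The posted config pairs each port-forward static with a matching permit in outside_access_in, but the ACL admits a wider range (7698-7704) than the statics cover. Here is an added example, not code from the thread, that cross-checks the two lists so the mismatch is visible; CONFIG is a constructed excerpt of the config above and NAMED_PORTS is a partial, assumed table of PIX 6.x port keywords.

```python
# Added example, not from the thread: cross-check PIX 6.3 port-forward statics against
# the outside ACL. CONFIG below is a constructed excerpt of the config posted above.
import re

# PIX 6.x port keywords used in the posted config (partial table, assumed)
NAMED_PORTS = {"domain": 53, "www": 80, "smtp": 25, "pptp": 1723}
CONFIG = """
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any range 7698 7704
access-list outside_access_in permit tcp any any eq pptp
static (inside,outside) tcp interface pptp PC1 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7700 PC1 7700 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7701 PC1 7701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7699 PC1 7699 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp PC1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www PC1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain PC1 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain PC1 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 PC1 3389 netmask 255.255.255.255 0 0
"""
ACL_RE = re.compile(r"access-list \S+ permit (tcp|udp) any any (?:eq (\S+)|range (\S+) (\S+))")
STATIC_RE = re.compile(r"static \(inside,outside\) (tcp|udp) interface (\S+) ")

def port(tok):
    """Resolve a PIX port keyword or a numeric port to an integer."""
    return NAMED_PORTS.get(tok) or int(tok)

def parse(config):
    """Return (permitted, translated) sets of (proto, port) from a PIX 6.x config."""
    permitted, translated = set(), set()
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            if m.group(2):  # single port: 'eq <port>'
                permitted.add((m.group(1), port(m.group(2))))
            else:           # 'range <lo> <hi>' expands to every port in it
                lo, hi = port(m.group(3)), port(m.group(4))
                permitted.update((m.group(1), p) for p in range(lo, hi + 1))
        elif m := STATIC_RE.match(line):
            translated.add((m.group(1), port(m.group(2))))
    return permitted, translated

def audit(config):
    """Ports the ACL lets in without a static, and statics the ACL never permits."""
    permitted, translated = parse(config)
    return {"permitted_without_static": sorted(permitted - translated),
            "static_without_permit": sorted(translated - permitted)}
```

On this excerpt the audit reports TCP 7698 and 7702-7704 as permitted without a translation; trimming the range to the three forwarded ports keeps the ACL no wider than the statics.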

  2. Michiel

    Michiel Guest

    One thing more...
    When I connect to the internet from LAN to PIX to Zyxel it is also working
    fine! Only the traffic from the internet to the local network is not
    working.

    Thanks,
    Michiel


     
    Michiel, Aug 23, 2006
    #2

  3. Michiel

    James Guest

    You can't use the Static command's Interface keyword in this way.

    The Interface keyword is used for PAT only i.e. for users from the
    inside going to the outside. PAT on the PIX can be done in two ways:-

    global (outside) 1 interface
    nat (inside) 1 192.168.68.0 255.255.255.0 0 0

    Like you have done, or like this:-

    static (inside,outside) interface 192.168.68.0 netmask 255.255.255.0


    To do what you need to do, create a translation on your modem to another
    IP - you can't use the PIX's outside interface address for this.

    James
     
    James, Aug 23, 2006
    #3
  4. Michiel

    SAto Guest

    James wrote:
    Actually you can and looking over the config I think this should work.
    Didn't you successfully do this with smtp and http in a previous post?

    I have several setups using the outside address of the PIX as a PATed
    address.
    Or you could just set up the pix to NAT the inside host as
    192.168.168.3 but then you'd need to change the netmask on the pix and
    the router as well.

    -SAto
     
    SAto, Aug 23, 2006
    #4
  5. Michiel

    James Guest


    Really?

    OK :)
     
    James, Aug 23, 2006
    #5
  6. Michiel

    Michiel Guest

    Yes I tested it in a previous post, but there was, instead of the Zyxel
    router, a normal computer running a webserver and FTP server. That had as
    gateway the WAN IP of the PIX, and that worked fine, but now changing the
    situation to Zyxel... it is not...

    What I think in logical things...

    Internet --> Zyxel WAN --> Zyxel LAN --> PIX WAN --> PIX LAN
    Public IP NATTED --> Zyxel LAN 192.168.168.1 --> PIX WAN 192.168.168.2
    NATTED --> LAN 192.168.68.0 my network

    Am I right to see it like this...? Or am I wrong...?

    Because your thing about changing inside to NAT as 192.168.168.3 is what I
    don't understand... could you explain more to me...?

    Sincerely,
    Michiel
     
    Michiel, Aug 23, 2006
    #6
  7. Michiel

    James Guest

    Is the Public IP natted to the PIX outside IP on the Zyxel?

    James
     
    James, Aug 23, 2006
    #7
  8. Michiel

    Michiel Guest

    I am not sure about this...

    I don't understand the part.
    What do you mean by that...?

    Sincerely,
    Michiel
     
    Michiel, Aug 23, 2006
    #8
  9. Michiel

    Michiel Guest

    The public IP Zyxel WAN is NATted on the Zyxel LAN, and there is a DMZ host
    entered to forward all ports to the WAN of the PIX.. This is what you mean,
    right...?

    Sincerely,
    Michiel
     
    Michiel, Aug 23, 2006
    #9
  10. Michiel

    Michiel Guest

    Is it not like this, that the PIX is only accepting incoming connections
    from network 192.168.168.0/255.255.255.252...? and not from outside that
    network...? I mean something default in the access list of the PIX...? This
    is the first time I've been working with a PIX from Cisco... I used to be
    working with Zyxel's Zywalls... which are pretty much working fine, though I
    wanted to try Cisco... ;)...
     
    Michiel, Aug 23, 2006
    #10
  11. Michiel

    James Guest

    The public ip zyxel WAN is natted on the zyxel LAN, and there is DMZ host
    I don't know the Zyxel device at all, however if it was a Cisco device I
    would NAT the public IP to the PIX's outside interface IP.
     
    James, Aug 23, 2006
    #11
  12. Michiel

    Michiel Guest

    Yes I understand you, that is what I have done... so you are sure that the
    PIX is configured correctly...? Because then I really have to get into a hard
    discussion with Valadis/Zyxel Netherlands, because of the badly working
    DMZ (NAT) function in combination with a PIX... because the strange thing
    here is, that when I have a cable router in the network instead of the PIX
    then it is working well... so my logic was it is the PIX not functioning
    well.

    I will post again when I have more info... which will probably be later in
    the day... ;)...

    Thanks for your time!

    Sincerely,
    Michiel
     
    Michiel, Aug 23, 2006
    #12
  13. Michiel

    James Guest

    Can you connect a hub or switch between the Zyxel and PIX and use
    Ethereal or similar to see if traffic is even arriving at the PIX? If
    you use a switch remember that you will have to use the Span / Port
    Mirror feature.

    Alternatively, the PIX has some sort of packet capture feature which
    can be used:-

    http://www.cisco.com/en/US/products..._guide_chapter09186a0080172797.html#wp1038055

    I haven't tried it though.

    Also enable logging to the PIX's internal buffer, you may get a message
    indicating the problem.

    James
     
    James, Aug 23, 2006
    #13
  14. Michiel

    SAto Guest

    Michiel wrote:
    You could change the network between the PIX and the Zyxel to be a /29
    network instead of a /30; that way you could static NAT a new IP address
    for the server, instead of PATing the PIX outside address. That way
    the only thing you'd have to worry about would be access rules working
    and not the PATing.

    -SAto
     
    SAto, Aug 23, 2006
    #14
  15. Michiel

    Michiel Guest

    Ok! Thanks!

    I just called Zyxel, and they have another option, which is to not use the DMZ
    but simply forward the port range of 1 to 65535. So I will try that first...
    ;) then I will try your option using a packet sniffer to see if indeed the
    data is getting to the PIX...

    Thanks!... ;)

    Sincerely,
    Michiel
     
    Michiel, Aug 23, 2006
    #15
  16. Michiel

    Michiel Guest

    I forgot to tell something very important in the situation...

    I said that no traffic is coming through NAT at the server... only one thing
    is working well, VPN... VPN is no problem... I forgot this because another
    server was already connected through VPN without me testing it, because the
    other things like WEB, SMTP etc. were not working...

    That is also the reason why I still have the feeling the problem should be
    in the PIX...

    Anyone knows a logical explanation for this...? ;)...

    Sincerely,
    Michiel
     
    Michiel, Aug 23, 2006
    #16
  17. Michiel

    James Guest

    Strange....

    Have you turned on the PIX's logging? If so do a show log and paste
    the results here.

    Try "clear xlate" and see if that helps at all. Cisco recommends that
    you do a clear xlate after every change to the PIX config.

    Failing that, if you let me know the public IP I can run some tests from
    here.

    James
     
    James, Aug 23, 2006
    #17
  18. Michiel

    Michiel Guest

    OK, right now I am not able to change cables physically, so later in the day I
    could change things... I am able to connect to turn on the logging.

    Which logging should I enable...? because I am mostly configuring it from
    PDM... which seems to be very simple and straightforward... though some things
    I change through the console...

    Sincerely,
    Michiel
     
    Michiel, Aug 23, 2006
    #18
  19. Michiel

    James Guest

    logging on
    logging timestamp
    logging buffered notifications

    should do it. If it is a translation problem then the PIX should log
    it.
     
    James, Aug 23, 2006
    #19
  20. Michiel

    Michiel Guest

    Hello James and everyone...

    I finally managed to get the PIX to work with the Zyxel... the problem was
    in the Zyxel; somehow with some answering IPs it is not forwarding the
    ports but stealths them...

    I am glad that the Zyxel will be replaced by a Cisco 876... ;)...

    Thanks and many Thanks for all the good input!

    Michiel
     
    Michiel, Aug 24, 2006
    #20