Quick help: PIX 501 and Port Forwarding

Discussion in 'Cisco' started by Sascha E. Pollok, Aug 9, 2006.

  1. Folks,

    can someone help me out here quickly, please? PIX 501 running an
    old 6.2(2). It has a single outside public address that should be
    used (besides management of the PIX) for mapping some external ports
    to the inside interface:

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp permit any outside
    icmp permit any inside
    ip address outside xx.xx.100.50 255.255.255.192
    ip address inside 192.168.1.254 255.255.255.0
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 xx.xx.100.1 1

    Shouldn't that do it? It does not work. I get a timeout when connecting
    from the external network and do not see packets arriving at the
    internal server 192.168.1.51. I do see a translation when doing sh xlate:

    1 in use, 8 most used
    PAT Global xx.xx.100.50(80) Local 192.168.1.51(80)

    Anyone?

    Thanks!
    Sascha
     
    Sascha E. Pollok, Aug 9, 2006
    #1

  2. Brian V, Guest

    Instead of
    static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask 255.255.255.255 0 0

    You should use:
    static (inside,outside) tcp interface www 192.168.1.51 www netmask 255.255.255.255 0 0

    You could also have ACL issues, but since you didn't post your full config
    we can't determine that.
     
    Brian V, Aug 9, 2006
    #2

  3. Brian,

    thanks for your reply.
    No ACL issues. I have removed all ACLs from the interfaces. There is definitely
    nothing left. Although your suggestion looks reasonable, it still does not
    work. Same effect. I heard that there is a bug in this software version which
    causes the following warning when configuring global (outside) 1 interface:

    pix(config)# global (outside) 1 interface
    Warning: Start and End addresses overlap with broadcast address.
    outside interface address added to PAT pool

    I don't know if this bug maybe also causes trouble with the NAT configuration
    I am trying to run? I also did clear xlate and even tried a reload after
    applying your suggested change.

    Also: it is maybe interesting to mention that I do not see any packets
    when doing "debug packet inside". Even when doing a ping to the inside
    host at 192.168.1.51 I do not see icmp echo request/reply packets.

    Any more ideas, please? :)

    thanks
    Sascha
     
    Sascha E. Pollok, Aug 9, 2006
    #3
  4. Argh... I just found it. Apparently the PIX does not forward any static-NATed
    packets when there is no ACL on the outside interface. It does work even if
    this ACL is permit ip any any.

    Thanks!
    Sascha
     
    Sascha E. Pollok, Aug 9, 2006
    #4
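The conclusion of the thread, written out as a complete configuration fragment. This is an added example, not configuration posted by Sascha or Brian: it combines Brian V's interface-keyword static with the outside-interface ACL that the last post found to be required on PIX 6.x, but limits that ACL to the forwarded service instead of the "permit ip any any" mentioned in the thread. The ACL name outside_in is an assumption, xx.xx.100.50 is the thread's own placeholder for the public address, and 192.168.1.51 is the inside web server from the original post.

```cisco
! Added example, not from the original posts. "outside_in" is an assumed ACL name.
! PAT for outbound traffic uses the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Static port forward: TCP/80 on the outside interface address -> inside web server.
! "interface" refers to the outside interface address, as suggested by Brian V.
static (inside,outside) tcp interface www 192.168.1.51 www netmask 255.255.255.255 0 0

! PIX 6.x only passes lower-to-higher security traffic that an inbound ACL
! (or conduit) permits. Permit only the forwarded port, not "ip any any",
! so nothing else reaches the inside through the static.
access-list outside_in permit tcp any host xx.xx.100.50 eq www
access-group outside_in in interface outside

! Statics are only picked up by new translations.
clear xlate
```

After applying this, show access-list outside_in shows a hit count climbing on the permit line when an external client connects, and show xlate shows the PAT entry from the original post; a connection that still times out with hits on the ACL points at the inside host or its default gateway rather than at the PIX.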