ACL port mapping problems - New to Cisco

Status
Not open for further replies.

ciscojoe

Technical User
Dec 16, 2003
8
US

Hello everyone,

Many thanks in advance to anyone who can shed some light here. I'm pretty new to working with Cisco equipment and networking in general.

Ultimately I will be setting up VPN access to a Windows 2000 Server environment. Before jumping that far into it I want to simply map an external IP to an internal IP assigned to a web site on our LAN (as a proof of concept).

Here is my current configuration:


PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit icmp any any
access-list 101 permit tcp any host 66.106.12.126 eq www
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 66.106.12.120 255.255.255.248 outside
pdm location 192.168.1.212 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 192.168.1.2-192.168.1.100
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.126 192.168.1.212 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.106.12.121 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

Anything glaring here? I've searched the forums and Cisco's site... I looked over everything as far as I know it should work.

One other question... this may show my ignorance on the spot. I tried to ping the external IP address I'm using here and it doesn't respond. Our PIX is sitting behind a router from our ISP. If my configuration is correct, is it possible the router simply is not configured for this IP or is otherwise blocking it?

The final piece of info I can offer is that we are using MS Small Business Server 2000 which is running Internet Security and Acceleration Server 2000. Would I have to set up any rules here in order for this to work?

Best regards,

CiscoJoe
 
Oh I forgot to mention this. What I am trying to do access the external IP from a web browser and view the internal site. When I do that I get a general "page cannot be displayed" error.

I checked the PDM logs and the following error shows up:

Deny tcp src outside: xxx.xxx.xxx.xxx/xxxx dst inside:xxx.xxx.xxx.xxx/xxx by access group "101"

Hope that helps.

Best regards,

CiscoJoe
 
OK, I'm like you and not an expert here. But I did just set up my own PIX 506E firewall with internal servers. The static route looks OK but you do not have an ACL to allow traffic in. Try adding
access-list outside permit tcp any host xxx.xxx.xxx.126 eq www
If I'm not mistaken, that will allow traffic from your outside IP to enter your inside.

Hope that helps
 

Neutec,

Thank you for the quick response, I'll try this out shortly. I had thought the line:

access-list 101 permit tcp any host xxx.xxx.xxx.126 eq www

Would allow the incoming traffic. Is it no longer necessary to have this line after I implement yours?

Thanks so much,

CiscoJoe
 
That's where I'm a little confused. Your ACL is applied to the access-list where mine is applied to the outside interface. I'm really not sure which is the right one to use. If you still get stuck, let me know and I will call Cisco using my SMARTnet account to get the answer. I would like to know for myself too.

My network is close to yours. I have an internal server that I allow traffic through. I was told to use the command that you used

static (inside, outside) bla bla bla
but I was also told to add the other ACL line access-list 101 permit tcp any host xxx.xxx.xxx.126 eq www.

I'll get the answer one way or another.
 
Thanks for the update, I am anxious to try this out but ran into another problem. I can't seem to get into the PIX via PDM anymore. I can get through to the PDM login and enter my login information. However, once it lets me through, I get a "page cannot be displayed" error where the PDM should be. This has happened in the past and was resolved simply by unplugging the PIX and letting it reboot. I've tried that twice with no success. Any clue as to what could be causing this?

Thanks so much,

CiscoJoe
 
Sorry, I can't help you there. I don't use PDM; I just use the console to configure my PIX.
 

OK, made it into PDM and I put in your line, it still didn't work. I tried just about every combination combining our two lines with no success.

Maybe there is something wrong with my mapping?

static (inside,outside) xxx.xxx.xxx.126 192.168.1.212 netmask 255.255.255.255 0 0

I'm just a little confused on this line here in particular. When (inside,outside) is specified, does that mean you must put the inside IP first in the string, then the outside IP afterwards? That is what I would assume just looking at the string here. However on the example from Cisco.com they put the outside IP first, so that is what I did. I'll try reversing these and see what happens.

Best regards,

CiscoJoe

 

OK tried reversing to no avail. I'm really not sure as to what is going wrong. Maybe if I could just send somebody the IP's I am working with and they send me the strings they would write so I can compare them to my own?

Take care,

CiscoJoe
 
Are you trying to access the web server from a host behind the PIX? If so, it will not work as it is... you need the alias command:


One last thing... you will never be able to ping the outside interface from an internal host, it just isn't allowed, but you can ping the outside router to test connectivity to the outside network.
 
Remove this line and see if you have any more problems.

global (outside) 2 192.168.1.2-192.168.1.100

 
Thanks to all those who have offered help. I've tried all of the recommendations here and still have not gotten this to work.

I set up the alias as shown on:
I also removed the line:
global (outside) 2 192.168.1.2-192.168.1.106

I still cannot access the IP to the web server from inside or outside of the PIX. This is becoming very frustrating =)

Here is my current config if anybody can still help:

hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.212 r2sites
access-list 101 permit icmp any any
access-list 101 permit tcp any host 66.106.12.126 eq www
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.122 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxx.xxx.xxx.120 255.255.255.248 outside
pdm location r2sites 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) r2sites xxx.xxx.xxx.xxx 255.255.255.255
static (inside,outside) xxx.xxx.xxx.126 r2sites netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.106.12.121 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp inside
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

Much thanks if anybody can continue to help me on this one. I've already learned so much from everyone's advice; hopefully this issue can be resolved soon.

Best regards,

CiscoJoe
 
Why do you have sysopt route dnat turned off?

Also.... The aliases are not necessary for a webserver. It's really only used to doctor DNS.
 
If you don't have your own internal DNS with a registration for the private IP of your address, you will need the DNS keyword at the end of the static command; alias is a command that will disappear shortly from the command set.

This command will translate DNS records queried from inside through the PIX and direct you to the internal ip address instead of the official ip, which you in a pix setup can't reach from the inside.

JAn

Network Systems Engineer
CCNA/CQS
 
Ciscojoe,

The DNS keyword is not an option for you since you are running 6.1, you need 6.2(2) if you want to use the keyword DNS instead of the alias command.
 
Sorry, missed the software version....anyways you should upgrade :)

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Yeah, I had problems with 6.3.1 so updated to 6.3.3. Works fine now. I was not able to use static routes for some reason until I updated. Cisco could not get it to work either, until the update.
 