smokey7244521
IS-IT--Management
I have a Pix 515 configured with no outside internet access, the main thing that Pix is used for is vpn between 2 remote branch offices.
*I need to open outbound traffic on workstation 10.10.200.201 to use telnet to public ip XX.XX.XX.XX port7571 Any help would be appreciated. Thanks in advance.
The computer that I am telnetting to is using port 7571, (c:\telnet > open xx.xx.xx.xx 7571)
(previously posted and answered, but I did explain my situation correctly)
Do I need to add a 2nd NAT entry, & should it look like this?
nat (inside) 0 10.10.200.201 255.255.255.255 0 0
Here is a copy of my config
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ********** encrypted
passwd ************** encrypted
hostname SIBWF
domain-name SIB
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.12.0.0 SIBZ
name 10.10.70.41 Syslog
access-list outside_cryptomap_20 permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_nat0_outbound permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_nat0_outbound permit ip 10.10.0.0 255.255.0.0 SIBZ 255.255.0.0
access-list outside_cryptomap_40 permit ip 10.10.0.0 255.255.0.0 SIBZ 255.255.0.0
access-list inside_out permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_out permit ip 10.10.0.0 255.255.0.0 SIBZ 255.255.0.0
access-list inside_out permit tcp host 10.10.200.201 eq telnet host 66.226.244.10 any
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside Syslog
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xx.xx.xx.xx xx.xx.xx.xx
ip address inside 10.10.17.77 255.255.0.0
no ip address intf2
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_out in interface inside
route outside 0.0.0.0 0.0.0.0 65.171.233.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.171.233.118
crypto map outside_map 20 set transform-set ESP-AES-192-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 12.215.167.245
crypto map outside_map 40 set transform-set ESP-AES-192-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 65.171.233.118 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 12.215.167.245 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-192
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
username cetech password 9mkZbXIoADkTdnyW encrypted privilege 15
terminal width 80
banner exec SIBWF
banner login SIB
Cryptochecksum:e222f8b3572764bcc556e1214b2ddf90
: end
[OK]
*I need to open outbound traffic on workstation 10.10.200.201 to use telnet to public ip XX.XX.XX.XX port7571 Any help would be appreciated. Thanks in advance.
The computer that I am telnetting to is using port 7571, (c:\telnet > open xx.xx.xx.xx 7571)
(previously posted and answered, but I did explain my situation correctly)
Do I need to add a 2nd NAT entry, & should it look like this?
nat (inside) 0 10.10.200.201 255.255.255.255 0 0
Here is a copy of my config
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ********** encrypted
passwd ************** encrypted
hostname SIBWF
domain-name SIB
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.12.0.0 SIBZ
name 10.10.70.41 Syslog
access-list outside_cryptomap_20 permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_nat0_outbound permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_nat0_outbound permit ip 10.10.0.0 255.255.0.0 SIBZ 255.255.0.0
access-list outside_cryptomap_40 permit ip 10.10.0.0 255.255.0.0 SIBZ 255.255.0.0
access-list inside_out permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_out permit ip 10.10.0.0 255.255.0.0 SIBZ 255.255.0.0
access-list inside_out permit tcp host 10.10.200.201 eq telnet host 66.226.244.10 any
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside Syslog
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xx.xx.xx.xx xx.xx.xx.xx
ip address inside 10.10.17.77 255.255.0.0
no ip address intf2
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_out in interface inside
route outside 0.0.0.0 0.0.0.0 65.171.233.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.171.233.118
crypto map outside_map 20 set transform-set ESP-AES-192-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 12.215.167.245
crypto map outside_map 40 set transform-set ESP-AES-192-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 65.171.233.118 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 12.215.167.245 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-192
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
username cetech password 9mkZbXIoADkTdnyW encrypted privilege 15
terminal width 80
banner exec SIBWF
banner login SIB
Cryptochecksum:e222f8b3572764bcc556e1214b2ddf90
: end
[OK]