config help NAT/policy

billyakabachi

Technical User
Jan 9, 2003
US
Hi Everyone,
I was wondering if someone can lend a hand and look over this config for me.
The config below appears to work fine: the inside network is able to get out to the internet, and outside users are able to get to the website hosted in the DMZ and internally.
The problem is that the servers with a static NAT translation are unable to get out to the internet (10.0.0.105, 192.168.0.106, 192.168.107). If I remove the static NAT translation then they can get internet access, but then outside can't access the websites.

PIX Version 7.2(2)
hostname FIREWALL
name 10.0.0.105 SYSLOG
name 70.x.x.97 INTERNET
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 70.x.x.98 255.255.255.240
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.1 255.255.252.0
!
interface Ethernet2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.NET
access-list NONAT extended permit ip 10.0.0.0 255.255.252.0 10.1.0.0 255.255.252.0
access-list DMZ_NONAT extended permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.252.0
access-list SPLIT_TUNNEL_LIST standard permit 10.0.0.0 255.255.252.0
access-list SPLIT_TUNNEL_LIST standard permit 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 70.x.x.106 eq ftp
access-list outside_access_in extended permit tcp any host 70.x.x.105 eq www
access-list outside_access_in extended permit tcp any host 70.x.x.106 eq www
access-list outside_access_in extended permit tcp any host 70.x.x.107 eq www

ip local pool VPN_POOL 10.1.0.10-10.1.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 70.x.x.100-70.x.x.101
global (outside) 1 70.x.x.102
global (dmz) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list DMZ_NONAT
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) 70.x.x.106 192.168.0.106 netmask 255.255.255.255
static (inside,outside) 70.x.x.105 SYSLOG netmask 255.255.255.255
static (dmz,outside) 70.x.x.107 192.168.0.107 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 INTERNET 1

group-policy REMOTE_VPN_GP internal
group-policy REMOTE_VPN_GP attributes
dns-server value 10.0.0.100 10.0.0.101
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL_LIST
default-domain value domain.net

crypto ipsec transform-set STRONGER esp-aes esp-sha-hmac
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set STRONGEST esp-aes-256 esp-sha-hmac
crypto dynamic-map CLIENT_MAP 1 set transform-set STRONGEST STRONGER STRONG
crypto map VPN_MAP 50 set pfs
crypto map VPN_MAP 50 set transform-set STRONGEST STRONGER STRONG
crypto map VPN_MAP 65535 ipsec-isakmp dynamic CLIENT_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 150
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group REMOTE_VPN type ipsec-ra
tunnel-group REMOTE_VPN general-attributes
address-pool VPN_POOL
default-group-policy REMOTE_VPN_GP
tunnel-group REMOTE_VPN ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ftp
inspect icmp
!
service-policy global_policy global
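As an added illustration that is not part of the original post or of the poster's firewall, the script below (my own construction, not anything the PIX provides) parses the name/static/nat/global lines from the config above and reports which translation a given source host would get toward a given interface, which is the first thing to verify when a statically translated server cannot open outbound connections. It assumes the PIX 7.x lookup order of static before dynamic nat/global and does not model the destination-based "nat 0 access-list" exemptions.

```python
import ipaddress
import re

# Constructed sample input: the NAT statements from the config above ("70.x.x.*" kept as masked).
SAMPLE = """\
name 10.0.0.105 SYSLOG
global (outside) 1 70.x.x.100-70.x.x.101
global (outside) 1 70.x.x.102
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) 70.x.x.106 192.168.0.106 netmask 255.255.255.255
static (inside,outside) 70.x.x.105 SYSLOG netmask 255.255.255.255
static (dmz,outside) 70.x.x.107 192.168.0.107 netmask 255.255.255.255
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
NAT = re.compile(r"^nat \((\w+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
GLOBAL = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")

def parse(text):
    names, statics, nats, globs = {}, [], [], []
    for line in text.splitlines():
        if line.startswith("name "):
            _, ip, alias = line.split()
            names[alias] = ip
        elif m := STATIC.match(line):
            rif, mif, mapped, real, mask = m.groups()
            real_net = ipaddress.ip_network(f"{names.get(real, real)}/{mask}", strict=False)
            statics.append((rif, mif, mapped, real_net))
        elif m := NAT.match(line):  # "nat (if) 0 access-list ..." exemptions are not modelled
            rif, nid, net, mask = m.groups()
            nats.append((rif, int(nid), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL.match(line):
            mif, gid, pool = m.groups()
            globs.append((mif, int(gid), pool))
    return names, statics, nats, globs

def resolve(cfg, src_if, src_ip, dst_if="outside"):
    """Translation used when src_ip on src_if opens a flow to dst_if (static wins over dynamic)."""
    _, statics, nats, globs = cfg
    ip = ipaddress.ip_address(src_ip)
    for rif, mif, mapped, real_net in statics:
        if (rif, mif) == (src_if, dst_if) and ip in real_net:
            return ("static", mapped)
    for rif, nid, net in nats:
        if rif == src_if and ip in net:
            pools = [p for mif, gid, p in globs if (mif, gid) == (dst_if, nid)]
            if pools:
                return ("dynamic", ",".join(pools))
    return ("none", None)  # with nat-control on, such a flow is dropped
```

Running resolve() for each of the three servers shows that every one of them already has a usable static toward outside, so the outbound failure is not a missing translation and the next place to look is the return path (the outside ACL and the state table), not the static lines.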