
Forward all traffic for specific external IP


snyperx3

Programmer
May 31, 2005
467
US
Our main office has several public IPs available that are being managed by a PIX-501. We recently added a device inside the network and we would like to have a single IP send all traffic to the device without filtering any ports. These are the commands that I set up on the PIX (xxx.xxx.xxx.xxx is the public IP):

Code:
static (inside,outside) xxx.xxx.xxx.xxx 192.168.3.33 netmask 255.255.255.255 0 0
pdm location 192.168.3.33 255.255.255.255 inside
access-list outside_access_in permit udp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit ip any host xxx.xxx.xxx.xxx
access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit esp any host xxx.xxx.xxx.xxx

To test this I enabled telnet on the new device. From inside the network I can connect to it via its internal IP (192.168.3.33), but from outside the network I cannot connect via its external IP. Am I missing a command?

-Pete
 
Yes, you are missing a nat translation.

But be aware, that is a very bad idea you have there.
 
It's not like it's going to a server. It's going to a firewall that is controlled by an outside company.

What is the nat translation that I am missing?

-Pete
 
1. You need to clear the xlates for that IP address

"clear xlate local 192.168.3.33"


2. You only need to specify IP in your access list.


3. Are you sure that access list is applied to the interface?
 
Thanks for the suggestions brianinms, but that still hasn't resolved my problem.

The access list is applied to the interface

-Pete
 
Code:
nat (inside) 10 192.168.3.33
global (outside) 10 x.x.x.x ! replace x.x.x.x with the public IP that's in the static
 
Are you using that in addition to the static? Post your whole configuration instead of snips so we can get the total picture.
 
brianinms: I'm the OP, not baddos. My config has too much public info to scrub. Are there any settings in particular you would like to see?

I did not add the nat and global commands that baddos suggested yet.

One thing that concerns me:

I have this static route set because of VPN configurations:
Code:
route inside 192.168.0.0 255.255.248.0 192.168.3.253 1

Will this affect the route of the public->192.16.3.33? The PIX I am working from is 192.168.3.254, and the device at 192.168.3.33 has the PIX set as its default route.

-Pete
 
Sorry Pete, it's been one of those mornings. I would like to see the current static and ACL as in your firewall. The reason I was asking for the whole configuration is that sometimes there is a conflict somewhere and it's hard to understand without the total picture.
 
I did not add the nat and global commands that baddos suggested yet.
Then you need to, as you aren't performing nat on that address with that or similar statements.

Will this affect the route of the public->192.16.3.33? The PIX I am working from is 192.168.3.254, and the device at 192.168.3.33 has the PIX set as its default route.

Couldn't accurately answer this question without knowing your network layout. But remember that the most specific route is always taken. You can have a generic supernet route to a specific router, but then have a subnet route to another router. This is normal behavior.
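To make the "most specific route is always taken" point concrete for Pete's routing table, here is an added longest-prefix-match example (not from the thread or from the PIX itself). It assumes the PIX inside interface 192.168.3.254/24 gives a connected /24 route, uses Pete's static route to 192.168.0.0/21 via 192.168.3.253, and uses a placeholder ISP gateway for the default route.

```python
import ipaddress

# Constructed routing table modelled on the thread. Only 192.168.3.253 and the
# 192.168.0.0/21 prefix come from Pete's post; the default-route gateway is a
# placeholder and the connected /24 is inferred from the PIX inside address.
ROUTES = [
    # default route to the ISP (placeholder next hop)
    (ipaddress.ip_network("0.0.0.0/0"), "outside", "203.0.113.1"),
    # route inside 192.168.0.0 255.255.248.0 192.168.3.253 1
    (ipaddress.ip_network("192.168.0.0/21"), "inside", "192.168.3.253"),
    # connected network of the PIX inside interface (192.168.3.254/24)
    (ipaddress.ip_network("192.168.3.0/24"), "inside", "connected"),
]


def lookup(dst):
    """Return (prefix, interface, next_hop) for the most specific route to dst.

    Every route whose prefix contains dst is a candidate; the one with the
    longest prefix length wins, exactly as the PIX's forwarding table does.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def overlaps_static(dst):
    """True if dst falls inside Pete's 192.168.0.0/21 static route."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network("192.168.0.0/21")


if __name__ == "__main__":
    for host in ("192.168.3.33", "192.168.1.10", "8.8.8.8"):
        prefix, iface, nh = lookup(host)
        print(f"{host}: via {prefix} on {iface}, next hop {nh}")
```

Even though 192.168.3.33 does fall inside the /21 static route, the connected /24 is longer and wins, so the static route has no effect on the NATed traffic to that host.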
 
Just wanted to let you guys know that this is working now. The problem was not with the configuration, it was with the public IP address I was assigning to it. Apparently some undocumented device is using the IP, or the ISP screwed up and gave it to someone else. I just changed the IP, and it immediately started working.

Thanks for your help guys.

-Pete
 