Forward all traffic for specific external IP

[snyperx3]

Our main office has several public IPs available that are being managed by a PIX-501. We recently added a device inside the network and we would like to have a single IP send all traffic to the device without filtering any ports. These are the commands that I setup on the PIX (xxx.xxx.xxx.xxx is the public IP):

static (inside,outside) xxx.xxx.xxx.xxx 192.168.3.33 netmask 255.255.255.255 0 0
pdm location 192.168.3.33 255.255.255.255 inside
access-list outside_access_in permit udp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit ip any host xxx.xxx.xxx.xxx
access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit esp any host xxx.xxx.xxx.xxx

To test this I enabled telnet on the new device. From inside the network I can connect to it via its internal ip (192.168.3.33), but from outside the network I cannot connect via its external IP. Am I missing a command?

-Pete

 

[baddos]

Yes, you are missing a nat translation.

But be aware, that is a very bad idea you have there.

 

[snyperx3]

It's not like its going to a server. It's going to a firewall that is controlled by an outside company.

What is the nat translation that I am missing?

-Pete

 

[brianinms]

1. You need to clear the xlates for that ip address

"clear xlate local 192.168.3.33"


2. You only need to specify IP in your access list.


3. Are you sure that access list is applied to the interface?

 

[snyperx3]

Thanks for the suggestions brianinms, but that still hasn't resolved my problem.

The access list is applied to the interface

-Pete

 

[brianinms]

Post your scrubbed configuration

 

[baddos]

nat (inside) 10 192.168.3.33
global (outside) 10 x.x.x.x !replace x.x.x.x with your public ip thats in the static

 

[brianinms]

Are you using that in addition to the static? Post your whole configuration instead of snips so we can get the total picture.

 

[snyperx3]

brianinms: I'm the OP, not baddos. My config has too much public info to scrub. Is there any settings in particular you would like to see?

I did not add the nat and global commands that baddos suggested yet.

One thing that concerns me:

I have this static route set because of VPN configurations:

route inside 192.168.0.0 255.255.248.0 192.168.3.253 1

Will this effect the route of the public->192.16.3.33? The PIX I am working from is 192.168.3.254, and the device at 192.168.3.33 has the PIX set as its default route.

-Pete

 

[brianinms]

Sorry Pete, its been one of those mornings. I would like to see the current static and acl as in your firewall. Reason I was asking for the whole configuration is sometimes there is a conflict somewhere and its hard to understand without the total picture.

 

[baddos]

I did not add the nat and global commands that baddos suggested yet.

Then you need to, as you aren't perforing nat on that address with that or similar statements.

Will this effect the route of the public->192.16.3.33? The PIX I am working from is 192.168.3.254, and the device at 192.168.3.33 has the PIX set as its default route.

Couldn't accurately answer this question without knowing your network layout. But remember that the most specific route is always taken. You can have a generic supernet route to a specific router, but then have a subnet route to another router. This is normal behavior.

 

[snyperx3]

Just wanted to let you guys know that this is working now. The problem was not with the configuration, it was with the public IP address I was assigning to it. Apparently some undocumented device is using the IP, or the ISP screwed up and gave it to someone else. I just changed the IP, and it immediately started working.

Thanks for your help guys.

-Pete