NAT & STATIC

[khaledeshah]

Hi
I have a PIX506 5.2 & I want to put my LAN behind it & also a server
so I add the following :
nat (inside) 1 0 0
global(outside) 1 interface
dhcpd address 192.168.1.128-192.168.1.137
dhcpd dns x.x.x.x
dhcpd enbale
to let my LAN connect to INTERNET
Now I want to outsiders connect to my WEB server
static (inside,outside) x.x.x.x 192.168.1.10 netmask 255.255.255.255
where x.x.x.x is the outside interface address
access-list acl_out permit tcp any host x.x.x.x eq www
access-group acl_out in interface outside
but what I get is that if my LAN connect first to the INTERNET, the outsiders can't access my web server & if outsiders connect first to my web server, The LAN can't connect to the INTERNET
so What is wrong?

 

[gbiello]

Try replacing your static line with this:

static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0

-gbiello

 

[khaledeshah]

this is not posible coz the syntax of static command doesn't accept what you said.

 

[CripTiK]

global(outside) 1 interface

Is that the command you have in there?

Try assigning an external IP address to that global command. example: global (outside) 1 xx.xx.xx.xx xx.xx.xx.xx

Basically, you would be using PAT (port address translation) all internal clients will use that global address. PIX will translate each local address to the same global address but assign a unique port to create a session. If you use a range of IPs in the global statement then that is considered NAT.

 

[khaledeshah]

can you explain more coz I didn't get what u want clearly ?

 

[gbiello]

The IOS you are using (5.2) is quite old, and probably doesn't recognize the syntax. I would recommend an upgrade to the latest version. Contact your vendor.
-gbiello

 

[khaledeshah]

Can I get a solution without software upgrde, what I need is to let my server be acessible & my LAN access to INTERNET with the min no of IP addresses ?

 

[yizhar]

HI.

The "static tcp" command is available from version 6.x only,
so you have 2 options:
1) Use an additional ip address for the static command (not the interface of the pix).
2) Upgrade pix OS.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[khaledeshah]

Hi
Thks for ur help, I have a question : If I use another IP address which is from a different subnet used in the interface address, is that possible ? & why If I use the same IP address not working?

 

[yizhar]

HI.

If the other IP address is a real one - registered, valid and routed by the ISP to your pix, then it should work.

The normal "static" command maps a whole ip address to an internal one for all ports, therefor it can only be good for exclusive use and can not overlap with other use like PAT or other clients.
The "static tcp" command maps a single port but again this is available only with newer versions.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[khaledeshah]

Hi
thks for ur help, All is OK except that I can't access INTERNET from my server.
how can make this ?