
natted computers cannot get out

Status
Not open for further replies.

didoo007 (Programmer), US, Apr 29, 2003
As the title says,
I have configured my pix, and all my workstations that have an internal ip can go out to the internet, but all the machines that have a nat on the pix cannot go out to the internet..
any ideas???
thanks a bunch in advance
cheers
Damien
 
have you set up the appropriate inbound ACL for the statics?
 
no need for ACLs
I am just trying to get out..
and it works fine for the non-natted machines...
any other ideas?
 
here is the config

show config
: Saved
: Written by enable_15 at 16:27:33.908 UTC Mon Apr 28 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 577ue2UsN1E8CMPR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pugcopixbk
domain-name pugco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol rtsp 554
no fixup protocol sip 5060
names
name 192.168.11.254 server02
name 192.168.11.109 ffms
name 192.168.11.148 sambdc
name 192.168.11.140 srvth01
name 192.168.11.252 mail
name 192.168.11.95 ns1
name 192.168.11.246 brass_ftp
name 192.168.11.110 fftc
name 192.168.11.80 kzpsrv1
name 192.168.11.102 pcmsvr2
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 56.56.56.223 255.255.255.224
ip address inside 192.168.11.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location ns1 255.255.255.255 inside
pdm location 192.168.11.99 255.255.255.255 inside
pdm location 192.168.11.98 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) 56.56.56.41 ns1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.40 mail netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.34 server02 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.38 srvth01 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.36 sambdc netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.35 ffms netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.44 brass_ftp netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.226 fftc netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.227 kzpsrv1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.231 pcmsvr2 netmask 255.255.255.255 0 0
conduit permit tcp host ns1 eq
conduit permit tcp host ns1 eq smtp any
conduit permit tcp host ns1 eq pcanywhere-data any
conduit permit udp host ns1 eq pcanywhere-status any
conduit permit tcp host sambdc eq smtp any
conduit permit tcp host pcmsvr2 eq
conduit permit tcp host pcmsvr2 eq smtp any
conduit permit tcp host pcmsvr2 eq 1723 any
conduit permit gre host pcmsvr2 any
conduit permit tcp host kzpsrv1 eq smtp any
conduit permit gre host kzpsrv1 any
conduit permit tcp host kzpsrv1 eq 1723 any
conduit permit gre host ffms any
conduit permit tcp host ffms eq
conduit permit tcp host ffms eq smtp any
conduit permit tcp host ffms eq 1723 any
conduit permit tcp host mail eq 1723 any
conduit permit gre host mail any
conduit permit tcp host fftc eq pcanywhere-data any
conduit permit udp host fftc eq pcanywhere-status any
conduit permit tcp host server02 eq
conduit permit tcp host server02 eq smtp any
conduit permit tcp host server02 eq pop3 any
conduit permit tcp host srvth01 eq smtp any
conduit permit tcp host srvth01 eq 1723 any
conduit permit gre host srvth01 any
route outside 0.0.0.0 0.0.0.0 56.56.56.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:0873ccb615f15e365522f73fe10d011c

pugcopixbk(config)# show config      running
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 577ue2UsN1E8CMPR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pugcopixbk
domain-name pugco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol rtsp 554
no fixup protocol sip 5060
names
name 192.168.11.254 server02
name 192.168.11.109 ffms
name 192.168.11.148 sambdc
name 192.168.11.140 srvth01
name 192.168.11.252 mail
name 192.168.11.95 ns1
name 192.168.11.246 brass_ftp
name 192.168.11.110 fftc
name 192.168.11.80 kzpsrv1
name 192.168.11.102 pcmsvr2
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 56.56.56.233 255.255.255.224
ip address inside 192.168.11.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location ns1 255.255.255.255 inside
pdm location 192.168.11.99 255.255.255.255 inside
pdm location 192.168.11.98 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) 56.56.56.41 ns1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.40 mail netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.34 server02 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.38 srvth01 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.36 sambdc netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.35 ffms netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.44 brass_ftp netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.226 fftc netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.227 kzpsrv1 netmask 255.255.255.255 0 0
static (inside,outside) 56.56.56.231 pcmsvr2 netmask 255.255.255.255 0 0
conduit permit tcp host ns1 eq
conduit permit tcp host ns1 eq smtp any
conduit permit tcp host ns1 eq pcanywhere-data any
conduit permit udp host ns1 eq pcanywhere-status any
conduit permit tcp host sambdc eq smtp any
conduit permit tcp host pcmsvr2 eq
conduit permit tcp host pcmsvr2 eq smtp any
conduit permit tcp host pcmsvr2 eq 1723 any
conduit permit gre host pcmsvr2 any
conduit permit tcp host kzpsrv1 eq smtp any
conduit permit gre host kzpsrv1 any
conduit permit tcp host kzpsrv1 eq 1723 any
conduit permit gre host ffms any
conduit permit tcp host ffms eq
conduit permit tcp host ffms eq smtp any
conduit permit tcp host ffms eq 1723 any
conduit permit tcp host mail eq 1723 any
conduit permit gre host mail any
conduit permit tcp host fftc eq pcanywhere-data any
conduit permit udp host fftc eq pcanywhere-status any
conduit permit tcp host server02 eq
conduit permit tcp host server02 eq smtp any
conduit permit tcp host server02 eq pop3 any
conduit permit tcp host srvth01 eq smtp any
conduit permit tcp host srvth01 eq 1723 any
conduit permit gre host srvth01 any
route outside 0.0.0.0 0.0.0.0 56.56.56.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:0873ccb615f15e365522f73fe10d011c
: end

pugcopixbk(config)#
 
Hi Damien,
It looks like all your NATed devices are on net 192.168.11.0. What about the devices that can't get to the internet, what net are they on? If they are on a separate net like 192.168.12.0, then yes, your config won't work.
Look at your global/nat statements:
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
This allows ONLY devices in net 192.168.11.0 to NAT and overload to the outside interface; no other traffic will be able to talk to the internet.
Usually, that statement is configured as:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Why not try this.... it allows any device from the inside networks to NAT and reach the outside interface and internet.
Keith


 
Damien,
One more comment on the side....... I would start to move away from and refrain from using the conduit statement, as it has been replaced by access-lists now. Cisco has indicated that most likely the conduit command will be obsoleted, so I would start getting into the habit of configuring your PIXs with the new method.
Keith
 
I do not have machines on the subnet 192.168.12.0 for now.
It is the machines on the subnet 192.168.11.0 to which I have assigned a NAT that do not go out.
thanks
Damien
 
A question. Your config states:

Code:
ip address outside 56.56.56.223 255.255.255.224

and later

Code:
static (inside,outside) 56.56.56.41 ns1 netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.40 mail netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.34 server02 netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.38 srvth01 netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.36 sambdc netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.35 ffms netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.44 brass_ftp netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.226 fftc netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.227 kzpsrv1 netmask 255.255.255.255 0 0 
static (inside,outside) 56.56.56.231 pcmsvr2 netmask 255.255.255.255 0 0

Since your subnet mask is .224 and given your IP address, that means you should have IP addresses 56.56.56.192 through 56.56.56.223. Btw, this means you've got your outside interface set to the broadcast.

Additionally, you're setting up those translations to outside IP addresses that you don't own. For example, 56.56.56.35 belongs to another subnet, and if you've got your subnet mask correct, odds are your upstream router is throwing those packets away as being incorrect.
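The subnet arithmetic in this reply, together with Keith's earlier point about the nat (inside) statement, as an added config audit (example code written for this page, not from the thread or from Cisco). It works on a hand-copied excerpt of the poster's config using the two public ranges he lists later in the thread; the finding that an off-subnet static needs a route on the upstream router is the editor's assumption about how the ISP router reaches the second block.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.2 config from this thread (the addresses the
# poster gave last), embedded so the audit runs offline. Not the full config.
PIX_CONFIG = """\
name 192.168.11.95 ns1
name 192.168.11.110 fftc
ip address outside 205.244.53.233 255.255.255.224
ip address inside 192.168.11.250 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) 205.242.197.41 ns1 netmask 255.255.255.255 0 0
static (inside,outside) 205.244.53.226 fftc netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 205.244.53.225 1
"""

# The two public blocks the poster says his router has (assumed input: the
# audit treats anything outside these as an address the site does not own).
OWNED_RANGES = ["205.242.197.32/28", "205.244.53.224/27"]


def parse_pix(text):
    """Pull the NAT-relevant statements out of a PIX 6.x running config."""
    cfg = {"names": {}, "ifaces": {}, "nats": [], "statics": [], "gateway": None}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name" and len(p) == 3:
            cfg["names"][p[2]] = p[1]                     # name <ip> <alias>
        elif p[:2] == ["ip", "address"] and len(p) >= 5:  # ip address <if> <ip> <mask>
            cfg["ifaces"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "nat" and len(p) >= 5:               # nat (<if>) <id> <net> <mask>
            try:
                cfg["nats"].append(ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False))
            except ValueError:
                pass                                      # e.g. nat (inside) 0 access-list ...
        elif p[0] == "static" and len(p) >= 4:            # static (<in>,<out>) <global> <local>
            m = re.fullmatch(r"\((\w+),(\w+)\)", p[1])
            glob = ipaddress.ip_address(cfg["names"].get(p[2], p[2]))
            local = ipaddress.ip_address(cfg["names"].get(p[3], p[3]))
            cfg["statics"].append((m.group(2), glob, local))
        elif p[0] == "route" and len(p) >= 5 and p[2] == p[3] == "0.0.0.0":
            cfg["gateway"] = ipaddress.ip_address(p[4])   # default route next hop
    return cfg


def audit(text, owned_ranges):
    """Return a list of findings about addressing and NAT in the config."""
    cfg = parse_pix(text)
    owned = [ipaddress.ip_network(r) for r in owned_ranges]
    out, inside = cfg["ifaces"].get("outside"), cfg["ifaces"].get("inside")
    if out is None or inside is None:
        return ["no ip address configured for outside and/or inside"]
    net = out.network
    findings = []
    # A mask of 255.255.255.224 is a /27: the first and last address of the
    # block are the network and broadcast and must not be assigned to a host.
    if out.ip in (net.network_address, net.broadcast_address):
        findings.append(f"outside address {out.ip} is the network or broadcast "
                        f"address of {net}")
    if cfg["gateway"] is not None and cfg["gateway"] not in net:
        findings.append(f"default gateway {cfg['gateway']} is not in {net}")
    # Keith's point: the nat (inside) statement must cover the inside hosts.
    if not any(inside.network.subnet_of(n) for n in cfg["nats"]):
        findings.append(f"inside subnet {inside.network} is not covered by any "
                        f"nat (inside) statement")
    for out_if, glob, local in cfg["statics"]:
        if out_if != "outside" or glob in net:
            continue                                      # on-subnet static: fine
        if any(glob in r for r in owned):
            # Assumption: an owned block that is not the outside interface's
            # subnet only works if the upstream router routes it to the PIX.
            findings.append(f"static {glob} ({local}) is outside {net}; the "
                            f"upstream router needs a route for it via {out.ip}")
        else:
            findings.append(f"static {glob} ({local}) is not in any owned range")
    return findings


if __name__ == "__main__":
    for f in audit(PIX_CONFIG, OWNED_RANGES) or ["no findings"]:
        print(f)
```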




 
I have two subnets of external IPs; this is why you see it configured this way.
 
So what are the subnets you have?
What's the subnet for your upstream router?
 
And are you saying the ones that are nat'd using the statics can't get out, or that the ones PAT'd using the interface can't get out?
 
I have two ranges:
56.56.56.32/28
and
56.56.56.224/27
 
quote: "And are you saying the ones that are nat'd using the statics can't get out, or that the ones PAT'd using the interface can't get out?"

absolutely...
weird isn't it...
 
What? Which one is it? The question was an either/or question.

All of the computers are either nat'd through the statics, or PAT'd through the interface. Which ones can not get out?
 
ok guys...
Let me put it clearly again:
I have two ranges of addresses on my router:
205.242.197.32/28
and
205.244.53.224/27

I was trying to completely change the IP addresses used so not everyone can see my real conf... but well

here is the configuration

note once again:
the machines that do not have a NAT to a fixed external IP can go out
the machines that do Have a NAT CANNOT go out



nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 577ue2UsN1E8CMPR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname blahblah
domain-name pugco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol rtsp 554
no fixup protocol sip 5060
names
name 192.168.11.254 server02
name 192.168.11.109 ffms
name 192.168.11.148 sambdc
name 192.168.11.140 srvth01
name 192.168.11.252 mail
name 192.168.11.95 ns1
name 192.168.11.246 brass_ftp
name 192.168.11.110 fftc
name 192.168.11.80 kzpsrv1
name 192.168.11.102 pcmsvr2
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 205.244.53.233 255.255.255.224
ip address inside 192.168.11.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location ns1 255.255.255.255 inside
pdm location 192.168.11.99 255.255.255.255 inside
pdm location 192.168.11.98 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) 205.242.197.41 ns1 netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.40 mail netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.34 server02 netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.38 srvth01 netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.36 sambdc netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.35 ffms netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.44 brass_ftp netmask 255.255.255.255 0 0
static (inside,outside) 205.244.53.226 fftc netmask 255.255.255.255 0 0
static (inside,outside) 205.244.53.227 kzpsrv1 netmask 255.255.255.255 0 0
static (inside,outside) 205.244.53.231 pcmsvr2 netmask 255.255.255.255 0 0
conduit permit tcp host ns1 eq
conduit permit tcp host ns1 eq smtp any
conduit permit tcp host ns1 eq pcanywhere-data any
conduit permit udp host ns1 eq pcanywhere-status any
conduit permit tcp host sambdc eq smtp any
conduit permit tcp host pcmsvr2 eq
conduit permit tcp host pcmsvr2 eq smtp any
conduit permit tcp host pcmsvr2 eq 1723 any
conduit permit gre host pcmsvr2 any
conduit permit tcp host kzpsrv1 eq smtp any
conduit permit gre host kzpsrv1 any
conduit permit tcp host kzpsrv1 eq 1723 any
conduit permit gre host ffms any
conduit permit tcp host ffms eq
conduit permit tcp host ffms eq smtp any
conduit permit tcp host ffms eq 1723 any
conduit permit tcp host mail eq 1723 any
conduit permit gre host mail any
conduit permit tcp host fftc eq pcanywhere-data any
conduit permit udp host fftc eq pcanywhere-status any
conduit permit tcp host server02 eq
conduit permit tcp host server02 eq smtp any
conduit permit tcp host server02 eq pop3 any
conduit permit tcp host srvth01 eq smtp any
conduit permit tcp host srvth01 eq 1723 any
conduit permit gre host srvth01 any
route outside 0.0.0.0 0.0.0.0 205.244.53.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:0873ccb615f15e365522f73fe10d011c


pugcopixbk(config)# show config      running
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 577ue2UsN1E8CMPR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pugcopixbk
domain-name pugco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol rtsp 554
no fixup protocol sip 5060
names
name 192.168.11.254 server02
name 192.168.11.109 ffms
name 192.168.11.148 sambdc
name 192.168.11.140 srvth01
name 192.168.11.252 mail
name 192.168.11.95 ns1
name 192.168.11.246 brass_ftp
name 192.168.11.110 fftc
name 192.168.11.80 kzpsrv1
name 192.168.11.102 pcmsvr2
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 205.244.53.233 255.255.255.224
ip address inside 192.168.11.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location ns1 255.255.255.255 inside
pdm location 192.168.11.99 255.255.255.255 inside
pdm location 192.168.11.98 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) 205.242.197.41 ns1 netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.40 mail netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.34 server02 netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.38 srvth01 netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.36 sambdc netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.35 ffms netmask 255.255.255.255 0 0
static (inside,outside) 205.242.197.44 brass_ftp netmask 255.255.255.255 0 0
static (inside,outside) 205.244.53.226 fftc netmask 255.255.255.255 0 0
static (inside,outside) 205.244.53.227 kzpsrv1 netmask 255.255.255.255 0 0
static (inside,outside) 205.244.53.231 pcmsvr2 netmask 255.255.255.255 0 0
conduit permit tcp host ns1 eq
conduit permit tcp host ns1 eq smtp any
conduit permit tcp host ns1 eq pcanywhere-data any
conduit permit udp host ns1 eq pcanywhere-status any
conduit permit tcp host sambdc eq smtp any
conduit permit tcp host pcmsvr2 eq
conduit permit tcp host pcmsvr2 eq smtp any
conduit permit tcp host pcmsvr2 eq 1723 any
conduit permit gre host pcmsvr2 any
conduit permit tcp host kzpsrv1 eq smtp any
conduit permit gre host kzpsrv1 any
conduit permit tcp host kzpsrv1 eq 1723 any
conduit permit gre host ffms any
conduit permit tcp host ffms eq
conduit permit tcp host ffms eq smtp any
conduit permit tcp host ffms eq 1723 any
conduit permit tcp host mail eq 1723 any
conduit permit gre host mail any
conduit permit tcp host fftc eq pcanywhere-data any
conduit permit udp host fftc eq pcanywhere-status any
conduit permit tcp host server02 eq
conduit permit tcp host server02 eq smtp any
conduit permit tcp host server02 eq pop3 any
conduit permit tcp host srvth01 eq smtp any
conduit permit tcp host srvth01 eq 1723 any
conduit permit gre host srvth01 any
route outside 0.0.0.0 0.0.0.0 205.244.53.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.5.41.209 source outside prefer
http server enable
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt route dnat
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:0873ccb615f15e365522f73fe10d011c
: end

pugcopixbk(config)#
 
Ok.

#1) First debugging step. Remove all of the conduits. They interact strangely. The default routing and access-lists will permit data out. I'd say one of the conduits is misconfigured, but I don't know enough about them. Since they should only be allowing traffic back in, this is not a big deal.

#2) Have you tried using the PDM?
 
Dido, please quit posting 2 copies of your configuration. It's making this topic hard to read.
 