
Need help simple PAT on PIX515 (easy config)

Status
Not open for further replies.

mjoyner

IS-IT--Management
Jul 26, 2009
46
US
I can't PAT into inside. Is it because I am using a reserved IP??

On the PIX outside is 172.16.1.2 and inside is 192.168.1.1

I needed to set it up, because CHARTER messes up the DHCP discovery with the PIX. I KNOW ACL IS LOOSE AS WELL AS SSH. I made it unrestricted to test, but even unrestricted it isn't working.

CABLEMODEM->WIRELESSROUTER->PIX

I have the wireless router routing all ports to PIX

Here's my config. What am I doing wrong?
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2rm.stRg.oi7EtyA encrypted
passwd 2rm.stRg.oi7EtyA encrypted
hostname pix
domain-name pix.localdomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any any
pager lines 100
mtu outside 1500
mtu inside 1500
ip address outside 172.16.1.2 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 172.16.1.2 192.168.1.100 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 66.215.64.14 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 100

THANK YOU!!!!!!!
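As an added illustration (my own code, not part of the original post or any Cisco tool), the following Python reads the NAT, ACL and management lines from a PIX 6.3-style config such as the one posted above and reports the points this thread turns on: a one-to-one static that maps the outside interface's own address, an any-to-any ACL applied inbound, SSH/telnet open to 0.0.0.0/0, a default SNMP community, and a nat id with no matching global. The embedded sample config is constructed from the lines above; the check names, the severity labels and the port-redirect suggestion in the static message are my own.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the NAT/ACL/management lines from the PIX 6.3 config posted
# above, trimmed to what the checks look at.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inbound permit tcp any any
ip address outside 172.16.1.2 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 172.16.1.2 192.168.1.100 netmask 255.255.255.255 0 0
access-group inbound in interface outside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
"""

# static (in,out) [tcp|udp] <mapped> [mapped-port] <real> ...
# captures: in_if, out_if, proto (or None), mapped, real
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\)\s+(?:(tcp|udp)\s+)?(\S+)\s+(?:\d+\s+)?(\S+)")


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)    # name -> IPv4Interface (addr + mask)
    statics: list = field(default_factory=list)       # (in_if, out_if, proto, mapped, real)
    nat_ids: set = field(default_factory=set)         # ids used by "nat (...) N"
    global_ids: set = field(default_factory=set)      # ids used by "global (...) N"
    open_acls: set = field(default_factory=set)       # ACLs containing "permit <proto> any any"
    applied: dict = field(default_factory=dict)       # interface -> ACL applied inbound
    mgmt_any: list = field(default_factory=list)      # (service, interface) reachable from 0.0.0.0/0
    communities: list = field(default_factory=list)   # SNMP community strings


def parse(text):
    """Pull only the statements the checks need out of a PIX 6.3 running-config."""
    cfg = PixConfig()
    for line in (raw.strip() for raw in text.splitlines()):
        f = line.split()
        if not f:
            continue
        if f[:2] == ["ip", "address"] and len(f) >= 5:
            cfg.interfaces[f[2]] = ipaddress.IPv4Interface(f"{f[3]}/{f[4]}")
        elif f[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                cfg.statics.append(m.groups())
        elif f[0] == "nat" and len(f) >= 3:
            cfg.nat_ids.add(f[2])
        elif f[0] == "global" and len(f) >= 3:
            cfg.global_ids.add(f[2])
        elif f[0] == "access-list" and "permit" in f and f[-2:] == ["any", "any"]:
            cfg.open_acls.add(f[1])
        elif f[0] == "access-group" and len(f) >= 5 and f[2] == "in":
            cfg.applied[f[4]] = f[1]
        elif f[0] in ("ssh", "telnet") and len(f) == 4 and f[1] == f[2] == "0.0.0.0":
            cfg.mgmt_any.append((f[0], f[3]))
        elif f[:2] == ["snmp-server", "community"] and len(f) >= 3:
            cfg.communities.append(f[2])
    return cfg


def lint(cfg):
    """Return (severity, code, message) tuples; codes are stable so they can be asserted on."""
    out = []
    for in_if, out_if, proto, mapped, real in cfg.statics:
        out_addr = cfg.interfaces.get(out_if)
        if proto is None and out_addr is not None and mapped == str(out_addr.ip):
            out.append(("high", "STATIC_ON_INTERFACE_ADDRESS",
                        f"one-to-one static hands every port of the {out_if} address {mapped} to {real}, "
                        f"management sessions to {mapped} included; use a port redirect instead: "
                        f"static ({in_if},{out_if}) tcp interface 80 {real} 80 netmask 255.255.255.255 0 0"))
        in_net = cfg.interfaces.get(in_if)
        try:
            inside_ok = in_net is not None and ipaddress.IPv4Address(real) in in_net.network
        except ValueError:
            inside_ok = False
        if not inside_ok:
            out.append(("high", "STATIC_REAL_NOT_ON_INSIDE",
                        f"real address '{real}' is not a host on the {in_if} network; the static is malformed"))
    for iface, acl in cfg.applied.items():
        if acl in cfg.open_acls:
            out.append(("high", "ACL_PERMIT_ANY_ANY",
                        f"access-list {acl} on {iface} permits any->any, so every static is fully exposed"))
    for service, iface in cfg.mgmt_any:
        out.append(("high", "MGMT_FROM_ANYWHERE",
                    f"{service} on {iface} is open to 0.0.0.0/0; restrict it to known source addresses"))
    for community in cfg.communities:
        if community.lower() in ("public", "private"):
            out.append(("medium", "SNMP_DEFAULT_COMMUNITY",
                        f"snmp-server community '{community}' is a well-known default; change or remove it"))
    for nat_id in sorted(cfg.nat_ids - cfg.global_ids - {"0"}):   # nat 0 needs no global
        out.append(("high", "NAT_WITHOUT_GLOBAL",
                    f"nat id {nat_id} has no matching global; outbound traffic gets no translation"))
    return out


def codes(text):
    """Sorted finding codes for a config text, handy for comparing before/after edits."""
    return sorted({code for _, code, _ in lint(parse(text))})


if __name__ == "__main__":
    for severity, code, msg in lint(parse(SAMPLE_CONFIG)):
        print(f"[{severity}] {code}: {msg}")
```

Run against the constructed sample it reports the four findings a reviewer would raise on the posted config; swapping the one-to-one static for the port-level `tcp interface 80` form clears the static finding while leaving 172.16.1.2's other ports with the PIX itself.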
 
I will look at my old config tomorrow---had the same problem with version 6.3

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
1) Are you double-NATing on purpose??
2) Have you verified that the ports are open on the wireless router??
3) Enable logging to see what the PIX sees

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Burt..... Thanks for being here. I really appreciate the work I see you put in. Cheers and nice signature. I passed 2 of 8 MCSE and said "NAH!"

(x.x.x.x) .... cable modem
|
(x.x.x.x<>172.16.1.1) ...... Wireless router
|
(172.16.1.2<>192.168.1.1) ...... PIX
|
192.168.1.100:80 ......
UNCLERICO - Thanks, yes I am double NATing because of Charter Cable. I am getting a broadcast storm with the PIX when I set the outside (eth0) to dhcp or set outside to static (my leased IP). I really haven't tapped the wire, but from Google, it's DHCP replay.

I have my laptop (172.168.1.3) in between the wireless router and the PIX to port scan and see if the PIX is putting up the port. I am able to forward SSH (22) all the way up and access from work.

Behind the PIX I have apache on 192.168.1.100.

I have tried this too and it doesn't work:

static (inside,outside) 172.16.1.2 255.255.255.255 0 0
 
just to verify again, you have in fact opened/forwarded the tcp/80 to the PIX??

 
I had to do a nonat acl and point the NAT to it. The global PAT looks fine...here's my config---this was from a site-to-site lab between a PIX and a router (2620). You can get the idea by looking at the interface, acl, nat, and global config lines, as well as the statics.

PIX# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 lan security99
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
enable password uxWwEdchZpppPhh9 encrypted
passwd TdMf.2OhaPbPeCCM encrypted
hostname PIX
domain-name sms.stlouis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service standard-ports tcp
access-list ping permit icmp any any unreachable
access-list ping permit icmp any any echo
access-list ping permit icmp any any echo-reply
access-list ping permit icmp any any time-exceeded
access-list ping permit icmp any any source-quench
access-list ping permit ip any any
access-list ping permit tcp any any
access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu lan 1500
mtu intf3 1500
mtu intf4 1500
ip address outside 11.1.1.1 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address lan 192.168.69.94 255.255.255.0
no ip address intf3
no ip address intf4
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address lan
no failover ip address intf3
no failover ip address intf4
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 192.168.69.108 255.255.255.255 lan
pdm history enable
arp timeout 14400
global (outside) 1 11.1.1.3
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
access-group ping in interface outside
access-group ping in interface inside
access-group ping in interface lan
route outside 0.0.0.0 0.0.0.0 11.1.1.2 1
route outside 12.1.1.0 255.255.255.252 11.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.69.108 255.255.255.255 lan
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set timmay esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map sms 21 ipsec-isakmp
crypto map sms 21 match address ipsec
crypto map sms 21 set peer 13.1.1.2
crypto map sms 21 set transform-set timmay
crypto map sms interface outside
isakmp enable outside
isakmp key ******** address 13.1.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet 13.1.1.0 255.255.255.248 outside
telnet 11.1.1.2 255.255.255.255 inside
telnet 192.168.69.108 255.255.255.255 lan
telnet 11.1.1.2 255.255.255.255 lan
telnet 192.168.69.0 255.255.255.0 lan
telnet 11.1.1.2 255.255.255.255 intf3
telnet 11.1.1.2 255.255.255.255 intf4
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 13.1.1.0 255.255.255.248 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 lan
ssh 192.168.69.108 255.255.255.255 lan
ssh 192.168.69.0 255.255.255.0 lan
ssh timeout 5
console timeout 0
username r00t password gmBe62bV3ETKY/fA encrypted privilege 15
username t1mm4y password tO5/7qGtcwh7.m3H encrypted privilege 15
username timm password eM8dEPUywGngFBn8 encrypted privilege 15
terminal width 80
Cryptochecksum:aa1d62e564004d7bfbfeb146ef423d99
: end

 
And BTW, listen to Uncle---he's the one that helped me solve my dilemma...

 
Oh yeah, as Uncle pointed out, set the modem in bridge mode, or do not NAT in the PIX, if the modem is NATting...

 
Thanks BURT!!!!

UNCLE........ I switched to this:

static (inside,outside) 172.16.1.2 255.255.255.255 0 0

When I PAT'd like this:

static (inside,outside) 172.16.1.2 192.168.1.100 netmask 255.255.255.255 0 0

I lost SSH on outside. I will test it when I get home.

THANKS GUYS!
 
UNCLE: Will check that port 80 is open on inside. Windows firewall might have it closed.

BURT:
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

I can see the "nonat", but this will allow the PAT on the outside to the inside on port 80????

I also noticed there is no "access-group" statement for "nonat"...... I am a newbie, but just something I saw.

Also observed this:
access-list ping permit tcp any any
You put the ACL on inside, outside and lan........... Wouldn't that kind of let TCP's hair down on the firewall.

I don't know if I lost you guys in what I was trying to accomplish, I am trying to open 80 from the inside.

Thanks!
 
The access-list for nonat is only for NAT/PAT, not to filter traffic. So you will not see a nonat access-group on an interface.

This was in a lab. I was trying ultimately to ping the inside and outside interfaces from their other sides, i.e. ping outside interface from the inside LAN nodes, and vice-versa.

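To make the point about the nonat ACL concrete, here is an added example (my own code, not from the thread or from Cisco) that models the PIX 6.3 translation order for a packet: NAT exemption from `nat (inside) 0 access-list nonat` first, then a static, then the dynamic nat/global pair. The rule set is constructed in the shape of the lab config above (the nonat ACL, nat id 1 with global 11.1.1.3) plus one hypothetical static, `static (inside,outside) 11.1.1.5 10.1.1.5`, that is not in the posted config and exists only so the static step has something to match. The nonat ACL is consulted only here, in the translation decision; whether the packet is then permitted is a separate question answered by the access-group on the receiving interface, which is why no access-group references nonat.

```python
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network

# Constructed rule set modelled on the lab config above:
#   access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
#   nat (inside) 0 access-list nonat
#   nat (inside) 1 10.1.1.0 255.255.255.0 0 0  +  global (outside) 1 11.1.1.3
# plus one hypothetical static (not in the posted config):
#   static (inside,outside) 11.1.1.5 10.1.1.5 netmask 255.255.255.255
NONAT = [(NET("10.1.1.0/24"), NET("10.2.2.0/24"))]   # (local, remote) pairs from the nonat ACL
STATICS = {IP("10.1.1.5"): IP("11.1.1.5")}           # real -> mapped
DYNAMIC = [(NET("10.1.1.0/24"), IP("11.1.1.3"))]     # nat id 1 -> global id 1 (PAT address)


def outbound(src, dst, nonat=NONAT, statics=STATICS, dynamic=DYNAMIC):
    """Translation chosen for a packet entering on inside and leaving on outside.
    PIX 6.3 order of operations: NAT exemption, then static, then dynamic nat/global.
    Returns (kind, translated_source)."""
    s, d = IP(src), IP(dst)
    for local, remote in nonat:                  # 1. nat 0 access-list: exempt, source kept as-is
        if s in local and d in remote:
            return ("exempt", src)
    if s in statics:                             # 2. static: fixed mapped address
        return ("static", str(statics[s]))
    for real, pat_addr in dynamic:               # 3. nat/global: PAT behind the global address
        if s in real:
            return ("pat", str(pat_addr))
    return ("drop", None)                        # no translation group found: PIX drops it


def inbound(src, dst, nonat=NONAT, statics=STATICS):
    """Translation for a connection arriving on outside. A dynamic PAT address never
    accepts unsolicited inbound traffic; only an exemption or a static can.
    Returns (kind, translated_destination)."""
    s, d = IP(src), IP(dst)
    for local, remote in nonat:                  # exemption matches in both directions
        if d in local and s in remote:
            return ("exempt", dst)
    reverse = {mapped: real for real, mapped in statics.items()}
    if d in reverse:                             # static gives the inside host a fixed address
        return ("static", str(reverse[d]))
    return ("drop", None)                        # nothing to translate to: dropped before any ACL


if __name__ == "__main__":
    for pkt in [("10.1.1.7", "10.2.2.9"), ("10.1.1.5", "198.51.100.1"), ("10.1.1.7", "198.51.100.1")]:
        print("outbound", pkt, "->", outbound(*pkt))
    for pkt in [("198.51.100.1", "11.1.1.5"), ("198.51.100.1", "11.1.1.3"), ("10.2.2.9", "10.1.1.7")]:
        print("inbound ", pkt, "->", inbound(*pkt))
```

The inbound cases are the ones relevant to the port-80 question: traffic to the global PAT address 11.1.1.3 has no translation to land on and is dropped, while traffic to the static's mapped address reaches the inside host and is then filtered by the outside access-group. The exemption only matters for the 10.2.2.0/24 peer on the tunnel and does nothing for an outside client.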
 
I noticed the PING ACL's........hehe......... mine now.

LOL
 