
PIX and NATs, I'm guessing 2

OHSR (MIS) - May 5, 2004
Hey all,
This is my first post on this forum, so please go easy. My question is, I'm guessing, related to the NAT setup on the PIX (PIX515). I'm sure this is simple, but I cannot ping the other outside (internet) IPs of other servers in our organization. They all have static setups with their own IPs. I'll try and diagram below:

Server1 internal: 192.168.0.2 Internet IP: 63.63.63.182
Server2 internal: 192.168.0.3 Internet IP: 63.63.63.183

Server1 cannot ping Server2 with "ping 63.63.63.183"

Both are setup as:

static (inside,outside) 63.63.63.182 192.0.0.2 netmask 255.255.255.255 0 0

static (inside,outside) 63.63.63.183 192.0.0.3 netmask 255.255.255.255 0 0

Neither has any other errors. I am not good at all with understanding static NAT. Any help is appreciated.

Thanks in advance!
 
Can you post your "sh tech"?

FYI

On a PIX you have to explicitly allow ICMP through... you can use:

conduit permit icmp any any
But Cisco doesn't recommend this any more,

so you should use an access-list:

access-list 110 permit icmp any any echo-reply

and bind this to your outside interface incoming with

access-group 110 in int outside
 
It's not so much the ICMP traffic I'm worried about; basically I'm trying to set up another email server for tech users, but it is unable to send to the existing mail server because of this.
 
Also, I already tried "conduit permit icmp any any", just trying to get a ping through.
 
Unfortunately this is just the way the PIX works. You cannot have a host on the inside access the public IP of another host that is NAT'ed. I'm not sure of the exact reason why, but probably because the outside interface would have to route packets to itself in some weird way.
 
OK, post your access-lists! Could be to do with that. AFAIK your NAT config looks OK (bar the IP addresses?).
 
Is that right?

Can you not ping the public IP of a server within a DMZ from inside your trusted network (private IP)?
 
Access-list:
access-list 110 permit ip host 63.63.63.178 10.240.0.0 255.248.0.0
 
So what other options do I have here? It's not a huge security risk; the new box is simply a *nix Apache webserver/Postfix mail server, and doesn't need to be behind the firewall in my opinion. But this is the only way I know of getting it out, since all internet traffic is running through the PIX. Any thoughts?
 
Your IP addresses are all different?
Post your access-group command also.
 
For the sake of the company I changed the listed IP in the access-list I posted before. No access-groups set up.

We have plenty of extra public IPs, so I just NAT one to the new server. If it is not possible to hit the public IPs using a PIX, as smikes stated, then I'm out of luck here, I'm guessing, since the PIX is the gateway here.

Also, sorry for the typing skill; I'm too tired to be correct in typing (using shift and such).
 
Don't worry about your grammar :)

OK on your IP addresses, but your private IPs are all different; that is what I was curious about!

As for access-groups, you have to bind access-lists to an interface or they become meaningless!

Try this:

access-group 110 in int outside
 
Thanks for the help.

As for the access-list: it's not in use. It was for a VPN that no longer exists.
 
Yeah... read the link.

You need access-lists or you cannot do what you want! As I said before:

" Unfortunately this is just the way the PIX works. You cannot have a host on the inside access the public IP of another host that is NAT'ed. I'm not sure of the exact reason why, but probably because the outside interface would have to route packets to itself in some weird way."

PIXes do not route (generally)!

PIXes stop all traffic coming into your network as a rule; if you do not use an access-list to allow traffic, you will not be able to connect at any layer!
 
I would advise you to do a "sh tech", remove your public IP addresses and then post the config here, so we know exactly what you have going rather than guessing; then someone here WILL know the answer!
 
But using the access-list (see below) will still not allow access between the internal servers using public IPs. It should just open it wide open through the PIX, correct?

Applied using addressing in first post:

access-list 101 permit tcp any host 63.63.63.183
access-group 101 in interface outside

with:

static (inside,outside) 63.63.63.183 192.0.0.3 netmask 255.255.255.255 0 0

 
Not that I truly care... but I did snip and change the public IPs; internals are the actual ones:

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Fri 07-Jun-02 17:49 by morlee

becker up 2 days 2 hours

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.54ff.7eec, irq 10
1: ethernet1: address is 0050.54ff.7eed, irq 7
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

Serial Number: 480211070 (0x1c9f707e)
Running Activation Key: 0x723141bc 0x56ed6aea 0x1b0deae2 0xef033fb4
Configuration last modified by enable_15 at 20:44:34.986 GMT Wed May 5 2004

------------------ show config (run time) ------------------

:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100


hostname work
domain-name work.com
clock timezone GMT 0
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 110 permit ip host 63.63.63.178 10.240.0.0 255.248.0.0
access-list 101 permit tcp any host 63.63.63.185
pager lines 24
logging on
logging trap emergencies
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 63.63.63.162 255.255.255.224
ip address inside 192.168.10.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.255 inside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.10.1 255.255.255.255 inside
pdm location 192.168.10.21 255.255.255.255 inside
pdm location 192.168.10.23 255.255.255.255 inside
pdm location 192.168.10.24 255.255.255.255 inside
pdm location 192.168.10.25 255.255.255.255 inside
pdm location 192.168.10.26 255.255.255.255 inside
pdm location 192.168.10.27 255.255.255.255 inside
pdm location 192.168.10.28 255.255.255.255 inside
pdm location 192.168.10.29 255.255.255.255 inside
pdm location 192.168.10.30 255.255.255.255 inside
pdm location 192.168.10.35 255.255.255.255 inside
pdm location 192.168.10.51 255.255.255.255 inside
pdm location 192.168.10.53 255.255.255.255 inside
pdm location 192.168.10.54 255.255.255.255 inside
pdm location 192.168.10.119 255.255.255.255 inside
pdm location 192.168.11.90 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.240.0.0 255.248.0.0 outside
pdm location 192.168.11.0 255.255.255.0 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 192.168.16.0 255.255.255.0 outside
pdm location 192.168.11.21 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 63.63.63.190 netmask 255.255.255.224
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (inside,outside) 63.63.63.164 192.168.10.35 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.165 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.166 192.168.10.23 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.167 192.168.10.24 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.168 192.168.10.25 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.169 192.168.10.26 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.170 192.168.10.27 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.171 192.168.10.28 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.172 192.168.10.29 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.174 192.168.10.53 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.175 192.168.10.54 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.178 192.168.10.51 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.179 192.168.11.90 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.180 192.168.10.30 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.163 192.168.10.21 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.185 192.168.11.21 netmask 255.255.255.255 0 0
access-group 101 in interface outside
conduit permit udp host 63.63.63.163 eq 3306 any
conduit permit tcp host 63.63.63.163 eq 3306 any
conduit permit tcp host 63.63.63.163 eq conduit permit tcp host 63.63.63.163 eq https any
conduit permit tcp host 63.63.63.163 eq smtp any
conduit permit tcp host 63.63.63.163 eq pop3 any
conduit permit tcp host 63.63.63.165 eq telnet any
conduit permit tcp host 63.63.63.164 eq conduit permit tcp host 63.63.63.164 eq https any
conduit permit tcp host 63.63.63.185 any
route outside 0.0.0.0 0.0.0.0 63.63.63.161 1
route inside 192.168.0.0 255.255.0.0 192.168.10.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 204.123.2.5 source outside prefer
ntp server 192.5.5.250 source outside
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat

telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.1.10 255.255.255.255 inside
telnet 192.168.1.1 255.255.255.255 inside
telnet 192.168.10.1 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
terminal width 80
Cryptochecksum:1453e13btrye4537f856efhb28b67c1ac016d

------------------ show blocks ------------------

SIZE MAX LOW CNT
4 1600 1598 1599
80 400 392 400
256 500 498 500
1550 932 580 674
2560 200 196 199

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0050.54ff.7eec
IP address 63.63.63.162, subnet mask 255.255.255.224
MTU 1500 bytes, BW 10000 Kbit half duplex
2657563 packets input, 1211152522 bytes, 0 no buffer
Received 16722 broadcasts, 0 runts, 0 giants
20 input errors, 0 CRC, 0 frame, 20 overrun, 0 ignored, 0 abort
2059352 packets output, 336105754 bytes, 0 underruns
0 output errors, 2860 collisions, 0 interface resets
0 babbles, 0 late collisions, 31640 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/3)
output queue (curr/max blocks): hardware (0/6) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0050.54ff.7eed
IP address 192.168.10.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
2224895 packets input, 354581841 bytes, 0 no buffer
Received 97515 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2627667 packets output, 1227620889 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/3)
output queue (curr/max blocks): hardware (0/27) software (0/2)
 
OK, I was wrong... I thought you had a DMZ going (515), but now I see you don't (smikes was right)... yeah, you can't redirect traffic through the same interface on a PIX, so you can't ping one server on private from another on the same private network using the public IP through the same interface!!

Sorry mate!

There is a way though, called alias, but I am not sure how that works right now.
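The two points the replies settle (an inside host reaching another inside host's public static is a same-interface hairpin the PIX will not forward, and the "permit tcp any host" line applied to the mail server opens every TCP port from anywhere) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; it parses a constructed excerpt in the same PIX 6.2 syntax as the posted "sh tech", using the sanitized 63.63.63.x addresses from the thread. The interface names and the hypothetical helper names (parse_statics, classify_flow, overly_broad_acls) are my own.

```python
import re

# Constructed excerpt in the format of the PIX 6.2 config posted in this thread
# (the sanitized 63.63.63.x addresses from the thread, not real ones).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 110 permit ip host 63.63.63.178 10.240.0.0 255.248.0.0
access-list 101 permit tcp any host 63.63.63.183
static (inside,outside) 63.63.63.182 192.168.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 63.63.63.183 192.168.0.3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (any|host \S+|\S+ \S+) "
                    r"(any|host \S+|\S+ \S+)(?: eq (\S+))?$")


def parse_statics(config):
    """Map each global (public) IP to (real_if, mapped_if, local_ip) from 'static' lines."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, global_ip, local_ip, _mask = m.groups()
            statics[global_ip] = (real_if, mapped_if, local_ip)
    return statics


def classify_flow(config, src_if, dst_ip):
    """Say what happens to a packet entering on src_if bound for dst_ip.

    'hairpin' means dst_ip is the public side of a static whose real interface
    is src_if itself: PIX 6.x will not send traffic back out the interface it
    arrived on, so the inside host must use the local address (or DNS doctoring
    via the alias command the thread mentions) rather than the public one."""
    hit = parse_statics(config).get(dst_ip)
    if hit and hit[0] == src_if:
        return "hairpin", f"{src_if}->{hit[1]}->{src_if} is not forwarded; use {hit[2]}"
    if hit:
        return "inbound", f"translated to {hit[2]} on {hit[0]}, subject to the {src_if} ACL"
    return "outbound", "ordinary outbound flow via nat/global"


def overly_broad_acls(config):
    """Flag permit entries that open every port of a protocol from any source,
    like the 'permit tcp any host' line the thread applies to the mail server."""
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(3) == "any" and m.group(5) is None and m.group(2) != "icmp":
            findings.append(f"{m.group(1)}: {m.group(2)} any -> {m.group(4)}, all ports")
    return findings
```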
 