Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Trying to set up a configuration for a pix firewall

Status
Not open for further replies.
nlraley

nlraley

Technical User
Sep 21, 2009
36
US
I am trying to set up a pix firewall to take anything from the outside directed to a particular static public ip and forward that traffic to a specific server on the other side of the firewall.

Looking at the server's ip information when it obtains an ip address automatically it is hitting the pix firewall and the pix is performing the dhcp and handing out an ip address from the pool of addresses it is assigned. Looking into the pix settings it is set up as a dhcp server to pull from a pool of ip's.

Now, if I try to manually force an ip address of one of the available ip's, one that the pix had already given the server before, set up the default gateway and everything identical do the way it was set up when it received everything automatically, I have internet connectivity for a few minutes then it drops everything and I just have local connection.

Why am I not able to force the ip of the server to that static IP so I know it has that ip every time? If everything is set up identical to the way it was set up when obtaining everything automatically, why is it not working when I set up the exact same setting with the ip of the server machine being forced?

Is there any way to do this? I thought it would be as simple as going to the server's ip configuration and setting the private IP address, the subnet mask, default gateway and the DNS servers the same as they were when everything was pulled automatically.

If I can figure this last step out, as to why it is behaving this way, the rest of my configurations should be okay.

Any ideas?
 
Sort by date Sort by votes
Make sure your pix config lists the static server IP as excluded from the DHCP pool.
Once that is done and there aren't any ip conflicts, you should be ok.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
I am assuming it isn't capable of assigning ip's based on mac addresses or anything like a normal dhcp server would right?

So I'd have to have an entry like:
dhcp address 192.168.1.100-192.168.1.151
dhcp address 192.168.1.153-190

that correct or can I do it all like this:
dhcp address 192.168.1.100-192.168.1.151 192.168.1.153-192.168.1.190

Also, I went through and forced a 152 address and now the connection icon is showing as connected to the internet and it is connecting to the client "login" application like it is supposed to, but the end user cannot connect to the server from the outside. So connection is working fine on the inside out to it but not working properly from the outside in. Any ideas?
 
Upvote 0 Downvote
One other thing.

I realized I had created my access-list but totally forgot to apply it to the outside interface.

Assuming I have this:

access-list outside_access_in
access-list outside_access_in permit tcp any host xxx.xxx.xxx.xxx
access-list outside_access_in permit udp any host xxx.xxx.xxx.xxx

static (inside,outside) xxx.xxx.xxx.xxx aaa.aaa.aaa.aaa netmask 255.255.255.255 0 0

where aaa.aaa.aaa.aaa is the ip of my server, then everything coming from the outside to xxx.xxx.xxx.xxx will be forwarded to the machine at aaa.aaa.aaa.aaa correct?

I need tcp, udp, and html and shtml to be allowed to pass to and from the server machine on the other side of the firewall.
 
Upvote 0 Downvote
This line below is doing nothing.
access-list outside_access_in

I am not sure if that was the line you were trying to apply the access-list with, but try this:

access-group outside_access_in in interface outside.

 
Upvote 0 Downvote
Yea, that was from me copying and pasting the lines. It was listing the access-list's name and then the lines within the access list.

Do I need to the do address range in 2 separate lines or can I do it all in one line.

Also, can you have multiple acl's applied to an interface? I tried adding that line to the inside and outside interfaces and it shut down internet for all the computers inside the firewall. Nothing listed in that acl seems to indicate it would do such a thing.

Also, is there a way to see what acl's are applied to a particular interface?
 
Upvote 0 Downvote
access-list outside_access_in permit tcp any (subnet)

You are only allowing connections from the outside to come back in to two servers...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Upvote 0 Downvote
That was what I was wanting right?

I'm wanting to allow any connections from the outside directed to that public IP I have set up in to the firewall where I have a static route sending anything directed to that public ip to the private ip of the server machine.
 
Upvote 0 Downvote
This isn't the only access list I have here.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
269
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
287
Johnkite
Johnkite
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
237
XLNTech1
XLNTech1
Sparrow4
  • Locked
  • Question
AnyConnect + Azure + SAML
Replies
0
Views
230
Sparrow4
Sparrow4
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
110
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top