
Pix 501 Config issue. NAT I think!!

  • 20-07-2010 6:29pm
    #1
    Registered Users Posts: 919 ✭✭✭


    Hi all,

    I've taken over looking after a PIX501 - I know it's a discontinued baby in the Cisco world, but I've limited experience with them.

    The setup is very basic: an external range of 4 IPs, 2 usable, 1 on the router and 1 on the outside of the PIX.

    Before I came along no access rules existed, there was no remote access and email was POP3.

    So I added the following lines to my config (bear in mind that everything on 192.168.0.0/24 had internet access on all ports before my changes):

    static (inside,outside) MY_PUBLIC_IP 192.168.0.3 netmask 255.255.255.255
    access-list acl_out permit tcp host SPAM_FILTER1 host MY_PUBLIC_IP eq smtp
    access-list acl_out permit tcp host SPAM_FILTER2 host MY_PUBLIC_IP eq smtp
    access-list acl_out permit tcp any host MY_PUBLIC_IP eq 1723
    access-list acl_out permit gre any host MY_PUBLIC_IP
    access-group acl_out in interface outside

    Everything worked great: I had SMTP only from my external spam filters, PPTP access, and could browse the web from the server 192.168.0.3.

    The bad, however: nothing else on 192.168.0.0/24 could access the net. I removed
    static (inside,outside) MY_PUBLIC_IP 192.168.0.3 netmask 255.255.255.255 and happy days, my access lists worked and internet access was restored to the local subnet.

    Today I rebooted the PIX501 and my ACLs stopped working: no mail or PPTP connections, and from what I could see nothing had changed. Now for my fix/workaround: I added and removed the following line
    static (inside,outside) MY_PUBLIC_IP 192.168.0.3 netmask 255.255.255.255 and happy days, everything was back to the way it was.

    I know this isn't right, as a reload of the PIX will stop everything again. I have a global NAT setup as follows:

    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    My best guess is that this conflicts with the static NAT, and that when I add the static the ACL works, and when I remove it the global kicks back in but the static still hangs around somewhere!


Comments

  • Registered Users Posts: 919 ✭✭✭ n0brain3r


    OK, I got it figured out, if anyone is interested.

    I needed to add the static NAT entries like this:

    static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface 1723 192.168.0.3 1723 netmask 255.255.255.255

    I'm guessing I could sub my public IP where it says interface above?

    And I changed
    nat(inside) 1 0.0.0.0 255.255.255.0
    to
    nat(inside) 1 192.168.0.0 255.255.255.0

    The 192.168.0.0/28 subnet still has internet access and SMTP & PPTP still work after a reload :D


  • Registered Users Posts: 2,787 ✭✭✭ accensi0n


    n0brain3r wrote: »
    Ok I got it figured out if anyone is interested

    I needed to add the static nat entries like this

    static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.0.3 1723 netmask 255.255.255.255

    They're not really true static NAT entries. They're port forwarding requests to the IP address of the outside interface to 192.168.0.3.

    Your original entry should work once the public IP address is not one of the addresses assigned to the PIX or router.

    static (inside,outside) MY_PUBLIC_IP 192.168.0.3 netmask 255.255.255.255
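The NAT interaction the posts describe can be checked mechanically rather than by adding and removing a static after every reload. The script below is an added example, not code from the thread or from Cisco: it parses the static / access-list / global / nat lines the posts use and flags the two situations described above: a one-to-one static that claims the outside interface address while "global (outside) 1 interface" also needs that address for PAT (the first post's symptom, every other inside host losing internet access), and an outside ACL permit to an address/port that nothing translates (the after-reload symptom, ACL entries that no longer do anything). The outside interface address 203.0.113.2, the spam-filter addresses, and the three sample configs are constructed for the demonstration; the analyze() and severities() functions are this example's own.

```python
"""Checker for the PIX 6.x NAT/ACL interaction discussed in this thread.

Added example, not code from the thread or from Cisco. Sample configs and
the addresses in NAMES / OUTSIDE_IP are constructed (TEST-NET ranges).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Placeholder names used in the thread, resolved to constructed addresses.
NAMES = {"MY_PUBLIC_IP": "203.0.113.2",
         "SPAM_FILTER1": "198.51.100.10", "SPAM_FILTER2": "198.51.100.11"}
OUTSIDE_IP = "203.0.113.2"   # constructed: address on the PIX outside interface

# Only the statement shapes the posts use; port statics must be tried first.
STATIC_PORT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_1TO1 = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL = re.compile(r"^access-list (\S+) permit (\S+) (?:host \S+|any) host (\S+)(?: eq (\S+))?$")
GLOBAL = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT = re.compile(r"^nat ?\((\w+)\) (\d+) (\S+) (\S+)")


@dataclass
class Static:
    mapped: str            # public-side address, already resolved
    real: str              # inside host
    proto: Optional[str]   # None = one-to-one static (all ports)
    port: Optional[str]


@dataclass
class Finding:
    severity: str          # "high", "medium" or "info"
    line: str
    message: str


def analyze(config: str, outside_ip: str = OUTSIDE_IP, names: dict = NAMES) -> list[Finding]:
    def resolve(tok: str) -> str:
        return outside_ip if tok == "interface" else names.get(tok, tok)

    statics, acls, findings = [], [], []
    pat_on_interface = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_PORT.match(line):
            statics.append((Static(resolve(m[4]), m[6], m[3], m[5]), line))
        elif m := STATIC_1TO1.match(line):
            statics.append((Static(resolve(m[3]), m[4], None, None), line))
        elif m := ACL.match(line):
            acls.append((m[2], resolve(m[3]), m[4], line))
        elif m := GLOBAL.match(line):
            pat_on_interface |= m[1] == "outside" and m[3] == "interface"
        elif m := NAT.match(line):
            if m[3] == "0.0.0.0" and m[4] == "0.0.0.0":
                findings.append(Finding("info", line,
                    "nat matches any source; restrict it to the inside subnet"))
    # Check 1: a one-to-one static on the interface address consumes it entirely,
    # so 'global (outside) N interface' has no address left for the other hosts.
    for s, line in statics:
        if s.proto is None and s.mapped == outside_ip and pat_on_interface:
            findings.append(Finding("high", line,
                "one-to-one static claims the outside interface address; "
                "PAT for every other inside host stops working (use port statics)"))
    # Check 2: an outside ACL permit to an address/port that no static translates
    # lets the packet in but gives it nowhere to go.
    for proto, dst, port, line in acls:
        covered = any(s.mapped == dst and (s.proto is None or (s.proto == proto and s.port == port))
                      for s, _ in statics)
        if not covered:
            findings.append(Finding("medium", line,
                f"no static translates {dst} {proto}{'/' + port if port else ''}; "
                "the permit is inert unless a protocol inspection handles it"))
    return findings


# Constructed sample configs built from the lines quoted in the thread.
ACL_BLOCK = """\
access-list acl_out permit tcp host SPAM_FILTER1 host MY_PUBLIC_IP eq smtp
access-list acl_out permit tcp host SPAM_FILTER2 host MY_PUBLIC_IP eq smtp
access-list acl_out permit tcp any host MY_PUBLIC_IP eq 1723
access-list acl_out permit gre any host MY_PUBLIC_IP
access-group acl_out in interface outside
global (outside) 1 interface
"""
ORIGINAL = ("static (inside,outside) MY_PUBLIC_IP 192.168.0.3 netmask 255.255.255.255\n"
            + ACL_BLOCK + "nat (inside) 1 0.0.0.0 0.0.0.0 0 0\n")
STATIC_REMOVED = ACL_BLOCK + "nat (inside) 1 0.0.0.0 0.0.0.0 0 0\n"
FIXED = ("static (inside,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255\n"
         "static (inside,outside) tcp interface 1723 192.168.0.3 1723 netmask 255.255.255.255\n"
         + ACL_BLOCK + "nat (inside) 1 192.168.0.0 255.255.255.0\n")


def severities(config: str) -> dict[str, int]:
    """Count findings per severity, for a quick pass/fail on a config."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in analyze(config):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL), ("static removed", STATIC_REMOVED), ("fixed", FIXED)]:
        print(f"== {label}: {severities(cfg)}")
        for f in analyze(cfg):
            print(f"  [{f.severity}] {f.line}\n      {f.message}")
```

Run against the three sample configs, the original layout produces one high finding (the static on the interface address) plus the over-broad nat note, the "static removed" layout produces four medium findings (each ACL permit now points at an address with no translation), and the fixed layout produces only a medium note on the gre permit, which the port statics do not cover and which the PIX's PPTP inspection is relied on to handle.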


  • Registered Users Posts: 919 ✭✭✭ n0brain3r


    Thanks for the input.

    The site only has 2 usable IPs: one for the router and one for the PIX.

    From what you're saying, if I come across a PIX in future with more available public IPs on its subnet, my original static would work to assign a specific public IP to a private IP, and all ports would be forwarded and only allowed based on access lists?

    The static statements I used will work in either case, but only to map the PIX's outside to a private IP, and need the port number specified in the statement too?

