From: Clubb, Steven (sclubb@kpmg.com)
Date: Mon Dec 02 2002 - 15:50:14 GMT-3
Are the internal users trying to get to the Lotus Notes Server via
202.104.158.134 or 192.168.3.12? If via the 202 address, you'll need an
alias command.
-----Original Message-----
From: George Louis [mailto:jlouis08@yahoo.com]
Sent: Monday, December 02, 2002 11:34 AM
To: ccielab@groupstudy.com
Subject: NAT Problem on PIX 515 Firewall
I have NAT configrued on a Pix 515 which is NAT'ing 1 server 202.104.158.134
to internal ip 192.168.3.12.
The nating works fine when coming into the network from outside accessing
lotus notes server 202.104.158.134.
However, Users on the inside (192.168.0.0) cannot access the lotus notes
server at all. Anyone already figured this one out before?
Config:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.0.0 255.255.0.0 any
access-list 102 permit tcp any host 202.104.158.134 eq smtp
access-list 102 permit tcp any host 202.104.158.134 eq lotusnotes
access-list 102 permit tcp any host 202.104.158.134 eq gopher
access-list 102 permit tcp any host 202.104.158.134 eq citrix-ica
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
icmp permit 192.168.3.0 255.255.255.0 echo-reply outside
icmp permit 202.104.158.0 255.255.255.0 echo-reply outside
icmp permit 192.168.3.0 255.255.255.0 echo-reply inside
icmp permit 202.104.158.0 255.255.255.0 echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 202.104.158.135 255.255.255.128
ip address inside 192.168.3.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 192.168.3.69 255.255.255.255 inside
pdm location 192.168.48.0 255.255.255.0 inside
pdm location 192.168.3.12 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 202.104.158.140
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (inside) 1 192.168.48.0 255.255.255.0 0 0
static (inside,outside) 202.104.158.134 192.168.3.12 netmask 255.255.255.255
0 0
static (outside,inside) 192.168.3.12 202.104.158.134 netmask 255.255.255.255
0 0
access-group 102 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 202.104.158.254 1
route inside 192.168.5.0 255.255.255.0 192.168.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.3.69 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
*****************************************************************************
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:38 GMT-3