From: Neil Moore (neil@droopy.com)
Date: Mon Dec 02 2002 - 16:13:44 GMT-3
Hey there,
try using the Alias command to map the public address to the private for
internal users.
----------------------------------------
Neil Moore CCIE#10044
----- Original Message -----
From: "George Louis" <jlouis08@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Monday, December 02, 2002 1:34 PM
Subject: NAT Problem on PIX 515 Firewall
> I have NAT configured on a PIX 515 which is NAT'ing 1 server 202.104.158.134
> to internal IP 192.168.3.12.
>
> The NATing works fine when coming into the network from outside accessing
> the Lotus Notes server 202.104.158.134.
>
> However, users on the inside (192.168.0.0) cannot access the Lotus Notes
> server at all. Anyone already figured this one out before?
>
> Config:
>
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
>
> names
>
> access-list 101 permit ip 192.168.0.0 255.255.0.0 any
> access-list 102 permit tcp any host 202.104.158.134 eq smtp
> access-list 102 permit tcp any host 202.104.158.134 eq lotusnotes
> access-list 102 permit tcp any host 202.104.158.134 eq gopher
> access-list 102 permit tcp any host 202.104.158.134 eq citrix-ica
>
> pager lines 24
> logging buffered debugging
> interface ethernet0 auto
> interface ethernet1 auto
> icmp permit 192.168.3.0 255.255.255.0 echo-reply outside
> icmp permit 202.104.158.0 255.255.255.0 echo-reply outside
> icmp permit 192.168.3.0 255.255.255.0 echo-reply inside
> icmp permit 202.104.158.0 255.255.255.0 echo-reply inside
> mtu outside 1500
> mtu inside 1500
> ip address outside 202.104.158.135 255.255.255.128
> ip address inside 192.168.3.5 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
>
> pdm location 192.168.5.0 255.255.255.0 inside
> pdm location 192.168.3.69 255.255.255.255 inside
> pdm location 192.168.48.0 255.255.255.0 inside
> pdm location 192.168.3.12 255.255.255.255 inside
> pdm history enable
> arp timeout 14400
> global (outside) 1 202.104.158.140
> nat (inside) 1 192.168.3.0 255.255.255.0 0 0
> nat (inside) 1 192.168.5.0 255.255.255.0 0 0
> nat (inside) 1 192.168.48.0 255.255.255.0 0 0
> static (inside,outside) 202.104.158.134 192.168.3.12 netmask 255.255.255.255 0 0
> static (outside,inside) 192.168.3.12 202.104.158.134 netmask 255.255.255.255 0 0
> access-group 102 in interface outside
> access-group 101 in interface inside
> route outside 0.0.0.0 0.0.0.0 202.104.158.254 1
> route inside 192.168.5.0 255.255.255.0 192.168.3.2 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
>
> http server enable
> http 192.168.3.0 255.255.255.0 inside
> http 192.168.3.69 255.255.255.255 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 192.168.3.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
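As an added illustration, not posted by either Neil or George, here is the alias command Neil refers to, written against the addresses in George's quoted config. The syntax is the PIX 6.x form `alias [(if_name)] dnat_ip foreign_ip [netmask]`; lines beginning with a colon are comments in a PIX configuration. Whether this firewall accepts the alias alongside the quoted `static (outside,inside)` line, or needs that static removed first, is an assumption to check on the device itself rather than something the thread states.

```text
: Added example, not part of the original thread.
: PIX 6.x syntax: alias [(if_name)] dnat_ip foreign_ip [netmask]
:   dnat_ip    = the real inside address (192.168.3.12)
:   foreign_ip = the public address inside users try to reach (202.104.158.134)
: Effect: a connection from an inside host to 202.104.158.134 has its
: destination rewritten to 192.168.3.12 before it is forwarded on the inside,
: and a DNS reply from an outside server that carries 202.104.158.134 is
: rewritten to 192.168.3.12 on its way to the inside client.
alias (inside) 192.168.3.12 202.104.158.134 255.255.255.255
```

After applying it, `show xlate` on the PIX should show the translation once an inside host opens a connection to the public address; if it does not appear, the interaction with the existing statics is the first thing to look at.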
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:38 GMT-3