RE: Pix help needed

From: Larry Roberts (groupstudy@american-hero.com)
Date: Wed Apr 21 2004 - 01:22:38 GMT-3


OK, you have overridden your nat/global combo. What you need to do is
such..

static (inside,outside) tcp interface www <IP OF WWW SERVER> www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp <IP of SMTP SERVER> smtp netmask 255.255.255.255 0 0

If you know the ports for pcanywhere ( I don't ) you would need to do the
same above, but use the TCP/UDP and the actual port number, not the names
that I have used above ( www,smtp )

For example, if pcanywhere uses port TCP 1234, do this.

static (inside,outside) tcp interface 1234 <IP OF PCANYWHERE SERVER> 1234 netmask 255.255.255.255 0 0

Key things to note. I use the keyword interface, since I receive a dynamic
IP on the outside. IF you know the IP address, AND its static, you could put
it in there, but you don't need to. This just tells the static to use the
outside interface.

Your access-list on the outside needs to permit the specified traffic
in..

access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit tcp any interface outside eq smtp
access-list acl_out permit <PCANYWHERE TCP/UDP?> any interface outside eq <PCANYWHERE PORT>

Don't forget to add an entry for icmp and any other stuff you need to be
able to hit.

Hope this helps.
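
The two mistakes this thread turns on (a one-to-one static that swallows the only public address, so the nat/global PAT has nothing left to translate with, and a port static that the outside access-list never permits) are both visible in the config text. The script below is an added example, not part of either message on this page, that reads a PIX 6.x-style config and reports exactly those two conditions. The sample configs, the outside address 203.0.113.5 and the TCP 1234 pcAnywhere port are constructed for illustration; the PIX syntax is the one the thread uses.

```python
import re

# PIX port keywords the thread uses, resolved to numbers so "www" and "80" compare equal.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22}

# Constructed config in the shape of Larry's answer: PAT on the outside interface plus
# per-port statics for www, smtp and a hypothetical pcAnywhere port (TCP 1234).
# The 1234 static is deliberately left out of the access-list so the audit has something to flag.
FIXED_CONFIG = """
ip address outside 203.0.113.5 255.255.255.248
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1234 192.168.1.100 1234 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit tcp any interface outside eq smtp
access-group acl_out in interface outside
"""

# Constructed config in the shape of the original question: a one-to-one static that
# uses the same public address the PAT global is built on.
BROKEN_CONFIG = """
ip address outside 203.0.113.5 255.255.255.248
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (inside, outside) 203.0.113.5 192.168.1.100 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any interface outside eq www
access-group acl_out in interface outside
"""


def port_number(token):
    """Resolve a PIX port keyword or numeric port to an int (unknown names are kept as text)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower(), token.lower())


def resolve(addr, ifname, iface_ip):
    """Map the 'interface' keyword to that interface's configured address, if one was seen."""
    return iface_ip.get(ifname, "interface") if addr == "interface" else addr


def parse_pix(config_text):
    """Extract the few statements the audit needs from a PIX 6.x-style config."""
    iface_ip, pat_globals, one_to_one, forwards, permits = {}, [], [], [], set()
    for raw in config_text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            iface_ip[t[2]] = t[3]                                   # ip address outside <ip> <mask>
        elif t[0] == "global":
            m = re.search(r"\(\s*(\w+)\s*\)\s*\d+\s+(\S+)", raw)    # global (outside) 1 interface|<ip>
            if m:
                pat_globals.append((m.group(1), m.group(2)))
        elif t[0] == "static":
            m = re.search(r"\(\s*\w+\s*,\s*(\w+)\s*\)", raw)        # tolerates "(inside, outside)"
            if not m:
                continue
            rest = raw[m.end():].split()
            if rest[0] in ("tcp", "udp"):
                # static (in,out) tcp <gaddr> <gport> <laddr> <lport> netmask ...
                forwards.append((m.group(1), rest[0], rest[1], port_number(rest[2]),
                                 rest[3], port_number(rest[4])))
            else:
                # static (in,out) <gaddr> <laddr> netmask ...
                one_to_one.append((m.group(1), rest[0], rest[1]))
        elif t[0] == "access-list" and "permit" in t and "eq" in t:
            proto = t[t.index("permit") + 1]
            permits.add((proto, port_number(t[t.index("eq") + 1])))
    return iface_ip, pat_globals, one_to_one, forwards, permits


def audit_pix(config_text):
    """Return findings for the two problems discussed in the thread."""
    iface_ip, pat_globals, one_to_one, forwards, permits = parse_pix(config_text)
    findings = []
    pat_addrs = {(ifn, resolve(addr, ifn, iface_ip)) for ifn, addr in pat_globals}
    # 1. A one-to-one static on the PAT address leaves nat/global nothing to translate with.
    for out_if, gaddr, laddr in one_to_one:
        if (out_if, resolve(gaddr, out_if, iface_ip)) in pat_addrs:
            findings.append(f"one-to-one static {gaddr} -> {laddr} uses the PAT address on "
                            f"{out_if}; other inside hosts get no translation, use per-port statics")
    # 2. A port static is useless (and a sign of drift) unless the outside ACL permits it.
    for out_if, proto, gaddr, gport, laddr, lport in forwards:
        if (proto, gport) not in permits:
            findings.append(f"port static {proto}/{gport} -> {laddr}:{lport} has no "
                            f"access-list permit on {out_if}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_pix(cfg) or ["no findings"])
```

Run it against a saved `write terminal` capture after each change; once the missing `access-list acl_out permit tcp any interface outside eq 1234` line is added the fixed config comes back clean, while the one-to-one static in the broken config is flagged regardless of whether it is written with the explicit address or the `interface` keyword.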

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Vazman@aol.com
Sent: Tuesday, April 20, 2004 10:42 PM
To: ccielab@groupstudy.com
Subject: Pix help needed

Hello,

I am trying to setup a Pix501E firewall for a small office. The office has a
DSL line and one public IP address only.

Requirements are
1. All internal hosts should be able to access the Internet.
2. And there is a server running some apps (www, pcanywhere etc) that needs to be accessible from the outside.

I configured nat and global commands to satisfy the first requirement.

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

For the second requirement I configured static nat, created an ACL for the
required ports and applied it to the outside interface.

static (inside,outside) x.x.x.x 192.168.1.100 netmask 255.255.255.255 0 0

Problem is only the server can go out to the Internet and can be accessed
from outside, but other internal hosts cannot go out. I ran a debug on the
pix and was getting some translation errors (don't have the exact message
now)

What am I missing here? Is it the fact that I am using the public address
for static NAT, so I cannot use the same address for PAT? This is something
that can be easily done on a linksys but not so straightforward on a pix.

Thanks



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:51 GMT-3