Re: Can PIX 6.3 achieve this?

From: john matijevic (john.matijevic@gmail.com)
Date: Fri Jul 29 2005 - 09:15:10 GMT-3


Wing,
A couple of things. Check the public address 210.1.1.1; it
looks like one of the reserved addresses. Also, take a look at the following
nat statement:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
It appears to me you are missing an additional NAT statement before that,
that will exclude the VPN internal addresses from being natted, so that your
vpn tunnel will come up. With the configuration that I see, you have some
problems getting your vpn tunnel to come up. I would first troubleshoot and
get the vpn tunnel working before you tackle port redirection. Please
contact me offline to discuss further.
Sincerely,
John

 On 7/29/05, mozbek@secura.com.tr <mozbek@secura.com.tr> wrote:
>
> Hi all,
>
> I think you cannot implement such a test because the redirected server is
> on the same interface, so the PIX will not apply any NAT, access-list, routing,
> etc.
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Wing Lam
> Sent: Friday, July 29, 2005 5:30 AM
> To: Chris; john matijevic; miken
> Cc: x-originalarrivaltime@imsp01appephk.nsc.josworld.com
> Subject: RE: Can PIX 6.3 achieve this?
>
> Dear Chris;
>
> How about if the user wants to test telnet 210.1.1.1 25 instead of using
> DNS lookup?
>
> Thanks,
> Winglam
>
>
> -----Original Message-----
> From: Chris [mailto:clarson52@comcast.net]
> Sent: Friday, July 29, 2005 9:50 AM
> To: Wing Lam; 'john matijevic'; 'miken'
> Cc: 'x-originalarrivaltime@imsp01appephk.nsc.josworld.com'
> Subject: RE: Can PIX 6.3 achieve this?
>
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
>
>
>
> --------------------------------------------------
>
> Christopher Larson CCIE#12380, PMP
> Superior Technology Networks Corp
> www.supertechnetworks.com - Consulting Services
> www.ciscoracks.com - Cisco Rack Rental & Training
>
>
> tel: 703 577 3303
> fax: 703 286 5018
>
> --------------------------------------------------
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Wing Lam
> Sent: Thursday, July 28, 2005 9:41 PM
> To: john matijevic; miken
> Cc: x-originalarrivaltime@imsp01appephk.nsc.josworld.com
> Subject: RE: Can PIX 6.3 achieve this?
>
> Dear John;
>
> Here you are. Sorry, I just want to know whether inside hosts can connect
> to the outside virtual IP address of the PIX, which is also statically
> translated into another inside host.
>
> Thanks,
> Winglam
>
>
> ________________________________
>
> From: john matijevic [mailto:john.matijevic@gmail.com]
> Sent: Thursday, July 28, 2005 7:21 PM
> To: miken
> Cc: "<ccielab@groupstudy.com>x-originalarrivaltime"@imsp01appephk.nsc.josworld.com; Wing Lam
> Subject: Re: Can PIX 6.3 achieve this?
>
>
> Hello Wing,
> Can you please post your config?
> Sincerely,
> John
>
>
> On 7/28/05, miken <miken@mail.sisna.com> wrote:
>
> Configure DNS doctoring in your static statement.
>
> Thanks
> MikeN
>
>
> ---------- Original Message ----------------------------------
> From: "Wing Lam" <wing.lam@jossynergy.com>
> Reply-To: "Wing Lam" <wing.lam@jossynergy.com>
> Date: Thu, 28 Jul 2005 11:18:30 +0800
>
> >Dear Group;
> >
> >-----internal 10.0.0.1-----[PIX]----external 210.1.1.1--------
> >
> >I have an internal PC 10.1.1.2 and server 10.1.1.1, and the external IP
> >is 210.1.1.1.
> >
> >I have configured port forwarding for 210.1.1.1 SMTP to forward to
> >internal server 10.1.1.1; it works for any PC on the outside.
> >
> >But the internal PC 10.1.1.2 cannot get a successful SMTP connection to
> >the external IP port 25 (i.e. telnet 210.1.1.1 25 from 10.1.1.2).
> >
> >Just want to confirm whether this is possible in 6.3. How about 7.0?
> >
> >Thanks,
> >BBD
> >
>
> >______________________________________________________________________
> >This email has been scanned by the MessageLabs Email Security System.
> >For more information please visit http://www.messagelabs.com/email
> >______________________________________________________________________
> >
>
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
>
>
>
>
>
>
> --
> John Matijevic, CCIE #13254
> U.S. Installation Group
> Senior Network Engineer
> 954-969-7160 ext. 1147 (office)
> 305-321-6232 (cell)
>
> pix01# sh run
> : Saved
> :
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password DjGOaLXBWWiqnfoU encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pix01
> domain-name corp.jjj.com
> clock timezone HKST 8
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> no fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list outside_access_in permit udp any interface outside eq domain log
> access-list outside_access_in permit tcp any interface outside eq smtp log
> access-list outside_access_in permit tcp any interface outside eq pop3 log
> access-list outside_access_in permit tcp any interface outside eq ftp log
> access-list outside_access_in permit icmp any any echo-reply log
> access-list outside_access_in permit icmp any any time-exceeded log
> access-list inside_access_in permit tcp any any eq www log
> access-list inside_access_in permit tcp any any eq https log
> access-list inside_access_in permit udp 10.0.0.0 255.0.0.0 any eq domain log
> access-list inside_access_in permit tcp 10.0.0.0 255.0.0.0 any eq ftp log
> access-list inside_access_in permit tcp any any eq pop3 log
> access-list inside_access_in permit tcp any any eq smtp log
> access-list inside_access_in permit tcp 10.0.0.0 255.0.0.0 any eq 3389 log
> access-list inside_access_in permit tcp 10.0.0.0 255.0.0.0 any eq 3390 log
> access-list inside_access_in permit icmp 10.0.0.0 255.0.0.0 any echo log
> access-list inside_access_in permit tcp 10.0.0.0 255.0.0.0 any eq telnet log
> access-list inside_access_in permit tcp 10.0.0.0 255.0.0.0 any eq pcanywhere-data log
> access-list inside_access_in permit udp 10.0.0.0 255.0.0.0 any eq pcanywhere-status log
> pager lines 24
> logging on
> logging timestamp
> logging buffered informational
> logging history informational
> mtu outside 1500
> mtu inside 1500
> ip address outside 210.1.1.1 255.255.255.0
> ip address inside 10.0.0.1 255.0.0.0
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
> ip audit info action alarm
> ip audit attack action alarm
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp interface pop3 10.1.1.1 pop3 netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface smtp 10.1.1.1 smtp netmask 255.255.255.255 0 0
> static (inside,outside) udp interface domain 10.1.1.1 domain netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface ftp 10.1.1.1 ftp netmask 255.255.255.255 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 210.1.1.2 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> aaa authentication ssh console LOCAL
> ntp server 137.189.8.174 source outside prefer
> floodguard enable
> sysopt connection permit-pptp
> management-access inside
> console timeout 0
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> terminal width 80
> pix01#
>
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
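
A small Python model of the decision the thread is arguing about, added here as an example and not part of any post or of Cisco's code: it parses the interface and static lines from the posted config and evaluates the outside-client and inside-client cases. The assumption, which matches what Wing observed, is that a static (inside,outside) is only consulted for packets entering on outside, and that a packet from inside addressed to the PIX's own outside address is not hairpinned back to 10.1.1.1.

```python
import re
from dataclasses import dataclass
# Constructed sample: the interface and static lines from the posted config
CONFIG = """\
ip address outside 210.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.0.0.0
static (inside,outside) tcp interface pop3 10.1.1.1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 10.1.1.1 domain netmask 255.255.255.255 0 0
"""
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "ftp": 21}
ADDR_RE = re.compile(r"ip address (\w+) (\S+) (\S+)")
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")

@dataclass
class Static:
    inside_if: str
    outside_if: str
    proto: str
    global_port: int   # port on the outside interface address
    local_ip: str
    local_port: int

def port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)

def parse(config: str):
    """Return ({interface: address}, [port statics]) from a 6.3 config."""
    addrs, statics = {}, []
    for line in config.splitlines():
        if m := ADDR_RE.match(line):
            addrs[m[1]] = m[2]
        elif m := STATIC_RE.match(line):
            statics.append(Static(m[1], m[2], m[3], port(m[4]), m[5], port(m[6])))
    return addrs, statics

def lookup(ingress_if: str, proto: str, dst_ip: str, dst_port: int, config=CONFIG):
    """Decide what a 6.3 PIX does with a packet entering on ingress_if.
    Assumption (the behaviour Wing reports): a static (inside,outside) is only
    consulted for packets entering on outside; a packet to a PIX interface
    address that matches no static ends at the PIX, not hairpinned to 10.1.1.1."""
    addrs, statics = parse(config)
    for s in statics:
        if (ingress_if == s.outside_if and proto == s.proto
                and dst_ip == addrs[s.outside_if] and dst_port == s.global_port):
            return ("redirect", s.local_ip, s.local_port)
    if dst_ip in addrs.values():
        return ("terminates-at-pix", dst_ip, dst_port)
    return ("forward", dst_ip, dst_port)
```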


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:32 GMT-3