Hmm.. that didn't seem to work. 

The thing is, internal users have connections to two different networks. One 
network is an ipsec tunnel. This tunnel works grand. I can do any ip over 
that link. The other link is just to the internet. To avoid (maybe) some 
confusion, I will use the term I am familiar with as NAT. So losers like me 
who don't have a /* can access the internet and piss my isp off at the same 
time :) At current, nothing is wrong with my config in this regard. What I 
want is one of my rfc1918 host's web servers to be accessible to the public 
internet. To do this there has to be some sort of reverse translation. Pix's 
are awfully awkward at such a task. I'm used to using cisco routers with 
overload port mappings, but now I'm given a pix to fiddle with. 

So, when I try any of the commands publicly available, it totally kills my
NAT to the internet (That should be illegal!) and it also denies my ipsec
protos. I've tried quite a few different commands for this, static backwards,
forwards, ACLs and conduits in all sorts of arrangements.

To clarify things, I will paste my config in this email and I apologize for 
the long email in advance, but I hope it will help to see what I'm doing.
This config is sans static and acls for it (otherwise you wouldn't see this 
email at all).

note: Host that is to be used as a www server is 10.251.35.5
(Watch the wrap)


: Saved
: Written by enable_15 at 15:16:02.285 UTC Tue Jul 2 2002
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FlkeSLjlkjRjskF encrypted
passwd kl3kmFKekCskE encrypted
hostname eo
domain-name ciscophile.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.251.35.0 255.255.255.0 10.7.0.0 255.255.255.0
access-list 101 permit ip 10.251.35.0 255.255.255.0 10.4.0.0 255.255.0.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.251.35.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.251.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 6.6.6.6
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key d8kk4k.4e address 6.6.6.6 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.0.0.0 255.0.0.0 outside
telnet 10.251.35.0 255.255.255.0 inside
telnet timeout 30
ssh 10.251.35.0 255.255.255.0 inside
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [EMAIL PROTECTED]
vpdn group pppoe_group ppp authentication pap
vpdn username [EMAIL PROTECTED] password m0r0n
dhcpd address 10.251.35.11-10.251.35.42 inside
dhcpd dns 10.4.2.22 207.69.188.185
dhcpd wins 10.4.2.1 10.4.2.29
dhcpd lease 292000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80



Thanks again for the interest.
eo

On Tuesday 16 July 2002 03:56 am, Ciaron Gogarty wrote:
> Hi,
>
> Assuming you only have one IP on the external interface try the following
>
> Global (outside) 10 interface
> Nat (inside) 10 0 0
> static (inside,outside) tcp interface www  www
> netmask 255.255.255.255
>
> access-list out-in permit tcp any host  eq www
>
> Of course this would be to allow people on the Internet to access a WWW
> server on the external IP address, which is your single routable IP.
>
> But it sounds like the trouble you're having is with users reaching your web
> server over a vpn tunnel??  Is this correct?  If so I would suspect you
> haven't got a "NAT 0" statement to not nat packets from your web server to
> the far side of the tunnel...  basically, without seeing your config you
> need to have a line of code that tells the PIX what traffic not to nat,
> specifically traffic that is going into the vpn tunnel to the far side.
> This can be the same access-list that you define for traffic that will
> bring up the tunnel - using the line of code like such:
>
> nat (inside) 0 access-list NONAT
> access-list NONAT permit ip  mask  mask
>
> hope this helps.
>
> C
>
> -----Original Message-----
> From: eo [mailto:[EMAIL PROTECTED]]
> Sent: 16 July 2002 04:56
> To: [EMAIL PROTECTED]
> Subject: Pix internal access [7:48886]
>
>
> Hello,
>
>       Normally I wouldn't ask this but cisco's documentation on pix is far
> from acceptable.
>
> What I am trying to do is simple. I have a pix 501 here with a single public
> static ip on outside and a private network in the range of 10.251.35.0/24.
>
> The pix is setup to nat the internal network out to the internet... This
> works fine. It also has a functional ipsec tunnel to a cisco vpn concentrator
> which works just dandy. The folks at the main site have requested that I open
> port 80 for web access internally. Noting that the network inside is PAT'd,
> there will have to be a 'static' map to make this function... right..
>
> I won't paste the entire config here unless requested but will give you the
> basic rundown.
>
> I use access-list 101 to define two different subnets just to define
> interesting traffic for my crypto map. That works just fine.
>
> if my external IP is 192.168.1.1, I (according to CCO and Pix configuration
> books) have to:
>
> Add a static mapping as such:
>
> static (inside,outside) 192.168.1.1 10.251.35.1 (I've done a few variants
> of this)
>
> Then enforce this with an acl as such:
>
> access-list 102 permit tcp any host 192.168.1.1 eq www
>
> then
>
> access-group 102 in interface outside    to apply it
>
> Now if I do this, it drops everything. I run logging console debugging and
> see tons and tons of drops for tcp, udp and ipsec. All network connectivity
> comes to a total halt.
>
> So I tried to implement the acl like the old way I do my ciscos to make
> sure by allowing ip any any and protocol 50 any any.  - Nothing
>
> I also get a huge mess of errors stating that port mapping has failed, both
> IPs are correct and reachable.
>
> I've tried everything I can think of but the thing will not behave.
> Conduits and acl's. Once again, I won't touch my crypto map acl because I
> don't want it futzing with my tunnel and it makes very little sense to me.
>
> Has anyone gotten this kind of "Static" mapping working in a Pat'd/ipsec'd
> system? If so, how?
>
> I will provide any needed information upon request.
>
> Thanks a bunch in advance for any interest.
>
>
> eo
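As an added illustration for this thread (not code from the list, from eo, or from Cisco), the Python model below replays the PIX 6.x translation lookup order over the NAT-relevant lines of the config posted above. It assumes the documented PIX 6.x order: `nat 0 access-list` exemption is consulted first, then `static` entries, then dynamic `nat`/`global` pairs. Two things in it are assumptions rather than page content: the outside address 192.168.1.1 is a placeholder for whatever PPPoE assigns, and the port-redirection `static` line for 10.251.35.5 is a hypothetical addition in the shape Ciaron's reply points at, not a line from the posted config. The point it makes visible is that the exemption wins for tunnel-bound traffic, so a correctly scoped port static for the web server does not touch the VPN flows, while without any static an inbound hit on port 80 has nothing to translate to and is dropped.

```python
import ipaddress

# Constructed sample: the NAT-relevant lines of the config posted in this
# thread, plus one hypothetical line (assumption, not in the posted config):
# a port redirection that maps tcp/80 on the outside address to 10.251.35.5.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.251.35.0 255.255.255.0 10.7.0.0 255.255.255.0
access-list 101 permit ip 10.251.35.0 255.255.255.0 10.4.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.251.35.5 www netmask 255.255.255.255
"""

OUTSIDE_IF = "192.168.1.1"  # placeholder; the real address comes from PPPoE
PORT_NAMES = {"www": 80, "http": 80}


def net(addr, mask):
    """'10.4.0.0', '255.255.0.0' -> IPv4Network('10.4.0.0/16')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse(text):
    """Collect the translation rules a PIX 6.x box consults, grouped by type."""
    cfg = {"acl": {}, "exempt": [], "global": {}, "dyn": [], "static": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[0] == "global":                      # global (outside) <id> interface|<ip>
            cfg["global"][t[2]] = OUTSIDE_IF if t[3] == "interface" else t[3]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["exempt"].append(t[4])              # nat (inside) 0 access-list <acl>
        elif t[0] == "nat":                         # nat (inside) <id> <net> <mask> ...
            cfg["dyn"].append((t[2], net(t[3], t[4])))
        elif t[0] == "static":
            # static (inside,outside) tcp <global> <gport> <local> <lport> netmask ...
            proto, g, gport, local, lport = t[2:7]
            g = OUTSIDE_IF if g == "interface" else g
            cfg["static"].append((proto, g, port(gport), local, port(lport)))
    return cfg


def outbound(cfg, src, dst, proto=None, sport=None):
    """Inside -> outside lookup: exemption first, then static, then nat/global."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl in cfg["exempt"]:
        if any(s in sn and d in dn for sn, dn in cfg["acl"].get(acl, [])):
            return ("nat 0 exemption (tunnel traffic, untranslated)", src)
    for sp, g, gp, local, lp in cfg["static"]:
        if local == src and (sp, lp) == (proto, sport):
            return ("static port redirection", f"{g}:{gp}")
    for nat_id, local_net in cfg["dyn"]:
        if s in local_net and nat_id in cfg["global"]:
            return (f"nat/global {nat_id} (PAT)", cfg["global"][nat_id])
    return ("no translation", None)


def inbound(cfg, proto, dst, dport):
    """Outside -> inside: a new connection needs a static that matches it."""
    for sp, g, gp, local, lp in cfg["static"]:
        if (sp, g, gp) == (proto, dst, dport):
            return ("static port redirection", f"{local}:{lp}")
    return ("dropped: no static for this destination", None)


CFG = parse(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(outbound(CFG, "10.251.35.5", "10.4.2.22"))        # far side of the tunnel
    print(outbound(CFG, "10.251.35.5", "207.69.188.185"))   # plain internet: PAT
    print(inbound(CFG, "tcp", OUTSIDE_IF, 80))              # public hit on the web port
    print(inbound(CFG, "tcp", OUTSIDE_IF, 22))              # nothing mapped: dropped
```

The model only decides which translation a flow gets; it does not evaluate interface ACLs, so it says nothing about the drops seen after `access-group 102 in interface outside`. Running `parse` on the same text with the last line removed reproduces the situation in the posted config: the tunnel and outbound PAT lookups are unchanged, and the inbound port-80 lookup finds nothing.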




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48895&t=48886
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
