Hi Andy,
the NAT command of the PIX is not meant to provide an internal
service to the outside. Use the STATIC command instead.
In your case use:
static (inside,outside) w.x.y.190 w.x.y.190 netmask 255.255.255.255
static (inside,outside) w.x.y.140 w.x.y.140 netmask 255.255.255.255
The NAT command only works after an outbound connection has been started
to the outside from your internal server and the xlate has not timed
out yet.
I am sure your configuration will work with statics...
Bye Sascha
-----------------------------------------------------------------------------------------------
Sascha Weigelmann Email: [EMAIL PROTECTED]
-Security Engineer- Tel.: +49 (0) 6172 - 288 383
Fax: +49 (0) 6172 - 288 402
ADS System AG http://www.ads.de
Steinmühlstraße 26
D-61352 Bad Homburg
The Network Service Company
-----------------------------------------------------------------------------------------------
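A small simulation of the xlate behaviour Sascha describes above, added here as an example and not taken from the thread or from Cisco: inbound traffic needs an existing translation slot, a nat line only creates one after the inside host has gone outbound, and a static creates a permanent one. The 3-hour xlate timeout, the external address and the port-22 ACL entries are assumptions.

```python
from dataclasses import dataclass, field

XLATE_TIMEOUT = 3 * 3600  # assumed default "timeout xlate 3:00:00", in seconds


@dataclass
class Pix:
    """Toy model of the PIX translation (xlate) table, constructed for this example."""
    nat_hosts: set = field(default_factory=set)      # inside hosts covered by a nat (inside) line
    static_hosts: set = field(default_factory=set)   # inside hosts with a static (inside,outside) line
    inbound_acl: set = field(default_factory=set)    # (dst_host, dst_port) pairs the ACL permits
    xlate: dict = field(default_factory=dict)        # dynamic slots: inside host -> expiry time

    def outbound(self, src, now):
        """Inside host opens a connection outward: a nat line builds (or refreshes) a dynamic xlate."""
        if src in self.nat_hosts:
            self.xlate[src] = now + XLATE_TIMEOUT
        return src in self.nat_hosts or src in self.static_hosts

    def inbound(self, src, dst, port, now):
        """Outside host connects to an inside address; a translation must exist before the ACL matters."""
        has_xlate = dst in self.static_hosts or self.xlate.get(dst, -1) > now
        if not has_xlate:
            return f"%PIX-3-106010: Deny inbound tcp src outside:{src} dst inside:{dst}/{port}"
        if (dst, port) not in self.inbound_acl:
            return "deny (no ACL permit)"
        return "permit"


def demo():
    """Replays the thread: both addresses under nat, only .140 has talked outbound, then the static fix."""
    pix = Pix(nat_hosts={"w.x.y.140", "w.x.y.190"},
              inbound_acl={("w.x.y.140", 22), ("w.x.y.190", 22)})
    out = {}
    pix.outbound("w.x.y.140", now=0)                              # .140 has an active xlate
    out["nat_140"] = pix.inbound("my.external.ip", "w.x.y.140", 22, now=60)
    out["nat_190"] = pix.inbound("my.external.ip", "w.x.y.190", 22, now=60)
    pix.outbound("w.x.y.190", now=60)                             # .190 connects out once
    out["nat_190_after_outbound"] = pix.inbound("my.external.ip", "w.x.y.190", 22, now=120)
    out["nat_190_after_timeout"] = pix.inbound("my.external.ip", "w.x.y.190", 22, now=60 + XLATE_TIMEOUT + 1)
    pix.static_hosts.add("w.x.y.190")   # static (inside,outside) w.x.y.190 w.x.y.190 netmask 255.255.255.255
    out["static_190"] = pix.inbound("my.external.ip", "w.x.y.190", 22, now=60 + XLATE_TIMEOUT + 1)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} -> {verdict}")
```

The "nat_190" case reproduces the 106010 deny from the original post; "static_190" shows why the static fixes it even with no outbound traffic and after the dynamic slot has expired.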
>>> Andy Coates <[EMAIL PROTECTED]> 22.03.2001 11.00 Uhr >>>
Hey,
I'm currently trying to tighten up my PIX 525 v5.1(4), and seeing some
odd problems with my setup.
The function of the firewall is to simply make use of the TCP Intercept
feature, I require nothing else. My current config is somewhat simple,
so I either am missing something really obvious, or it doesn't want to
play with me.
My server has two IPs (one aliased), w.x.y.140 and w.x.y.190
(can't give the full ips sorry, same subnet though)
I am using the nat config of:
nat (inside) 0 w.x.y.190 255.255.255.255 30 20
nat (inside) 0 w.x.y.128 255.255.255.128 300 200
The reason for two nat entries is to allow me to use the other IP in
case the other has a max tcp conns (syn attack, etc..), so I can still
get access to the machine myself. This will be ACL'd so only I can use it.
ip address config on the PIX is:
ip address inside w.x.y.129 255.255.255.128
with a route entry of:
inside w.x.y.128 255.255.255.128 w.x.y.129 1 CONNECT static
My server uses the .129 as its gateway, and that's fine. The problem
is I cannot seem to use the .180 aliased IP.
From the PIX, I can "ping inside w.x.y.140" which works, and I can
"ping inside w.x.y.190" which also works. So the PIX can see and
get responses from both IPs.
When I try to make a connection from the outside, the .140 IP works
fine as I expected it to, but the .190 IP cannot be reached, with
an error:
%PIX-3-106010: Deny inbound tcp src outside:my.external.ip/3840
dst inside:w.x.y.190/22
(that's an SSH attempt from my machine, and there is a permit
statement allowing it through).
So I'm wondering why one IP (.140) works, and the other (.190) doesn't.
Any ideas please before I go mad? I can supply extra config info if needed.
Cheers,
Andy.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]