Posted by Brian V on September 22, 2007, 6:58 am
> Hello all,
>
> I have spent a lot of time on this and seem to be missing something.
> Any technical knowledge and help will be greatly appreciated.
>
> I have pasted our PIX config below. You see three static NATs
> configured. The first two work great. The 3rd static NAT is new, and
> the config below isn't working right, and actually causes the internal
> host to lose Internet connectivity. The new static NAT is the one for
> global IP 216.xxx.xxx.243. What is wrong?
>
>
> PIX Version 6.3(3)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password o6XhYX4TSmjifHY0 encrypted
> passwd o6XhYX4TSmjifHY0 encrypted
> hostname PIX
> domain-name xxx
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> no fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> name 192.168.2.2 server
> access-list inetACL permit tcp any host 66.xxx.xxx.150 eq smtp
> access-list inetACL permit tcp any host 66.xxx.xxx.150 eq 3389
> access-list inetACL permit tcp any host 66.xxx.xxx.150 eq pop3
> access-list inetACL permit tcp any host 66.xxx.xxx.150 eq www
> access-list inetACL permit udp any host 66.xxx.xxx.150 eq domain
> access-list inetACL permit tcp any host 66.xxx.xxx.150 eq domain
> access-list inetACL permit icmp any host 66.xxx.xxx.150
> access-list inetACL permit tcp any host 66.xxx.xxx.187 eq 3389
> access-list inetACL permit tcp any host 66.xxx.xxx.150 eq https
> access-list inetACL permit tcp any host 216.xxx.xxx.243 eq 3389
> access-list inetACL permit icmp any host 216.xxx.xxx.243
> pager lines 24
> logging on
> logging buffered informational
> logging trap debugging
> logging facility 16
> logging device-id hostname
> logging host inside server 17/1025 format emblem
> mtu outside 1500
> mtu inside 1500
> ip address outside 66.xxx.xxx.186 255.255.255.0
> ip address inside 192.168.2.253 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm location server 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) 66.xxx.xxx.150 server netmask 255.255.255.255 0 0
> static (inside,outside) 66.xxx.xxx.187 192.168.2.9 netmask 255.255.255.255 0 0
> static (inside,outside) 216.xxx.xxx.243 192.168.2.7 netmask 255.255.255.255 0 0
> access-group inetACL in interface outside
> route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.193 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 192.168.2.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> telnet 192.168.2.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> terminal width 80
>
Where are you getting the 216.X..243 address from? Did your ISP just give it
to you? If they just gave it to you are you routing it on your internet
router to the Pix? There is nothing wrong with the Pix config IF that is
your address and is being routed properly to the Pix.
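A quick check for the condition raised in the reply above, as an added example that is not part of the original thread: it reads the interface addresses and static entries from the quoted PIX config (a constructed sample, with the masked octets replaced by placeholder zeros) and flags any static whose global address is not on the outside interface's subnet, since such an address is only reachable if the ISP router has a route for it pointing at the PIX.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the PIX 6.3 config quoted above,
# with the masked "xxx" octets replaced by placeholder zeros.
PIX_CONFIG = """\
ip address outside 66.0.0.186 255.255.255.0
ip address inside 192.168.2.253 255.255.255.0
static (inside,outside) 66.0.0.150 server netmask 255.255.255.255 0 0
static (inside,outside) 66.0.0.187 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,outside) 216.0.0.243 192.168.2.7 netmask 255.255.255.255 0 0
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_interfaces(config):
    """Return {interface_name: ip_network} from the 'ip address' lines."""
    nets = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            nets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return nets


def off_subnet_statics(config):
    """Return (global_ip, mapped_interface, interface_subnet) for every static
    whose global address lies outside the subnet of the interface it is mapped
    onto.  Proxy ARP on that interface only covers globals on the connected
    subnet; an off-subnet global is reached only if the upstream router has a
    route for it pointing at the firewall, so these are the entries to verify
    with the ISP."""
    nets = parse_interfaces(config)
    flagged = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        _real_if, mapped_if, global_ip, _local, _mask = m.groups()
        try:
            gip = ipaddress.ip_address(global_ip)
        except ValueError:
            continue  # a 'name' alias rather than a literal address; skip it
        if mapped_if in nets and gip not in nets[mapped_if]:
            flagged.append((global_ip, mapped_if, str(nets[mapped_if])))
    return flagged


if __name__ == "__main__":
    for gip, iface, net in off_subnet_statics(PIX_CONFIG):
        print(f"static {gip} on {iface} is not in {net}: needs an upstream route")
```

A static also replaces the dynamic PAT for that host's outbound traffic, so an unrouted global explains the internal host losing Internet access as well as the inbound failure.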