Need help configuring PIX 515e for static mapping PAT 1

Status
Not open for further replies.

NeoMatrix835

Technical User
Dec 6, 2004
7
US
Hello,

I am new to configuring this kind of equipment. I have a PIX 515e with 3 PC's behind it that I need to open up access to for PC Anywhere.

I plan on using non-standard ports for data and status for each of the 3 different PCs and have three IP addresses I can use on the external side of the PIX, however I would prefer to use one address with PAT to the three machines.

I have attempted to configure it several different ways in the PIX and ran into problems after configuring it for the first IP address.

Here is what works for me to get one of the PC's mapped to the external IP.

static (inside,outside) x.x.x.80 192.168.0.180 netmask 255.255.255.255
access-list acl_out permit tcp any host x.x.x.80 range 11111 11112
access-list acl_out permit udp any host x.x.x.80 range 11111 11112
access-group acl_out in interface outside

Now that worked fine for one PC. Now I went to setup a 2nd PC by adding the following commands and had no success...

static (inside,outside) x.x.x.81 192.168.0.181 netmask 255.255.255.255
access-list acl_out permit tcp any host x.x.x.81 range 11111 11112
access-list acl_out permit udp any host x.x.x.81 range 11111 11112

I then attempted to configure the PIX to do PAT to one PC using static commands but had no success there either. I did clear out all the previous changes I had made to the configuration before attempting this.

static (inside,outside) tcp x.x.x.80 11111 192.168.0.180 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.80 11112 192.168.0.180 netmask 255.255.255.255
static (inside,outside) udp x.x.x.80 11111 192.168.0.180 netmask 255.255.255.255
static (inside,outside) udp x.x.x.80 11112 192.168.0.180 netmask 255.255.255.255

access-list acl_out permit tcp any host x.x.x.80 range 11111 11112
access-list acl_out permit udp any host x.x.x.80 range 11111 11112

Can anyone give me a hand and explain what I am doing wrong? Any help would be greatly appreciated.
 
two things that spring to mind

1) Use the clear xlate command; this clears all translations and rebuilds the table.

2) Have you been given this address range to use? If you can, test by tracerouting these addresses from an external address to see if they will hit your firewall. I've had problems in the past with ISPs saying that they have given me a range of addresses, only to find they are routing them elsewhere.
 
When I was testing the configurations I entered, I was able to see the access-list hit count increasing for the corresponding item. So I believe the IP range I was given is valid. However, I am still unable to hit the PCs behind the firewall. If I attempt to access them locally I have no problems at all.
 
I think you need to state the port on both the real and mapped addresses

static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}

static (inside,outside) tcp x.x.x.80 11111 192.168.0.180 11111 netmask 255.255.255.255
 
Whoops,

Yeah, I actually did type in the port in both spots. In my haste while typing the thread I must have missed it.
 
So you really have these commands?

static (inside,outside) tcp x.x.x.80 11111 192.168.0.180 11111 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.80 11112 192.168.0.181 11112 netmask 255.255.255.255
static (inside,outside) udp x.x.x.80 11111 192.168.0.180 11111 netmask 255.255.255.255
static (inside,outside) udp x.x.x.80 11112 192.168.0.181 11112 netmask 255.255.255.255

Try doing a capture to see the traffic going through the firewall.

access-list test line 1 permit tcp any any eq 11111
access-list test line 2 permit tcp any any eq 11112
access-list test line 3 permit udp any any eq 11112
access-list test line 4 permit udp any any eq 11111
access-l test permit tcp any eq 11111 any
access-l test permit tcp any eq 11112 any
access-l test permit udp any eq 11111 any
access-l test permit udp any eq 11112 any

capture test access-l test interface inside (or outside, or specify no interface at all and see the traffic cross both interfaces)

"sho capture test" will show you the packets that traversed the interface(s) that you capture on.
 
Actually I entered

static (inside,outside) tcp x.x.x.80 11111 192.168.0.180 11111 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.80 11112 192.168.0.180 11112 netmask 255.255.255.255
static (inside,outside) udp x.x.x.80 11111 192.168.0.180 11111 netmask 255.255.255.255
static (inside,outside) udp x.x.x.80 11112 192.168.0.180 11112 netmask 255.255.255.255

This is because PC Anywhere uses 2 UDP and 2 TCP ports. I will set it up to monitor tomorrow if rebuilding the tables does not work and let you know. Thanks much for the help :)
 
Thanks for all the help :)

However, I am still running into some problems.

The following I did get to work by itself:

static (inside,outside) tcp x.x.x.80 11111 192.168.0.180 11111
static (inside,outside) tcp x.x.x.80 11112 192.168.0.180 11112
static (inside,outside) udp x.x.x.80 11111 192.168.0.180 11111
static (inside,outside) udp x.x.x.80 11112 192.168.0.180 11112

access-list test permit tcp any any eq 11111
access-list test permit tcp any any eq 11112
access-list test permit udp any any eq 11111
access-list test permit udp any any eq 11112
access-list test permit tcp any eq 11111 any
access-list test permit tcp any eq 11112 any
access-list test permit udp any eq 11111 any
access-list test permit udp any eq 11112 any
access-group test in interface outside

Now that worked great :-D.

I went on to try to add a second PAT as follows off the same IP address.

static (inside,outside) tcp x.x.x.80 12111 192.168.0.206 12111
static (inside,outside) tcp x.x.x.80 12112 192.168.0.206 12112
static (inside,outside) udp x.x.x.80 12111 192.168.0.206 12111
static (inside,outside) udp x.x.x.80 12112 192.168.0.206 12112

access-list test permit tcp any any eq 12111
access-list test permit tcp any any eq 12112
access-list test permit udp any any eq 12111
access-list test permit udp any any eq 12112
access-list test permit tcp any eq 12111 any
access-list test permit tcp any eq 12112 any
access-list test permit udp any eq 12111 any
access-list test permit udp any eq 12112 any

After adding those commands I was still able to get to the first PAT I set up just fine and login to the machine using the x.x.x.80 address. However, I was UNABLE to get to the second one I just entered above. So I attempted to login to that PC across the LAN and it worked fine. Next, I removed all the entries I made and just put in the configuration for the 2nd PAT I entered above, however I was still UNABLE to get access to the 2nd machine using the x.x.x.80 address on 12111 & 12112 for both TCP/UDP. I did "clear xlate" after entering the new information for the 2nd machine and still got nothing.

Any ideas on what would be causing this to happen? Am I using ports that the box simply won't forward for some odd reason or ?

Once again any help you can give is greatly appreciated :)
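The port-level static syntax quoted earlier in the thread and the two-host configuration in the post above both come down to one rule: each (protocol, mapped address, mapped port) triple may be claimed by exactly one static, and each triple needs a permit in the access-list applied inbound on the mapped interface, or inbound connections never reach the inside host. The Python script below is an added example, not code from this thread or from Cisco. It parses a constructed PIX 6.x-style fragment modelled on the thread (203.0.113.80 stands in for x.x.x.80; the second host's udp static that reuses mapped port 11111, and the missing permit for udp 12112, are deliberate slips) and reports duplicate mapped triples and statics that no permit covers. Only tcp/udp/ip permits with any, host or network/mask destinations are evaluated; address-level statics and other command forms are ignored.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the thread (203.0.113.80 stands in for x.x.x.80).
# Two deliberate slips: the udp line for 192.168.0.206 reuses mapped port 11111,
# and nothing permits udp 12112; the checker is meant to catch both.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 203.0.113.80 11111 192.168.0.180 11111 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.80 11112 192.168.0.180 11112 netmask 255.255.255.255
static (inside,outside) udp 203.0.113.80 11111 192.168.0.180 11111 netmask 255.255.255.255
static (inside,outside) udp 203.0.113.80 11112 192.168.0.180 11112 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.80 12111 192.168.0.206 12111 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.80 12112 192.168.0.206 12112 netmask 255.255.255.255
static (inside,outside) udp 203.0.113.80 11111 192.168.0.206 12111 netmask 255.255.255.255
static (inside,outside) udp 203.0.113.80 12112 192.168.0.206 12112 netmask 255.255.255.255
access-list acl_out permit tcp any host 203.0.113.80 range 11111 11112
access-list acl_out permit udp any host 203.0.113.80 range 11111 11112
access-list acl_out permit tcp any host 203.0.113.80 range 12111 12112
access-list acl_out permit udp any host 203.0.113.80 eq 12111
access-group acl_out in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_statics(text):
    """(real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_ip, real_port) per port static."""
    rows = []
    for m in filter(None, map(STATIC_RE.match, text.splitlines())):
        r, mi, proto, mip, mport, rip, rport = m.groups()
        rows.append((r, mi, proto, mip, int(mport), rip, int(rport)))
    return rows

def _endpoint(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] == "host":
        return ("host", t[i + 1]), i + 2
    return ("net", t[i] + "/" + t[i + 1]), i + 2

def _ports(t, i):
    """Consume an optional 'eq N' or 'range A B' qualifier; return ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_acls(text):
    """{acl_name: [(action, proto, dst, dport)]} from 'access-list NAME [line N] ACTION PROTO SRC [ports] DST [ports]'."""
    acls = {}
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 6 or t[0] != "access-list":
            continue
        i = 4 if t[2] == "line" else 2          # 'access-list NAME line N ...' form
        action, proto = t[i], t[i + 1]
        _src, i = _endpoint(t, i + 2)
        _sport, i = _ports(t, i)               # source port qualifier, not needed for this check
        dst, i = _endpoint(t, i)
        dport, i = _ports(t, i)
        acls.setdefault(t[1], []).append((action, proto, dst, dport))
    return acls

def parse_access_groups(text):
    """{interface: acl_name} from 'access-group NAME in interface IFC' lines."""
    return {t[4]: t[1] for t in (line.split() for line in text.splitlines())
            if len(t) == 5 and t[0] == "access-group" and t[2:4] == ["in", "interface"]}

def _permits(entry, proto, ip, port):
    """True if one ACL entry permits inbound PROTO traffic to IP:PORT."""
    action, eproto, (kind, value), dport = entry
    if action != "permit" or eproto not in (proto, "ip"):
        return False
    try:
        if kind == "host" and value != ip:
            return False
        if kind == "net" and ipaddress.ip_address(ip) not in ipaddress.ip_network(value, strict=False):
            return False
    except ValueError:  # mapped address given as the keyword 'interface' rather than an IP
        return False
    return dport is None or dport[0] <= port <= dport[1]

def check_config(text):
    """Mapped (proto, ip, port) triples claimed by more than one static, and statics
    that no permit in the ACL bound inbound on the mapped interface covers."""
    statics, acls, groups = parse_statics(text), parse_acls(text), parse_access_groups(text)
    keys = [(proto, mip, mport) for _, _, proto, mip, mport, _, _ in statics]
    duplicates = sorted(k for k, n in Counter(keys).items() if n > 1)
    uncovered = set()
    for s, key in zip(statics, keys):
        entries = acls.get(groups.get(s[1], ""), [])   # s[1] is the mapped interface
        if not any(_permits(e, *key) for e in entries):
            uncovered.add(key)
    return {"duplicates": duplicates, "uncovered": sorted(uncovered)}

if __name__ == "__main__":
    for kind, items in check_config(SAMPLE_CONFIG).items():
        print(kind, *(f"{p} {ip}:{port}" for p, ip, port in items))
```

Run it over a block of statics and access-list lines before pasting them into the box: a duplicate triple cannot be satisfied for both inside hosts, and an uncovered one shows up on the firewall as an access-list that never counts a hit. The checker only inspects the configuration text; whether a changed static is actually in effect still depends on the translation table, so the clear xlate step mentioned earlier in the thread is unchanged.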
 
Thanks a lot for the help. :)

I got everything up and running just fine now. The problem ended up being something awkward with the network topology and a DHCP server.
