Pix 501 nat transversal 2 IP addresses

[Rookcr]

Good morning,

I have a Pix 501 and my ISP has given me 2 IP addresses. I have a webserver/email server that I would like to allow traffic to.

I gave the outside interface on the pix the IP address of my webserver and used the 2nd address for the global out. I am able to leave from inside the firewall and I am able to VPN into the firewall and connect to a box on the inside of my network but I am unable to access my website or send e-mail.

x.x.x.x = address of my webserver registered in DNS as well as the outside interface of my Pix.

I have the following:
access-list acl_in permit tcp any host x.x.x.x eq pop3
access-list acl_in permit tcp any host x.x.x.x eq smtp
access-list acl_in permit tcp any host x.x.x.x eq ftp
access-list acl_in permit tcp any host x.x.x.x eq pptp
access-list acl_in permit tcp any host x.x.x.x eq 1604

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0

Thank you

 

[ChrisAC]

Can you should us the config? Generally the first address would be configured on the outside interface and outbound traffic PATed to that and then any additional IP addresses could be configured for static NAT. I'm not sure why you've configured the outside with the address of your web server?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[Rookcr]

I will get it and post shortly.

Thanks Chris

 

[ChrisAC]

I'm off out but I'll try and post an example either tonight or tomorrow.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[Rookcr]

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Cisco
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.x xyz.com
name 172.16.1.0 vpnclient
access-list acl_in permit tcp any host x.x.x.x eq pop3
access-list acl_in permit tcp any host x.x.x.x eq smtp
access-list acl_in permit tcp any host x.x.x.x eq pptp
access-list acl_in permit tcp any host x.x.x.x eq 1604
access-list acl_in permit tcp any host x.x.x.x eq ftp
access-list acl_in permit tcp any host x.x.x.x eq www
access-list outside_cryptomap_dyn_10 remark VPN Client
access-list outside_cryptomap_dyn_10 permit ip xyz.com 255.255.255.0 vpnc
lient 255.255.255.0
access-list is_splitTunnelAcl permit ip xyz.com 255.255.255.0 any
access-list inside_nat0_outbound remark V
access-list inside_nat0_outbound remark VPN Client
access-list inside_nat0_outbound permit ip xyz.com 255.255.255.0 vpnclien
t 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside x.x.x.x 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 172.16.1.1-172.16.1.5
pdm location x.x.x.x. 255.255.255.255 inside
pdm location
pdm location vpnclient 255.255.255.0 outside
pdm location xyz.com 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0
0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host x.x.x.x test timeout 5
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime
aaa-server partnerauth (inside) host x.x.x.x test timeout 5
aaa authentication http console LOCAL
aaa authentication telnet console partnerauth LOCAL
http server enable
http xyz.com 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1100
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 10 4
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup csd address-pool vpnclient
vpngroup csd dns-server x.x.x.x
vpngroup csd split-tunnel is_splitTunnelAcl
vpngroup csd split-dns local.comsoftdev.com
vpngroup csd idle-time 1800
vpngroup csd password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
management-access outside
console timeout 0
username *******
terminal width 80
Cryptochecksum:631c306eb2ae13d59652684fac0b26e6
Cisco#