
Static NAT Help (506E)


hise (Programmer; joined Oct 24, 2003; 15 messages; US)

Hi:

I've had a task dumped on me (a programmer) that was started by someone who is no longer available. I've gotten together my game-plan based on Cisco documentation only to find out it's apparently done already in the PIX 506E. However, I need help double-checking this info.

Objective:
To permit HTTP traffic going to 65.175.63.107 to an internal IP of 192.168.1.39.

Current Relevant Firewall info:
static (inside,outside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0

access-list 100 line 6 permit tcp any host 65.175.63.107 eq
access-group 100 in interface outside

There is additional displayed when I run show access-list, but I don't know if it's important.

When I try to hit that public IP from the outside, it just times out.

Any help would greatly be appreciated!!!!

Thanks,

Jeremy
 
When I scanned the above IP with NMAP I didn't see any ports open. I would first make sure that I can actually browse to the internal IP from within the network, just to make sure that the server is actually still up and listening on port 80.

nmap -sP 65.175.63.107

Starting Nmap 4.00 ( ) at 2006-10-30 17:14 GMT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.206 seconds

You also need to make sure that your ISP is still routing this IP to you.


messiah:~ # nmap -sS -O -PI -PT 65.175.63.107

Starting Nmap 4.00 ( ) at 2006-10-30 17:15 GMT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.195 seconds
 
Hi:

It's definitely up and running as I can browse to the application (port 80). When I run the nmap command you have listed above internally, I get this:

[root@arigold bluelink]# nmap -sS -O -PI -PT 65.175.63.107

Starting Nmap 4.00 ( ) at 2006-10-30 12:36 EST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 65.175.63.107 are: filtered
Device type: broadband router|printer|bridge|load balancer|switch|general purpose
Running: Billion embedded, Canon embedded, Cisco embedded, Cisco IOS 12.X, Linux 2.4.X|2.6.X, Microsoft Windows 2003/.NET|NT/2K/XP, Sun Solaris 8|9
Too many fingerprints match this host to give specific OS details

Nmap finished: 1 IP address (1 host up) scanned in 37.429 seconds

Also, that firewall, I believe, has a VPN connection with a client. I don't know if this would matter though. Here is the full configuration:

pixfirewall# show static
static (inside,outside) 65.175.63.106 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0

pixfirewall# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024) alert-interval 300
access-list 100; 6 elements
access-list 100 line 1 permit icmp any any echo-reply (hitcnt=25)
access-list 100 line 2 permit icmp any any time-exceeded (hitcnt=157)
access-list 100 line 3 permit icmp any any unreachable (hitcnt=779)
access-list 100 line 4 permit tcp any host 65.175.63.106 eq pptp (hitcnt=77)
access-list 100 line 5 permit gre any host 65.175.63.106 (hitcnt=0)
access-list 100 line 6 permit tcp any host 65.175.63.107 eq
access-list NO_NAT; 3 elements
access-list NO_NAT line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=30)
access-list NO_NAT line 2 permit ip 192.168.1.0 255.255.255.0 host 10.101.60.98 (hitcnt=0)
access-list NO_NAT line 3 permit ip 192.168.1.0 255.255.255.0 host 10.101.60.117 (hitcnt=12)
access-list rackcryptoacl; 1 elements
access-list rackcryptoacl line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=69)
access-list digexcryptoacl; 4 elements
access-list digexcryptoacl line 1 permit ip 192.168.1.0 255.255.255.0 host 10.101.60.98 (hitcnt=0)
access-list digexcryptoacl line 2 permit ip 192.168.1.0 255.255.255.0 host 10.101.60.117 (hitcnt=41)
access-list digexcryptoacl line 3 permit ip 192.168.2.0 255.255.255.0 host 10.101.60.98 (hitcnt=0)
access-list digexcryptoacl line 4 permit ip 192.168.2.0 255.255.255.0 host 10.101.60.117 (hitcnt=0)

pixfirewall# show access-group
access-group 100 in interface outside
 
Please modify your static to the following

static (outside,inside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0

And then clear xlate by executing this command "clear xlate global 65.175.63.107"

Hope that helps
 
Hi:

Thank you very much for your time on this. Before I potentially bring down this office's internet :) I just want to try to gain some confidence in what I'm doing.

I would REMOVE the old entry by running:

# no static (inside,outside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0

Then add the entry by running

# static (outside,inside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0

And by clear xlate...What does that do? Will that affect any of my other configurations?

Thank you sooo much!

jeremy
 
Hi:

Have another question, looking at the documentation, I see that there is an optional last parameter to the static command for specifying the max_connections. And in this configuration I see "0 0". Do you think that could have something to do with it?

Thanks!
 
The following should do the trick and it will not affect anything else

no static (inside,outside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0

static (outside,inside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0

clear xlate global 65.175.63.107

Hope that helps
 
Hi: That went through with no errors. But let me ask one final question. How do I save this to make it active? Do I need to run:

# write memory

? Do I need to do anything after that?

Thank you!!!
 
Ok. Well I did the write memory (found more elaborate documentation on what that does).

I'm still not getting through.

Thanks for all your help on this one.

Jeremy
 
Can you post the complete config!
Mask the important information
 
pixfirewall(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service VPNTCP tcp
description VPN TCP CONNECTIONS
port-object eq 500
port-object eq pptp
port-object eq 1701
port-object eq 4500
object-group service VPNUDP udp
description VPN UDP CONN
port-object eq 1723
port-object eq isakmp
port-object eq 1701
port-object eq 4500
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 65.175.63.106 eq pptp
access-list 100 permit gre any host 65.175.63.106
access-list 100 permit tcp any host 65.175.63.107 eq www
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 host 10.101.60.98
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 host 10.101.60.117
access-list rackcryptoacl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list digexcryptoacl permit ip 192.168.1.0 255.255.255.0 host 10.101.60.98
access-list digexcryptoacl permit ip 192.168.1.0 255.255.255.0 host 10.101.60.117
access-list digexcryptoacl permit ip 192.168.2.0 255.255.255.0 host 10.101.60.98
access-list digexcryptoacl permit ip 192.168.2.0 255.255.255.0 host 10.101.60.117
pager lines 24
logging on
logging monitor notifications
logging buffered errors
logging trap notifications
mtu outside 1500
mtu inside 1500
ip address outside 65.175.63.102 255.255.255.0
ip address inside 192.168.1.54 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.1.41 255.255.255.255 inside
pdm location 65.175.63.107 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 65.175.63.109-65.175.63.110
global (outside) 1 65.175.63.108
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.175.63.106 192.168.1.1 netmask 255.255.255.255 0 0
static (outside,inside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 65.175.63.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac
crypto map rackmap 8 ipsec-isakmp
crypto map rackmap 8 match address rackcryptoacl
crypto map rackmap 8 set peer 69.20.124.69
crypto map rackmap 8 set transform-set 3des_md5
crypto map rackmap 9 ipsec-isakmp
crypto map rackmap 9 match address digexcryptoacl
crypto map rackmap 9 set peer 164.109.46.248
crypto map rackmap 9 set transform-set 3des_md5
crypto map rackmap interface outside
isakmp enable outside
isakmp key ******** address 69.20.124.69 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 164.109.46.248 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp log 300
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 3600
telnet 192.168.1.30 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 160
Cryptochecksum:2ffaad23f9ee74d59e9107adfee99c07
: end
[OK]
 
Also, just noted, when I do:

# show global

I only see 108 and 109-110. Would that matter?
 
Your static is in the wrong order.

no static (outside,inside) 65.175.63.107 192.168.1.39

static (inside,outside) 65.175.63.107 192.168.1.39

Do a clear xlate after you removed and readded the static.

Your global statements are in order. But I don't see the use of the 109 and 110 though. 108 is doing PAT and that should be enough.
 
Sorry mate, it looks like I gave you the wrong info. You need to change the static for this IP, so please reverse what you have done:

no static (outside,inside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0
static 65.175.63.107 192.168.1.39
clear xlate global 65.175.63.107
 
Do you know if you have any ACLs on the router that sits in front of this firewall?
 
Horus2, no worries. It makes it easy when Cisco puts the parameters in kind of a reverse order from each other.

I'm not really sure what an ACL is. We have 2 T1 lines that come into a switch, I believe, which then plugs into our PIX. I've called up our service provider and they can "ping" the PIX, just not the additional .107 IP address I inquired about.
 
ACL is access-lists. Sometimes ISPs filter some basic traffic in their routers.

One thing. You said the programmer left the installation. Maybe he didn't apply the access-list to the outside interface.

access-group 100 in interface outside
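The two things this thread ended up checking by hand, whether the `static` interface pair is written the right way round and whether the ACL that permits the mapped address is actually applied on the outside interface, can be checked mechanically. The script below is an added example written for this page; it is not from the thread and not Cisco software. It assumes the PIX 6.3 syntax `static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask m] [max_conns emb_limit]`, treats the bare form without an interface pair as `(inside,outside)` (the PIX 6.x default), and is fed a constructed excerpt of the configuration posted above as it stood after the first, mistaken change. The finding codes and messages are this script's own.

```python
"""Consistency check for an inbound static NAT on a Cisco PIX 6.3 config."""
import ipaddress
import re

# Constructed sample: the lines from the configuration posted in this thread
# that decide whether the 65.175.63.107 -> 192.168.1.39 mapping can work, as
# they stood after the first (mistaken) change to the static. Not a full config.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 65.175.63.106 eq pptp
access-list 100 permit gre any host 65.175.63.106
access-list 100 permit tcp any host 65.175.63.107 eq www
ip address outside 65.175.63.102 255.255.255.0
ip address inside 192.168.1.54 255.255.255.0
static (inside,outside) 65.175.63.106 192.168.1.1 netmask 255.255.255.255 0 0
static (outside,inside) 65.175.63.107 192.168.1.39 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

# static [(real_ifc,mapped_ifc)] mapped_ip real_ip [netmask m] [max_conns emb_limit]
# Without the interface pair PIX 6.x assumes (inside,outside). The trailing
# "0 0" are max_conns and emb_limit; 0 means no limit, so they are not a fault.
STATIC_RE = re.compile(
    r"^static(?: \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\))? "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+)"
    r"(?: netmask (?P<netmask>\S+))?(?: (?P<max_conns>\d+) (?P<emb_limit>\d+))?$"
)
IP_ADDRESS_RE = re.compile(r"^ip address (?P<ifc>\w+) (?P<ip>\S+) (?P<mask>\S+)$")
# Only the "permit PROTO any host DST [eq PORT]" shape matters for this check.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\w+) any host (?P<dst>\S+)"
    r"(?: eq (?P<port>\S+))?$"
)
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<ifc>\w+)$")


def parse_config(text):
    """Collect interfaces, statics, host-permit ACL entries and access-groups."""
    cfg = {"interfaces": {}, "statics": [], "acls": {}, "access_groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IP_ADDRESS_RE.match(line):
            cfg["interfaces"][m["ifc"]] = ipaddress.ip_network(
                f"{m['ip']}/{m['mask']}", strict=False)
        elif m := STATIC_RE.match(line):
            st = m.groupdict()
            if st["real_ifc"] is None:  # bare form: PIX defaults the pair
                st["real_ifc"], st["mapped_ifc"] = "inside", "outside"
            cfg["statics"].append(st)
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m["name"], []).append(m.groupdict())
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["access_groups"][m["ifc"]] = m["acl"]
    return cfg


def check_static_nat(text, mapped_ip):
    """Return (code, message) findings for the static that publishes mapped_ip.

    An empty list means the static's interface pair, its addresses and the
    inbound ACL agree. It says nothing about the server itself or about
    upstream routing, which still have to be checked separately.
    """
    cfg = parse_config(text)
    ifcs = cfg["interfaces"]
    target = ipaddress.ip_address(mapped_ip)
    findings = []

    matches = [s for s in cfg["statics"] if s["mapped_ip"] == mapped_ip]
    if not matches:
        return [("no-static", f"no static translation publishes {mapped_ip}")]
    st = matches[0]
    real_ifc, mapped_ifc = st["real_ifc"], st["mapped_ifc"]
    real_ip = ipaddress.ip_address(st["real_ip"])

    # The mapped address must belong to the mapped interface's subnet and the
    # real address to the real interface's subnet; a public address "mapped"
    # onto inside means the interface pair was written backwards.
    if mapped_ifc in ifcs and target not in ifcs[mapped_ifc]:
        findings.append(("reversed-direction",
                         f"{mapped_ip} is not on {mapped_ifc} ({ifcs[mapped_ifc]}); "
                         f"write static ({mapped_ifc},{real_ifc}) {mapped_ip} {real_ip}"))
    elif real_ifc in ifcs and real_ip not in ifcs[real_ifc]:
        findings.append(("real-ip-wrong-subnet",
                         f"{real_ip} is not on {real_ifc} ({ifcs[real_ifc]})"))

    # Inbound traffic arrives on whichever interface really owns the mapped
    # address, so look up the access-group there rather than trusting the pair.
    facing = next((n for n, net in ifcs.items() if target in net), mapped_ifc)
    acl = cfg["access_groups"].get(facing)
    if acl is None:
        findings.append(("no-access-group", f"no access-group applied in on {facing}"))
    elif not any(e["dst"] == mapped_ip for e in cfg["acls"].get(acl, [])):
        findings.append(("no-acl-permit",
                         f"access-list {acl} has no permit to host {mapped_ip}"))
    return findings


if __name__ == "__main__":
    for ip in ("65.175.63.106", "65.175.63.107"):
        print(ip, check_static_nat(SAMPLE_CONFIG, ip) or "ok")
```

Run against the excerpt, the .106 mapping comes back clean and the .107 mapping is flagged as reversed, with the corrected `static (inside,outside) ...` line in the message; removing the `access-group` line instead produces a `no-access-group` finding, which is the other possibility raised in the thread. Deciding the direction from the interface subnets rather than from the interface names is what makes the check robust to the `(inside,outside)` versus `(outside,inside)` confusion.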
 
Let me just add one thing, which seems kind of odd to me:

On the .39 box, the server I'm trying to connect to, when I ping yahoo, I see something I've never seen before:

[root@arigold thebox]# ping yahoo.com
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
From bwi-serv (192.168.1.1): icmp_seq=1 Redirect Host(New nexthop: 192.168.1.54)
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=54 time=86.1 ms
From bwi-serv (192.168.1.1): icmp_seq=2 Redirect Host(New nexthop: 192.168.1.54)
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=54 time=82.0 ms

--- yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 82.074/84.088/86.103/2.035 ms


Specifically the first line:
From bwi-serv (192.168.1.1): icmp_seq=1 Redirect Host(New nexthop: 192.168.1.54)

That IP is the internal IP of the firewall. If I ping yahoo from any other machine, I get expected response.

Thanks!!
 
Yes, I've added an IP of eth0:1 (192.168.1.38) with 192.168.1.39 being eth0:0
 