Thread: PIX Firewall 6.3 Static problem

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    2

    PIX Firewall 6.3 Static problem

    Hello,
    I have one PIX that I need to use to give outside access to one of our servers.
    I'm trying to place it under public IP 10.23.125.187, but I can't.
    Any help would be appreciated.

    As I said, the public IP address is 10.23.125.187, the IP address of the server on the LAN is 192.168.10.123, and I'm using the ACL static-timbuktu-rip to allow the traffic.

    The config file is the following:
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ********** encrypted
    passwd ********* encrypted
    hostname pixfirewall
    domain-name labicer.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.10.11 mvxapp
    name 194.98.151.186 intentia-fw
    name 194.103.23.5 intentia-host
    access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 any
    access-list inside_access_in permit ip 192.168.20.0 255.255.255.0 any
    access-list inside_access_in permit ip 192.168.40.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.40.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list outside_cryptomap_100 permit ip host mvxapp host 10.23.125.185
    access-list acl_intentia_ipsec permit ip 10.23.125.184 255.255.255.248 host intentia-host
    access-list static-intentia-srv1 permit ip host mvxapp host intentia-host
    access-list static-intentia-srv2 permit ip host 192.168.10.12 host intentia-host
    access-list nat-intentia-srv1 permit ip host mvxapp host intentia-host
    access-list nat-intentia-srv2 permit ip host 192.168.10.12 host intentia-host
    access-list split-labicer-admin permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list split-labicer-admin permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list acl_valorceram_ipsec permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list acl_valorceram_ipsec permit ip 192.168.40.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list static-timbuktu-rip permit ip host 192.168.10.123 host 10.23.125.187
    no pager
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 81.193.121.53 255.255.255.248
    ip address inside 192.168.10.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN_Pool 192.168.10.120-192.168.10.130
    pdm location 192.168.10.5 255.255.255.255 inside
    pdm location 192.168.10.0 255.255.255.0 outside
    pdm location 81.193.123.148 255.255.255.255 outside
    pdm location 192.168.10.0 255.255.255.255 inside
    pdm location 10.0.0.1 255.255.255.255 outside
    pdm location 194.98.151.185 255.255.255.255 outside
    pdm location mvxapp 255.255.255.255 inside
    pdm location 10.23.125.185 255.255.255.255 outside
    pdm location 194.98.151.185 255.255.255.255 inside
    pdm location 83.211.137.82 255.255.255.255 outside
    pdm location 192.168.10.38 255.255.255.255 inside
    pdm location 213.30.87.246 255.255.255.255 outside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 5 10.23.125.185
    global (outside) 6 10.23.125.186
    global (outside) 10 interface
    global (outside) 7 10.23.125.187
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 5 access-list nat-intentia-srv1 0 0
    nat (inside) 6 access-list nat-intentia-srv2 0 0
    nat (inside) 10 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) 10.23.125.185 access-list static-intentia-srv1 0 0
    static (inside,outside) 10.23.125.186 access-list static-intentia-srv2 0 0
    static (inside,outside) 10.23.125.187 access-list static-timbuktu-rip 0 0
    access-group inside_access_in in interface inside
    conduit permit tcp host 10.23.125.187 eq telnet any
    route outside 0.0.0.0 0.0.0.0 81.193.121.54 1
    route inside 192.168.20.0 255.255.255.0 192.168.10.251 1
    route inside 192.168.40.0 255.255.255.0 192.168.10.253 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 192.168.10.5 29i3ud38d7ged timeout 5
    http server enable
    http 192.168.10.5 255.255.255.255 inside
    http 192.168.10.14 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set ts-intentia esp-3des esp-md5-hmac
    crypto ipsec transform-set ts-labicer-it esp-3des esp-md5-hmac
    crypto ipsec transform-set ts-labicer esp-3des esp-md5-hmac
    crypto ipsec transform-set ts-labicer-valorceram esp-3des esp-md5-hmac
    crypto dynamic-map vpn_cli_dyn_map 30 set transform-set ts-labicer
    crypto map cm-labicer 5 ipsec-isakmp
    crypto map cm-labicer 5 set peer 62.94.188.18
    crypto map cm-labicer 5 set transform-set ts-labicer-it
    ! Incomplete
    crypto map cm-labicer 10 ipsec-isakmp
    crypto map cm-labicer 10 match address acl_intentia_ipsec
    crypto map cm-labicer 10 set peer intentia-fw
    crypto map cm-labicer 10 set transform-set ts-intentia
    crypto map cm-labicer 15 ipsec-isakmp
    crypto map cm-labicer 15 match address acl_valorceram_ipsec
    crypto map cm-labicer 15 set peer 213.13.121.81
    crypto map cm-labicer 15 set transform-set ts-labicer-valorceram
    crypto map cm-labicer 20 ipsec-isakmp dynamic vpn_cli_dyn_map
    crypto map cm-labicer client configuration address initiate
    crypto map cm-labicer client configuration address respond
    crypto map cm-labicer interface outside
    isakmp enable outside
    isakmp key ******** address intentia-fw netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 62.94.188.18 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 213.13.121.81 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp nat-traversal 20
    isakmp policy 5 authentication pre-share
    isakmp policy 5 encryption 3des
    isakmp policy 5 hash md5
    isakmp policy 5 group 2
    isakmp policy 5 lifetime 1000
    isakmp policy 15 authentication pre-share
    isakmp policy 15 encryption 3des
    isakmp policy 15 hash md5
    isakmp policy 15 group 2
    isakmp policy 15 lifetime 86400
    vpngroup labicer-keyks address-pool VPN_Pool
    vpngroup labicer-keyks dns-server 192.168.10.5
    vpngroup labicer-keyks default-domain labicer.local
    vpngroup labicer-keyks idle-time 1800
    vpngroup labicer-keyks password ********
    vpngroup labicer-admin address-pool VPN_Pool
    vpngroup labicer-admin dns-server 192.168.10.5
    vpngroup labicer-admin default-domain labicer.local
    vpngroup labicer-admin split-tunnel split-labicer-admin
    vpngroup labicer-admin idle-time 1800
    vpngroup labicer-admin password ********
    telnet 213.30.87.246 255.255.255.255 outside
    telnet 192.168.10.0 255.255.255.0 outside
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 15
    ssh 213.30.87.246 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    vpdn group labicer.com accept dialin pptp
    vpdn group labicer.com ppp authentication mschap
    vpdn group labicer.com ppp encryption mppe 40 required
    vpdn group labicer.com client configuration address local VPN_Pool
    vpdn group labicer.com pptp echo 60
    vpdn group labicer.com client authentication local
    vpdn username vceram password *********
    vpdn enable outside
    username admin password ************ encrypted privilege 15
    vpnclient mode client-mode
    terminal width 80
    Cryptochecksum:3afd237a8357370f7c8e7090edcc9b54
    : end

    Many thanks
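
Before changing anything on the box, a reviewer would want to see the address-translation facts that are visible in the posted config side by side: which mapped addresses appear in both a global pool and a static, which global ids have no nat statement with the same id, whether the real address behind a static also falls inside the VPN address pool, and which conduit lines still open services from any source. The script below is an added example, not the poster's configuration or Cisco tooling; the PIX_CONFIG string is a constructed excerpt of the lines quoted in the post, and the function and regex names are my own. It only reports what the lines say and does not diagnose which of the findings, if any, blocks the translation.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3(3) configuration posted in the thread:
# only the address-translation, VPN-pool and conduit lines that the checks
# below look at. It is not a complete or loadable firewall configuration.
PIX_CONFIG = """\
ip local pool VPN_Pool 192.168.10.120-192.168.10.130
global (outside) 5 10.23.125.185
global (outside) 6 10.23.125.186
global (outside) 10 interface
global (outside) 7 10.23.125.187
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 5 access-list nat-intentia-srv1 0 0
nat (inside) 6 access-list nat-intentia-srv2 0 0
nat (inside) 10 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 10.23.125.185 access-list static-intentia-srv1 0 0
static (inside,outside) 10.23.125.186 access-list static-intentia-srv2 0 0
static (inside,outside) 10.23.125.187 access-list static-timbuktu-rip 0 0
access-list static-timbuktu-rip permit ip host 192.168.10.123 host 10.23.125.187
conduit permit tcp host 10.23.125.187 eq telnet any
"""

# Patterns for the PIX 6.x statement forms used in the post (hypothetical
# helper names; the regexes cover only these forms, not the full syntax).
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)")
ACL_HOST_RE = re.compile(r"access-list (\S+) permit ip host (\S+) host (\S+)")
CONDUIT_RE = re.compile(r"conduit permit (\S+) host (\S+) eq (\S+) any")


def parse_config(text):
    """Pull the translation-related statements out of a PIX 6.x config."""
    cfg = {"globals": {}, "nat_ids": set(), "statics": [],
           "pools": {}, "acls": {}, "conduits": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            cfg["globals"].setdefault(int(m[2]), []).append(m[3])
        elif m := NAT_RE.match(line):
            cfg["nat_ids"].add(int(m[2]))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"mapped": m[3], "acl": m[4]})
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]),
                                  ipaddress.ip_address(m[3]))
        elif m := ACL_HOST_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3]))
        elif m := CONDUIT_RE.match(line):
            cfg["conduits"].append((m[1], m[2], m[3]))
    return cfg


def find_issues(cfg):
    """Report overlaps and orphans; each finding is traceable to one or two lines."""
    issues = []
    # A mapped address that is both a dynamic global pool and a static mapping.
    global_owner = {addr: gid for gid, addrs in cfg["globals"].items() for addr in addrs}
    for st in cfg["statics"]:
        gid = global_owner.get(st["mapped"])
        if gid is not None:
            issues.append(f"static mapped address {st['mapped']} is also the address "
                          f"of global (outside) {gid}")
    # A global id that no nat statement refers to is never used for translation.
    for gid in sorted(cfg["globals"]):
        if gid not in cfg["nat_ids"]:
            issues.append(f"global (outside) {gid} has no nat statement with the same id")
    # The real (inside) host of a static that sits inside a VPN client pool.
    for st in cfg["statics"]:
        for real, _mapped in cfg["acls"].get(st["acl"], []):
            ip = ipaddress.ip_address(real)
            for name, (lo, hi) in cfg["pools"].items():
                if lo <= ip <= hi:
                    issues.append(f"real address {real} behind static {st['mapped']} "
                                  f"lies inside ip local pool {name} ({lo}-{hi})")
    # Conduits are the pre-access-list way of opening inbound traffic.
    for proto, host, port in cfg["conduits"]:
        issues.append(f"conduit opens {proto}/{port} on {host} from any source; "
                      f"conduits are deprecated on 6.3 in favour of access-list "
                      f"plus access-group on the outside interface")
    return issues


def check_pix_config(text):
    return find_issues(parse_config(text))


if __name__ == "__main__":
    for issue in check_pix_config(PIX_CONFIG):
        print("-", issue)
```

Run against the excerpt it lists six findings: the three static mapped addresses (.185, .186, .187) each coincide with a global pool address, global id 7 has no nat 7, the server 192.168.10.123 sits inside VPN_Pool (192.168.10.120-192.168.10.130), and the telnet conduit. Pasting the full running config into PIX_CONFIG works the same way, since lines the regexes do not recognise are ignored.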

  2. #2
    Junior Member
    Join Date
    Jun 2007
    Posts
    2
    bump!
