PIX of static rules

Hello!

I have a firewall PIX 525 and all is well. Today I had to add a new static rule and is a problem.

I have a Web server on an internal DMZ and I have the static rule to that effect. Now I want to have a static rule to 2 public IP addresses translate to the server on my DMZ (2 public translated into an internal IP address on the DMZ). I could do with some work... just to old sites on the DNS IP I have... but I want to be able to translate other my internal Web server IP.

When I try to configure the new static rule, the said PIX she rides the other...

Can anyone help?

Thank you!

This configuration is not supported on the PIX. You can't have 2 GAL, translating to the same internal address. The most common solution I've seen for this adds another interface (whether via a separate NETWORK card or another address on the same NETWORK card if your operating system allows) on the server and create your static on the PIX as a result.

I hope this helps.

Scott

Tags: Cisco Security

Similar Questions

ASA 5510 - VPN for DMZ with static rule?

I have a 5510 ASA with a number of virtual private networks to other sites, allowing the traffic to and from the Interior of the networks.

I need to establish a VPN rule to another site, but they have very little access to resources on my local network. Because I am not in control of the SAA on this end permanently, I need to control that access on my 5510.

(the following is not my real IP, but I use them for this example)

My network: 10.100.1.x

My DMZ: 192.168.1.x

Internal network of other sites: 172.16.1.x

I wanted to try to create a VPN between the site and the specific address of DMZ on my side and then allow access to internal addresses using static rules. I decided to use a static rule to enable http access to a specific server (for example):

static (inside, dmz) 192.168.1.200 tcp 80 10.100.1.200 80

I need allow traffic here:

access-list permits DMZ_IN tcp host 172.16.1.10 host 192.168.1.200 eq 80

Access-group interface dmz DMZ_IN

And of course, rules of access list which allow traffic that I can apply to the VPN:

toSite host 192.168.1.200 ip access list permit 172.16.1.10

And I don't want that traffic THAT NAT had between my DMZ and the other site:

nonatDMZ of the host 192.168.1.200 ip access list permit 172.16.1.10

NAT (dmz) 0-list of access nonatDMZ

NAT (dmz) 1 0.0.0.0 0.0.0.0

And, of course, the corresponding rules on their ASA must be in place, allowing traffic to 192.168.1.200, not NAT it.

Everything is in place, but 172.16.1.10 to 192.168.1.200 http traffic never reaches 10.100.1.200. I know the following:

1. the VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.

2 packet trace shows me that traffic is allowed.

3. the works of static rule: to access the 192.168.1.200:80 of another host on the same interface, DMZ, which brings me to 10.100.1.200:80

4. in the process of running a sniffer package on 10.100.1.200 shows 172.16.1.10 traffic does not reach it.

So I'm banging my head against the wall here. I'm sure it's something simple I'm missing. Anything else I need to check? Should I go about this a different way?

Thank you.

What you are trying to reach is not supported. You cannot configure NATing between the inside and the demilitarized zone interfaces while your VPN connection is from the external interface. The static NAT (inside the dmz) that you have configured will only work if the connection is initiated from the inside towards the demilitarized zone and vice versa.

I think that what you are trying to reach is only allowing access on TCP/80 to10.100.1.200 for the VPN tunnel.

You must configure your option 1:

1. the VPN is configured correctly. If I add rules allowing traffic to (and from) 172.16.1.10 and 10.100.1.200 directly, they work.

You can configure vpn-filter to limit the traffic to the only TCP/80, and he attributed to group policy that you have assigned to this particular tunnel group then.

Example:

web access list - allow permit tcp host 172.16.1.10 host 10.100.1.200 eq 80

internal group-policy-strategy web

attribute group web-strategy strategy

value of VPN-filter web - allows

global-tunnel-group attributes

Group Policy - by default-web-policy

Here is an example configuration for your reference:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope that helps.

PIX + Rotary static NAT to load balance?

You can load balance of static behind a PIX with nat servers as you can do it on a router cisco (rotating)?

* If Yes, someone at - it had a link to an example?

Hakuna Mete.

Hello Hakuna,

Unfortunately, this is not possible on the PIX. Sorry!

Renault

PIX 501 and pcAnywhere access rules

Hello

I'm having a problem with the implementation of pcANywhere remote access Access 2 servers on the inside network. I created 2 static rules and access lists 2 to start, but I can't get thru to the server. These are the settings

static (inside, outside) 7x.x.x.x 5631 172.16.x.x tcp 5631 255.255.255.255

static (inside, outside) udp 7x.x.x.x 172.16.x.x 5632 5632 255.255.255.255

list of allowed inbound tcp access any host 172.16.x.x eq 5631

list of allowed inbound udp access any host 172.16.x.x eq 5632

Access-group interface incoming outside

Version 6.3 of the PIX using

I also tried access server list terminal server because another method of access, but not go either.

There are no other rules.

Any ideas why this would not work?

TIA

Vince

your external ACL must mention the public IP address of your server:

list of allowed inbound tcp access any host 7x.x.x.x eq 5631

list of allowed inbound udp access any host 7x.x.x.x eq 5632

Cisco SA540 - classic routing problem - 0.0.0.0 in static road

Hello, I am a bit newbie with routing device,

I had several public IP address

I got a Cisco Pix 501and want to replace it with a Cisco SA540

My Wan IP on Pix 501 is 195.68.x.z
My Lan IP on Pix 501 is 62.23.a.b (and 62.23.a.c,...)

My rules Pix 501 translation is: inside the interface. inside: everything: 0.0.0.0. Apart from the interface. same as orginal
My Pix 501 static route: outside | IP address 0.0.0.0. Mask 0.0.0.0. Gateway IP 195.168.x.y | Metric 1

So when a computer with 62.23.a.X want access to the internet the static route he say to throuw the 195.168.x.y of the IP Address of the gateway (as I undestand)

I replicate this config on my SA540

Also, through the Web user interface, I configure the Wan and Lan IP
and then in the routing menu, I check "Classic routing" so I go to the static Menu to add the same route as in my Pix 501, but I can't put 0.0.0.0 in iP address or IP subnet mask.

Can someone help me?

Thank you very much.

Hello

I hope this finds you doing well. Just thought I would add a few things here...

You have probably seen this, but... Here is the link to the page SA500:

https://www.myciscocommunity.com/docs/doc-10526

Yes, when you configure the device as a router, you need to configure routing. Try to remove the routes and the readd.

In addition, a little off topic, but if you want to stay with an ASA5505, there used to be a tool that would turn your PIX configus ASA. I don't remember where this link is now... but it used to fairly simple transition.

After you have configured the routing, since your internal machine, have you tried a trace route? On what device the traceroute fails?

In case you wish to speak to a support representative, here is the link to find the correct number:

http://www.Cisco.com/en/us/support/tsd_cisco_small_business_support_center_contacts.html

HTH,

Andrew Lee Lissitz

Configuration of static translation "inverted".

I am trying to configure a PIX with static translation "inverted".

If I understand correctly, with conventional static translation if I want my host (10.10.10.10) inside to be 'visible' on the external interface like 192.168.5.5), would be my config: -.

public static 192.168.5.5 (Interior, exterior) 10.10.10.10 netmask 255.255.255.255

However, I have an external host (203.203.203.203) I want to be 'visible' inside interface as 10.10.11.11. I would have thought the config would be: -.

public static 10.10.11.11 (exterior, Interior) 203.203.203.203...

but it does not work. Is this possible and if so, how?

Thanks to advnance.

Jon

FYI, here is a good URL.

http://www.Cisco.com/warp/public/707/28.html#topic12

AAA authentication for external router through PIX 515

I have been in vain, to get the authentication AAA works to my external router, through the PIX.

When I connect the router directly within that network (bypassing the PIX) AAA works fine, so I know the configuration of the AAA works between the router and the ACS server.

Initially, I got the PIX configured with a static map between a global external address 192.x.x.12 and a 10.200.1.187 for the ACS server local address, but that didn't work either. So, currently I am using NAT exemption for the ACS server, but it does not work either.

If I activate the debug on the PIX package, I see the ACS authentication request and response between the router and GBA when I try to connect to the router, but it is not successful. After the three way TCP handshake, the router repeats it is last receipt, and then the ACS asked an RST.

The attached diagram shows the simple connection that I'm trying to create.

The configuration of the PIX is also attached. (too large messages size):

Thanks in advance for your help. I tried EAC for two days and have not found solutions that look like this.

Ron Buchalski

What to do is:

1 PIX:

-static map the ACS/GANYMEDE to a public IP address

static (inside, outside) x.x.x.10 10.1.1.25 netmask 255.255.255.255

-otherwise, if you have enough public IP, use the port forwarding for card IP ACS to PIX outside IP of the interface, IE x.x.x.2, via a specific TCP 49:

public static tcp (indoor, outdoor) interface 49 10.1.1.25 49 netmask 255.255.255.255

* allow ACS talk to external router via public IP

Create/add entry for ACL applied to the outside interface to allow the GANYMEDE Protocol + switch router external to the ACS:

access outside permit tcp host XXX1 host x.x.x.10 eq 49 list (Ganymede + use tcp 49)

outside access-group in external interface

* x.x.x.1 = outside the router

2 ACS

-Add the outside router IP (FastEthernet face PIX outside interface) interface as a client of the AAA

-Making of course secret key is identical at ACS and router

3. the outside router

-Add the ACS as radius-server using its IP public, as mapped in PIX which is x.x.x.10.

-check the key AAA statement is accurate.

The test without saving the config is outside the router. Save ok once confirmed.

I have similar facility before, and it worked very well.

Pls note all useful message (s)

AK

Optimization of the rules

Hello
I want to know ways to optimize the modules. Can someone list on optimization techniques? Those can really fast substantially determination? Thank you

.. and if I can close the loop on what this has to do with optimizing the performance. This is my opinion.

I think that when Jasmine says that the rule is a rule of 'BAD', (be careful not to speak too loudly for him) she means not only from a point of view maintenance rule.

First, the engine optimizes the path until the OPA don't just use every bit of data 'seeds' and create a static rule execution plan.

Consider that when you give enough forced a SQL statement in the where clause, a query may return several responses and poor performance. OPA, however, can still make a unique determination given incomplete sets attributes of database (unknowns and might.) OPA may provide explanations that include what basic attributes must always be provided (OPA has a forward and backward chaining). In short, the OPA may use only a small set of basic data to determine a result, even if OPA Gets a lot of seed data. In this respect, the internal dev team Oracle OPA provides optimization performance and optimizations to the engine itself to a path of optimal execution. This way can and will change dynamically.

Traditionally, tuning execution path is what .net/java developers worry about and most often is the prospect that developers pull then ask questions about optimizing the performance of OPA. So my reply may seem unsatisfactory to anyone who does not participate in effective policies of the organization.

As a second review, OPA has strengths in optimization, modeling and optimization of the policy itself, which rarely concern of the developer. Were necessary intermediate decisions by the company and OPA said these determinations were while they were not (perhaps due to a bad mix of procedural rules / background)? Can reduce what is necessary for improved or new political determination or remove the dependencies of base?

So, if politics is already optimized, then OPA will not be be slower than any other method of execution that requires the same information, but probably much, much faster. So I think that Brad question above...

A developer usually should not change the policy, but policy changes can have the most impact on performance for the end user and the business. Jasmine guidelines provide something of a foundation on the writing of strategy using proven methods of political organization / readability. This provides visibility into changes policies to non-developers. Thus, when you create policy documents, we (or at least I) follow the guidelines, devote an extra effort to exploit the isomorphism of the OPA and make political visible to policy work.

It's observation, and I speak in generalizations. (Once the policy is well written, btw, if I have a problem which is not now obvious, so I just call the engine for the intermediate attributes know where my problem lies - that I should have for test cases in Excel and/or SoapUI.) Be careful, however, as the need for optimization of performance may indicate really need something else entirely...) If the answer is still not satisfactory, although I hope not, is there a policy statement of example and source documents that can be provided to get advice on the setting? -I would recommend starting a new thread in the forum for this.

ASA5520

8.0 (4)

asdm615

VPN and lisens

Inside access list - checks only connections from inside DMZ or outside interfaces.

Abd do not work for traffic going from the outside ot dmz.

for example host located in inside:

only 1 rule in acl located inside the int.

license to host 10.1.1.1 209.1.1.200 3389

Telnet 209.1.1.200 4899

refused by the host remoute or unreacheble.

Telnet 209.1.1.200 3389

Open...

-----------------------------------

That's ok.

is also NAT static rule from inside to outside is-

= 10.1.1.1 to 209.1.1.1 =-

but host located outside

Telnet 209.1.1.1 3389

Open...

Telnet 209.1.1.1 4899

Open...

------------------------------------

It isn't okay! because there no rule which allows this session from the outside to the inside.

I see matches only to access list on the external interface.

to close the licencons inside what can I do?

changing exept allow a whole on the external interface ip access list?

Ive read this:

1. package SYN TCP has arrived to the PIX firewall to establish a new connection.

2 PIX Firewall verifies the access control list (ACL) of database to determine if the connection is allowed.

3 PIX Firewall creates an entry in the connection database (tables XLATE and CONN).

4 PIX Firewall checks the database of Inspections to determine if the connection requires application level inspection.

5 the inspection function application of all the operations required for the package, the PIX firewall passes the packet to the destination system.

6 the destination system responds to the initial request.

7 PIX Firewall receives the response packet, lift the connection to the database connection, and passes the packet because it belongs to an established session.

from: http://www.cisco.com/en/US/docs/security/pix/pix62/configuration/guide/fixup.html

is this means that if permitted on 1 acl package, will be allowed on all the othaer acl?

Valery,

I think you are missing the part "statefull-ness" of a firewall. When you have an ACL that is applied to an interface and a initiates a connection behind this interface, if the ACL permits then a connection is created. Return traffic for the connection that comes from outside will not be considered against the external interface ACL because we already have existing connections for this.

Now, if you want to block people on the outside to come to your home (connections initiated from the outside) you need an ACL on the outside. Inside of the ACL are not on arrival (outside the launched) connections. So to block foreigners from getting to port 3389 you block on the external interface. I'd suggest a 'decline' for traffic destined to internal hosts on ports that you want to block a whole if above your license you do not want to block more than that.

The rate of useful messages.

PK

failure of the regular creation of translation for the protocol 50

Hello

I get the following error message when you try to connect a vpn client via an ASA5505 with an ipsec already configured a connection site to site AES/256:

failed to create regular translation for protocol 50 src:inside:192.168.1.167

DST: Outside:XX.xxx.x.64

The address of a site isn't relevant, I don't mean to pass traffic to the site to site, but rather to create a new virtual private network from inside the customer external VPN outside which is not under my control.

The client is able to create a connection, but no traffic is passed, when I try to ping / rdp, the message above is returned to me.

If I add the static rule (indoor, outdoor) interface 192.168.1.167 netmask 255.255.255.255 then it works, everything works, but ONLY from this computer.

Been Googling for hours, but no result yet.

Hope someone can shed some light on my questions.

Thank you

\\mark

Hi, as the client away from end running the VPN server to turn on NAT - T, if they have a PIX / ASA have then add isakmp nat-traversal crypto 20 just as you do not have in your.

Concerning

Policy nat for L2L and external access

Hello

I'm running into an interesting question with a 506th PIX 6.3 (4)

I created a VPN with our central location and implemented a policy nat on the 506th NAT their local 192.168.1.0/24 IPs to 10.200.25.0/24. This NATing works very well except for servers that also provide a static external IP address. I made a few captures of packets and traffic is crossing the VPN as expected and what actually at the remote end, but the answers are nat would be on the 'outside' ip of the host instead of the NAT. political I can ping other hosts on the remote network very well from the central location, not just those who have a static external IP address.

Example:

10.10.7.1 is my central site and try to ping a server with an IP address of 10.200.25.11 through the VPN. The traffic leaves the site central, is encrypted and delivered the firewall remotely. The firewall remotely translated 10.200.25.11-> 192.168.1.11 (the REAL Server IP) and delivers the package and the server responds, but answers are nat would be its public ip address of 75.X.X.X instead of 10.200.25.11.

Any thoughs on how I can work around this problem?

Here are the relevant config:

permit for line of policy-nat access-list 1 ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

allowed for access policy-nat-list line 2 ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

allowed for line of policy-nat to access list 3 ip 192.168.1.0 255.255.255.0 10.10.7.0 255.255.255.0

list of access vpn-sheep allowed ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

list of access vpn-sheep allowed ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0

list of access vpn-sheep allowed ip 192.168.1.0 255.255.255.0 10.100.11.0 255.255.255.0

NAT (inside) 0-list of access vpn-sheep

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Global 1 interface (outside)

public static 75.x.x.x (indoor, outdoor) 192.168.1.11 netmask 255.255.255.255 0 0

public static 10.200.25.0 (inside, outside) - list of access policy-nat 0 0

Try to rearrange your static rules:

Do the static strategy, the first to be read by the pix

public static 10.200.25.0 (inside, outside) - list of access policy-nat 0 0

public static 75.x.x.x (indoor, outdoor) 192.168.1.11 netmask 255.255.255.255 0 0

See how it goes

VPN site to site as a backup

Wondering if anyone has any suggestions for a configuration that I'm trying to go there.

What I have is a Colo data center that is connected to multiple sites via MPLS. Internet access is through the camp from all sites. In case of failure of the MPLS, I'm trying make a future automated VPN that would connect a router, Adtran with a Verizon Wireless Card inside. I have the VPN upward and that works. This is the piece of automation that I try to understand. Thus, currently, the Pix has static routes that point to the MPLS router for all sites. Everything else uses the router MPLS as a GTS and then the GTS for the SPLM is the Pix.

If there is a failure the VPN will return but then there are the roads on the Pix that will push just to the SPLM. The supplier is said to superiors to see metric for the static back for the SPLM, but higher than what? When the VPN rises it is not really of routes there to push the traffic through the VPN.

Thought I had was that, given that the MPLS router managed at camp is a router Cisco to have redistribute it provider BGP route back to EIGRP which the Pix could pick up. Failure, once EIGRP has been updated there is no route to the SPLM and everything would just route on the GTS which would be the Pix.

Anyone dones something like that before that might have some ideas?

Thank you

A simple delay sensitive solution will be IP SLA in the PIX / ASA. When the SiteA MPLS interface is inaccessible,

a static route in the PIX / ASA pointing in the tunnel VPN is enabled. When the MPLS interface becomes available,

Then, the road is removed.

HTH >

Andrew.

L to L passing tunnel concentrator 3000 to ASA 5510

Hello

I'm looking in to Lan VPN configuration tunnel the Cisco VPN 3000 to ASA 5510 concentrator Lan. I noticed that this particular configuration has NAT enabled in the hub (Config-online policy management of-online traffic Mgmt-online NAT-online L to L rules)... There are 2 servers NATted to 192.168.1.1 et.2 addresses, so I need to do the same in ASA. Should what steps I take to reach the same configuration in SAA? Is it possible through SDM?

Thank you

Forman

In ASDM-online-online NAT rules configuration, I can create static rule inside indoor int interface and then create the tunnel using 'translated the address' or 'translated network' local area network in the VPN configuration. Is this right?

That is right.

You should NAT the VPN traffic and set the VPN traffic from the translated addresses.

Federico.

Access DMZ, internal

I use a PIX 506 6.1 (1) with such a DMZ. It's our first DMZ and I need assistance to access to the web server in the DMZ. We use a 172.16.0.0 subnet for the demilitarized zone and a 192.168.40.0 internal subnet. In 12.19.xxx.xx public subnet address. I added the following to the Web server on the PIX:

static (dmz, external) 12.19.xxx.xx 172.16.0.21 netmask 255.255.255.255 0 0

Global (dmz) 1 172.16.0.100 - 172.16.0.110

NAT (dmz) 1 172.16.0.0 255.255.255.0

I need to access the Web server in the DMZ to the 192.168.40.0 subnet.

What Miss me? Thank you

This access list do anything?

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.1.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 200.171.173.178

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.5.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 64.219.15.121

192.168.31.0 IP Access-list sheep 255.255.255.0 allow 10.0.5.0 255.255.255.0

192.168.31.0 IP Access-list sheep 255.255.255.0 allow host 64.219.15.121

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.3.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 148.233.144.17

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.4.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 148.235.11.101

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.7.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 66.136.190.89

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.6.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 64.22.205.74

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.0.0 255.255.255.0

I think that's the problem.

You should use something like that;

sheep 192.168.40.0 ip access-list allow 255.255.255.0 172.16.0.0 255.255.255.0

This should take from your home to your dmz.

even host multiple NATs

hub 3030... I have a local host that needs to access the L2L multiple tunnels with different requirements of NAT:

I currently have that configured NAT...

source destination of 134.x.x.x/32 the NAT static 10.1.1.1/32 ANY

I need to configure the NAT...

source 10.1.1.1/32 static NAT 10.99.17.x/32 destination 32.x.x.x/32

Is this possible? I tried and I get "Source and the address of the remote network.

conflict with an existing rule. The source or the address of the remote network

must be changed. " This is the conflict because of the destination of ANY pre-existing rule?

I thought that, since the destination of the rule I have to add is more specific than that

should work.

Thanks for your help, Anne

Hi Anne,.

Yes the conflict error that we see is due to the pre-existing State OF destination. Ideally, we need to have more specific static instructions in static rules to have several nat for the same source. So I would say that we find out the list of remote networks for which we need the 1 translation (134.x.x.x/32) and apply the static rule (may need more than 1 static rule if several remote subnets are the case), and similarly a plus for the new static we are looking (for the 32.x.x.x/32 destination).

Now on some of the other safety devices, we have a work around for our scenario, but I do not know if the version of the software running on your hub it would support.

Try to remove the static rule to all (1st statement) and then apply the new rule first (to 32.x.x.x/32). After that, apply the original static rule (destination at all). The idea is to have more State static speific first, and then the General static (all) the rule for the rest of the destinations. I suggest you try this in a maintenance window to avoid any impact on users.

Let me know if that helps...

See you soon,.

Christian V

PIX of static rules

Similar Questions

Maybe you are looking for