Here is the whole config file from the PIX, with a couple of IPs removed, and the info
from the PIX help screen about the static NAT.

Thanks for looking at it.

Kevin

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname pfw
domain-name xxxx.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host aaa.bbb.ccc.ddd eq smtp
access-list 101 permit ip host 172.16.1.60 172.16.0.0 255.255.0.0
access-list 101 permit ip host 172.16.1.61 172.16.0.0 255.255.0.0
pager lines 20
logging on
logging timestamp
logging monitor errors
logging buffered debugging
logging trap warnings
logging history warnings
logging host inside 172.16.1.28
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside aaa.bbb.ccc.ddd 255.255.255.252
ip address inside 192.168.20.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 172.16.1.21 smtp netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 209.162.228.161 1
route inside 142.142.0.0 255.255.255.128 192.168.20.1 1
route inside 172.16.0.0 255.255.0.0 192.168.20.1 1
route inside 192.168.3.0 255.255.255.0 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community nss
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset3 ah-sha-hmac esp-3des esp-sha-hmac
crypto map mymaptwo 30 ipsec-manual
crypto map mymaptwo 30 match address 101
telnet 172.16.0.0 255.255.0.0 inside
telnet 172.16.1.2 255.255.255.255 inside
telnet 172.16.0.0 255.255.255.255 inside
telnet 142.142.0.0 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.255 inside
telnet timeout 30
ssh aaa.bbb.ccc.ddd 255.255.255.255 outside
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 15
terminal width 80
Cryptochecksum:3b43315e0ac7c28881303a3218482312
: end
[OK]

Here is the help bit:


pixfirewall(config)# static
usage: [no] static [(internal_if_name, external_if_name)]
                {|interface}  [netmask ]
                [ [ []]]
        [no] static [(internal_if_name, external_if_name)] {tcp|udp}
                {|interface} 
                  [netmask ]
                [ [ []]]



Patrick Ramsey wrote:

> uh oh... I'm not so sure I want to upgrade then...
>
> why on earth would it force you to select a port?  what if you had one
> machine that offered 20 services?  Would that mean you have to have 20
> static mappings per server?  sheeesh....that seems like a pain in the rump.
>
> -Patrick
>
> >>> "Kevin McIntyre"  08/08/01 07:01PM >>>
> I am using Pix software ver 6.0(1) and it won't allow me to not specify a
> port.  I seem
> to be forced into specifying the smtp in the command line.
>
> It did sound like a good idea though.
>
> Kevin
>
> Patrick Ramsey wrote:
>
> > try doing a normal static mapping, then use ACLs to allow smtp traffic
> > through, i.e.:
> >
> > static (inside,outside) 192.168.250.16 10.2.48.50 netmask 255.255.255.255 0 0
> >
> > -Patrick
> >
> > >>> "Kevin McIntyre"  08/07/01 06:12PM >>>
> > I have the following line in a PIX 506 for static NAT to an inside
> > server.
> >
> > static (inside,outside) tcp interface smtp 172.16.1.21 smtp netmask 255.255.255.255 0 0
> >
> > When the PIX is started this will work for a short period of time and
> > then will stop answering connections on port 25 at all.  The log on
> > the server that it actually connects to says an unsuccessful attempt was
> > made to connect, but it won't accept messages.
> >
> > When I try to send mail using the server from inside the PIX, directly
> > to 172.16.1.21, the server itself is running fine.
> >
> > There is a 3640 router between the pix and the smtp server both with
> > static routes.
> >
> > Any ideas?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15408&t=15169
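Below is an added example, not part of the thread or of Cisco's tooling: a small Python checker that reads a PIX 6.x style config and cross-checks the `static` translations against the ACL bound inbound on the outside interface, which is the relationship Patrick's "normal static plus ACL" suggestion and Kevin's port-redirect static both depend on. It also flags the two oddities visible in the posted config: `telnet` lines with a host mask on a network address, and a short SNMP community. The embedded config is a constructed excerpt modelled on the one posted above; the public addresses are RFC 5737 placeholders standing in for the redacted aaa.bbb.ccc.ddd, and the extra 192.0.2.x statics and permits are made up to exercise the checks.

```python
"""Cross-check PIX 6.x static translations against the outside ACL (added example)."""
import ipaddress

# Constructed excerpt modelled on the config posted above; addresses are placeholders.
SAMPLE_CONFIG = """\
ip address outside 192.0.2.2 255.255.255.252
ip address inside 192.168.20.2 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 192.0.2.2 eq smtp
access-list 100 permit tcp any host 192.0.2.3 eq smtp
access-list 100 permit tcp any host 192.0.2.9 eq www
static (inside,outside) tcp interface smtp 172.16.1.21 smtp netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.3 10.2.48.50 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.4 10.2.48.51 netmask 255.255.255.255 0 0
access-group 100 in interface outside
telnet 172.16.0.0 255.255.0.0 inside
telnet 172.16.0.0 255.255.255.255 inside
telnet timeout 30
snmp-server community nss
"""

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "ftp": 21, "ssh": 22,
              "telnet": 23, "domain": 53, "https": 443, "pop3": 110}


def port_number(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_addr(t, i):
    """ACL address spec at t[i]: 'any' | 'host A' | 'A MASK'. Returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    cfg = {"if_ip": {}, "acl": {}, "group": {}, "static": [], "mgmt": [], "snmp": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:                    # ip address IF ADDR MASK
            cfg["if_ip"][t[2]] = t[3]
        elif t[0] == "access-list" and t[2] == "permit":  # access-list ID permit PROTO SRC DST [eq PORT]
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            port = port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acl"].setdefault(t[1], []).append((t[3], src, dst, port))
        elif t[0] == "access-group":                      # access-group ID in interface IF
            cfg["group"][t[4]] = t[1]
        elif t[0] == "static":                            # static (IN,OUT) [tcp|udp] GIP [GPORT] LIP [LPORT] netmask ...
            inside_if, outside_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):                    # port redirect form
                cfg["static"].append((outside_if, t[2], t[3], port_number(t[4]), t[5]))
            else:                                         # one-to-one form
                cfg["static"].append((outside_if, None, t[2], None, t[3]))
        elif t[0] in ("telnet", "ssh") and len(t) == 4:   # telnet|ssh ADDR MASK IF
            cfg["mgmt"].append(tuple(t))
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append(t[2])
    return cfg


def acl_permits(entries, proto, addr, port):
    """True when a permit entry covers proto/addr/port (an entry without 'eq' covers every port)."""
    return any(p in (proto, "ip") and addr in dst and eq in (None, port)
               for p, _, dst, eq in entries)


def audit(cfg):
    findings, outside_ifs, exposed = [], set(), set()
    for outside_if, proto, gip, gport, lip in cfg["static"]:
        outside_ifs.add(outside_if)
        # the 'interface' keyword means the outside interface's own address
        gaddr = ipaddress.ip_address(cfg["if_ip"][outside_if] if gip == "interface" else gip)
        exposed.add(gaddr)
        acl_id = cfg["group"].get(outside_if)
        entries = cfg["acl"].get(acl_id, [])
        if proto is None:
            # one-to-one static: what is reachable is exactly what the inbound ACL opens to gaddr
            opened = [(p, eq) for p, _, dst, eq in entries if p != "icmp" and gaddr in dst]
            if not opened:
                findings.append(f"static {gaddr}->{lip}: no tcp/udp permit in ACL {acl_id} reaches it")
        elif not acl_permits(entries, proto, gaddr, gport):
            findings.append(f"static {proto}/{gport} {gaddr}->{lip}: not permitted by ACL {acl_id} on {outside_if}")
    # permits aimed at a single outside host that nothing translates: dead or mistyped rule
    for outside_if in outside_ifs:
        for p, _, dst, eq in cfg["acl"].get(cfg["group"].get(outside_if), []):
            if p != "icmp" and dst.prefixlen == 32 and dst.network_address not in exposed:
                findings.append(f"ACL permit {p}/{eq} to {dst.network_address}: no static translates this address")
    for kind, ip, mask, iface in cfg["mgmt"]:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen == 32 and ip.endswith(".0"):
            findings.append(f"{kind} {ip} {mask} {iface}: host mask on a network address matches only {ip}")
        note = f"telnet on {iface}: cleartext management, prefer ssh"
        if kind == "telnet" and note not in findings:
            findings.append(note)
    for comm in cfg["snmp"]:
        if len(comm) < 8 or comm in ("public", "private"):
            findings.append(f"snmp community '{comm}': short/default; v1/v2c communities travel in cleartext")
    return findings


def audit_text(text):
    return audit(parse_config(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONFIG):
        print(f)
```

Run it as-is and the port-redirect static for smtp and the one-to-one static for 192.0.2.3 come out clean, because ACL 100 permits tcp/25 to each global address; the 192.0.2.4 static is reported as unreachable from outside, and the permit for 192.0.2.9 is reported as having no translation behind it. The parser only understands the handful of line types the posted config uses, so extend `parse_config` before pointing it at anything larger.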