Robert,

Your conduit command doesn't look right.  Typically you want to allow any
outside host to access the inside host specified in the conduit.  You can
specify 'any' by using 0.0.0.0 or 0:


conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0

Also, I'm not sure what you're trying to accomplish with those alias commands:

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255

You're telling the PIX to translate dst address 172.20.21.241 to
xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
back to the same inside address?  Typically the internal hosts would just go
directly to the 172.20.21.241 address without having to go through the PIX
in the first place.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert T. Repko (R Squared Consultants)
Sent: Saturday, April 06, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: Cisco PIX question, static, conduit, and alias [7:40722]


I am having a problem getting to the inside Mail/Web servers from the
outside and I can't determine why.

I'm replacing an old Cisco 7000 router with a new 7206 VXR.  I'm also
reconfiguring the way their PIX was set up.  The servers were configured
with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement)
which made them vulnerable.  I am moving them to an inside address and
building a conduit from the outside to the inside.

In order to leave their old network up and running while I configured the
7206VXR, I used my PIX 506 (Ver 5.x) for configuration purposes.  I had
everything configured and working.  Then over the Easter holiday I
configured their PIX trying to use the same statements that I had in my PIX
506.  This is where I ran into problems.  Since they are running such an
old version (Ver 4.1.4) of the IOS I could not use the same exact
commands.  I'm not as familiar with the PIX 4.1.4 commands and obviously
have something stated incorrectly.  Below I have what I believe to be the
pertinent information from both the 7206 and PIX.  Can someone tell me
where I went wrong?  The xxx.yyy represent the same 2 octets throughout
both configs.  Any help greatly appreciated.

Cisco 7206 VXR

interface FastEthernet0/1
  description ** Firewall Connection (inside area)**
  ip address xxx.yyy.115.18 255.255.255.240 secondary
  ip address 172.20.19.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129            !(points to the ISP)
ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17 !(points to the PIX)


Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)

interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
interface 1: ip address inside 172.20.19.4 mask 255.255.255.0

global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13

static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255

conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255

route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
route inside 172.16.0.0 255.255.0.0 172.20.19.3 1

*******************************************************************************
* Robert T. Repko - R Squared Consultants       |    Voice: (610) 253-2849    *
* Serving the Computing World for 20 years      |      Fax: (610) 253-0725    *
* NT/UNIX/MAC Networking, Cisco Routers/Switches| Internet: [EMAIL PROTECTED]  *
* Custom Programming                            |  Address: 4 Juniper Ave.    *
* NJDOE Provider ID#: 763 | SPIN: 143010681     |           Easton, PA 18045  *
*******************************************************************************




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40764&t=40722
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
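
The conduit problem raised in the reply can be checked mechanically. The following is an added example, not part of either message and not Cisco tooling: it pairs each conduit with the static for the same global address and flags conduits whose foreign (permitted source) address is the inside server itself. It assumes the field order shown in the thread; the 192.0.2 prefix is a constructed stand-in for the masked xxx.yyy.115 octets, and the function name and verdict labels are hypothetical.

```python
# Constructed sample: the static and conduit lines from the post, with the
# documentation prefix 192.0.2 replacing the masked xxx.yyy.115 octets.
# The last line is the form suggested in the reply ('0 0' meaning any host).
SAMPLE = """\
static (inside,outside) 192.0.2.172 172.20.18.172 0 255
static (inside,outside) 192.0.2.190 172.20.21.241 0 255
conduit (inside,outside) 192.0.2.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) 192.0.2.172 110 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) 192.0.2.190 80 tcp 172.20.21.241 255.255.255.255
conduit (inside,outside) 192.0.2.172 25 tcp 0 0
"""

ANY_HOST = {"0", "0.0.0.0"}  # both spellings of 'any' named in the reply


def audit_conduits(config):
    """Return (global_ip, port, verdict) for every conduit line.

    Assumed field order, taken from the lines in the thread:
      static  (inside,outside) <global_ip> <local_ip> ...
      conduit (inside,outside) <global_ip> <port> <proto> <foreign_ip> [mask]
    """
    statics, conduits = {}, []
    for line in config.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "static":
            statics[fields[2]] = fields[3]           # global -> inside address
        elif len(fields) >= 6 and fields[0] == "conduit":
            conduits.append((fields[2], int(fields[3]), fields[5]))

    findings = []
    for global_ip, port, foreign in conduits:
        local = statics.get(global_ip)
        if local is None:
            verdict = "no-static"                # nothing to translate to
        elif foreign == local:
            verdict = "foreign-is-inside-host"   # no outside source can match
        elif foreign in ANY_HOST:
            verdict = "any-outside-host"         # the form the reply suggests
        else:
            verdict = "restricted-source"        # limited to one foreign host/net
        findings.append((global_ip, port, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_conduits(SAMPLE):
        print(*finding)
```
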
