If you are using dynamic NAT/PAT, connections from the outside can't be
initiated.
If you need the outside world to contact your server/host behind this PIX,
make sure that you have static NAT configured and an access-list or conduit
that will allow the port for that application.
Static NAT is used for a permanent two-way translation.

static (inside,outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255

10.1.1.35 is the real IP address of the FTP server.
192.168.1.35 is how the outside world sees this FTP server (the example would
probably be clearer if they used a public IP address instead).

Using nat, global, static, conduit, and access-list Commands and Port
Redirection on PIX
http://www.cisco.com/warp/public/707/28.html

Make sure that you understand how, when and why the static command is used on
the PIX.

-- Lidiya White



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 9:48 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX questions [7:53953]


OK.. I think I roughly understand what the problem is now. Let me tell you
about our PIX setup. We do PAT for every outgoing packet, so the source address
is translated to 192.168.5.200 before leaving the external interface of the
PIX. So when the outside party tried to make a connection to 192.168.5.200, it
was considered outside, as the routing table of the PIX shows that the IP
192.168.5.200 should be routed out via the external interface. Sounds logical?
But how do I solve it, if I don't want this log:

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000

Another question (2) :)
I saw a sentence in a book that I don't understand:
"The combination of the static declaration and the conduit command can allow
FTP traffic through your network. You have allowed FTP traffic to the FTP
server with the following two lines"

static (inside,outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0   (1)
conduit permit tcp host 192.168.1.35 eq ftp any                              (2)

I understand the second statement, which means it allows FTP traffic from any
outside workstation to connect to 192.168.1.35 in the inside network.
But what is the meaning of the first statement? What is the 10.1.1.35 IP for?
Why do we need this?

Thanks a lot
Sim





-----Original Message-----
From: Lidiya White [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 1:39 AM
To: Sim, CT (Chee Tong); [EMAIL PROTECTED]
Subject: RE: PIX questions [7:53953]

The problem here is that the source and destination are both outside. Why? The
PIX can't redirect traffic, so even if the conduit is allowing this traffic,
the PIX won't let it through unless the src is outside and the dst is inside.
You either have a routing issue here or something is misconfigured on the PIX.

Use "wr term" on the PIX to view the current config.
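The two replies from Lidiya above make the same point from two sides: a PAT-only address has no translation for anything the outside initiates, and a conduit is only consulted once a static (or a PAT slot created by an inside host) gives the destination a translation. The following Python model is an added example, not code from the thread or from Cisco. It is a deliberately simplified model of that order of operations (translation lookup first, conduit second); the PAT port allocation, the outside client 203.0.113.9 and the inside host 10.1.1.50 used for the port-redirection fix are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Conduit:
    """conduit permit <proto> host <host> range <lo> <hi> any  (host may be "any")."""
    proto: str
    host: str
    ports: Tuple[int, int]

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.host in ("any", pkt.dst)
                and self.ports[0] <= pkt.dport <= self.ports[1])

class Pix:
    """Toy model: an inbound packet needs a translation slot (xlate) first, a conduit second."""

    def __init__(self, pat_address: str):
        self.pat_address = pat_address                # global (outside) 1 <addr> + nat (inside) 1 0 0
        self.statics: Dict[str, str] = {}             # global addr -> real addr, permanent two-way xlate
        self.port_statics: Dict[Tuple[str, str, int], Tuple[str, int]] = {}  # port redirection statics
        self.conduits: List[Conduit] = []
        self.pat_xlates: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (proto, PAT port) -> (real, port)
        self._next_pat_port = 1024                    # PAT port allocation is an assumption of the model

    def add_static(self, global_addr: str, real_addr: str) -> None:
        self.statics[global_addr] = real_addr

    def add_port_static(self, proto: str, gaddr: str, gport: int, raddr: str, rport: int) -> None:
        self.port_statics[(proto, gaddr, gport)] = (raddr, rport)

    def add_conduit(self, proto: str, host: str, lo: int, hi: Optional[int] = None) -> None:
        self.conduits.append(Conduit(proto, host, (lo, lo if hi is None else hi)))

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: a static keeps its global address, anything else gets a PAT slot."""
        for global_addr, real_addr in self.statics.items():
            if real_addr == pkt.src:
                return Packet(pkt.proto, global_addr, pkt.sport, pkt.dst, pkt.dport)
        port = self._next_pat_port
        self._next_pat_port += 1
        self.pat_xlates[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.pat_address, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Tuple[str, str]:
        """Outside -> inside: returns (verdict, reason)."""
        if pkt.dst in self.statics:
            real = (self.statics[pkt.dst], pkt.dport)
        elif (pkt.proto, pkt.dst, pkt.dport) in self.port_statics:
            real = self.port_statics[(pkt.proto, pkt.dst, pkt.dport)]
        elif pkt.dst == self.pat_address and (pkt.proto, pkt.dport) in self.pat_xlates:
            # The slot exists only because an inside host sent first; this is its return
            # traffic (simplified: a real PIX also checks the remote address/port of the flow).
            real = self.pat_xlates[(pkt.proto, pkt.dport)]
            return "allow", f"return traffic through PAT xlate to {real[0]}/{real[1]}"
        else:
            # No translation at all: the conduit is never consulted, so adding one cannot help.
            return "deny", (f"106011: Deny inbound (No xlate) {pkt.proto} src outside:{pkt.src}/"
                            f"{pkt.sport} dst outside:{pkt.dst}/{pkt.dport}")
        if any(c.matches(pkt) for c in self.conduits):
            return "allow", f"static xlate + conduit, delivered to inside {real[0]}/{real[1]}"
        return "deny", "xlate exists but no conduit permits this traffic"

def pix_from_thread() -> Pix:
    """The configuration discussed in the thread (constructed from the posts)."""
    pix = Pix(pat_address="192.168.5.200")
    pix.add_static("192.168.1.35", "10.1.1.35")    # static (inside,outside) 192.168.1.35 10.1.1.35 ...
    pix.add_conduit("tcp", "192.168.1.35", 21)      # conduit permit tcp host 192.168.1.35 eq ftp any
    pix.add_conduit("udp", "any", 58000, 58001)     # conduit permit udp any range 58000 58001 any
    return pix

def demo() -> Dict[str, Tuple[str, str]]:
    pix = pix_from_thread()
    udp_in = Packet("udp", "200.100.182.173", 58000, "192.168.5.200", 58000)   # from the posted log
    results = {
        "ftp": pix.inbound(Packet("tcp", "203.0.113.9", 40000, "192.168.1.35", 21)),  # allow
        "udp_before_fix": pix.inbound(udp_in),      # deny "No xlate": the udp conduit never runs
    }
    # Fix (assumed inside host 10.1.1.50) using the port-redirection form of static covered by
    # the Cisco document linked above:
    #   static (inside,outside) udp 192.168.5.200 58000 10.1.1.50 58000 netmask 255.255.255.255
    pix.add_port_static("udp", "192.168.5.200", 58000, "10.1.1.50", 58000)
    results["udp_after_fix"] = pix.inbound(udp_in)  # allow: xlate now exists, conduit matches
    # Return traffic for an inside-initiated flow needs no static: the PAT slot is the xlate.
    out = pix.outbound(Packet("udp", "10.1.1.60", 5000, "200.100.182.79", 58000))
    results["pat_return"] = pix.inbound(Packet("udp", "200.100.182.79", 58000, out.src, out.sport))
    return results

if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:15s} {verdict:5s} {why}")
```

Running it shows the FTP case passing because the static supplies the xlate and the conduit the permission, the thread's UDP packet failing with the exact "No xlate" message regardless of the conduit, and the same packet passing once a static exists for that address and port.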

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: PIX questions [7:53953]


I keep getting the following log on my PIX. It is very frequent. What does it
mean? It seems my PIX denies this connection, but actually I want to allow it
now and make it no longer log to the PIX log.



106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000

106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001

106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001



I tried to clear it by adding the following command to the PIX config to
allow the connection to come in. However, I still find the same log on my
PIX. What should be the correct command?



conduit permit udp any range 58000 58001 any





Question 2: How do I show the "running-config" on the PIX? I found that
whenever I make a change on the PIX, I can't see the change when I issue the
"sh conf" command until I do "wr mem". What is the PIX equivalent of the
router's show running-config command?



Thanks a lot




==================================================================
The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.
==================================================================




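The 106011 lines in the question are the raw material for deciding whether this is wanted traffic that needs a static, or just unsolicited noise hitting the PAT address. The following Python is an added example, not code from the thread: it re-joins syslog lines that the mail client wrapped (the sample below reproduces the posted lines exactly as they were mangled, plus one made-up TCP line to 192.168.5.200/445 from 198.51.100.7 so the grouping has more than one shape), parses the message, and groups hits by protocol, destination and port, noting when source and destination sit on the same interface. The re-joining rule is a heuristic of this example, not anything the PIX does.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample: the four denials from the post, wrapped exactly the way the mail
# client mangled them, plus one made-up TCP line so the grouping has more than one shape.
SAMPLE_LOG = """\
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst
outside:192.168.

5.200/58000

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst
outside:192.168.

5.200/58000

106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst
outside:192.168.5

.200/58001

106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst
outside:192.168.5

.200/58001

106011: Deny inbound (No xlate) tcp src outside:198.51.100.7/51234 dst outside:192.168.5.200/445
"""

MSG_START = re.compile(r"^(?:%PIX-\d-)?\d{6}:")   # optional "%PIX-3-" severity prefix, then the message id

def rejoin_wrapped(text: str) -> List[str]:
    """Glue mail-wrapped fragments back onto the syslog message they belong to.
    Heuristic (an assumption of this example, not a PIX rule): a fragment is joined
    with a space only when both sides of the break are alphanumeric."""
    msgs: List[str] = []
    for raw in text.splitlines():
        piece = raw.strip()
        if not piece:
            continue
        if MSG_START.match(piece) or not msgs:
            msgs.append(piece)
        elif msgs[-1][-1].isalnum() and piece[0].isalnum():
            msgs[-1] += " " + piece
        else:
            msgs[-1] += piece
    return msgs

NOXLATE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)$")

class NoXlate(NamedTuple):
    proto: str
    src_if: str
    src: str
    sport: int
    dst_if: str
    dst: str
    dport: int

def parse_line(msg: str) -> Optional[NoXlate]:
    m = NOXLATE.search(msg)
    if not m:
        return None
    return NoXlate(m["proto"], m["src_if"], m["src"], int(m["sport"]),
                   m["dst_if"], m["dst"], int(m["dport"]))

def summarize(text: str) -> List[dict]:
    """One row per (proto, dst, dport): hit count, distinct sources, and whether every hit
    had source and destination on the same interface (the thread's outside -> outside case,
    where a conduit cannot help because the PIX holds no translation for the destination)."""
    events = [e for e in map(parse_line, rejoin_wrapped(text)) if e]
    hits = Counter((e.proto, e.dst, e.dport) for e in events)
    sources: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    same_if: Dict[Tuple[str, str, int], bool] = {}
    for e in events:
        key = (e.proto, e.dst, e.dport)
        sources[key].add(e.src)
        same_if[key] = same_if.get(key, True) and e.src_if == e.dst_if
    return [{"proto": p, "dst": d, "dport": dp, "count": n,
             "sources": sorted(sources[(p, d, dp)]), "same_interface": same_if[(p, d, dp)]}
            for (p, d, dp), n in hits.most_common()]

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f"{r['count']:3d}x {r['proto']} -> {r['dst']}/{r['dport']} "
              f"from {', '.join(r['sources'])} (src/dst same interface: {r['same_interface']})")
```

Read the rows the way the replies above suggest: a same-interface row for traffic you actually want means the destination needs a static (or port redirection) mapping it to an inside host, and the existing `conduit permit udp any range 58000 58001 any` will only start to matter after that; a same-interface row from many sources on ports you do not serve is unsolicited traffic to the PAT address and the denial is the correct outcome, so the log line is noise to filter rather than a rule to add.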
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54082&t=53953
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
