Hi Ameet,

The information you have been given previously is correct.  I would suspect 
something else is incorrect.

Is your Static address part of the Global pool?  It should NOT be.

Another troubleshooting tip is to do a "show xlate" on the PIX.

pixfirewall# show xlate external.address.i.p

and

pixfirewall# show xlate internal.address.i.p

And compare the results.  This will help verify that the static address 
mapping is occurring properly.

Also, it is advisable to clear xlates after reconfiguring the PIX.  This 
eliminates confusion resulting from an address that may have been in use 
via a dynamic connection, which has been assigned a static translation.

If that doesn't help, I'd recommend opening a case with the Cisco Technical 
Assistance Center.

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems



At 01:22 PM 02/23/2000 -0500, Ameet Chaubal wrote:
>Thanks for the reply
>
>But I do have that set up correctly.
>The strange thing is, I can ping from this machine to outside world; but
>nobody else can ping it.
>I am getting out of things to try now!!
>
>Appreciate the help
>
>ameet
>
>
>----- Original Message -----
>From: Marc Renner <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Wednesday, February 23, 2000 12:37 PM
>Subject: Re: PIX stat translation not working
>
>
> > You need the conduit statement to point to the OUTSIDE Translated Address, i.e.:
> >
> > conduit permit tcp host <OUTSIDE TRANSLATED ADDRESS> eq smtp any
> >
> > Also: Make sure you have an MX (Mail eXchange) record for the mail server's OUTSIDE TRANSLATED ADDRESS.
> >
> > cheers..
> >
> >
> > Marc..
> >
> > >>> "Alessandra Moura" <[EMAIL PROTECTED]> 02/23/00 09:13AM >>>
> >
> > Try this:
> >
> > conduit permit tcp host <valid IP> eq smtp any
> >
> >
> >
> >
> > 23/02/2000 09:58
> > "Ameet Chaubal" <[EMAIL PROTECTED]>
> >
> >  To:      [EMAIL PROTECTED]
> >  cc:      (bcc: Alessandra Moura/RIO/ANP)
> >  Subject: PIX stat translation not working
> >
> > Hi all
> >
> > I am a bit new to the PIX firewall. The version we have is 4.2.
> > It is a fairly simple setup without DMZ.
> > We have a pool of global IP addresses and just one entry for static NAT.
> > I have the conduit permit icmp any any command in it.
> > I also have the conduit permit for the static address at port 25 for SMTP.
> > The machines inside can go out through dynamic NAT fine. I can even ping them
> > from outside.
> > But the problem is for the static translated machine.
> > This machine can go out and ping anybody on the internet.
> > But nobody outside seems to be able to see it or ping it. Even telnet at 25
> > does not work.
> > I checked everything that I could; there are no outbound access lists.
> > Does fixup have anything to do with this?
> > Could anybody please suggest something?
> >
> > Thanks a lot
> >
> > ameet
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

PGP:  A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
ID: 0xB72CAF1F, DH/DSS 2048/1024
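
The two configuration mistakes raised in this thread (a static address that falls inside the global pool, and a conduit that names the inside address instead of the outside translated address) can be checked offline against a saved configuration. The script below is an added example, not part of the original messages or any Cisco tool; the `global`/`static`/`conduit` line layout it parses is an assumed PIX 4.x-style syntax, and the addresses are constructed documentation values.

```python
import ipaddress
import re

# Constructed sample config (assumed PIX 4.x-style syntax, made-up addresses).
SAMPLE_CONFIG = """\
global (outside) 1 192.0.2.10-192.0.2.20
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.15 10.1.1.25
conduit permit icmp any any
conduit permit tcp host 10.1.1.25 eq smtp any
"""

GLOBAL_RE = re.compile(r"^global \(\w+\) \d+ (\S+?)(?:-(\S+))?(?:\s|$)")
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+)")   # outside, then inside
CONDUIT_RE = re.compile(r"^conduit permit \w+ host (\S+)")


def audit(config):
    """Return a list of findings for the two mistakes discussed in the thread."""
    pools, statics, conduit_hosts = [], [], []
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            lo = ipaddress.ip_address(m.group(1))
            hi = ipaddress.ip_address(m.group(2) or m.group(1))  # single-address pool
            pools.append((lo, hi))
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_address(m.group(1)),
                            ipaddress.ip_address(m.group(2))))
        elif m := CONDUIT_RE.match(line):
            conduit_hosts.append(ipaddress.ip_address(m.group(1)))
    findings = []
    for outside, inside in statics:
        if any(lo <= outside <= hi for lo, hi in pools):
            findings.append(f"static {outside} is inside the global pool")
        if inside in conduit_hosts:
            findings.append(f"conduit names inside address {inside}, not {outside}")
        if outside not in conduit_hosts:
            findings.append(f"no host conduit for translated address {outside}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A clean result here only rules out these two mistakes; stale translations still need the `show xlate` comparison and xlate clearing described in the message.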