RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-09 Thread Kent Hundley

Robert,

Ok, I'm more confused than before. :-)

You say "I do want any outside host to access the web server" and then you
say "So, I do want everyone to access the web server at ip address
xxx.yyy.115.190"; these seem like contradictory statements to me unless you're
saying you want only _internal_ hosts to access the web server, but use its
external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server?
Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server?  It appears that it is on the outside of the
PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web
server by its internal IP address? I don't see why that would be the case.
Using the alias command, the DNS replies would be doctored so that the web
server's IP would appear to internal clients as 172.20.21.241 and they
should just go directly to that address without having to go to the PIX.
(this assumes the DNS is on the external interface of the PIX and the web
server's DNS name resolves to xxx.yyy.115.190)

If you want an external host to access the web server, you're going to have to
modify your conduit statement(s).

Regards,
Kent


RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-09 Thread Mark Odette II

Kent- What if you have your DNS Server(s) (resolving Public addresses for
the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the
PIX with all of them running RFC1918 addresses, and you want both inside and
outside sourced traffic (Any Any) to reach the Web or Mail Server?  Is the
Alias command used for the inside hosts to reach the servers when resolving
to the Public Addresses only??

Forgive my ignorance... I'm just catching back up on my PIX studies, and see
where the above scenario comes into play on a regular basis for small/medium
networks where the Business/Organization hosts their own DNS and has their
ISP provide Secondary DNS for them.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Tuesday, April 09, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Robert,

Ok, I'm more confused than before. :-)

You say I do want any outside host to access the web server and then you
say So, I do want everyone to access the web server at ip address
xxx.yyy.115.190, this seems like contradictory statements to me unless your
saying you want only _internal_ hosts to access the web server, but use its
external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server?
Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server?  It appears that it is on the outside of the
PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web
server by its internal IP address? I don't see why that would be the case.
Using the alias command, the DNS replies would be doctored so that the web
servers IP would appear to internal clients as 172.20l.21.241 and they
should just go directly to that address without having to go to the PIX.
(this assumes the DNS is on the external interfaces of the PIX and the web
servers DNS resolves to xxx.yyy.115.190)

If you want an external host to access the web server, your going to have to
modify your conduit statement(s).

Regards,
Kent

-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Please don't think I'm being argumentative, I'm trying to explain the
configuration I have and what I'm trying to accomplish.  This is coming
from my understanding and concept, which I am starting to think is way off
base.  What really throws me is that this configuration is working at
another site and at this site with my PIX 506 running Ver 5.1, just not
with their PIX running Ver 4.1.4.  Maybe that's my problem, I saw this type
of a configuration first and just assumed it's the norm, when in fact it
may be a kludge.

Now to answer your questions.
I do want any outside host to access the web server.
The public address for the web server is xxx.yyy.115.190.  When someone
does a DNS lookup for the www.domainname it resolves to
xxx.yyy.115.190.  Therefore the host goes to xxx.yyy.115.190.  While the
domainname has a public address of xxx.yyy.115.190 the actual ip address of
the server is 172.20.21.241.  That's where the static and conduit commands
come in to play.  The PIX accepts the address of xxx.yyy.115.190 (because
of the static statement) and sends it to 172.20.21.241 (I would use the
term routes it to 172.20.21.241 but I am afraid it would cause further
confusion ... to me).  So, I do want everyone to access the web server at
ip address xxx.yyy.115.190.  But that one address goes to 172.20.21.241.

If I don't use the alias command then the internal hosts can not see the
servers for which I have a conduit built, ie: web and mail servers.  When
the internal host performs DNS on their own name they are unable to get to
that server.  With the alias they are able to get to the server.  I'm not
sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
Robert,

Your conduit command doesn't look right.  Typically you want to allow any
outside host to access the inside host specified in the conduit.  You can
specify 'any' by using 0.0.0.0 or 0:


conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0

Also, I'm not sure what your trying to accomplish with those alias
commands:

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255

Your telling the PIX to translate dst address 172.20.21.241 to
xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
back to the same inside address?  Typically the internal hosts would just
go
directly to the 172.20.21.241 address without having to go through the PIX
in the first place.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert T. Repko (R Squared Consultants)
Sent

RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-09 Thread Kent Hundley

Mark,

Typically the alias command is used when:

1) You have overlapping addresses, i.e. you're using 10 net addressing and you
have to connect to someone else who is also using 10 net addressing (this is
done through DNS doctoring), or you have a split DNS (see below).

2) You want to translate the dst address of packets going from inside to
outside on the PIX.

If you have a situation where your DNS is external and your servers are
internal, you probably don't want the internal hosts accessing the internal
servers using their external address. In order for the DNS replies to give
the internal hosts the internal address of the servers, you would use the
alias command to alter the reply to the internal hosts.

This comes into play when you have what is typically called a split-brain
DNS.  The external DNS can only resolve hosts which are accessible from the
outside.  The internal DNS forwards to the external for name resolution of
externally accessible hosts.  Since the DNS resolution yields an externally
reachable address, you would use the alias to make sure that the internal
hosts use the internal IP while the external hosts use the external IP.

HTH,
Kent

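To make the DNS-doctoring half of the alias command concrete (Kent's point 3 in his earlier reply and the split-brain DNS case he describes to Mark above), here is a small Python model of what the PIX does to a DNS reply crossing from the outside interface to inside clients. It is an added example, not Cisco code and not anything posted in the thread. It assumes the posted command form `alias (inside) <dnat_ip> <foreign_ip> <netmask>`, substitutes the documentation prefix 203.0.113 for the masked xxx.yyy, builds its own DNS reply packets, and only models the A-record rewrite (the alias command's other job, translating a destination of dnat_ip on outbound packets, is left out). The host-offset handling for masks wider than /32 is an assumption, since the thread only uses host masks.

```python
"""Model of the DNS doctoring the PIX 'alias' command performs.

Added example for this thread, not Cisco code.  The command form is

  alias (inside) <dnat_ip> <foreign_ip> <netmask>

and the part modelled here is: when a DNS reply passes from the outside
interface to inside clients and carries an A record equal to foreign_ip,
the firewall rewrites that record to dnat_ip, so inside clients connect to
the server's real address instead of the public address of the static.
'xxx.yyy' is replaced by the documentation prefix 203.0.113; every packet
and address below is constructed.
"""
import ipaddress
import struct

TYPE_A = 1


def encode_name(name):
    """Encode 'www.example.com' as DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_reply(qname, ips, ttl=300, txid=0x1234):
    """Build a minimal DNS response: one question and one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length


def answer_records(buf):
    """Yield (rtype, rdata_offset, rdlen) for every RR in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def a_records(buf):
    """Addresses of the A records in a reply, as strings."""
    return [str(ipaddress.IPv4Address(bytes(buf[o:o + 4])))
            for rtype, o, rdlen in answer_records(buf) if rtype == TYPE_A and rdlen == 4]


def parse_alias(line):
    """'alias (inside) dnat_ip foreign_ip netmask' -> (foreign_net, dnat_ip)."""
    _, _, dnat_ip, foreign_ip, mask = line.split()
    return (ipaddress.IPv4Network((foreign_ip, mask), strict=False),
            ipaddress.IPv4Address(dnat_ip))


def doctor_reply(buf, aliases):
    """Rewrite A records that match an alias foreign_ip; return (new_reply, rewrites).

    An A record is 4 bytes before and after, so lengths and offsets stay valid.
    """
    out = bytearray(buf)
    rewrites = 0
    for rtype, off, rdlen in answer_records(out):
        if rtype != TYPE_A or rdlen != 4:
            continue
        addr = ipaddress.IPv4Address(bytes(out[off:off + 4]))
        for foreign_net, dnat_ip in aliases:
            if addr in foreign_net:
                # assumed semantics for masks wider than /32: keep the host part
                host = int(addr) - int(foreign_net.network_address)
                out[off:off + 4] = ipaddress.IPv4Address(int(dnat_ip) + host).packed
                rewrites += 1
                break
    return bytes(out), rewrites


# The three alias lines from the thread, with the masked prefix substituted.
ALIASES = [parse_alias(l) for l in (
    "alias (inside) 172.20.21.241 203.0.113.190 255.255.255.255",
    "alias (inside) 172.20.18.210 203.0.113.174 255.255.255.255",
    "alias (inside) 172.20.18.172 203.0.113.172 255.255.255.255",
)]

if __name__ == "__main__":
    reply = build_a_reply("www.example.com", ["203.0.113.190"])
    doctored, n = doctor_reply(reply, ALIASES)
    print(a_records(reply), "->", a_records(doctored), n)  # ['203.0.113.190'] -> ['172.20.21.241'] 1
```

Run against a reply for www.example.com resolving to the public 203.0.113.190, the model hands inside clients 172.20.21.241, which is why the internal hosts in Robert's setup can reach the server only while the alias lines are present: without them they receive the public address and try to reach it through the firewall. Records that match no alias (a third-party address in the same reply) pass through unchanged, and the reply length is identical before and after, as it must be for the rewrite to be transparent.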

RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-07 Thread Robert T. Repko (R Squared Consultants)

I thought that's what I had?

conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
                         (outside address) (port)  (ip addr of host to reach)
                                                   (inside address)

If I'm misunderstanding could you rewrite the statement above to 
demonstrate what you mean.
Please keep in mind this is ver 4.1.4, 'any' is not a valid part of the 
conduit statement, the PIX complains when I use 'any' in the command.

***
* Robert T. Repko - R Squared Consultants        | Voice: (610) 253-2849      *
* Serving the Computing World for 20 years       | Fax: (610) 253-0725        *
* NT/UNIX/MAC Networking, Cisco Routers/Switches | Internet: [EMAIL PROTECTED] *
* Custom Programming                             | Address: 4 Juniper Ave.    *
* NJDOE Provider ID#: 763 | SPIN: 143010681      | Easton, PA 18045           *
***





RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-07 Thread Kent Hundley

Robert,

Your conduit command doesn't look right.  Typically you want to allow any
outside host to access the inside host specified in the conduit.  You can
specify 'any' by using 0.0.0.0 or 0:


conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0

Also, I'm not sure what you're trying to accomplish with those alias commands:

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255

You're telling the PIX to translate dst address 172.20.21.241 to
xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
back to the same inside address?  Typically the internal hosts would just go
directly to the 172.20.21.241 address without having to go through the PIX
in the first place.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert T. Repko (R Squared Consultants)
Sent: Saturday, April 06, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: Cisco PIX question, static, conduit, and alias [7:40722]


I am having a problem getting to the inside Mail/Web servers from the
outside and I can't determine why.

I'm replacing an old Cisco 7000 router with a new 7206 VXR.  I'm also
reconfiguring the way their PIX was setup.  The servers were configured
with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement)
which made them vulnerable.  I am moving them to an inside address and
building a conduit from the outside to the inside.

In order to leave their old network up and running while I configured the
7206VXR.  I used my PIX 506 (Ver 5.x) for configuration purposes.  I had
everything configured and working.  Then over the Easter holiday I
configured their PIX trying to use the same statements that I had in my PIX
506.  This is where I ran into problems.  Since they are running such an
old version (Ver 4.1.4) of the IOS I could not use the same exact
commands.  I'm not as familiar with the PIX 4.1.4 commands and obviously
have something stated incorrectly.  Below I have what I believe to be the
pertinent information from both the 7206 and PIX.  Can someone tell me
where I went wrong?  The xxx.yyy represent the same 2 octets throughout
both configs.  Any help greatly appreciated.

Cisco 7206 VXR

interface FastEthernet0/1
  description ** Firewall Connection (inside area)**
  ip address xxx.yyy.115.18 255.255.255.240 secondary
  ip address 172.20.19.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129 ! (points to the ISP)
ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17 ! (points to the PIX)


Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)

interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
interface 1: ip address inside 172.20.19.4 mask 255.255.255.0

global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13

static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255

conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255

route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
route inside 172.16.0.0 255.255.0.0 172.20.19.3 1






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40764t=40722
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-07 Thread Robert T. Repko (R Squared Consultants)

Please don't think I'm being argumentative, I'm trying to explain the 
configuration I have and what I'm trying to accomplish.  This is coming 
from my understanding and concept, which I am starting to think is way off 
base.  What really throws me is that this configuration is working at 
another site and at this site with my PIX 506 running Ver 5.1, just not 
with their PIX running Ver 4.1.4.  Maybe that's my problem, I saw this type 
of a configuration first and just assumed it's the norm, when in fact it 
may be a kludge.

Now to answer your questions.
I do want any outside host to access the web server.
The public address for the web server is xxx.yyy.115.190.  When someone 
does a DNS lookup for the www.domainname it resolves to 
xxx.yyy.115.190.  Therefore the host goes to xxx.yyy.115.190.  While the 
domainname has a public address of xxx.yyy.115.190 the actual ip address of 
the server is 172.20.21.241.  That's where the static and conduit commands 
come in to play.  The PIX accepts the address of xxx.yyy.115.190 (because 
of the static statement) and sends it to 172.20.21.241 (I would use the 
term routes it to 172.20.21.241 but I am afraid it would cause further 
confusion ... to me).  So, I do want everyone to access the web server at 
ip address xxx.yyy.115.190.  But that one address goes to 172.20.21.241.

If I don't use the alias command then the internal hosts cannot see the
servers for which I have a conduit built, i.e. web and mail servers.  When
the internal host performs DNS on their own name they are unable to get to
that server.  With the alias they are able to get to the server.  I'm not
sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.


RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-06 Thread Daniel Cotts

Conduit should be outside address of local machine (xxx.yyy.115.172) then
port to be reached (25 tcp) then address and subnet mask of remote hosts
wishing access. any = 0.0.0.0 0.0.0.0. It could be a single address; but I'd
expect to see a routable address.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40725t=40722
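To make the field order that Daniel, Kent and Robert are going back and forth about concrete, here is a small Python model of the inbound static + conduit check. It is an added example, not Cisco code and not anything posted in the thread: it assumes the PIX 4.1.4 positional syntax exactly as quoted in the thread, substitutes the documentation prefix 203.0.113 for the masked xxx.yyy, and uses a constructed outside source address (198.51.100.25) for the inbound SMTP connection. Everything else the firewall does (xlate state, security levels, the nat/global pools) is left out.

```python
"""Toy model of the inbound static + conduit check on a PIX 4.1.4.

Added for this thread; it is not Cisco code and ignores xlate state,
security levels, the nat/global pools and every protocol except the one
named in the conduit.  It parses only the two command forms as posted:

  static  (inside,outside) <global_ip> <local_ip> [connection limits]
  conduit (inside,outside) <global_ip> <port> <proto> <foreign_ip> <foreign_mask>

The thread's masked 'xxx.yyy' prefix is replaced with the documentation
prefix 203.0.113, so every address here is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    global_ip: str
    port: int
    proto: str
    foreign_net: ipaddress.IPv4Network  # the remote hosts allowed to use the hole


def parse_pix(text):
    """Return ({global_ip: local_ip}, [Conduit, ...]) from static/conduit lines."""
    statics, conduits = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "static":
            statics[parts[2]] = parts[3]  # trailing connection-limit fields are ignored
        elif parts[0] == "conduit":
            global_ip, port, proto, fip, fmask = parts[2:7]
            # a bare "0" is the PIX shorthand for 0.0.0.0 (any address / any mask)
            fip = "0.0.0.0" if fip == "0" else fip
            fmask = "0.0.0.0" if fmask == "0" else fmask
            net = ipaddress.IPv4Network((fip, fmask), strict=False)
            conduits.append(Conduit(global_ip, int(port), proto, net))
    return statics, conduits


def inbound_target(config, src_ip, dst_ip, dst_port, proto="tcp"):
    """Inside address an outside->inside packet is delivered to, or None if dropped.

    The static supplies the translation and the conduit supplies the
    permission; a packet needs both, and the conduit's foreign field is
    matched against the packet's *source* address.
    """
    statics, conduits = parse_pix(config)
    local_ip = statics.get(dst_ip)
    if local_ip is None:
        return None
    src = ipaddress.IPv4Address(src_ip)
    for c in conduits:
        if (c.global_ip, c.port, c.proto) == (dst_ip, dst_port, proto) and src in c.foreign_net:
            return local_ip
    return None


# The conduit as posted: its "remote host" field holds the mail server's own
# inside address, which no packet arriving on the outside interface carries.
AS_POSTED = """
static (inside,outside) 203.0.113.172 172.20.18.172 0 255
conduit (inside,outside) 203.0.113.172 25 tcp 172.20.18.172 255.255.255.255
"""

# Same static; the conduit rewritten as the replies suggest, "any foreign host".
CORRECTED = """
static (inside,outside) 203.0.113.172 172.20.18.172 0 255
conduit (inside,outside) 203.0.113.172 25 tcp 0 0
"""

if __name__ == "__main__":
    mta = "198.51.100.25"  # constructed: an MTA somewhere on the Internet
    print(inbound_target(AS_POSTED, mta, "203.0.113.172", 25))  # None
    print(inbound_target(CORRECTED, mta, "203.0.113.172", 25))  # 172.20.18.172
    print(inbound_target(CORRECTED, mta, "203.0.113.172", 80))  # None, only port 25 is opened
```

With the conduit as posted, the foreign field parses to 172.20.18.172/32, so a connection from 198.51.100.25 to the mail server's public address is dropped even though the static exists. With `0 0` the same connection passes and is delivered to 172.20.18.172, while port 80 on that address is still dropped because no conduit opens it; that is the least-privilege property worth keeping when widening the source field to any.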