Cisco PIX 8.0.4, static address mapping not working?
- by Bill
upgrading a working Pix running 5.3.1 to 8.0.4. The memory/IOS upgrade went fine, but the 8.0.4 configuration is not quite working 100%. The 5.3.1 config on which it was based is working fine.
Basically, I have three networks (inside, outside, dmz) with some addresses on the dmz statically mapped to outside addresses. The problem seems to be that those addresses can't send or receive traffic from the outside (Internet.) Stuff on the DMZ that does not have a static mapping seems to work fine. So, basically:
Inside - outside: works
Inside - DMZ: works
DMZ - inside: works, where the rules allow it
DMZ (non-static) - outside: works
But:
DMZ (static) - outside: fails
Outside - DMZ: fails (So, say, udp 1194 traffic to .102, http to .104)
I suspect there's something I'm missing with the nat/global section of the config, but can't for the life of me figure out what. Help, anyone?
The complete configuration is below. Thanks for any thoughts!
!
PIX Version 8.0(4)
!
hostname firewall
domain-name asasdkpaskdspakdpoak.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address XX.XX.XX.100 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.68.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 10
ip address 192.168.69.1 255.255.255.0
!
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name asasdkpaskdspakdpoak.com
access-list acl_out extended permit udp any host XX.XX.XX.102 eq 1194
access-list acl_out extended permit tcp any host XX.XX.XX.104 eq www
access-list acl_dmz extended permit tcp host 192.168.69.10 host 192.168.68.17 eq ssh
access-list acl_dmz extended permit tcp 10.71.83.0 255.255.255.0 192.168.68.0 255.255.255.0 eq ssh
access-list acl_dmz extended permit tcp 10.71.83.0 255.255.255.0 192.168.68.0 255.255.255.0 eq 5901
access-list acl_dmz extended permit udp host 192.168.69.103 any eq ntp
access-list acl_dmz extended permit udp host 192.168.69.103 any eq domain
access-list acl_dmz extended permit tcp host 192.168.69.103 any eq www
access-list acl_dmz extended permit tcp host 192.168.69.100 host 192.168.68.101 eq 3306
access-list acl_dmz extended permit tcp host 192.168.69.100 host 192.168.68.102 eq 3306
access-list acl_dmz extended permit tcp host 192.168.69.101 host 192.168.68.101 eq 3306
access-list acl_dmz extended permit tcp host 192.168.69.101 host 192.168.68.102 eq 3306
access-list acl_dmz extended permit tcp 10.71.83.0 255.255.255.0 host 192.168.68.101 eq 3306
access-list acl_dmz extended permit tcp 10.71.83.0 255.255.255.0 host 192.168.68.102 eq 3306
access-list acl_dmz extended permit tcp host 192.168.69.104 host 192.168.68.101 eq 3306
access-list acl_dmz extended permit tcp host 192.168.69.104 host 192.168.68.102 eq 3306
access-list acl_dmz extended permit tcp 10.71.83.0 255.255.255.0 host 192.168.69.104 eq 8080
access-list acl_dmz extended permit tcp 10.71.83.0 255.255.255.0 host 192.168.69.104 eq 8099
access-list acl_dmz extended permit tcp host 192.168.69.105 any eq www
access-list acl_dmz extended permit tcp host 192.168.69.103 any eq smtp
access-list acl_dmz extended permit tcp host 192.168.69.105 host 192.168.68.103 eq ssh
access-list acl_dmz extended permit tcp host 192.168.69.104 any eq www
access-list acl_dmz extended permit tcp host 192.168.69.100 any eq www
access-list acl_dmz extended permit tcp host 192.168.69.100 any eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) XX.XX.XX.103 192.168.69.11 netmask 255.255.255.255
static (inside,dmz) 192.168.68.17 192.168.68.17 netmask 255.255.255.255
static (inside,dmz) 192.168.68.100 192.168.68.100 netmask 255.255.255.255
static (inside,dmz) 192.168.68.101 192.168.68.101 netmask 255.255.255.255
static (inside,dmz) 192.168.68.102 192.168.68.102 netmask 255.255.255.255
static (inside,dmz) 192.168.68.103 192.168.68.103 netmask 255.255.255.255
static (dmz,outside) XX.XX.XX.104 192.168.69.100 netmask 255.255.255.255
static (dmz,outside) XX.XX.XX.105 192.168.69.105 netmask 255.255.255.255
static (dmz,outside) XX.XX.XX.102 192.168.69.10 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.97 1
route dmz 10.71.83.0 255.255.255.0 192.168.69.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.68.17 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2d1bb2dee2d7a3e45db63a489102d7de
