[c-nsp] problem creating a static on Pix

Tony td_miles at yahoo.com
Thu Jul 30 18:43:31 EDT 2009


Your access list needs to have the OUTSIDE address in it, as this is what will be in the packets arriving on the outside interface of your PIX, e.g.:

access-list acl-outside permit tcp any host 206.x.x.77 eq 80


This URL:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
http://tinyurl.com/8vrj

lists the order of operations that happen on the PIX. You can see that for outside-to-inside the access-list is step 3 and the NAT happens at step 6. This means that the ACL is checked before any NAT happens and so the packets will still have the outside address in them (they haven't been NAT'ed yet).



regards,
Tony.




--- On Fri, 31/7/09, Scott Granados <gsgranados at comcast.net> wrote:

> From: Scott Granados <gsgranados at comcast.net>
> Subject: [c-nsp] problem creating a static on Pix
> To: cisco-nsp at puck.nether.net
> Date: Friday, 31 July, 2009, 8:18 AM
> Hi, I'm having the following issue.
> 
> Background
> 
> I have two networks one public 206.x.x.77/27 and internal
> 10.18.x.253/27.  I wish to open port 80 to the world
> and allow web traffic.
> 
> I've added the following static line.
> 
> static (inside,outside) tcp 206.x.x.77 80 10.18.x.253 80 netmask 255.255.255.255 0 0
> 
> I have added the following to my ACL
> 
> access-list acl-outside permit ip any host 10.18.x.253 eq 80
> (the first line in sequence)
> 
> Finally, I apply the acl as follows
> 
> access-group acl-outside in interface outside
> 
> I've confirmed that the device is listening on 80 and
> accepting connections and I've confirmed that the device can
> route out to the internet by pinging some distant network
> addresses.  My issue is I can't initiate a connection
> from the outside in.  Telnet to 206.x.x.77 80 yields
> "no route to host" from a Linux box out in the field. 
> I tried to execute a telnet from the router on 206.x.x.65
> (the gateway to the outside network) to 206.x.x.77 80 and it
> simply hangs.  (testing connectivity on the same
> segment)  What have I missed?
> 
> This feels like it should be something obvious but I've
> been pulling my hair out (what's left) and no lights are
> going on.  Any pointers would be appreciated..
> 
> Thanks
> Scott
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
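As an added illustration (written for this archive page; not part of the original thread and not Cisco code), the following Python toy model walks an inbound packet through the two steps Tony's reply refers to, in that order: the outside ACL check first, then the static (global-to-local) translation. The addresses 203.0.113.77, 10.18.0.253 and 198.51.100.9 are constructed documentation-range values standing in for the masked 206.x.x.77 and 10.18.x.253, and all class and function names are assumptions for this example. It shows why an ACL written against the inside address never matches the packet that actually arrives on the outside interface, while the same entry written against the outside address does.

```python
"""Toy model of the PIX outside-to-inside order of operations: ACL before NAT.

Constructed example for the cisco-nsp thread above; not Cisco code.
Step numbers follow the tech note cited in the reply (ACL = step 3, NAT = step 6).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str     # as seen on the wire at the receiving interface
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny <proto> any host <dst_host> [eq <dport>]."""
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    dst_host: str
    dport: Optional[int] = None   # port match only makes sense for tcp/udp


@dataclass(frozen=True)
class StaticNat:
    """static (inside,outside) <proto> <global_ip> <global_port> <local_ip> <local_port>"""
    proto: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if pkt.dst != ace.dst_host:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def check_acl(acl: List[Ace], pkt: Packet) -> bool:
    """Step 3: first matching entry wins; implicit deny if nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def apply_static(statics: List[StaticNat], pkt: Packet) -> Optional[Packet]:
    """Step 6: untranslate the global (outside) address to the inside host."""
    for s in statics:
        if s.proto == pkt.proto and s.global_ip == pkt.dst and s.global_port == pkt.dport:
            return Packet(pkt.proto, pkt.src, s.local_ip, s.local_port)
    return None   # no xlate: an inbound packet with no translation is dropped


def process_inbound(acl: List[Ace], statics: List[StaticNat],
                    pkt: Packet) -> Tuple[str, Packet]:
    """Run the two steps in PIX order and report what happened to the packet."""
    if not check_acl(acl, pkt):
        return ("denied_by_acl", pkt)      # ACL saw the pre-NAT, outside address
    translated = apply_static(statics, pkt)
    if translated is None:
        return ("no_translation", pkt)
    return ("forwarded", translated)


# Constructed configuration mirroring the thread (documentation-range addresses).
STATICS = [StaticNat("tcp", "203.0.113.77", 80, "10.18.0.253", 80)]
ACL_WITH_INSIDE_ADDR = [Ace("permit", "tcp", "10.18.0.253", 80)]    # the original poster's form
ACL_WITH_OUTSIDE_ADDR = [Ace("permit", "tcp", "203.0.113.77", 80)]  # the corrected form
WEB_REQUEST = Packet("tcp", "198.51.100.9", "203.0.113.77", 80)     # what arrives on outside
OTHER_PORT = Packet("tcp", "198.51.100.9", "203.0.113.77", 443)     # not opened by the ACL


if __name__ == "__main__":
    print("inside-address ACL :", process_inbound(ACL_WITH_INSIDE_ADDR, STATICS, WEB_REQUEST))
    print("outside-address ACL:", process_inbound(ACL_WITH_OUTSIDE_ADDR, STATICS, WEB_REQUEST))
    print("port 443           :", process_inbound(ACL_WITH_OUTSIDE_ADDR, STATICS, OTHER_PORT))
```

Running it prints `denied_by_acl` for the inside-address ACL and `forwarded` (with the destination rewritten to the inside host) for the outside-address one; the ACL entry is only ever compared against the destination address the packet carries when it hits the interface, which for inbound traffic is the global address from the static.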


      


