Guest
Posted: Fri Oct 19, 2007 12:55 am Post subject: PIX 515 DMZ can't access Internet
To all PIX experts,
I have a PIX 515 running 6.3(3) software.
Windows 2003 server (plan on using as FTP server) in the DMZ with private IP 192.168.17.100.
This private IP is statically NATted to a public IP address 209.181.x.y.
This public IP is different from the global public IP, 209.181.a.b, being used for NATing internal private-IP systems.
Related entries are below:
nameif ethernet0 outside security0
nameif ethernet2 dmz security20
global (outside) 1 209.181.a.b netmask 255.255.255.248
nat (dmz) 1 192.168.17.0 255.255.255.0
static (dmz,outside) 209.181.x.y 192.168.17.100 netmask 255.255.255.255 0 0
The issue is I cannot get outside (to the Internet) from this Windows 2003 server.
If I change the IP of this Win 2003 server to 192.168.17.101 (no static here, NAT with the public global IP) then it will work.
Any idea what I am missing...
BV
Walter Roberson Guest
Posted: Fri Oct 19, 2007 4:40 am Post subject: Re: PIX 515 DMZ can't access Internet
In article <1192737310.885269.306300@v23g2000prn.googlegroups.com>,
<bavien@gmail.com> wrote:
> I have a PIX 515 running 6.3(3) software.
> Windows 2003 server (plan on using as FTP server) in the DMZ with
> global (outside) 1 209.181.a.b netmask 255.255.255.248
> nat (dmz) 1 192.168.17.0 255.255.255.0
> static (dmz,outside) 209.181.x.y 192.168.17.100 netmask 255.255.255.255 0 0
> The issue is I cannot get outside (to the Internet) from this Windows
> 2003 server.

Whatever the next hop is beyond your PIX: does it know to *route*
209.181.x.y to your PIX public IP 209.181.a.b ?
The PIX will proxy arp for 209.181.x.y, but proxy arp is often
unreliable.
Guest
Posted: Sun Oct 21, 2007 12:50 am Post subject: Re: PIX 515 DMZ can't access Internet
On Oct 19, 1:26 pm, bav...@gmail.com wrote:
> On Oct 18, 6:40 pm, rober...@hushmail.com (Walter Roberson) wrote:
> > In article <1192737310.885269.306...@v23g2000prn.googlegroups.com>,
> > <bav...@gmail.com> wrote:
> > > I have a PIX 515 running 6.3(3) software.
> > > Windows 2003 server (plan on using as FTP server) in the DMZ with
> > > global (outside) 1 209.181.a.b netmask 255.255.255.248
> > > nat (dmz) 1 192.168.17.0 255.255.255.0
> > > static (dmz,outside) 209.181.x.y 192.168.17.100 netmask 255.255.255.255 0 0
> > > The issue is I cannot get outside (to the Internet) from this Windows
> > > 2003 server.
> > Whatever the next hop is beyond your PIX: does it know to *route*
> > 209.181.x.y to your PIX public IP 209.181.a.b ?
> > The PIX will proxy arp for 209.181.x.y, but proxy arp is often
> > unreliable.
> Thanks Walter...
> The PIX 515 is part of the DSL set up, behind a Cisco 837 DSL router.
> Range of 8 IP addresses (6 usable) from DSL provider.
> Are you suggesting I need to look into the config of the Cisco 837? If
> you are, what am I looking for in particular?
> Thanks again.
> BV

Just wondering if the x.y address is in the range of 6 represented by
a.b?
Don't you have to exclude the address used for the static translation
from the pool?
John
Guest
Posted: Mon Oct 22, 2007 8:53 pm Post subject: Re: PIX 515 DMZ can't access Internet
On Oct 21, 10:36 am, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1192818403.514787.146...@i38g2000prf.googlegroups.com>,
> <bav...@gmail.com> wrote:
> > > Whatever the next hop is beyond your PIX: does it know to *route*
> > > 209.181.x.y to your PIX public IP 209.181.a.b ?
> > The PIX 515 is part of the DSL set up, behind a Cisco 837 DSL router.
> > Range of 8 IP addresses (6 usable) from DSL provider.
> > Are you suggesting I need to look into the config of the Cisco 837? If
> > you are, what am I looking for in particular?
> 6 usable? Or 5? Or 4?
> .0 - base address
> .7 - broadcast address
> .something - 837's LAN address
> That's the minimum usable setup if your IP address range is brought
> to you on a "carrier" IP range. But if your IP address range is direct,
> then you have
> .something - 837's WAN address
> .somethingelse - ISP's WAN address
> leaving only 4 usable IPs (unless you overload the 837's WAN address
> to forward to something internal.)
> In any case, on the 837, you would put something like
> route inside 209.181.x.0 0.0.0.7 host 209.181.a.b
> replacing 209.181.x.0 with the base IP address of your range.

In my Cisco 837 DSL router there is an entry relating to routing:
"ip route 0.0.0.0 0.0.0.0 Dialer0"
Dialer0 is "ip unnumbered Ethernet0" and Ethernet0 is assigned the WAN
IP, which is another IP address (different from both 209.181.x.y and
209.181.a.b).
The above ip route command should be sufficient... right?
BV
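The routing point Walter raises (the hop beyond the PIX must forward the static's public address to the PIX rather than rely on PIX proxy ARP), together with the 837 route discussed in the last exchange, as an added example that is not part of the thread and not the poster's configuration. The addresses are constructed: 203.0.113.0/29 stands in for the ISP's 209.181.x.0/29 block, with .1 assumed to be the 837's Ethernet0 address, .2 standing in for the PIX outside address (209.181.a.b) and .3 for the public side of the static (209.181.x.y). The PIX interface addresses, the dmz interface address and the 837's interface layout are assumptions, not taken from the posts.

```cisco
! Added example, not from the thread. Constructed addresses: 203.0.113.0/29
! stands in for the ISP's 209.181.x.0/29; .1 = 837 Ethernet0 (assumed),
! .2 = PIX outside (stands in for 209.181.a.b), .3 = public side of the
! static for the FTP server (stands in for 209.181.x.y).

! ---- Cisco 837 (IOS) ----
interface Ethernet0
 ip address 203.0.113.1 255.255.255.248
!
! Host route for the translated address, next hop = PIX outside address.
! The /32 is more specific than the connected /29, so the 837 forwards the
! packet to the PIX instead of ARPing for .3 and depending on PIX proxy ARP.
ip route 203.0.113.3 255.255.255.255 203.0.113.2
ip route 0.0.0.0 0.0.0.0 Dialer0

! ---- PIX 515, software 6.3 ----
nameif ethernet0 outside security0
nameif ethernet2 dmz security20
ip address outside 203.0.113.2 255.255.255.248
ip address dmz 192.168.17.1 255.255.255.0
! PAT for the rest of the DMZ onto the PIX outside address
global (outside) 1 203.0.113.2 netmask 255.255.255.248
nat (dmz) 1 192.168.17.0 255.255.255.0
! One-to-one translation for the FTP server; the static takes precedence
! over the nat/global pair for 192.168.17.100
static (dmz,outside) 203.0.113.3 192.168.17.100 netmask 255.255.255.255 0 0
! Default route toward the 837
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! If proxy ARP is disabled on outside (sysopt noproxyarp outside), the
! host route on the 837 is mandatory rather than a robustness measure.
! After changing nat/global/static, run "clear xlate" so old translations
! do not mask the new ones.

! ---- Checks, in order ----
! 837:  show ip route 203.0.113.3   ! expect the /32 via 203.0.113.2, not
!                                   ! "directly connected" (that means ARP)
!       show ip arp 203.0.113.2     ! MAC of the PIX outside interface
! PIX:  show xlate                  ! a static entry for 203.0.113.3 <->
!                                   ! 192.168.17.100
!       show arp                    ! outside 203.0.113.1 = the 837's MAC
!       debug icmp trace            ! ping an Internet address from the
!                                   ! server: the request should leave
!                                   ! outside sourced from 203.0.113.3; a
!                                   ! missing reply points at the path
!                                   ! beyond the PIX, not at the PIX
```

The host route, rather than a route for the whole /29, is deliberate: when the /29 already sits on the 837's Ethernet0 as a connected network, a static route for the same prefix does not replace it, and the 837 keeps ARPing for every address in the block. The /32 wins by longest match and removes the dependency on proxy ARP that Walter calls unreliable. If `show ip route 203.0.113.3` on the 837 still answers "directly connected", the route was not installed or was entered for the wrong prefix.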