Inbound connections on a 515e without NAT




All,

I have a PIX 515E configured that permits outbound connections
from inside our network. However, I can't get it to permit inbound
ones. I know this should be fairly simple; I think the complication
is we aren't doing NAT, and are using the same addresses inside as
outside. Here's the relevant part of our configuration.


PIX Version 7.0(4)2

! we use NAT control but use our real addresses on the inside
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

interface Ethernet0
nameif outside
security-level 0
ip address A.B.50.14 255.255.255.0

interface Ethernet1
nameif inside
security-level 100
ip address A.B.70.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 A.B.50.1 1

! So far this part works as it should, here's
! the part I'm having trouble with. Let's say
! I have a web server at A.B.70.50. From what I've
! read, I would have thought the following would
! permit inbound traffic to it.

access-list permit_web extended permit tcp any host A.B.70.50 eq 80
access-group permit_web in interface outside

static (inside,outside) A.B.70.50 A.B.70.50 netmask 255.255.255.255

But, this fails. My thinking was to allow a connection for the address
of the web server. So when this failed, I thought, maybe I allow
the connection on the outside interface, like:

static (inside,outside) A.B.50.14 A.B.50.14 netmask 255.255.255.255

Even though, if this worked, it would allow inbound connections to every system behind A.B.50.14 on the PIX. But even this doesn't work.

I've looked pretty carefully through _Cisco PIX Firewalls_ (Behrens, et al) and through other postings in this group, but they all use NAT / PAT. In fact, it seems as though the static(,) command pretty much expects some form of address translation, and isn't very happy unless it occurs.

Thanks in advance for any help.

B Squared
=========================================================================
I've gone to hundreds of fortune-tellers' parlors, and have been told
thousands of things, but nobody ever told me I was a policewoman
getting ready to arrest her. --Unknown NYC Detective
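As an added illustration (not part of the post or any Cisco code), the toy model below parses the two config line forms the post relies on, the `access-list ... extended permit` entry and the `static (inside,outside)` identity translation, and checks the two gates an inbound packet has to pass on a nat-control PIX: a permit on the outside-interface ACL and a translation for the destination. It understands only the `any` / `host` / `eq` forms that appear in the post, treats the letter-prefixed `A.B.` addresses as opaque strings, and the outside source address is a constructed sample.

```python
"""Toy model of the PIX 7.x inbound decision for the posted configuration.
Added example, not Cisco code: it only parses the address and port forms
that appear in the post (any, host X, eq PORT, netmask 255.255.255.255)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]

def _addr(tok, i):
    """Consume one address spec ('any' or 'host X') starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")

def parse_ace(line):
    # access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "extended"
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(tok[3], tok[4], src, dst, dport)

def parse_static(line):
    # static (inside,outside) GLOBAL LOCAL netmask MASK  ->  (GLOBAL, LOCAL)
    tok = line.split()
    assert tok[0] == "static" and tok[4] == "netmask"
    return tok[2], tok[3]

def acl_verdict(aces, proto, src, dst, dport):
    """First-match evaluation with the PIX's implicit deny at the end."""
    for a in aces:
        if (a.proto in ("ip", proto) and a.src in ("any", src)
                and a.dst in ("any", dst) and a.dport in (None, dport)):
            return a.action
    return "deny"

def inbound_allowed(config, proto, src, dst, dport):
    """Inbound needs an ACL permit AND a static for the destination
    (nat-control is enabled in the post, so no translation means no flow)."""
    aces = [parse_ace(l) for l in config if l.startswith("access-list")]
    statics = dict(parse_static(l) for l in config if l.startswith("static"))
    return acl_verdict(aces, proto, src, dst, dport) == "permit" and dst in statics

# Lines copied from the post; the access-group line is not needed by the model.
POSTED_CONFIG = [
    "access-list permit_web extended permit tcp any host A.B.70.50 eq 80",
    "static (inside,outside) A.B.70.50 A.B.70.50 netmask 255.255.255.255",
]
```

Under this model the posted lines satisfy both gates for TCP/80 to A.B.70.50 and nothing else, which is why the remaining suspects are outside the config excerpt itself (for instance, whether the upstream router at A.B.50.1 actually forwards A.B.70.0/24 to the PIX).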