pix 506e static ip problem

Oct 4th, 2007

I have a 5-block range of IPs that our ISP has given us. We use PAT on the PIX external address and use a static for the second IP in the range, and both work fine. When I try to add a third static it doesn't work. No matter how I configure it I never get traffic out the third IP, or fourth, or fifth for that matter. However, if I use a static IP connected directly to our DSL modem, they work fine.


Any suggestions? PIX config attached, but IPs changed.



Thanks,

Mike



PAUL GILBERT ARIAS Thu, 10/04/2007 - 16:12

Hello,

The commands in your configuration look fine. There is something that you have to do whenever you make changes to your NAT.

As soon as you add the static translations you have to clear the translations. For example, you add:


static (inside,outside) x.x.x.179 serverip netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.181 192.168.1.6 netmask 255.255.255.255 0 0


Then:

clear xlate local serverip

clear xlate local 192.168.1.6


After that the traffic should be able to get translated using the right IP. You can verify it by checking the translations created. You can check it by using the command:

show xlate

Or

show xlate local 192.168.1.6


This will give you the translation being made.

I hope this helps.


merlin_666 Thu, 10/04/2007 - 16:47

I make sure to do that each time. However, the traffic still doesn't go through. Syslog shows SYN timeout for the connection. PIX-6-302014 I think for the error code. Looked and says something about DoS flood but that doesn't sound right.

PAUL GILBERT ARIAS Fri, 10/05/2007 - 07:50

If you get a SYN timeout it might be because the traffic is not returning to the PIX. Make sure the server has the default gateway pointing to the PIX.

arunsing Thu, 10/04/2007 - 18:32

Can you please post the syslogs and show xlate?

merlin_666 Sun, 10/07/2007 - 07:33

Here is the show xlate with comments added. I'll add syslog shortly.


PAT Global 129.X.X.178(443) Local 192.168.1.24(137)

Global 129.X.X.182 Local 192.168.1.58 - static that doesn't work

PAT Global 129.X.X.178(33789) Local 192.168.1.85(1935)

PAT Global 129.X.X.178(33788) Local 192.168.1.65(50267)

PAT Global 129.X.X.178(33790) Local 192.168.1.45(2831)

PAT Global 129.X.X.178(4994) Local 192.168.1.200(1044)

Global 129.X.X.179 Local mdaemon - static has always worked

merlin_666 Sun, 10/07/2007 - 07:56

Syslog messages for just 192.168.1.58


10/7/2007 11:45 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 138990 for outside:69.61.55.195/80 (69.61.55.195/80) to inside:192.168.1.58/51601 (129.X.X.182/51601)

10/7/2007 11:45 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139007 for outside:64.236.16.52/80 (64.236.16.52/80) to inside:192.168.1.58/51602 (129.X.X.182/51602)

10/7/2007 11:46 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139026 for outside:64.236.24.12/80 (64.236.24.12/80) to inside:192.168.1.58/51603 (129.X.X.182/51603)

10/7/2007 11:46 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139032 for outside:198.23.16.138/443 (198.23.16.138/443) to inside:192.168.1.58/51604 (129.X.X.182/51604)

10/7/2007 11:46 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 138942 for outside:198.23.16.138/443 to inside:192.168.1.58/51599 duration 0:02:01 bytes 0 SYN Timeout

10/7/2007 11:46 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139038 for outside:64.236.29.120/80 (64.236.29.120/80) to inside:192.168.1.58/51605 (129.X.X.182/51605)

10/7/2007 11:46 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139052 for outside:64.236.91.21/80 (64.236.91.21/80) to inside:192.168.1.58/51606 (129.X.X.182/51606)

10/7/2007 11:47 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139054 for outside:64.236.91.22/80 (64.236.91.22/80) to inside:192.168.1.58/51607 (129.X.X.182/51607)

10/7/2007 11:47 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139055 for outside:198.23.16.138/443 (198.23.16.138/443) to inside:192.168.1.58/51608 (129.X.X.182/51608)

10/7/2007 11:47 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 138983 for outside:198.23.16.138/443 to inside:192.168.1.58/51600 duration 0:02:01 bytes 0 SYN Timeout

10/7/2007 11:47 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139069 for outside:64.236.91.23/80 (64.236.91.23/80) to inside:192.168.1.58/51609 (129.X.X.182/51609)

10/7/2007 11:47 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 138990 for outside:69.61.55.195/80 to inside:192.168.1.58/51601 duration 0:02:01 bytes 0 SYN Timeout

10/7/2007 11:47 Local4.Info 192.168.1.1 %PIX-6-302014: Teardown TCP connection 139007 for outside:64.236.16.52/80 to inside:192.168.1.58/51602 duration 0:02:01 bytes 0 SYN Timeout

10/7/2007 11:47 Local4.Info 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 139089 for outside:64.236.91.24/80 (64.236.91.24/80) to inside:192.168.1.58/51610 (129.X.X.182/51610)
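
A way to pull the pattern out of syslog output like the above, added here as an example and not part of the thread: pair each 302013 "Built" record with its 302014 "Teardown" by connection number and report the local-to-global mappings whose closed connections all ended as 0-byte SYN Timeouts, meaning the PIX forwarded the SYN but never saw a reply. The sample lines are constructed with documentation addresses, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the %PIX-6-302013 / %PIX-6-302014 format shown in the thread
# (documentation addresses, not the poster's).
SAMPLE = """\
%PIX-6-302013: Built outbound TCP connection 101 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:192.168.1.58/51601 (203.0.113.182/51601)
%PIX-6-302013: Built outbound TCP connection 102 for outside:198.51.100.11/443 (198.51.100.11/443) to inside:192.168.1.58/51602 (203.0.113.182/51602)
%PIX-6-302013: Built outbound TCP connection 103 for outside:198.51.100.12/25 (198.51.100.12/25) to inside:192.168.1.5/2001 (203.0.113.179/2001)
%PIX-6-302014: Teardown TCP connection 101 for outside:198.51.100.10/80 to inside:192.168.1.58/51601 duration 0:02:01 bytes 0 SYN Timeout
%PIX-6-302014: Teardown TCP connection 103 for outside:198.51.100.12/25 to inside:192.168.1.5/2001 duration 0:00:04 bytes 1840 TCP FINs
%PIX-6-302014: Teardown TCP connection 102 for outside:198.51.100.11/443 to inside:192.168.1.58/51602 duration 0:02:01 bytes 0 SYN Timeout
"""

# [\w.]+ for the global address so masked values such as 129.X.X.182 still parse.
BUILT = re.compile(r"%PIX-6-302013: Built outbound TCP connection (\d+) for \S+ \(\S+\) "
                   r"to inside:([\d.]+)/\d+ \(([\w.]+)/\d+\)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) for .*? bytes (\d+) (.+)$")

def summarize(log_text):
    """Per (local, global) mapping: closed connections and 0-byte SYN Timeouts."""
    conn_map = {}  # connection id -> (local ip, global ip)
    stats = defaultdict(lambda: {"closed": 0, "syn_timeout": 0})
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            conn_map[m.group(1)] = (m.group(2), m.group(3))
        elif m := TEARDOWN.search(line):
            conn_id, nbytes, reason = m.group(1), int(m.group(2)), m.group(3).strip()
            if conn_id not in conn_map:
                continue  # built before the capture started; mapping unknown
            entry = stats[conn_map[conn_id]]
            entry["closed"] += 1
            if reason == "SYN Timeout" and nbytes == 0:
                entry["syn_timeout"] += 1
    return dict(stats)

def no_return_traffic(log_text):
    """Mappings where every closed connection timed out waiting for a reply to the SYN."""
    return sorted(key for key, s in summarize(log_text).items()
                  if s["closed"] and s["closed"] == s["syn_timeout"])

if __name__ == "__main__":
    for local, global_ip in no_return_traffic(SAMPLE):
        print(f"{local} -> {global_ip}: all closed connections were 0-byte SYN Timeouts")
```
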

