translation/port issues with a 515E

Unanswered Question
Oct 9th, 2008

I'm having issues opening an HTTP connection between a host on one interface (higher security level) and a webserver on another interface (lower security level). The webserver is statically mapped to a public IP address, and the host is using interface PAT.

Now, I'm assuming that this is a translation/port issue since there are no outbound ACLs for the internal interface the host sits on.

Before I go further, here is the version info and relevant config entries (there are additional interfaces, NAT, ACLs, etc. omitted):

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(1)
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

nameif ethernet0 outside security0
nameif ethernet3 private security20
nameif vlan5 F5External security8
ip address outside 208.x.x.x x.x.x.x
ip address private
ip address F5External
global (outside) 1 interface
nat (private) 0 access-list private_outbound_nat0_acl
nat (private) 1 0 0
nat (F5External) 0 access-list F5External_outbound_nat0_acl
nat (F5External) 1 0 0
access-list private_outbound_nat0_acl line 3 permit ip any
access-list F5External_outbound_nat0_acl line 3 permit ip any
static (F5External,outside) 63.x.x.x netmask 0 0
static (private,outside) 66.x.x.x netmask 0 0

Here's a look at what's going on with the connections:

The host in question (, opens a connection with the webserver (, and has its private IP translated to the interface IP (208.x.x.x):

TCP out 208.x.x.x:1060 in idle 0:00:30 Bytes 0 flags aB

The webserver responds, has its private IP ( translated to its static public IP (63.x.x.x), and tries to open a connection to port 3954 on the requesting host (

TCP out 63.x.x.x:80 in idle 0:00:06 Bytes 0 flags saA

It does seem like the translations are behaving as configured, but for some reason (the crux of the issue), the source port of the requesting host changes from 1060 to 3954. Why is this and how can it be corrected? The connection flags also point to this issue:

webserver: aB = (awaiting outside ACK to SYN) (initial SYN from outside)
requesting host: saA = (awaiting outside SYN) (awaiting outside ACK to SYN) (awaiting inside ACK to SYN)

If the source port of the requesting host were the same on the webserver's reply, then the requesting host wouldn't be waiting for an outside SYN... right? What is causing the sport change?

There is one host ( on this segment that can successfully open an HTTP connection to the webserver on a different firewall interface. The difference? This host on the private interface has a statically mapped public IP address. Here's the connection output:

TCP out 66.x.x.x:2513 in idle 0:00:00 Bytes 77259 flags UIOB
TCP out 63.x.x.x:80 in idle 0:00:49 Bytes 77259 flags UIO

The requesting host's source port is the same on both paths of the TCP connection.

So... why can't the source port stay the same for hosts using interface PAT, and why does it stay the same for a host that has a statically mapped public IP? How do I go about fixing this sport issue? (assuming the problem is with the TCP sport)

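As an added example (not code from the original post, and not Cisco's), here is a small Python parser for PIX 6.3 `show conn` output that decodes the state flags the way the post does (aB, saA, UIOB, UIO), separates half-open entries from established ones, and compares a client's source port across the two legs of a connection. The four FROM_POST lines are copied from the question; their inside endpoints were scrubbed before publication, so the parser treats the `in` endpoint as optional. The CONSTRUCTED lines add invented RFC 5737 inside addresses (192.0.2.x, 198.51.100.x) so the port comparison has something to compare; the flag legend is the one printed by `show conn detail` on PIX 6.3.

```python
"""Parse Cisco PIX 6.3 'show conn' lines and decode their TCP state flags.

Added example for this thread; not code from the original post or from Cisco.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Flag legend from PIX 6.3 'show conn detail' (the TCP state subset).
FLAG_LEGEND: Dict[str, str] = {
    "U": "up",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "I": "inbound data",
    "O": "outbound data",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
}

# One 'show conn' line. The inside endpoint is optional because the lines in
# the post were sanitised down to "in idle ..." before they were published.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>\S+):(?P<out_port>\d+)"
    r"\s+in(?:\s+(?P<in_ip>\S+):(?P<in_port>\d+))?"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})\s+Bytes\s+(?P<bytes>\d+)"
    r"\s+flags\s+(?P<flags>[A-Za-z]*)\s*$"
)


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: Optional[str]
    in_port: Optional[int]
    idle: str
    nbytes: int
    flags: str

    def decode_flags(self) -> List[str]:
        return [FLAG_LEGEND.get(c, f"unknown flag {c!r}") for c in self.flags]

    def is_established(self) -> bool:
        # 'U' is set only once the three-way handshake has completed.
        return "U" in self.flags

    def is_half_open(self) -> bool:
        # A SYN/ACK still pending on either side and never reached 'up'.
        return not self.is_established() and any(c in self.flags for c in "sSaA")


def parse_conn(line: str) -> Conn:
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'show conn' line: {line!r}")
    g = m.groupdict()
    return Conn(
        proto=g["proto"],
        out_ip=g["out_ip"],
        out_port=int(g["out_port"]),
        in_ip=g["in_ip"],
        in_port=int(g["in_port"]) if g["in_port"] else None,
        idle=g["idle"],
        nbytes=int(g["bytes"]),
        flags=g["flags"],
    )


def half_open_conns(lines: List[str]) -> List[Conn]:
    """Return the embryonic entries (handshake never completed), like the post's aB/saA pair."""
    return [c for c in map(parse_conn, lines) if c.is_half_open()]


def source_port_preserved(host_leg: Conn, server_leg: Conn) -> bool:
    """Compare the client's real source port (the 'in' port on its own leg) with the
    port the server-facing leg sees (its 'out' port). A static 1:1 translation keeps
    the port; interface PAT allocates a new global port, so the two differ."""
    if host_leg.in_port is None:
        raise ValueError("host leg has no inside endpoint to compare")
    return host_leg.in_port == server_leg.out_port


# FROM_POST: copied from the question; inside endpoints were scrubbed there.
FROM_POST = [
    "TCP out 208.x.x.x:1060 in idle 0:00:30 Bytes 0 flags aB",
    "TCP out 63.x.x.x:80 in idle 0:00:06 Bytes 0 flags saA",
    "TCP out 66.x.x.x:2513 in idle 0:00:00 Bytes 77259 flags UIOB",
    "TCP out 63.x.x.x:80 in idle 0:00:49 Bytes 77259 flags UIO",
]

# CONSTRUCTED: inside endpoints are invented (RFC 5737) to show the full format.
PAT_HOST_LEG = "TCP out 63.x.x.x:80 in 192.0.2.50:3954 idle 0:00:06 Bytes 0 flags saA"
PAT_SERVER_LEG = "TCP out 208.x.x.x:1060 in 198.51.100.80:80 idle 0:00:30 Bytes 0 flags aB"
STATIC_HOST_LEG = "TCP out 63.x.x.x:80 in 192.0.2.60:2513 idle 0:00:49 Bytes 77259 flags UIO"
STATIC_SERVER_LEG = "TCP out 66.x.x.x:2513 in 198.51.100.80:80 idle 0:00:00 Bytes 77259 flags UIOB"

if __name__ == "__main__":
    for c in map(parse_conn, FROM_POST):
        state = "half-open" if c.is_half_open() else "established"
        print(f"{c.out_ip}:{c.out_port:<5} {c.flags:5} {state}: {', '.join(c.decode_flags())}")
    print("PAT legs keep source port:",
          source_port_preserved(parse_conn(PAT_HOST_LEG), parse_conn(PAT_SERVER_LEG)))
    print("static legs keep source port:",
          source_port_preserved(parse_conn(STATIC_HOST_LEG), parse_conn(STATIC_SERVER_LEG)))
```

Run it against a pasted `show conn` dump to list which entries never got past the handshake; on this box only the two PAT-path legs come back half-open, and the port comparison shows the static host keeping 2513 on both legs while the PAT'd host's 3954 becomes 1060 on the far side.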
abinjola Thu, 10/09/2008 - 17:32

I am assuming your local machines want to open the webserver with its public IP.

Add the following lines and let me know if it helps:

static (F5external,private) 63.x.x.x
global (F5external) 1 interface

Let me know how it goes.

Fernando_Meza Thu, 10/09/2008 - 17:59

Hi ..

I can't see the rest of the configuration, however I suggest you use static NAT between private and F5External instead of using NAT exemption (nat 0):

static (private,F5External) netmask

Make sure you allow the required access from Private -> F5External (allowed by default from higher to lower security). If you also need access to be initiated from F5External -> Private (Lower to higher) then that needs to be specifically allowed as well.

Also make sure that the private hosts are actually trying to connect to the IP address instead of to its public IP address, otherwise the packet might be trying to go out the outside interface, which seems to be the case in your logs.

don't forget to do clear xlate after the changes !!!

I hope it helps .. please rate helpful posts
