PIX port translation not working

Feb 16th, 2009

I have a PIX 501 that I am using for a small office location. Behind the firewall is a web server, running two different web instances. The first is running internally on port 85, the second uses port 86. On the PIX, I want to designate two separate external IPs, one for each web site. This way I can have external DNS records point to the two sites individually, even though they are running on the same physical server.


I've defined my static translations along these lines:

static (inside,outside) tcp EXTERNAL1 80 INTERNAL 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXTERNAL2 80 INTERNAL 86 netmask 255.255.255.255 0 0


I also have defined my ACLs to allow access to port 80 on each of these IPs.


Yet for some reason, the connections are not happening properly.


Did I miss something?


Thanks!

John Blakley Mon, 02/16/2009 - 12:59

When you add static translations, you need to run "clear xlate."


HTH,


John

pondersean Mon, 02/16/2009 - 13:03
Hmm...I just ran that and it didn't clear up the problem. External clients are unable to connect to either of my static external IPs using a web browser. I definitely feel like I'm missing something here!


-Sean

John Blakley Mon, 02/16/2009 - 13:10

Can you post your names, acl lines that are applied to the outside interface, and the "sh xlate" output? Do you have an acl on your inside interface? If so, can you post that acl?


Thanks,

John

pondersean Mon, 02/16/2009 - 13:13

Sure thing! I am not using names, purely IPs. But here are the details, straight from the config (with minor omissions):

access-list WEB permit tcp any host x.x.x.188 eq www
access-list WEB permit tcp any host x.x.x.188 eq https
access-list WEB permit tcp any host x.x.x.189 eq https
access-list WEB permit tcp any host x.x.x.189 eq www

static (inside,outside) tcp x.x.x.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0


Thanks!


-Sean

John Blakley Mon, 02/16/2009 - 13:15

Sean,


Do you have an acl on your inside interface?


John

pondersean Mon, 02/16/2009 - 13:18
Nope, these ACLs are applied to the outside interface only. I have nothing running on the inside interface.

John Blakley Mon, 02/16/2009 - 13:19

Can you post your "sh xlate"? What happens if you try to telnet from an outside host into your IP on port 80?


John

pondersean Mon, 02/16/2009 - 13:24

When I use "show xlate" it only shows a list of the PAT connections from my inside PC to websites, on my global outside IP. Nothing in the list for these two defined IPs.


-Sean

John Blakley Mon, 02/16/2009 - 13:31

What do your nat and global statements look like? So far, it should be working.


John

pondersean Mon, 02/16/2009 - 13:34

Here they are, in all their glory:

global (outside) 1 x.x.x.186
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.41.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0


The "nonat" NAT statement is for a static VPN tunnel that I have set up to another location. All it does is define the interesting traffic for the VPN, and not NAT it.


-Sean
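Added example, not part of the thread: a small offline consistency check over a PIX 6.x style config that pairs each `static` port translation with the ACL entries applied to the outside interface. It reports a static with no matching permit (the symptom Sean is chasing if an ACL line were missing) and, the other way round, permits for a global IP/port that no static maps, which in this thread's config are the two `eq https` lines with no https static behind them. The sample config is constructed to mirror the thread's layout, uses the 203.0.113.0/24 documentation range in place of the masked x.x.x addresses, and assumes an `access-group WEB in interface outside` line that the thread describes but does not quote.

```python
import re
from collections import defaultdict

# Constructed sample config mirroring the thread (documentation addresses, assumed access-group line).
SAMPLE_CONFIG = """
access-list WEB permit tcp any host 203.0.113.188 eq www
access-list WEB permit tcp any host 203.0.113.188 eq https
access-list WEB permit tcp any host 203.0.113.189 eq https
access-list WEB permit tcp any host 203.0.113.189 eq www
access-group WEB in interface outside
global (outside) 1 203.0.113.186
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.41.0 255.255.255.0 0 0
static (inside,outside) tcp 203.0.113.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0
"""

# Service names PIX accepts in place of numbers (subset that matters for this check).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23,
              "smtp": 25, "domain": 53, "ftp": 21}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (tcp|udp) (\S+) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def port_number(token):
    """Normalise a numeric port or a PIX service keyword to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Extract port statics, per-name ACL entries and interface bindings from a config."""
    statics = []              # (proto, global_ip, global_port, local_ip, local_port)
    acls = defaultdict(list)  # acl name -> [(action, proto, src, dst_ip, dst_port)]
    groups = {}               # interface -> acl name applied inbound
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _, _, proto, gip, gport, lip, lport = m.groups()
            statics.append((proto, gip, port_number(gport), lip, port_number(lport)))
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, dport = m.groups()
            acls[name].append((action, proto, src, dst, port_number(dport)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups


def audit(text):
    """Return findings: statics without an outside permit, and permits without a static."""
    statics, acls, groups = parse_config(text)
    outside_acl = acls.get(groups.get("outside"), [])
    permitted = {(e[1], e[3], e[4]) for e in outside_acl if e[0] == "permit"}
    exposed = {(s[0], s[1], s[2]) for s in statics}
    findings = []
    for proto, gip, gport, lip, lport in statics:
        if (proto, gip, gport) not in permitted:
            findings.append(f"static {gip}:{gport}/{proto} -> {lip}:{lport} "
                            "has no permit in the outside ACL; outside clients will be denied")
    for proto, dst, dport in sorted(permitted):
        if (proto, dst, dport) not in exposed:
            findings.append(f"outside ACL permits {dst}:{dport}/{proto} but no static maps it; "
                            "the entry is dead, drop it or add the translation")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it lists the two https permits as unbacked; deleting one of the `eq www` lines instead produces a "has no permit" finding for that static. It only understands the single-host `eq` form used in the thread, so ranges, object groups and `any`-destination entries would need extending before using it on a larger config.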


John Blakley Mon, 02/16/2009 - 13:55

Well, unless someone else jumps in here, my next thought is for you to write your changes and reload the firewall. You could also try to add another translation for a standard port to see if it works. I'm assuming that you're not trying to connect to your public IP address from inside of your firewall because that would never work. You would physically have to be outside of your internal network to see it.


A reboot may resolve the issue.


HTH,


John

pondersean Mon, 02/16/2009 - 14:30

I'll be darned! Reloading did the trick!


Thanks for your help!


-Sean
