02-16-2009 12:56 PM - edited 03-11-2019 07:51 AM
I have a PIX 501 that I am using for a small office location. Behind the firewall is a web server, running two different web instances. The first is running internally on port 85, the second uses port 86. On the PIX, I want to designate two separate external IPs, one for each web site. This way I can have external DNS records point to the two sites individually, even though they are running on the same physical server.
I've defined my static translations along these lines:
static (inside,outside) tcp EXTERNAL1 80 INTERNAL 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXTERNAL2 80 INTERNAL 86 netmask 255.255.255.255 0 0
I also have defined my ACLs to allow access to port 80 on each of these IPs.
Yet for some reason, the connections are not happening properly.
Did I miss something?
Thanks!
02-16-2009 12:59 PM
When you add static translations, you need to run "clear xlate."
HTH,
John
02-16-2009 01:03 PM
Hmm...I just ran that and it didn't clear up the problem. External clients are unable to connect to either of my static external IPs using a web browser. I definitely feel like I'm missing something here!
-Sean
02-16-2009 01:10 PM
Can you post your names, acl lines that are applied to the outside interface, and the "sh xlate" output? Do you have an acl on your inside interface? If so, can you post that acl?
Thanks,
John
02-16-2009 01:13 PM
Sure thing! I am not using names, purely IPs. But here are the details, straight from the config (with minor omissions):
access-list WEB permit tcp any host x.x.x.188 eq www
access-list WEB permit tcp any host x.x.x.188 eq https
access-list WEB permit tcp any host x.x.x.189 eq https
access-list WEB permit tcp any host x.x.x.189 eq www
static (inside,outside) tcp x.x.x.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0
Thanks!
-Sean
02-16-2009 01:15 PM
Sean,
Do you have an acl on your inside interface?
John
02-16-2009 01:18 PM
Nope, these ACLs are applied to the outside interface only. I have nothing running on the inside interface.
02-16-2009 01:19 PM
Can you post your "sh xlate"? What happens if you try to telnet from an outside host into your IP and port 80?
John
02-16-2009 01:24 PM
When I use "show xlate" it only shows a list of the PAT connections from my inside PC to websites...on my global outside IP. Nothing in the list for these two defined IPs.
-Sean
02-16-2009 01:31 PM
What do your nat and global statements look like? So far, it should be working.
John
02-16-2009 01:34 PM
Here they are, in all their glory:
global (outside) 1 x.x.x.186
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.41.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0
The "nonat" NAT statement is for a static VPN tunnel that I have set up to another location. All it does is define the interesting traffic for the VPN, and not NAT it.
-Sean
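On a PIX 6.x, an inbound port-forward needs three things that have to agree with each other: a port static whose mapped (global) address and port are what the outside sees, a permit in the outside ACL for that same global address and port (the ACL on this platform references the translated address, not 192.168.41.10), and an access-group that actually binds the ACL to the outside interface. The script below, an added example and not something posted in this thread, parses those lines out of a config excerpt and cross-checks them. The excerpt is constructed from the lines Sean posted, with x.x.x replaced by the 203.0.113.0/24 documentation prefix and with the access-group line that his "minor omissions" left out added in; both of those are assumptions for the sake of a runnable example. Only port statics and simple "permit <proto> <src> host <dst> eq <port>" entries are understood.

```python
"""Cross-check PIX 6.x port statics against the outside ACL (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the thread's posted lines. 203.0.113.x stands in
# for the redacted x.x.x prefix and the access-group line is assumed; neither is
# taken from a real device.
SAMPLE_CONFIG = """\
access-list WEB permit tcp any host 203.0.113.188 eq www
access-list WEB permit tcp any host 203.0.113.188 eq https
access-list WEB permit tcp any host 203.0.113.189 eq https
access-list WEB permit tcp any host 203.0.113.189 eq www
access-group WEB in interface outside
global (outside) 1 203.0.113.186
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.41.0 255.255.255.0 0 0
static (inside,outside) tcp 203.0.113.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0
"""

# Service keywords the PIX accepts in place of a port number (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23,
              "ftp": 21, "smtp": 25, "domain": 53}

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (tcp|udp) (any|host \S+|\S+ \S+) host (\S+) eq (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str      # global address the outside world connects to
    mapped_port: int
    real_ip: str        # inside host and port the PIX rewrites to
    real_port: int


@dataclass(frozen=True)
class Permit:
    acl: str
    proto: str
    dst_ip: str
    dst_port: int


def port_number(tok: str) -> int:
    """Resolve a PIX service keyword or numeric port to an integer."""
    return PORT_NAMES[tok.lower()] if tok.lower() in PORT_NAMES else int(tok)


def parse(config_text: str):
    """Pull port statics, ACL permits and access-group bindings from a config."""
    statics, permits, bindings = [], [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, proto, mip, mport, rip, rport = m.groups()
            statics.append(Static(real_if, mapped_if, proto, mip,
                                  port_number(mport), rip, port_number(rport)))
        elif m := ACL_RE.match(line):
            acl, action, proto, _src, dst, port = m.groups()
            if action == "permit":
                permits.append(Permit(acl, proto, dst, port_number(port)))
        elif m := ACCESS_GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)   # interface -> ACL name
    return statics, permits, bindings


def audit(config_text: str, outside: str = "outside") -> dict:
    """Return the effective mappings plus a list of inconsistencies."""
    statics, permits, bindings = parse(config_text)
    findings = []
    acl = bindings.get(outside)
    if acl is None:
        findings.append(f"no access-group binds an ACL to interface {outside}; "
                        "inbound connections to the statics are denied")
    outside_permits = {(p.proto, p.dst_ip, p.dst_port) for p in permits if p.acl == acl}
    mapped = {}
    for s in statics:
        if s.mapped_if != outside:
            continue
        key = (s.proto, s.mapped_ip, s.mapped_port)
        if key in mapped:
            findings.append(f"{s.mapped_ip} {s.proto}/{s.mapped_port} is mapped twice "
                            f"({mapped[key]} and {s.real_ip}:{s.real_port})")
        else:
            mapped[key] = f"{s.real_ip}:{s.real_port}"
        if key not in outside_permits:
            findings.append(f"static for {s.mapped_ip} {s.proto}/{s.mapped_port} "
                            f"has no permit in the ACL applied to {outside}")
    # A permit with no translation behind it lets nothing through: the PIX has no
    # xlate to rewrite the packet to and drops it.
    for proto, ip, port in sorted(outside_permits):
        if (proto, ip, port) not in mapped:
            findings.append(f"ACL permits {ip} {proto}/{port} but no static "
                            "translates it, so that traffic is dropped")
    return {"mapped": mapped, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for key, target in result["mapped"].items():
        print(f"{key[1]} {key[0]}/{key[2]} -> {target}")
    for f in result["findings"]:
        print("finding:", f)
```

Run against the excerpt, both www statics line up with their permits and the only findings are the two https permits that have no static behind them (harmless, but they will never pass traffic). Delete the access-group line and the audit reports that nothing binds the ACL and that both statics are therefore unreachable, which is the failure mode worth ruling out before reaching for a reload.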
02-16-2009 01:55 PM
Well, unless someone else jumps in here, my next thought is for you to write your changes and reload the firewall. You could also try to add another translation for a standard port to see if it works. I'm assuming that you're not trying to connect to your public IP address from inside of your firewall because that would never work. You would physically have to be outside of your internal network to see it.
A reboot may resolve the issue.
HTH,
John
02-16-2009 02:30 PM
I'll be darned! Reloading did the trick!
thanks for your help!
-Sean
02-17-2009 06:01 AM
Bravo!!! fellows
-JMF