andrew.prince@m... Tue, 06/30/2009 - 00:58

Your acl could be using the wrong destination address, you could be using the wrong internal address - check both of these.


andrew.prince@m... Tue, 06/30/2009 - 01:03

Then you need to check if the internal device is actually listening on the UDP/TCP port numbers you have defined in your ACL.

Also if the internal device has internet access - goto and confirm the NAT translation is 100% correct.

omar.elmohri Tue, 06/30/2009 - 01:08

When using the 'show xlate' that don't show details on that PIX edition, is there a way for that?

omar.elmohri Tue, 06/30/2009 - 02:47

Here is more details about the situation:

Fisrt, I have the commandes:


permit tcp any 'public@ip1' eq www

permit ip any 'public@ip2


static (inside,outside) tcp public@ip1 www private@ip1 www

static (inside,outisde) public@ip2 private@ip2

Access to the first ip@ with web is working (tested by telnetting the 80 port). But nothing is permitted to the second ip@ (no reply when telnet)

I inverted the ACLs and NAT (ip@1 with ip@2) and still the same, the first is OK and not the same.

If the server is not well configured, can I see the session open when translated by the PIX but not opened on the server?


andrew.prince@m... Tue, 06/30/2009 - 02:50

To check the servers, if they are windows @ the command line type "netstat -a" this will tell you what ports TCP/UDP the server is listening on and has current sessions.

Another good test is try to connect to the servers on the inside!


This Discussion