Cisco Support Community
New Member

Can't connect inside host

I recently installed a Cisco router between my ISP and my PIX 501.  Now I am unable to connect to inside servers.   I think the problem is my static NAT entries on the PIX.  Can anybody help me out?  Thank you!

-Bk

Silver

Can't connect inside host

Post a diagram, the show tech of the devices involved, show arp and show ip route of the router and show arp and show route of the PIX. Also please give TCP/IP settings of the server to understand how you are routing on that server.

Value our effort and rate the assistance!

New Member

Can't connect inside host

Hi Jumora,

Thanks for your response!  I will gather the information you have requested and post it later this evening (since I don't currently have access to my LAN from outside).  Let me clarify to let you know that prior to the change mentioned above I was able to access everything: my web server, PIX, and SSH to an internal linux host.  Now I can't access any of these machines.

You asked about the TCP/IP settings of my server?  I have included the IP address of my web server on the attached diagram (although I should have added /24 to indicate the subnet mask).  I use static addresses for servers.  Please let me know what else you need from the server.  I can tell you that I haven't made any changes to any of my endpoint devices.

Here is the diagram.  As I said I will provide the other information you requested later this evening.  Also please let me know if you think of anything else I can provide that will be helpful.

Regards,

BK

Silver

Can't connect inside host

Just the configurations and show would help me decipher what is going on.

I will wait for your posts

Value our effort and rate the assistance!

New Member

Re: Can't connect inside host

Hi Jumora,

Attached you will find the output of the SHOW commands you have requested.  PIX is first, followed by the 1605 router.  Please let me know what you think, and if there is additional info I can provide that will make it easier to see what is going on.  Also I have hidden the public IP addresses in the router extracts.  Let me know if I've removed anything that you need to see.

Thank you,

-Bk

(Apparently there's a limit #files to attach.  The final Show ARP attachment will be on the way shortly)

New Member

Re: Can't connect inside host

And here's the 1605 Show ARP.....

Silver

Re: Can't connect inside host

You left the static PAT configuration on the PIX without migrating it to the router:

static (inside,outside) tcp interface 1701 192.168.1.202 www netmask 255.255.255.255 0 0

The correct line since you are doing NAT on the router would be:

static (inside,outside) tcp interface www 192.168.1.202 www netmask 255.255.255.255 0 0

The Access-list is already created on your PIX to allow incoming connections over port TCP/80 through the interface IP.

FYI: You should consider doing NAT on only one device.

Value our effort and rate the assistance!
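
The port mismatch described in the reply above can be checked by tracing the destination through both devices' static PAT tables. This is an added example, not part of any participant's post or of the attached configs; the router rule (public 1701 forwarded to www on the PIX outside address) and both non-inside addresses are assumptions, since the thread hides the real ones.

```python
# Added example (not from the thread): trace a TCP destination through
# chained static PAT tables to see where a port-forward breaks.
from typing import List, NamedTuple, Tuple

Endpoint = Tuple[str, int]

class StaticPat(NamedTuple):
    listen: Endpoint   # address:port the device answers on
    target: Endpoint   # address:port it rewrites the destination to

def trace(chain: List[Tuple[str, List[StaticPat]]], dst: Endpoint):
    """Return (hops, error). error is None when every device had a match."""
    hops = [dst]
    for name, rules in chain:
        match = next((r for r in rules if r.listen == dst), None)
        if match is None:
            return hops, f"{name}: no static PAT entry for {dst[0]}:{dst[1]}"
        dst = match.target
        hops.append(dst)
    return hops, None

# Constructed addresses (the thread hides the real ones).
ROUTER_WAN = "203.0.113.10"    # assumed public address on the router
PIX_OUTSIDE = "10.0.0.2"       # assumed PIX outside interface address
WEB = ("192.168.1.202", 80)    # inside web server, from the thread

# Assumption: the router forwards public 1701 to port 80 (www) on the PIX.
router = [StaticPat((ROUTER_WAN, 1701), (PIX_OUTSIDE, 80))]
# PIX entry left over from before the router was added: listens on 1701.
pix_old = [StaticPat((PIX_OUTSIDE, 1701), WEB)]
# PIX entry after the suggested change: listens on www.
pix_new = [StaticPat((PIX_OUTSIDE, 80), WEB)]

def check(pix_rules):
    """Trace an outside connection to public port 1701 through router, then PIX."""
    return trace([("router", router), ("pix", pix_rules)], (ROUTER_WAN, 1701))

if __name__ == "__main__":
    for label, rules in (("old", pix_old), ("new", pix_new)):
        hops, err = check(rules)
        print(label, " -> ".join(f"{ip}:{p}" for ip, p in hops), err or "delivered")
```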

New Member

Can't connect inside host

Thanks Jumora I can't wait to get home and try this tonight.  I figured it was something like that I must have missed.  Just wasn't quite sure where to place the entry.

So to be clear I should put "static (inside,outside) tcp interface www ...." instead of "static (inside,outside) tcp interface 1701..." like I had on the PIX?  I still want it coming in over port 1701, but translating to www on the inside.

Also in regards to your FYI - I know I have some cleaning up to do.  And I will be replacing the PIX with an ASA5505 in the next couple of weeks, so I want to streamline as much as possible.  I will remove the NAT entries from the PIX as you have advised.

Thanks again - will chime back in tonight to let you know that it worked!

-BK

New Member

Can't connect inside host

Hi Jumora,

Well I got home - my high hopes were shot down really quickly!  Let me tell you what happened:

- First problem was that I am no longer able to telnet into the 1605 router.  I'm not prompted for a password; I get an error "Could not open connection to the host on port 23: Connect failed".  Tried from another internal machine, with the same result.  This is odd, since it worked yesterday when I pulled the "Show" commands for you.  I thought it might be a security incident, but I don't see any changes to any of my configs.  So I ended up consoling in to the router.

- Next I tried making the change you recommended.  The syntax you provided is for a security appliance only I think; it didn't work on the router.  So the conversion I came up with is: 

IP NAT INSIDE SOURCE STATIC TCP 192.168.1.202 80 INTERFACE ETHERNET0 1701

Needless to say it didn't work.  I eventually get a timeout from the client attempting to make the connection from outside.  Does that syntax look correct to you?  Or am I missing something else?

Final issue:  I thought I would go ahead and clean up NAT entries from the PIX.  I removed 2 entries:

- global (outside) 1 interface

- nat (inside) 1 0.0.0.0 0.0.0.0 0 0

After I did so, I lost internet connectivity.  Is there something else I need to do first?

Sorry for so many issues.  I just want to provide as much information as I can.  Please let me know what I'm missing.

Thank you!

Brian

Silver

Can't connect inside host

If you are at home you can call me or give me your phone number so I can call and maybe help you out on a webex??

Value our effort and rate the assistance!

New Member

Can't connect inside host

Thanks for helping me resolve this!!  Will post the final config if anybody wishes to see how jumora made it work.
