cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1634
Views
0
Helpful
20
Replies

Connection issue

sgoethals1
Level 1
Level 1

Hi Folks,

I recently made some changes on our firewall to use port redirection. Essentially, I wanted to use a different port for people on the outside to connect to my SQL server. Thanks to those that answered my post, everthing works great.

However, I noticed that if someone on the local network uses the server (the one the changes effect) to make a connection to the Internet, suddenly, no one one on the outside can connect to the machine. I have to clear the XLATE table before it accepts connections. (all other connections are fine)

I examined the xlate table and it appears that when an outbound connection is made, it uses one of my global addresses instead of the static address I setup.

I've posted a partial config and xlate table for review. If someone could let me know what I did wrong, I would appreciate it...Thanks

access-list outside_access_in permit tcp any host x.x.x.109 eq 7505

access-list outside_access_in permit tcp any host x.x.x.109 eq 7506

access-list outside_access_in permit tcp any host x.x.x.109 eq pcanywhere-data

access-list outside_access_in permit tcp any host x.x.x.109 eq 5632

access-list outside_access_in permit tcp any host x.x.x.109 eq www

access-list outside_access_in permit tcp any host x.x.x.109 eq https

static (inside,outside) tcp x.x.x.109 5632 192.168.0.109 5632 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 pcanywhere-data 192.168.0.109 pcanywhere-data netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 7505 192.168.0.109 1433 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 7506 192.168.0.109 1434 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 www 192.168.0.109 www netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.109 https 192.168.0.109 https netmask 255.255.255.255 0 0

static (outside,inside) 192.168.0.109 x.x.x.109 netmask 255.255.255.255 0 0

XLATE Connection (partial)

PAT Global x.x.x.109(80) Local 192.168.0.109(80)

Global x.x.x.111 Local 192.168.0.109

The above global statement should use the same .109 address when a connection is made to the outside, but for some reason it grabs one of the addresses from my dynamic pool (it starts at 110).

20 Replies 20

What did you have in mind?

Scott

Actually was about to edit last post saying scrap that. I just need to log on to a pix at work in our lab and test something.

Jon

Scott

After much messing around i managed to get some version of this working :).

The setup i had was

Server on inside of pix - 10.231.224.50

static (inside,outside) tcp 10.15.1.10 5000 10.231.224.50 80

So to connect to the web service on 10.231.224.50 user would use url http://10.15.1.10:5000

I also had nat and global setup for hosts to get out to Internet ie.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

The outside interface address was 10.15.1.2

I found with this setup i could connect from the 10.231.224.50 server to a router on the outside with telnet and it created this dynamic translation

PAT Global 10.15.1.2(1031) Local 10.231.224.50(41347)

With this translation in the xlate table i then tried to connect from outside on port 5000 to 10.15.1.10 and it worked fine. It added the following to the xlate table

PAT Global 10.15.1.10(5000) Local 10.231.224.50(80)

Both the xlate entries exist at the same time.

This was all tested on v6.3 and it needs a bit more testing as it does not exactly match your test case and you would need a spare public IP address.

If i get time i will do some more testing but unfortunately i have a day job :) so i thought i'd let you know where i was in case you want to test it.

Jon

Jon,

Sorry for the delay in getting back. I had to be out of the office yesterday. I appreciate the testing you did. I will take a deeper look at it and see where I go.

I may end up calling Cisco on this one. If I do, I will let you know what I find out.

Scott

Jon,

Here's what I found of from Cisco...

Static NAT where we mapped one IP to another. ie. x.x.x.109 -> 192.168.0.109 is bidirectional.

Static PAT (port redirection) is unidirectional and only works for outside to inside connections. Connections initiated from the inside will either use an address from my dynamic pool, or the address of the outside interface of the firewall.

To force it to use the address that I want, I had to create another dynamic pool (containing 1 address), and use a nat statement to tell it to use it. So, all I had to do was add the following statements.

global (outside) 2 x.x.x.109

nat (inside) 2 192.168.0.109 255.255.255.255

Once I did this, it works fine.

Thanks again for all of your help. I appreciate it.

Scott

Glad you got it working and thanks for letting me know.

Weirdly the solution Cisco gave you was one of the first things i tried in my lab but i seemed to get very inconsistent results. I guess it could have been something else in the lab setup.

Anyway thanks for letting me know

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: