08-15-2007 07:09 AM - edited 03-11-2019 03:58 AM
Hi Folks,
I recently made some changes on our firewall to use port redirection. Essentially, I wanted to use a different port for people on the outside to connect to my SQL server. Thanks to those that answered my post, everything works great.
However, I noticed that if someone on the local network uses the server (the one the changes affect) to make a connection to the Internet, suddenly, no one on the outside can connect to the machine. I have to clear the XLATE table before it accepts connections. (All other connections are fine.)
I examined the xlate table and it appears that when an outbound connection is made, it uses one of my global addresses instead of the static address I setup.
I've posted a partial config and xlate table for review. If someone could let me know what I did wrong, I would appreciate it...Thanks
access-list outside_access_in permit tcp any host x.x.x.109 eq 7505
access-list outside_access_in permit tcp any host x.x.x.109 eq 7506
access-list outside_access_in permit tcp any host x.x.x.109 eq pcanywhere-data
access-list outside_access_in permit tcp any host x.x.x.109 eq 5632
access-list outside_access_in permit tcp any host x.x.x.109 eq www
access-list outside_access_in permit tcp any host x.x.x.109 eq https
static (inside,outside) tcp x.x.x.109 5632 192.168.0.109 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 pcanywhere-data 192.168.0.109 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 7505 192.168.0.109 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 7506 192.168.0.109 1434 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 www 192.168.0.109 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 https 192.168.0.109 https netmask 255.255.255.255 0 0
static (outside,inside) 192.168.0.109 x.x.x.109 netmask 255.255.255.255 0 0
XLATE Connection (partial)
PAT Global x.x.x.109(80) Local 192.168.0.109(80)
Global x.x.x.111 Local 192.168.0.109
The above global statement should use the same .109 address when a connection is made to the outside, but for some reason it grabs one of the addresses from my dynamic pool (it starts at 110).
08-15-2007 01:01 PM
What did you have in mind?
08-15-2007 01:07 PM
Scott
Actually was about to edit last post saying scrap that. I just need to log on to a pix at work in our lab and test something.
Jon
08-16-2007 12:49 AM
Scott
After much messing around I managed to get some version of this working :).
The setup i had was
Server on inside of pix - 10.231.224.50
static (inside,outside) tcp 10.15.1.10 5000 10.231.224.50 80
So to connect to the web service on 10.231.224.50 user would use url http://10.15.1.10:5000
I also had nat and global setup for hosts to get out to Internet ie.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
The outside interface address was 10.15.1.2
I found with this setup I could connect from the 10.231.224.50 server to a router on the outside with telnet and it created this dynamic translation
PAT Global 10.15.1.2(1031) Local 10.231.224.50(41347)
With this translation in the xlate table I then tried to connect from outside on port 5000 to 10.15.1.10 and it worked fine. It added the following to the xlate table
PAT Global 10.15.1.10(5000) Local 10.231.224.50(80)
Both the xlate entries exist at the same time.
This was all tested on v6.3 and it needs a bit more testing as it does not exactly match your test case and you would need a spare public IP address.
If I get time I will do some more testing but unfortunately I have a day job :) so I thought I'd let you know where I was in case you want to test it.
Jon
08-17-2007 05:15 AM
Jon,
Sorry for the delay in getting back. I had to be out of the office yesterday. I appreciate the testing you did. I will take a deeper look at it and see where I go.
I may end up calling Cisco on this one. If I do, I will let you know what I find out.
Scott
08-17-2007 07:03 AM
Jon,
Here's what I found out from Cisco...
Static NAT where we mapped one IP to another. ie. x.x.x.109 -> 192.168.0.109 is bidirectional.
Static PAT (port redirection) is unidirectional and only works for outside to inside connections. Connections initiated from the inside will either use an address from my dynamic pool, or the address of the outside interface of the firewall.
To force it to use the address that I want, I had to create another dynamic pool (containing 1 address), and use a nat statement to tell it to use it. So, all I had to do was add the following statements.
global (outside) 2 x.x.x.109
nat (inside) 2 192.168.0.109 255.255.255.255
Once I did this, it works fine.
Thanks again for all of your help. I appreciate it.
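As an added example (not Scott's posted config and not Cisco's wording), here is the inside-to-outside half of that fix laid out as a before/after fragment with a verification step. The addresses are the thread's; the general-purpose `nat (inside) 1` / `global (outside) 1` pair and its x.x.x.110 upward range are assumed from Scott's description (his partial config omits them), and the `!` lines are annotations, not configuration.

```cisco
! --- Before: the server only has static PAT (port redirection) entries.
! These translate outside -> inside, e.g. x.x.x.109:7505 -> 192.168.0.109:1433.
static (inside,outside) tcp x.x.x.109 7505 192.168.0.109 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 7506 192.168.0.109 1434 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 www 192.168.0.109 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.109 https 192.168.0.109 https netmask 255.255.255.255 0 0
! A connection the server itself opens matches only the catch-all dynamic rule,
! so it is translated to the next free address in pool 1, not to x.x.x.109.
! (assumed: the pool range; the thread only says it starts at x.x.x.110)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 x.x.x.110-x.x.x.120

! --- After: reserve a one-address pool for this host. A single-address global
! is used as a PAT address, and the /32 nat entry is the more specific match for
! 192.168.0.109, so its outbound traffic now leaves as x.x.x.109.
global (outside) 2 x.x.x.109
nat (inside) 2 192.168.0.109 255.255.255.255

! --- Check: have the server open an outbound connection, then inspect xlate.
! Expect an entry of the form
!   PAT Global x.x.x.109(<port>) Local 192.168.0.109(<port>)
! rather than one using x.x.x.110 or higher.
show xlate
! Translations that already exist keep their old global address until they age
! out; clearing them forces the new rule to apply but also drops every current
! translation on the box, so do it in a maintenance window.
clear xlate
```

The static (outside,inside) line in Scott's config is a separate outside-to-inside mapping and is untouched by this change; only the dynamic pool choice for connections the server initiates is affected.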
08-17-2007 07:19 AM
Scott
Glad you got it working and thanks for letting me know.
Weirdly the solution Cisco gave you was one of the first things I tried in my lab but I seemed to get very inconsistent results. I guess it could have been something else in the lab setup.
Anyway thanks for letting me know
Jon