07-14-2013 09:30 PM - edited 03-11-2019 07:12 PM
Hi,
I configured my PIX 500 to publish my local server on the Internet with static NAT (static (inside,outside)), but when I request my web server from outside, the server security log records the PIX inside IP address instead of the original source public IP.
Please help me to resolve this problem.
Thanks
07-14-2013 11:23 PM
Hi,
I am not quite sure if I understood you correctly.
Are you saying that connections coming to your internal web server are seen coming from local IP address?
Have you perhaps configured some kind of Dynamic PAT that is translating the traffic from the Internet?
We should really see the NAT configurations to be able to determine the cause.
- Jouni
07-14-2013 11:38 PM
Hi JouniForss,
The connection coming from the Internet to the internal LAN web server uses static NAT.
Traffic from the PIX comes to the internal LAN with dynamic PAT.
Is there any solution to send the original source IP to my internal server?
Thanks
07-14-2013 11:51 PM
Hi,
Well, usually you only have Dynamic PAT for LAN users to access the Internet and Static NAT for your server to be accessed from the Internet.
You DON'T usually configure Dynamic PAT from WAN to LAN.
If you don't have any specific use for the Dynamic PAT from WAN to LAN then you should remove it.
But as I said, it would be good to see your NAT configurations before doing anything.
- Jouni
07-15-2013 01:18 AM
Hi,
My configuration to publish the web server from inside to outside is:
1) global (inside) 1 interface
2) nat (inside) 1 0.0.0.0 0.0.0.0
3) static (inside,outside) publicIP 10.0.0.102 netmask 255.255.255.255
When I remove 1 and 2, the web server is not accessible from outside.
JouniForss wrote:
Hi,
Well, usually you only have Dynamic PAT for LAN users to access the Internet and Static NAT for your server to be accessed from the Internet.
You DON'T usually configure Dynamic PAT from WAN to LAN.
If you don't have any specific use for the Dynamic PAT from WAN to LAN then you should remove it.
But as I said, it would be good to see your NAT configurations before doing anything.
- Jouni
07-15-2013 01:27 AM
Hi,
The above configuration doesn't make much sense.
The only NAT configuration the Web server should need is the
static (inside,outside) publicIP 10.0.0.102 netmask 255.255.255.255
Also the Dynamic PAT configuration you list above is
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
This would only do Dynamic PAT for traffic that is entering from "inside" and going to "inside".
There is no reference to the "outside" interface as the source for this Dynamic PAT configuration that would explain that external IP addresses are PATed to the "inside" interface IP address.
Though, if they are, and removing the Dynamic PAT configurations causes the external connections to the Web server to fail, then that would probably mean that the Web server's default gateway IS NOT set to be the PIX "inside" interface IP address.
It would probably also mean that you have the following configuration (which is not shown in your post though)
nat (outside) 1 0.0.0.0 0.0.0.0
I am not sure what your software level is on the PIX. If it's 7.x you might be able to use the "packet-tracer" command to determine what NAT rules are actually hit.
packet-tracer input outside tcp 1.1.1.1 12345
This should simulate a packet incoming from the "outside" and the PIX should tell us what WOULD happen to it. That is, if your PIX software level supports this command.
Otherwise you can list all the NAT configuration either with commands
show run global
show run nat
show run stat
Or if those aren't supported either then you can use
show run | inc global
show run | inc nat
show run | inc static
- Jouni
07-15-2013 01:56 AM
Hi,
I see this in the packet-tracer result:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside) 1 0.0.0.0 0.0.0.0 outside
nat-control
match ip outside any inside any
dynamic translation to pool 1 (10.10.0.1 [Interface PAT])
translate_hits = 98355764, untranslate_hits = 2125958
Additional Information:
Dynamic translate 1.1.1.1/12345 to 10.10.0.1/14009 using netmask 255.255.255.255
My web server is not connected directly to the PIX. The web server connects to an L3 switch, the web server's gateway is the L3 switch interface IP, and the L3 switch routes traffic for the PIX to 10.10.0.1.
07-15-2013 02:24 AM
Hi,
So you have the "nat" configuration I presumed.
Where does your L3 switch Default Route point to?
It would seem to me that if you only have the "static" command for the server AND it doesn't work after removing the "global" and "nat" commands, THAT your default route is pointing somewhere other than the PIX "inside" interface IP address?
The type of configuration you have on the "outside" interface is typically used in Cisco PIX and ASA when that firewall isn't the default gateway of the LAN network. That Dynamic PAT is configured to make sure that all external connections are visible to the LAN with an IP address on the LAN, as is happening to you at the moment. Therefore the LAN devices correctly forward the traffic to the PIX, since the traffic was sourced from its IP address, even if the default route is pointing somewhere else.
- Jouni
07-15-2013 02:46 AM
Hi,
My Internet gateway and firewall are different devices.
The default route points to the Internet gateway device IP.
The topology is as follows:
web_server -------> server switch (3560) -------> core switch (3750) ----> pix 525 ----> internet
In the server switch:
ip route 0.0.0.0 0.0.0.0 10.0.0.55 name default_route
ip route 10.10.0.0 255.255.255.0 10.255.255.33 name to_pix_firewall
In the core switch:
ip route 0.0.0.0 0.0.0.0 10.255.255.34 name default_route
ip route 10.10.0.0 255.255.255.0 10.10.0.1 name to-pix
The tracert 10.10.0.1 result is:
1 <1 ms <1 ms <1 ms 10.0.0.1
2 <1 ms <1 ms <1 ms 10.255.255.33
3 <1 ms <1 ms <1 ms 10.10.0.1
07-15-2013 03:08 AM
Hi,
If your default route is pointing towards some other gateway device than the PIX, then you WON'T BE ABLE to achieve what you are asking for without either changing the PIX to act as the Internet gateway OR using Policy Based Routing on the L3 switch to manipulate the default gateway for the Web server alone, leaving all other traffic using the normal default gateway.
The NAT phase you are seeing in the earlier output is there to enable accessing the server through the PIX Internet connection.
If you remove it, the result is that connection traffic will first flow through the PIX to the Web server, and the server and L3 switch will forward the traffic through the other gateway, which in turn means the connections will all fail through the PIX to this server.
- Jouni
07-16-2013 10:15 PM
Hi,
Thanks for the help.
I understand from your reply that because my default route does not point to the PIX, it is not able to send the original request IP to the web server and is forced to use Dynamic PAT.
Is that correct?
07-16-2013 11:25 PM
Hi,
Yes, this is correct.
I am not sure whether this web server is accessed through your default Internet gateway at all. If not, then you could consider looking into Policy Based Routing (if your L3 switch supports it). This would let you forward the web server's traffic through the PIX while all other hosts/servers on your network would still use the default Internet gateway.
- Jouni
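As an added example that is not part of the thread, this is what the Policy Based Routing approach Jouni describes would look like on the two switches in the poster's topology, together with the PIX change it makes possible. The addresses come from the routes and tracert posted above; the interface names (Vlan10 on the 3560, GigabitEthernet1/0/1 on the 3750) and the 10.0.0.0/8 internal range used in the ACL are assumptions and need to be replaced with the real ones. The reason to bother: while the "nat (outside)" PAT is in place, every external client appears in the web server's logs as 10.10.0.1, so anything on the server that keys on client IP (security log review, per-IP rate limiting or blocking, IP allow-lists) is effectively acting on the firewall's address.

```ios
! --- Server switch (3560): policy-route only the web server's Internet-bound traffic ---
! 3560/3750 need the routing SDM template before "ip policy" is accepted; this
! takes effect after a reload. Also confirm the IOS feature set supports PBR.
sdm prefer routing
!
! A "deny" in a PBR ACL means "route this normally", so LAN-to-LAN traffic from the
! server is unaffected. 10.0.0.0/8 is an assumed internal range; adjust to yours.
ip access-list extended WEB-TO-PIX
 deny   ip host 10.0.0.102 10.0.0.0 0.255.255.255
 permit ip host 10.0.0.102 any
!
route-map WEB-VIA-PIX permit 10
 match ip address WEB-TO-PIX
 set ip next-hop 10.255.255.33
!
! Assumed SVI name: the VLAN interface the web server's gateway (10.0.0.1) lives on.
interface Vlan10
 ip policy route-map WEB-VIA-PIX
!
! --- Core switch (3750): same idea, next hop is the PIX "inside" interface ---
sdm prefer routing
ip access-list extended WEB-TO-PIX
 deny   ip host 10.0.0.102 10.0.0.0 0.255.255.255
 permit ip host 10.0.0.102 any
!
route-map WEB-VIA-PIX permit 10
 match ip address WEB-TO-PIX
 set ip next-hop 10.10.0.1
!
! Assumed interface name: the link that holds 10.255.255.33, facing the server switch.
interface GigabitEthernet1/0/1
 ip policy route-map WEB-VIA-PIX
!
! --- PIX (old nat-control syntax): once the server's replies reach the PIX on their
! own, the WAN-side PAT that was hiding the client address is no longer needed.
! Remove it only after the PBR above is verified, or external access breaks again.
no nat (outside) 1 0.0.0.0 0.0.0.0 outside
! Keep the static; it already handles both directions for the server:
! static (inside,outside) publicIP 10.0.0.102 netmask 255.255.255.255
```

To check the switch side, "show route-map WEB-VIA-PIX" should show the policy-routing counters increasing while an external client talks to the server, and a traceroute from the server to an Internet address should now leave via 10.255.255.33 and 10.10.0.1 instead of 10.0.0.55. On the PIX, rerunning the packet-tracer from the earlier post should no longer show a NAT phase that rewrites the source to 10.10.0.1, only the static un-translation of publicIP to 10.0.0.102, and the server's security log should then record the real client address. One side effect to be aware of: the static is bidirectional, so the server's own outbound Internet traffic (updates, DNS) now also leaves through the PIX as publicIP and is subject to the PIX outbound policy.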