How to send the original source IP to inside servers with static NAT?

ma.mohammadi.j
Level 1

Hi,

I configured my PIX 500 to publish my local server on the Internet with static NAT (static (inside,outside)), but when I request my web server from outside, the server security log records the PIX inside IP address instead of the original public source IP.

Please help me resolve this problem.

thanks

11 Replies

Jouni Forss
VIP Alumni

Hi,

I am not quite sure if I understood you correctly.

Are you saying that connections coming to your internal web server are seen coming from local IP address?

Have you perhaps configured some kind of Dynamic PAT that is translating the traffic from the Internet?

We should really see the NAT configurations to be able to determine the cause.

- Jouni

Hi JouniForss,

Connections come from the Internet to the internal LAN web server with static NAT.

Traffic from the PIX comes to the internal LAN with dynamic PAT.

Is there any solution to send the original source IP to my internal server?

thanks

Hi,

Well usually you only have Dynamic PAT for LAN users to access Internet and Static NAT for your server to be accessed from the Internet.

You DON'T usually configure Dynamic PAT from WAN to LAN.

If you don't have any specific use for the Dynamic PAT from WAN to LAN then you should remove it.

But as I said it would be good to see your NAT configurations before doing anything.

- Jouni

Hi,

My configuration to publish the web server from inside to outside is:

1 ) global (inside) 1 interface

2 ) nat (inside) 1 0.0.0.0 0.0.0.0

3 ) static (inside,outside) publicIP 10.0.0.102 netmask 255.255.255.255

When I remove 1 and 2, the web server is not accessible from outside.

JouniForss wrote:

Hi,

Well usually you only have Dynamic PAT for LAN users to access Internet and Static NAT for your server to be accessed from the Internet.

You DON'T usually configure Dynamic PAT from WAN to LAN.

If you don't have any specific use for the Dynamic PAT from WAN to LAN then you should remove it.

But as I said it would be good to see your NAT configurations before doing anything.

- Jouni

Hi,

The above configuration doesn't make much sense.

The only NAT configuration the Web server should need is the

static (inside,outside) publicIP 10.0.0.102 netmask 255.255.255.255

Also the Dynamic PAT configuration you list above is

global (inside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

This would only do Dynamic PAT for traffic that is entering from "inside" and going to "inside".

There is no reference to the "outside" interface as the source for this Dynamic PAT configuration that would explain that external IP addresses are PATed to the "inside" interface IP address.

Though, if they are, and removing the Dynamic PAT configurations causes the external connections to the Web server to fail, then that would probably mean that the Web server's default gateway IS NOT set to be the PIX "inside" interface IP address.

It would probably also mean that you have the following configuration (which is not shown in your post though)

nat (outside) 1 0.0.0.0 0.0.0.0

I am not sure what your software level is on the PIX. If it's 7.x you might be able to use the "packet-tracer" command to determine what NAT rules are actually hit.

packet-tracer input outside tcp 1.1.1.1 12345 publicIP 80

This should simulate a packet incoming from the "outside" and the PIX should tell us what WOULD happen to it. That is, if your PIX software level supports this command.

Otherwise you can list all the NAT configuration either with commands

show run global

show run nat

show run stat

Or if those aren't supported either then you can use

show run | inc global

show run | inc nat

show run | inc static

- Jouni

Hi,

I see this in the packet-tracer result:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (outside) 1 0.0.0.0 0.0.0.0 outside

nat-control

  match ip outside any inside any

    dynamic translation to pool 1 (10.10.0.1 [Interface PAT])

    translate_hits = 98355764, untranslate_hits = 2125958

Additional Information:

Dynamic translate 1.1.1.1/12345 to 10.10.0.1/14009 using netmask 255.255.255.255

My web server is not connected directly to the PIX. The web server connects to an L3 switch, the web server's gateway is the L3 switch interface IP, and the L3 switch routes PIX traffic to 10.10.0.1.

Hi,

So you have the "nat" configuration I presumed.

Where does your L3 switch Default Route point to?

It would seem to me that if you only have the "static" command for the server AND it doesn't work after removing the "global" and "nat" commands, THAT your default route is pointing somewhere else than the PIX "inside" interface IP address?

The type of configuration you have on the "outside" interface is typically used in Cisco PIX and ASA when that firewall isn't the default gateway of the LAN network. That Dynamic PAT is configured to make sure that all external connections are visible to the LAN with an IP address on the LAN, as is happening to you at the moment. Therefore the LAN devices correctly forward the traffic to the PIX, since the traffic was sourced from its IP address, even if the default route is pointing somewhere else.

- Jouni

Hi,

My Internet gateway and firewall are different.

The default route points to the Internet gateway device IP.

The layout is as follows:

web_server -------> server switch (3560) -------> core switch (3750) ----> pix 525 ----> internet

In the server switch:

ip route 0.0.0.0 0.0.0.0 10.0.0.55 name default_route

ip route 10.10.0.0 255.255.255.0 10.255.255.33 name to_pix_firewall

In the core switch:

ip route 0.0.0.0 0.0.0.0 10.255.255.34 name default_route

ip route 10.10.0.0 255.255.255.0 10.10.0.1 name to-pix

The tracert 10.10.0.1 result is:

1    <1 ms    <1 ms    <1 ms  10.0.0.1

2    <1 ms    <1 ms    <1 ms  10.255.255.33

3    <1 ms    <1 ms    <1 ms  10.10.0.1

Hi,

If your default route is pointing towards some other gateway device than the PIX then you WON'T BE ABLE to achieve what you are asking for without either changing the PIX to act as the Internet gateway OR using Policy Based Routing on the L3 switch to manipulate the default gateway for the Web server alone, leaving all other traffic using the normal default gateway.

The NAT phase you are seeing in the earlier output is there to enable accessing the server through the PIX Internet connection.

If you remove it, the result is that connection traffic will first flow through the PIX to the Web server, and the server and L3 switch will forward the return traffic through the other gateway, which in turn means the connections through the PIX to this server will all fail.

- Jouni

Hi,

Thanks for the help.

I understand from your reply that because my default route does not point to the PIX, it is not able to send the original request IP to the web server and is forced to use Dynamic PAT.

Is that correct?

Hi,

Yes, this is correct.

I am not sure if this web server is accessed through your default Internet gateway at all? If not then you could consider looking into Policy Based Routing (if your L3 switch supports it). This would let you forward the web server's traffic through the PIX while all other hosts/servers on your network would still use the default Internet gateway.

- Jouni
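One way to implement the Policy Based Routing Jouni suggests, written here as an added example that is not from the thread or from Cisco documentation. It uses the addresses the thread shows (server 10.0.0.102 behind the 3560, core reached at 10.255.255.33, PIX inside 10.10.0.1) and assumes that the 3560's server-facing SVI is Vlan10 (only its IP, 10.0.0.1, appears on the page), that every internal network lives in 10.0.0.0/8, and that the core is directly connected to 10.10.0.1 as the tracert implies; because the core's own default route also points away from the PIX, the policy is applied on both switches, which goes one step beyond the single-switch case in the post.

```cisco
! --- Server switch (3560) ---
! Only the web server's traffic that leaves the internal address space is
! steered toward the PIX; internal destinations keep normal routing.
! Assumption: 10.0.0.0/8 covers all internal networks.
ip access-list extended WEB_TO_PIX
 deny   ip host 10.0.0.102 10.0.0.0 0.255.255.255
 permit ip host 10.0.0.102 any
!
route-map PBR_WEB_VIA_PIX permit 10
 match ip address WEB_TO_PIX
 set ip next-hop 10.255.255.33
!
! Apply on the SVI that receives the server's packets (its gateway 10.0.0.1).
! Assumption: that SVI is Vlan10.
interface Vlan10
 ip policy route-map PBR_WEB_VIA_PIX
!
! --- Core switch (3750) ---
! Same match; hand the server's Internet-bound packets to the PIX inside
! interface instead of the core's default gateway 10.255.255.34.
! Assumption: the link from the 3560 arrives on Vlan255.
ip access-list extended WEB_TO_PIX
 deny   ip host 10.0.0.102 10.0.0.0 0.255.255.255
 permit ip host 10.0.0.102 any
!
route-map PBR_WEB_VIA_PIX permit 10
 match ip address WEB_TO_PIX
 set ip next-hop 10.10.0.1
!
interface Vlan255
 ip policy route-map PBR_WEB_VIA_PIX
!
! --- PIX ---
! With the return path fixed, the outside-to-inside interface PAT seen in
! the packet-tracer output is no longer needed; removing it lets the web
! server log the real client address. Only the static translation remains.
no nat (outside) 1 0.0.0.0 0.0.0.0 outside
static (inside,outside) publicIP 10.0.0.102 netmask 255.255.255.255
```

On the 3560/3750 platforms PBR needs the routing SDM template (sdm prefer routing, then a reload) before the ip policy command takes effect, and the change should be verified with the same packet-tracer run from outside to confirm the NAT phase now shows only the static translation.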
