PIX port translation not working

pondersean
Level 1

I have a PIX 501 that I am using for a small office location. Behind the firewall is a web server, running two different web instances. The first is running internally on port 85, the second uses port 86. On the PIX, I want to designate two separate external IPs, one for each web site. This way I can have external DNS records point to the two sites individually, even though they are running on the same physical server.

I've defined my static translations along these lines:

static (inside,outside) tcp EXTERNAL1 80 INTERNAL 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp EXTERNAL2 80 INTERNAL 86 netmask 255.255.255.255 0 0

I also have defined my ACLs to allow access to port 80 on each of these IPs.

Yet for some reason, the connections are not happening properly.

Did I miss something?

Thanks!

13 Replies

John Blakley
VIP Alumni

When you add static translations, you need to run "clear xlate."

HTH,

John

HTH, John *** Please rate all useful posts ***

Hmm...I just ran that and it didn't clear up the problem. External clients are unable to connect to either of my static external IPs using a web browser. I definitely feel like I'm missing something here!

-Sean

Can you post your names, acl lines that are applied to the outside interface, and the "sh xlate" output? Do you have an acl on your inside interface? If so, can you post that acl?

Thanks,

John


Sure thing! I am not using names, purely IPs. But here are the details, straight from the config (with minor omissions).

access-list WEB permit tcp any host x.x.x.188 eq www
access-list WEB permit tcp any host x.x.x.188 eq https
access-list WEB permit tcp any host x.x.x.189 eq https
access-list WEB permit tcp any host x.x.x.189 eq www
static (inside,outside) tcp x.x.x.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0

Thanks!

-Sean

Sean,

Do you have an acl on your inside interface?

John


Nope, these ACLs are applied to the outside interface only. I have nothing running on the inside interface.

Can you post your "sh xlate"? What happens if you try to telnet from an outside host into your IP on port 80?

John


When I use "show xlate" it only shows a list of the PAT connections from my inside PC to websites...on my global outside IP. Nothing in the list for these two defined IPs.

-Sean

What do your nat and global statements look like? So far, it should be working.

John


Here they are, in all their glory:

global (outside) 1 x.x.x.186
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.41.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0

The "nonat" NAT statement is for a static VPN tunnel that I have set up to another location. All it does is define the interesting traffic for the VPN, and not NAT it.

-Sean
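Before reloading a firewall over a problem like this, a quick consistency check between the statics and the outside ACL rules out the common configuration mistakes. The script below is an added example, not something from Sean's or John's posts or from Cisco: it parses the kind of static and access-list lines quoted in this post and the earlier one. It assumes an "access-group WEB in interface outside" line, which the thread describes (the ACL is applied to the outside interface) but does not quote, and it uses 203.0.113.x as a constructed stand-in for the masked x.x.x public addresses. It reports statics with no matching outside permit, duplicate global IP:port pairs, an ACL not bound to outside, and outside permits with no static behind them (here the two https entries, which pass nothing and should be pruned). For the config in the thread the www statics and permits line up, consistent with the problem being the translation table rather than the rules.

```python
"""Consistency check of PIX 'static' port translations against the outside ACL.

Added example for this thread; it is not part of the original posts and is not
Cisco code. It understands only the line shapes that appear in the thread.
"""
import re
from dataclasses import dataclass

# PIX accepts service names instead of port numbers; the thread uses www/https.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "smtp": 25}


def port_num(token: str) -> int:
    """Turn a PIX port token ('85' or 'www') into an integer port."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


@dataclass(frozen=True)
class Static:
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class Permit:
    acl: str
    dst_ip: str
    dst_port: int


# static (real,mapped) tcp <global_ip> <global_port> <local_ip> <local_port> netmask 255.255.255.255 ...
STATIC_RE = re.compile(
    r"static \((?P<real>\w+),(?P<mapped>\w+)\) tcp (?P<gip>\S+) (?P<gport>\S+) "
    r"(?P<lip>\S+) (?P<lport>\S+) netmask 255\.255\.255\.255"
)
# access-list <name> permit tcp any host <dst> eq <port>
ACL_RE = re.compile(r"access-list (?P<name>\S+) permit tcp any host (?P<dst>\S+) eq (?P<port>\S+)")
# access-group <name> in interface <iface>   (assumed here; the thread describes but does not quote it)
GROUP_RE = re.compile(r"access-group (?P<name>\S+) in interface (?P<iface>\S+)")


def parse(config: str):
    """Extract statics, ACL permits and ACL-to-interface bindings from config text."""
    statics, permits, groups = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(Static(m["gip"], port_num(m["gport"]), m["lip"], port_num(m["lport"])))
        elif m := ACL_RE.match(line):
            permits.append(Permit(m["name"], m["dst"], port_num(m["port"])))
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    return statics, permits, groups


def audit(config: str) -> list[str]:
    """Return human-readable findings; an empty list means statics and ACL agree."""
    statics, permits, groups = parse(config)
    findings = []
    outside_acl = groups.get("outside")
    if outside_acl is None:
        findings.append("no access-group binds an ACL to the outside interface; "
                        "inbound traffic to the statics is denied by default")
    # (global_ip, global_port) pairs the outside ACL lets in
    permitted = {(p.dst_ip, p.dst_port) for p in permits if p.acl == outside_acl}
    translated = {}
    for s in statics:
        key = (s.global_ip, s.global_port)
        if key in translated:
            findings.append(f"duplicate static for {s.global_ip}:{s.global_port} "
                            f"(maps to {translated[key]} and {s.local_ip}:{s.local_port})")
        translated[key] = f"{s.local_ip}:{s.local_port}"
        if key not in permitted:
            findings.append(f"static {s.global_ip}:{s.global_port} -> {s.local_ip}:{s.local_port} "
                            "has no permit in the outside ACL")
    # Permits that reach nothing behind the firewall: dead rules, prune them.
    for ip, port in sorted(permitted - set(translated)):
        findings.append(f"outside ACL permits {ip}:{port} but no static translates it (dead rule; remove it)")
    return findings


# Constructed sample: the thread's lines with 203.0.113.x standing in for the masked x.x.x
# public addresses, plus the assumed access-group binding.
SAMPLE_CONFIG = """
access-list WEB permit tcp any host 203.0.113.188 eq www
access-list WEB permit tcp any host 203.0.113.188 eq https
access-list WEB permit tcp any host 203.0.113.189 eq https
access-list WEB permit tcp any host 203.0.113.189 eq www
access-group WEB in interface outside
static (inside,outside) tcp 203.0.113.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["statics and outside ACL are consistent"]:
        print(finding)
```

Run it against a "show running-config" dump; anything it prints is worth fixing before you start clearing xlates or reloading, and the dead-rule findings are the least-privilege cleanup that tends to accumulate on port-forwarding firewalls.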

Well, unless someone else jumps in here, my next thought is for you to write your changes and reload the firewall. You could also try to add another translation for a standard port to see if it works. I'm assuming that you're not trying to connect to your public IP address from inside of your firewall because that would never work. You would physically have to be outside of your internal network to see it.

A reboot may resolve the issue.

HTH,

John


I'll be darned! Reloading did the trick!

Thanks for your help!

-Sean

Bravo!!! fellows

-JMF
