Cisco Support Community
Community Member

PIX port translation not working

I have a PIX 501 that I am using for a small office location. Behind the firewall is a web server, running two different web instances. The first is running internally on port 85, the second uses port 86. On the PIX, I want to designate two separate external IPs, one for each web site. This way I can have external DNS records point to the two sites individually, even though they are running on the same physical server.

I've defined my static translations along these lines:

static (inside,outside) tcp EXTERNAL1 80 INTERNAL 85 netmask 255.255.255.255 0 0

static (inside,outside) tcp EXTERNAL2 80 INTERNAL 86 netmask 255.255.255.255 0 0

I also have defined my ACLs to allow access to port 80 on each of these IPs.

Yet for some reason, the connections are not happening properly.

Did I miss something?

Thanks!

13 REPLIES

Re: PIX port translation not working

When you add static translations, you need to run "clear xlate."

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: PIX port translation not working

Hmm...I just ran that and it didn't clear up the problem. External clients are unable to connect to either of my static external IPs using a web browser. I definitely feel like I'm missing something here!

-Sean

Re: PIX port translation not working

Can you post your names, acl lines that are applied to the outside interface, and the "sh xlate" output? Do you have an acl on your inside interface? If so, can you post that acl?

Thanks,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: PIX port translation not working

Sure thing! I am not using names, purely IPs. But here are the details, straight from the config (with minor omissions):

access-list WEB permit tcp any host x.x.x.188 eq www

access-list WEB permit tcp any host x.x.x.188 eq https

access-list WEB permit tcp any host x.x.x.189 eq https

access-list WEB permit tcp any host x.x.x.189 eq www

static (inside,outside) tcp x.x.x.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0

Thanks!

-Sean

Re: PIX port translation not working

Sean,

Do you have an acl on your inside interface?

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: PIX port translation not working

Nope, these ACLs are applied to the outside interface only. I have nothing running on the inside interface.

Re: PIX port translation not working

Can you post your "sh xlate"? What happens if you try to telnet from an outside host into your IP and port 80?

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: PIX port translation not working

When I use "show xlate" it only shows a list of the PAT connections from my inside PC to websites...on my global outside IP. Nothing in the list for these two defined IPs.

-Sean

Re: PIX port translation not working

What do your nat and global statements look like? So far, it should be working.

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: PIX port translation not working

Here they are, in all their glory:

global (outside) 1 x.x.x.186

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.41.0 255.255.255.0 0 0

static (inside,outside) tcp x.x.x.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0

The "nonat" NAT statement is for a static VPN tunnel that I have set up to another location. All it does is define the interesting traffic for the VPN, and not NAT it.

-Sean
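As an added illustration (not part of this thread and not Cisco code), here is a small Python checker for the consistency John has been asking Sean to verify: that every static port translation has an access-list entry, bound inbound on the mapped-side interface, permitting the mapped address and port, and that no two statics claim the same mapped endpoint. The sample lines are the ones Sean posted, with the masked public prefix replaced by the documentation range 203.0.113.0/24; the access-group line binding WEB to the outside interface is assumed, since Sean describes it but did not paste it. The check is static only: it reads configuration text and cannot see runtime state such as the translation table.

```python
import re

# Service names PIX prints for common ports (subset, constructed for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "telnet": 23, "smtp": 25, "domain": 53}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")

# Constructed sample: Sean's lines with 203.0.113.x standing in for x.x.x.x,
# plus an assumed access-group line binding the WEB ACL inbound on outside.
SAMPLE_CONFIG = """\
access-list WEB permit tcp any host 203.0.113.188 eq www
access-list WEB permit tcp any host 203.0.113.188 eq https
access-list WEB permit tcp any host 203.0.113.189 eq https
access-list WEB permit tcp any host 203.0.113.189 eq www
access-group WEB in interface outside
global (outside) 1 203.0.113.186
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.41.0 255.255.255.0 0 0
static (inside,outside) tcp 203.0.113.189 www 192.168.41.10 85 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.188 www 192.168.41.10 86 netmask 255.255.255.255 0 0
"""


def port_num(tok):
    """Turn '80' or 'www' into an integer port number."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_config(text):
    """Collect static translations, ACL entries by name, and interface bindings."""
    statics, acls, groups = [], {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            d = m.groupdict()
            d["mapped_port"] = port_num(d["mapped_port"])
            d["real_port"] = port_num(d["real_port"])
            statics.append(d)
        elif m := ACL_RE.match(line):
            d = m.groupdict()
            d["port"] = port_num(d["port"]) if d["port"] else None
            acls.setdefault(d["name"], []).append(d)
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    return statics, acls, groups


def dst_matches(entry, ip):
    """True if the ACL entry's destination covers the given address."""
    return entry["dst"] in ("any", f"host {ip}")


def audit(text):
    """Return human-readable findings; an empty list means the statics and ACLs agree."""
    statics, acls, groups = parse_config(text)
    findings, seen = [], set()
    for s in statics:
        endpoint = f"{s['proto']} {s['mapped_ip']}:{s['mapped_port']}"
        if endpoint in seen:
            findings.append(f"duplicate mapped endpoint {endpoint}: only the first static takes effect")
        seen.add(endpoint)
        acl_name = groups.get(s["mapped_if"])
        if acl_name is None:
            findings.append(f"no access-group bound to {s['mapped_if']}: inbound {endpoint} "
                            f"is denied by default on a lower-security interface")
            continue
        # PIX 6.x ACLs evaluate the mapped (global) address and port, not the real ones.
        permitted = any(
            e["action"] == "permit"
            and e["proto"] in (s["proto"], "ip")
            and dst_matches(e, s["mapped_ip"])
            and e["port"] in (None, s["mapped_port"])
            for e in acls.get(acl_name, []))
        if not permitted:
            findings.append(f"static {endpoint} -> {s['real_ip']}:{s['real_port']} has no permit "
                            f"in ACL {acl_name} on {s['mapped_if']} for the mapped address and port")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG) or ["config is consistent"]:
        print(f)
```

Run as-is it reports the posted configuration as consistent, which matches John's conclusion that the statics and ACLs themselves look right. The common mistake it does catch is an ACL written against the real port (eq 85) instead of the mapped port (eq www): on PIX and on ASA before 8.3, interface ACLs see the translated address and port, whereas ASA 8.3 and later match the real address, so the check would have to be inverted for those releases.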

Re: PIX port translation not working

Well, unless someone else jumps in here, my next thought is for you to write your changes and reload the firewall. You could also try to add another translation for a standard port to see if it works. I'm assuming that you're not trying to connect to your public IP address from inside of your firewall because that would never work. You would physically have to be outside of your internal network to see it.

A reboot may resolve the issue.

HTH,

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: PIX port translation not working

I'll be darned! Reloading did the trick!

Thanks for your help!

-Sean

Community Member

Re: PIX port translation not working

Bravo, fellows!

-JMF
