
Static xlate question

pondersean
Level 1

Hello everyone,

  I am configuring a PIX 501 for a small office situation, and have a server internally that is providing web-based services on two separate ports.  What I want to do is map a public IP for each internal service on the same server.

  The server is providing web services on ports 80 and 86, and I have configured the static nat as follows:

static (inside,outside) tcp 1.2.3.4 www 192.168.0.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 1.2.3.5 www 192.168.0.2 86 netmask 255.255.255.255 0 0

I also have my ACLs configured to allow traffic on port 80 to those two external IPs.  When I look at the log, I see an error about "Deny inbound (no xlate)" for the second entry.

I'm sure that I'm just missing something simple, but for the life of me can't see it.  Any help would be appreciated!

Thanks,

Sean

1 Accepted Solution (Kureli Sankar's reply below)
7 Replies

Kureli Sankar
Cisco Employee

I do not see anything wrong with the configuration. It appears correct.

Are you seeing these messages?

http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1052137

Please copy and paste the exact message. You can change the IP addresses if you like, to match the static PAT lines above, but please leave the port numbers intact.

-KS

Interesting.  I am now getting this message in the log:

305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80

302013: Built inbound TCP connection 589110 for outside:/53099 (/53099) to inside:192.168.41.10/8501 (a.b.c.d/80)

And I see the hit count for the permit ACLs incrementing. Yet I cannot actually hit the page; I get timed out. And then I see this:

302014: Teardown TCP connection 589117 for outside:/56504 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout
305012: Teardown static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80 duration 0:02:04
Definitely odd.  Any ideas?
-Sean

305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80

302013: Built inbound TCP connection 589110 for outside:/53099 (/53099) to inside:192.168.41.10/8501 (a.b.c.d/80)

302014: Teardown TCP connection 589117 for outside:/56504 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout

305012: Teardown static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80 duration 0:02:04


static (inside,outside) tcp 1.2.3.4 www 192.168.0.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 1.2.3.5 www 192.168.0.2 86 netmask 255.255.255.255 0 0

The above logs don't match these IPs in the statics.

-KS

You're right, sorry.  I edited my paste to hide the IPs on the first one, and wasn't consistent.  Here is current:

static (inside,outside) tcp a.b.c.x www 192.168.41.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp a.b.c.y www 192.168.41.10 8501 netmask 255.255.255.255 0 0

and log:

302013: Built inbound TCP connection 590854 for outside:/57930 (/57930) to inside:192.168.41.10/8501 (a.b.c.y/80)

302014: Teardown TCP connection 590854 for outside:/56911 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout
And show xlate outputs:
PAT Global a.b.c.y(80) Local 192.168.41.10(8501)
So it looks like it is translating the IP correctly, and the ACL hitcount is incrementing every time I try to connect to the URL from the outside.  Yet it's not completing the session and I'm getting SYN timeouts.
Sorry again for the confusion.
-Sean

Sean,

static (inside,outside) tcp a.b.c.x www 192.168.41.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp a.b.c.y www 192.168.41.10 8501 netmask 255.255.255.255 0 0

and log:

302013: Built inbound TCP connection 590854 for outside:/57930 (/57930) to inside:192.168.41.10/8501 (a.b.c.y/80)

302014: Teardown TCP connection 590854 for outside:/56911 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout
And show xlate outputs:
PAT Global a.b.c.y(80) Local 192.168.41.10(8501)

Are you sure this works internally? It looks like there is no response from the 192.168.41.10 server, and that is the reason for the SYN timeout syslogs. Does it really listen on TCP 8501?

Are you able to open a browser on that server 192.168.41.10, load http://192.168.41.10:8501, and see the page? And are other hosts in the same segment and in other inside segments able to load the page internally from this server?

-KS
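
The triage KS does by eye above, as an added example that is not part of the thread and not Cisco code: a small Python parser over constructed PIX 6.3-style syslog lines that correlates each 302013 "Built inbound TCP connection" with its 302014 "Teardown" by connection ID, and flags a teardown with "bytes 0 SYN Timeout" as "PIX forwarded the SYN, the server never answered", which is what separates a host-side problem (service not listening, host firewall) from a PIX-side one. The 590854 lines are the thread's own; the second connection and the 106011 "Deny inbound (No xlate)" line are constructed for contrast, and the 106011 layout is my assumption about the message Sean's first post mentions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. The 305011/302013/302014 lines for connection
# 590854 are the ones quoted in this thread (outside address blanked as in
# the post); the remaining lines are constructed here for contrast and are
# not from the original thread. The 106011 "Deny inbound (No xlate)" layout
# is an assumption about the message Sean's first post mentions.
SAMPLE_LOG = """\
305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.y/80
302013: Built inbound TCP connection 590854 for outside:/57930 (/57930) to inside:192.168.41.10/8501 (a.b.c.y/80)
302014: Teardown TCP connection 590854 for outside:/57930 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 590855 for outside:203.0.113.7/57931 (203.0.113.7/57931) to inside:192.168.41.10/80 (a.b.c.x/80)
302014: Teardown TCP connection 590855 for outside:203.0.113.7/57931 to inside:192.168.41.10/80 duration 0:00:12 bytes 5120 TCP FINs
106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/4242 dst outside:a.b.c.z/80
"""

BUILT_RE = re.compile(
    r"302013: Built inbound TCP connection (?P<cid>\d+) for "
    r"\w+:(?P<src>[^/\s]*)/(?P<sport>\d+) \([^)]*\) to "
    r"\w+:(?P<real>[^/\s]*)/(?P<rport>\d+) \((?P<mapped>[^/\s]*)/(?P<mport>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for .*? duration (?P<dur>\S+) "
    r"bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)
NOXLATE_RE = re.compile(r"106011: Deny inbound \(No xlate\) (?P<detail>.+?)\s*$")

# What each verdict means for the person holding the console.
ADVICE = {
    "no-server-response": ("PIX built the xlate and forwarded the SYN to the real "
                           "address, but no SYN/ACK came back: check that the server "
                           "listens on that port and that its host firewall allows it."),
    "closed-without-data": "Handshake finished but no payload moved; look at the teardown reason.",
    "completed": "Connection carried data and closed normally.",
    "open": "Connection built, no teardown seen yet in this log.",
}


@dataclass
class Conn:
    cid: str
    real: str      # inside address/port the PIX forwarded the SYN to
    mapped: str    # public address/port the outside client connected to
    nbytes: Optional[int] = None
    reason: Optional[str] = None


def parse(log_text: str) -> Tuple[Dict[str, Conn], List[str]]:
    """Correlate 302013 builds with 302014 teardowns by connection ID and
    collect 106011 no-xlate denies separately (they never get a conn ID)."""
    conns: Dict[str, Conn] = {}
    no_xlate: List[str] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := BUILT_RE.search(line):
            conns[m["cid"]] = Conn(
                cid=m["cid"],
                real=f"{m['real']}/{m['rport']}",
                mapped=f"{m['mapped']}/{m['mport']}",
            )
        elif m := TEARDOWN_RE.search(line):
            if c := conns.get(m["cid"]):
                c.nbytes = int(m["nbytes"])
                c.reason = m["reason"]
        elif m := NOXLATE_RE.search(line):
            no_xlate.append(m["detail"])
    return conns, no_xlate


def verdict(c: Conn) -> str:
    if c.reason is None:
        return "open"
    # "SYN Timeout" means the three-way handshake never finished: the SYN
    # left the PIX toward the real address and nothing returned. This is the
    # signature KS keyed on above; it points at the server, not the PIX.
    if c.reason == "SYN Timeout":
        return "no-server-response"
    if c.nbytes == 0:
        return "closed-without-data"
    return "completed"


def diagnose(log_text: str) -> Tuple[Dict[str, str], List[str]]:
    conns, no_xlate = parse(log_text)
    return {cid: verdict(c) for cid, c in conns.items()}, no_xlate


if __name__ == "__main__":
    verdicts, denies = diagnose(SAMPLE_LOG)
    conns, _ = parse(SAMPLE_LOG)
    for cid, v in verdicts.items():
        c = conns[cid]
        print(f"conn {cid}: {c.mapped} -> {c.real}: {v}\n    {ADVICE[v]}")
    for d in denies:
        print(f"no xlate: {d}\n    no static covers this destination; check the static/ACL pair")
```

Correlating by connection ID rather than by source port matters: the thread's own 302013/302014 pair shows different outside ports (57930 vs 56911, most likely an editing slip), and the conn ID is the field the PIX keeps stable across build and teardown. A 106011 deny is the opposite failure: the packet never matched a static, so no xlate and no conn ID exist, which is why it is reported separately.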

I just tested it on another system on the network, and it failed. Turns out my firewall config was correct; the app developer neglected to open up the Windows Firewall for the special ports he was utilizing. I went in and opened them, and everything is talking properly.

Thanks for the help, it is much appreciated!

-Sean

This happens all the time. No worries. The SYN timeout syslog gave it away. Logs are our best friend.

Got to remember that.

-KS
