Cisco Support Community
Community Member

translation/port issues with a 515E

I'm having issues opening up an HTTP connection between a host on one interface (higher security level) and a webserver on another interface (lower security level). The webserver is statically mapped to a public IP address, and the host is using interface PAT.

Now, I'm assuming that this is a translation/port issue since there are no outbound ACLs for the internal interface the host sits on.

Before I go further, here is the version info and relevant config entries (there are additional interfaces, NAT, ACLs, etc. omitted):

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(1)

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

nameif ethernet0 outside security0

nameif ethernet3 private security20

nameif vlan5 F5External security8

ip address outside 208.x.x.x x.x.x.x

ip address private 172.16.3.1 255.255.255.0

ip address F5External 172.16.5.1 255.255.255.0

global (outside) 1 interface

nat (private) 0 access-list private_outbound_nat0_acl

nat (private) 1 172.16.3.0 255.255.255.0 0 0

nat (F5External) 0 access-list F5External_outbound_nat0_acl

nat (F5External) 1 172.16.5.0 255.255.255.0 0 0

access-list private_outbound_nat0_acl line 3 permit ip any 172.16.5.0 255.255.255.0

access-list F5External_outbound_nat0_acl line 3 permit ip any 172.16.3.0 255.255.255.0

static (F5External,outside) 63.x.x.x 172.16.5.7 netmask 255.255.255.255 0 0

static (private,outside) 66.x.x.x 172.16.3.4 netmask 255.255.255.255 0 0

Here's a look at what's going on with the connections:

The host in question (172.16.3.7) opens a connection with the webserver (172.16.5.7), and has its private IP translated to the interface IP (208.x.x.x):

TCP out 208.x.x.x:1060 in 172.16.5.7:80 idle 0:00:30 Bytes 0 flags aB

The webserver responds, has its private IP (172.16.5.7) translated to its static public IP (63.x.x.x), and tries to open a connection to port 3954 on the requesting host (172.16.3.7):

TCP out 63.x.x.x:80 in 172.16.3.7:3954 idle 0:00:06 Bytes 0 flags saA

It does seem like the translations are behaving as configured, but for some reason (the crux of the issue), the source port of the requesting host changes from 1060 to 3954. Why is this and how can it be corrected? The connection flags also point to this issue:

webserver:aB = (awaiting outside ACK to SYN) (initial SYN from outside)

requesting host:saA = (awaiting outside SYN) (awaiting outside ACK to SYN) (awaiting inside ACK to SYN)

If the source port of the requesting host was the same on the webserver's reply, then the requesting host wouldn't be waiting for an outside SYN.. right? What is causing the sport change?

There is one host (172.16.3.4) on this segment that can successfully open up an HTTP connection to the webserver on a different fw interface. The difference? This host on the private interface has a statically mapped public IP address. Here's the connection output:

TCP out 66.x.x.x:2513 in 172.16.5.7:80 idle 0:00:00 Bytes 77259 flags UIOB

TCP out 63.x.x.x:80 in 172.16.3.4:2513 idle 0:00:49 Bytes 77259 flags UIO

The requesting host source port is the same on both paths of the tcp connection.

So.. why can't the source port stay the same for hosts using interface PAT, and why does it stay the same for a host that has a statically mapped public ip? How do I go about fixing this sport issue? (assuming the problem is with the tcp sport)
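The comparison the poster does by hand above (lining up the two `show conn` entries for one session and reading the flag letters) can be scripted. The block below is an added example for this thread, not code from the original post or from Cisco. It parses PIX 6.3 `show conn` lines, decodes the flag letters the poster quotes (plus U/I/O from the same legend), and checks whether the client's source port survives the round trip. The four sample lines are the ones quoted in the question with the poster's x-masked addresses kept as-is; `STATICS` is assumed from the posted `static` lines.

```python
"""Parse PIX 6.3 'show conn' output and compare the two legs of a TCP session.

Added example for this thread (not the poster's or Cisco's code). Sample
lines are the ones quoted in the question; STATICS is an assumption read
off the posted 'static (F5External,outside)' and 'static (private,outside)'
lines.
"""
import re
from dataclasses import dataclass

# Flag letters as printed by PIX 6.3 'show conn' (subset relevant here).
FLAGS = {
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "f": "inside FIN",
    "F": "outside FIN",
}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>\S+):(?P<out_port>\d+) "
    r"in (?P<in_ip>\S+):(?P<in_port>\d+) idle (?P<idle>\S+) "
    r"Bytes (?P<bytes>\d+) flags (?P<flags>\S*)$"
)

# Constructed sample: the four lines quoted in the question.
SAMPLE_SHOW_CONN = """\
TCP out 208.x.x.x:1060 in 172.16.5.7:80 idle 0:00:30 Bytes 0 flags aB
TCP out 63.x.x.x:80 in 172.16.3.7:3954 idle 0:00:06 Bytes 0 flags saA
TCP out 66.x.x.x:2513 in 172.16.5.7:80 idle 0:00:00 Bytes 77259 flags UIOB
TCP out 63.x.x.x:80 in 172.16.3.4:2513 idle 0:00:49 Bytes 77259 flags UIO
"""

# Assumed from the posted 'static' lines: public address -> real address.
STATICS = {"63.x.x.x": "172.16.5.7", "66.x.x.x": "172.16.3.4"}


@dataclass
class Conn:
    proto: str
    out_ip: str      # lower-security side, shown with its translated address
    out_port: int
    in_ip: str       # higher-security side, shown with its real address
    in_port: int
    idle: str
    nbytes: int
    flags: str

    def flag_names(self):
        return [FLAGS.get(f, f"unknown flag {f!r}") for f in self.flags]

    def handshake_complete(self):
        # a/A/s/S all mean the PIX is still waiting on part of the 3-way handshake.
        return not any(f in self.flags for f in "aAsS")


def parse_conns(text):
    """Return one Conn per line that matches the 'show conn' layout."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        conns.append(Conn(d["proto"], d["out_ip"], int(d["out_port"]),
                          d["in_ip"], int(d["in_port"]), d["idle"],
                          int(d["bytes"]), d["flags"]))
    return conns


def diagnose(client_leg, reply_leg, statics):
    """Compare the client->server leg with the server->client leg.

    client_leg: entry whose 'in' side is the server's real address.
    reply_leg:  entry whose 'out' side is the server's static public address.
    The static map confirms both legs refer to the same server; the client's
    source port must be identical on both legs for them to be one session.
    """
    same_server = (statics.get(reply_leg.out_ip) == client_leg.in_ip
                   and reply_leg.out_port == client_leg.in_port)
    return {
        "same_server": same_server,
        "source_port_preserved": client_leg.out_port == reply_leg.in_port,
        "established": client_leg.handshake_complete() and reply_leg.handshake_complete(),
        "client_leg_flags": client_leg.flag_names(),
        "reply_leg_flags": reply_leg.flag_names(),
    }


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_SHOW_CONN)
    for client, reply in ((conns[0], conns[1]), (conns[2], conns[3])):
        r = diagnose(client, reply, STATICS)
        print(f"{reply.in_ip} -> {client.in_ip}:{client.in_port}: "
              f"port preserved={r['source_port_preserved']}, "
              f"established={r['established']}")
        print("  client leg:", ", ".join(r["client_leg_flags"]))
        print("  reply leg: ", ", ".join(r["reply_leg_flags"]))
```

Run against the quoted lines, the PAT'd host's pair reports the port mismatch (1060 vs 3954) and both legs still waiting on SYN/ACK, while the statically mapped host's pair reports the port preserved and both legs up with data in both directions.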

2 REPLIES
Cisco Employee

Re: translation/port issues with a 515E

I am assuming your local machine 172.16.3.7 wants to open the webserver with its public IP.

add the following lines and let me know if it helps

static (F5external,private) 63.x.x.x 172.16.5.7

global (F5external) 1 interface

let me know how it goes

Re: translation/port issues with a 515E

Hi ..

I can't see the rest of the configuration .. however I suggest you use static NAT between private and F5External instead of using nat exception (nat 0) ..

static (private,F5External) 172.16.3.0 172.16.3.0 netmask 255.255.255.0

Make sure you allow the required access from Private -> F5External (allowed by default from higher to lower security). If you also need access to be initiated from F5External -> Private (Lower to higher) then that needs to be specifically allowed as well.

Also make sure that the private hosts are actually trying to connect to the 172.16.5.7 IP address instead of to its public IP address, otherwise the packet might be trying to go out the outside interface, which seems to be the case in your logs.

don't forget to do clear xlate after the changes !!!

I hope it helps .. please rate helpful posts
