I'm having issues opening up a http connection between a host on one interface (higher security level) and a webserver on another interface (lower security level). The webserver is statically mapped to a public ip address, and the host is using interface PAT.
Now, I'm assuming that this is a translation/port issue since there's no outbound acls for the internal interface the host sits on.
Before I go further, here is the version info and relevant config entries (there are additional interfaces, nat, acls, etc. omitted):
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(1)
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Here's a look at what's going on with the connections:
The host in question (172.16.3.7) opens a connection with the webserver (172.16.5.7), and has its private ip translated to the interface ip (208.x.x.x):
TCP out 208.x.x.x:1060 in 172.16.5.7:80 idle 0:00:30 Bytes 0 flags aB
The webserver responds, has its private ip (172.16.5.7) translated to its static public ip (63.x.x.x), and tries to open a connection to port 3954 on the requesting host (172.16.3.7):
TCP out 63.x.x.x:80 in 172.16.3.7:3954 idle 0:00:06 Bytes 0 flags saA
It does seem like the translations are behaving as configured, but for some reason (the crux of the issue), the source port of the requesting host changes from 1060 to 3954. Why is this and how can it be corrected? The connection flags also point to this issue:
webserver:aB = (awaiting outside ACK to SYN) (initial SYN from outside)
requesting host:saA = (awaiting outside SYN) (awaiting outside ACK to SYN) (awaiting inside ACK to SYN)
If the source port of the requesting host was the same on the webserver's reply, then the requesting host wouldn't be waiting for an outside SYN.. right? What is causing the sport change?
There is one host (172.16.3.4) on this segment that can successfully open up a http connection to the webserver on a different fw interface. The difference? This host on the private interface has a statically mapped public ip address. Here's the connection output:
TCP out 66.x.x.x:2513 in 172.16.5.7:80 idle 0:00:00 Bytes 77259 flags UIOB
TCP out 63.x.x.x:80 in 172.16.3.4:2513 idle 0:00:49 Bytes 77259 flags UIO
The requesting host source port is the same on both paths of the tcp connection.
So.. why can't the source port stay the same for hosts using interface PAT, and why does it stay the same for a host that has a statically mapped public ip? How do I go about fixing this sport issue? (assuming the problem is with the tcp sport)
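An added helper (not from the original post) that parses the `show conn` lines quoted above and checks whether the requesting host's source port is the same on both legs of the session; the flag letters a/A/B/s are decoded as in the post, and U/I/O are taken from the PIX `show conn` flag table.

```python
import re

# a/A/B/s as decoded in the post; U/I/O from the PIX "show conn" flag table.
FLAG_LEGEND = {"a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
               "B": "initial SYN from outside", "s": "awaiting outside SYN",
               "U": "up", "I": "inbound data", "O": "outbound data"}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>\S+):(?P<out_port>\d+) "
    r"in (?P<in_ip>\S+):(?P<in_port>\d+) idle (?P<idle>\S+) "
    r"Bytes (?P<bytes>\d+) flags (?P<flags>\S*)$")

def parse_conn(line):
    """Parse one PIX 6.3 'show conn' line into a dict; None if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("out_port", "in_port", "bytes"):
        d[key] = int(d[key])
    d["flag_text"] = [FLAG_LEGEND.get(f, "unknown flag " + f) for f in d["flags"]]
    return d

def compare_legs(server_leg, client_leg):
    """Compare the two conn entries of one client->server session.
    server_leg: entry whose inside end is the server (its 'out' is the translated client);
    client_leg: entry whose inside end is the client (its 'out' is the translated server).
    The client's source port should be identical on both legs."""
    s, c = parse_conn(server_leg), parse_conn(client_leg)
    if s is None or c is None:
        raise ValueError("unparsable conn line")
    if s["in_port"] != c["out_port"]:
        raise ValueError("legs do not refer to the same service port")
    return {"client": c["in_ip"], "server": s["in_ip"],
            "pat_port": s["out_port"], "client_port": c["in_port"],
            "port_consistent": s["out_port"] == c["in_port"],
            # 's' on the client-side leg: the PIX still waits for an outside SYN
            "client_leg_awaiting_outside_syn": "s" in c["flags"],
            "server_leg_flags": s["flag_text"], "client_leg_flags": c["flag_text"]}

# Constructed sample input: the two sessions quoted in the post (x's kept as written).
FAILING = ("TCP out 208.x.x.x:1060 in 172.16.5.7:80 idle 0:00:30 Bytes 0 flags aB",
           "TCP out 63.x.x.x:80 in 172.16.3.7:3954 idle 0:00:06 Bytes 0 flags saA")
WORKING = ("TCP out 66.x.x.x:2513 in 172.16.5.7:80 idle 0:00:00 Bytes 77259 flags UIOB",
           "TCP out 63.x.x.x:80 in 172.16.3.4:2513 idle 0:00:49 Bytes 77259 flags UIO")

if __name__ == "__main__":
    for name, legs in (("failing", FAILING), ("working", WORKING)):
        print(name, compare_legs(*legs))
```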
Make sure you allow the required access from Private -> F5External (allowed by default from higher to lower security). If you also need access to be initiated from F5External -> Private (Lower to higher) then that needs to be specifically allowed as well.
Also make sure that the private hosts are actually trying to connect to the 172.16.5.7 IP address instead of to its Public IP address otherwise the packet might be trying to go out the outside interface which seems to be the case in your logs.
don't forget to do clear xlate after the changes !!!