I'm replacing a WatchGuard firewall with a 501 for a customer. We have only one public IP address (DSL). Using PAT, all clients can surf the web. There is a functional conduit into the firewall to an FTP server. The only problem is with the Novell server. It can reach the inside but cannot reach the outside interface of the 501. It does fine with the firewall that's already there. I'm using the same IP for both firewalls (just switching them temporarily to test), clearing the ARP cache as I go, yet the server will not get through the 501. Any ideas, PLEASE?
As a side note, if "static (inside,outside) x.x.x.x 10.0.20.10" (for incoming mail to the Novell box) is used, all outbound traffic will cease through the 501 until the reload command is issued. Thanks again.
So you put in the PAT command and all clients can issue successful requests to the outside world? Including the Novell server (I realize you can't exactly web browse from a Novell box), but can you ping an outside IP address from the Novell server before you put the static command in place? The FTP server is completely OK. Give more details if possible, we'll help get you there...
All clients can get out with HTTP or ICMP. The Novell server (which unfortunately serves mail) cannot get out at all. The furthest the Novell box goes is the internal 501 interface, even before the static command. The static command does not block all traffic when pointing to another internal host, only the Novell box.
I've since tried setting the internal IP (501) to 10.0.20.3 and then setting the default route in TCPCON on the Novell box to the same, but with no results. I'd love to blame the Novell server, but the WatchGuard box lets it all through.
I really hope that the IP addresses and passwords listed are dummy ones that replaced the actual ones.
It's customary to use obviously invalid IPs, like 126.96.36.199 or 10.10.10.10, to ensure no one acquires knowledge of the network that is not for public consumption.
Same thing with passwords: Use obvious password replacements, like or . Even though these are scrambled, it is not secure.
Regarding the problem, can you tell if a translation slot was opened? Do a SH CONN LOCAL 188.8.131.52, where 184.108.40.206 is the inside Novell address. You can also enable some logging to a syslog server while you try to connect, and search through it to find the transactions between the PIX and the Novell server to see what the deal is.
Yes, they are dummy IPs and DNS names. And thanks for the concern. I can use "debug icmp trace", then ping an external IP from a client and the console shows the traffic. Pinging the same external address from the server yields no result on the console. Pinging the internal interface from the server will show on the console. Does that help much? I keep finding articles about Novell IP not working well with NAT, but mainly for client/server communications (login, file sharing, etc.). I just need SMTP to and from this box.
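For reference, here is the PIX 6.x configuration the thread is circling around: one public address used both for outbound PAT and for inbound SMTP to the Novell box. This is an added example, not configuration from any of the posters. It keeps the thread's placeholders (x.x.x.x for the public DSL address, 10.0.20.10 for the Novell mail server), assumes 10.0.20.1 as the inside interface address, and uses an access-list in place of the conduit the poster already has for FTP; either form works on PIX 6.x.

```cisco
! --- Added example: PIX 6.x, single public IP shared by PAT and inbound SMTP ---
! x.x.x.x  = public DSL address (placeholder from the thread)
! 10.0.20.10 = Novell mail server (from the thread)
! 10.0.20.1  = inside interface address (assumed for this example)
ip address inside 10.0.20.1 255.255.255.0

! Outbound: every inside host, the Novell box included, is PATed to the
! address of the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! What the poster tried. A one-to-one static for the whole public address
! claims the same x.x.x.x that the PAT above uses, so outbound translation
! breaks (the poster saw it stay broken until a reload). Do not do this when
! you only have one public address.
! static (inside,outside) x.x.x.x 10.0.20.10 netmask 255.255.255.255

! Instead, redirect only TCP/25 on the interface address to the Novell box.
! The same x.x.x.x keeps serving outbound PAT for every other port.
static (inside,outside) tcp interface smtp 10.0.20.10 smtp netmask 255.255.255.255

! Allow inbound SMTP to the interface address (this is the access-list
! equivalent of a conduit; do not mix conduits and access-lists on one box).
access-list outside_in permit tcp any interface outside eq smtp
access-group outside_in in interface outside

! Any change to nat/global/static only takes effect for new translations;
! flush the old ones instead of reloading.
clear xlate

! Verification while the Novell box tries to reach an outside host:
! an xlate and a conn for 10.0.20.10 must appear, otherwise the packets
! are not reaching the PIX (routing on the Novell side) or are being dropped.
show xlate local 10.0.20.10
show conn local 10.0.20.10
debug icmp trace
```

One caveat worth knowing before reading too much into the tests described in the thread: a PIX does not answer pings addressed to its far-side interface, so a host on the inside can never ping the outside interface address through the box, even when translation is working perfectly. Test from the Novell box against a real external host and watch `show xlate` and `debug icmp trace` instead; if no xlate ever appears for 10.0.20.10 while other clients get one, the traffic is not arriving at the PIX at all and the default route and netmask in TCPCON on the Novell server are the next thing to check.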