PIX port redirection Xlate stops forwarding 6.3.3

gargravarr
Level 1

I am attempting to port redirect from 1 external address to 2 internal machines, 1 www and 1 smtp. All works fine for a few minutes, and then inbound traffic to the mailhost stops flowing. Showing the xlate tables shows a build-up of inbound connections, but no traffic flows. If I remove port redirection and have a static mapping for the machine there is no problem. Viewing the debug for the connection I get SYN timeout after the timeout period ???

Any ideas most appreciated.

12 Replies

scoclayton
Level 7

Hi,

Sounds like a mis-config. Can you post your configuration (with IPs consistently changed and passwords removed) for review? Also, the sh output you have would be helpful as well.

Scott

OLD config that did not work.

access-list inbound permit tcp any host XX.XX.XX.195 eq https
access-list inbound permit tcp any host XX.XX.XX.194 eq smtp
access-list inbound permit tcp any host XX.XX.XX.194 eq www
access-list inbound deny ip any any
access-group inbound in interface outside
static (inside,outside) XX.XX.XX.195 192.168.255.12 netmask 255.255.255.255 20 0
static (inside,outside) tcp XX.XX.XX.194 smtp 192.168.255.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.XX.XX.194 www 192.168.255.18 www netmask 255.255.255.255 0 0

NEW config that does.

access-list inbound permit tcp any host XX.XX.XX.195 eq https
access-list inbound permit tcp any host XX.XX.XX.194 eq smtp
access-list inbound permit tcp any host XX.XX.XX.197 eq www
access-list inbound deny ip any any
static (inside,outside) XX.XX.XX.195 192.168.255.12 netmask 255.255.255.255 20 0
static (inside,outside) XX.XX.XX.194 192.168.255.10 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.197 192.168.255.18 netmask 255.255.255.255 0 0
access-group inbound in interface outside

Thanks. Clearly #2 is going to work, but I am guessing this is not what you are wanting to configure. Can you post the rest of your config (specifically all of the NAT config)? Also, I would be interested in seeing the output from a 'sh x detail' when the problem is occurring.

Scott

FYI

The clear xlate allows traffic to flow normally for a while.

Did you ever find a solution to this? I am having the exact same issue. Thanks.

No solution yet!

Luckily I had a few IP's spare

gargravarr
Level 1

Also, if I do a clear xlate, traffic starts flowing again for a short time.

Hello all,

Did you find a workaround to this issue? I have exactly the same problem, resolved temporarily when doing a clear xlate.

Thanks for your help.

I found that adding a PAT statement to my config for that same IP address fixed my issue:

static (inside,outside) tcp 12.x.x.186 smtp 10.110.4.178 smtp netmask 255.255.255.255

Then

global (outside) 2 12.x.x.186

nat (inside) 2 10.110.4.178 255.255.255.255

That seemed to solve my issue. Good luck!

Your initial static translation had a 20 0 at the end of the static statement. That is your problem, because it allows 20 translated sessions for that IP. That is also why, when you do a clear xlate, it starts to work again.

Thanks,

Faisal
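An added lint, my own Python rather than anything posted in this thread or shipped by Cisco, that parses PIX 6.x `static`, `global` and `nat` lines and flags the two conditions the replies above point at: a non-zero max_conns on a static, and a port-redirect static whose outside address has no matching global/nat PAT pair (the posted workaround). The sample is the OLD config from the thread with the XX.XX.XX placeholders replaced by the documentation prefix 203.0.113, which is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's OLD config with XX.XX.XX replaced by the
# documentation prefix 203.0.113 (an assumption, not the poster's real addresses).
OLD_CONFIG = """
static (inside,outside) 203.0.113.195 192.168.255.12 netmask 255.255.255.255 20 0
static (inside,outside) tcp 203.0.113.194 smtp 192.168.255.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.194 www 192.168.255.18 www netmask 255.255.255.255 0 0
"""
# Same config with both remedies from the replies: no cap, plus a global/nat pair.
FIXED_CONFIG = OLD_CONFIG.replace(" 20 0", " 0 0") + """
global (outside) 2 203.0.113.194
nat (inside) 2 192.168.255.10 255.255.255.255
nat (inside) 2 192.168.255.18 255.255.255.255
"""

def parse_static(line):
    # static (real,mapped) [tcp|udp] gip [gport] lip [lport] netmask m [max_conns [emb]]
    t = line.split()
    if len(t) < 6 or t[0] != "static":
        return None
    real, mapped = t[1].strip("()").split(",")
    proto = gport = None
    if t[2] in ("tcp", "udp"):                  # port-redirection form
        proto, gip, gport, lip, _lport, *rest = t[2:]
    else:                                       # plain one-to-one static
        gip, lip, *rest = t[2:]
    if not rest or rest[0] != "netmask":
        raise ValueError("unrecognised static line: " + line)
    tail = [int(x) for x in rest[2:]]           # optional max_conns emb_limit
    return {"real": real, "mapped": mapped, "proto": proto, "gip": gip,
            "gport": gport, "lip": lip, "max_conns": tail[0] if tail else 0}

def lint(config):
    """Return warnings for the two things the replies in the thread point at."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    pools = defaultdict(lambda: {"global": set(), "nat": set()})   # nat id -> pool
    for l in lines:
        m = re.match(r"(global|nat) \((\w+)\) (\d+) (\S+)", l)
        if m:
            pools[m[3]][m[1]].add((m[2], m[4]))     # (interface, address)
    warnings = []
    for s in filter(None, map(parse_static, lines)):
        if s["max_conns"]:
            warnings.append(f"{s['gip']}: max_conns={s['max_conns']} caps simultaneous connections;"
                            " beyond it new inbound connections fail until xlates clear")
        if s["proto"] and not any((s["mapped"], s["gip"]) in p["global"] and
                                  (s["real"], s["lip"]) in p["nat"] for p in pools.values()):
            warnings.append(f"{s['gip']}/{s['gport']} -> {s['lip']}: port redirect with no"
                            " matching global/nat PAT pair for that outside address")
    return warnings
```

Running `lint(OLD_CONFIG)` reports the capped .195 static and both .194 port redirects; `lint(FIXED_CONFIG)` reports nothing.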

I also noticed a similar scenario: https works sometimes and other times it does not. To fix that you have to disable your ip http server, or PDM.

So are you allowing remote hosts to access an internal server/service via the web but instead of http you are using https for more security?

I am about to implement this and was wondering if we would be better off using https then http? Although we were not doing "any host" just a specific remote IP from a customer.

But, if I do this I'd have to take out my PDM services to allow this to work reliably?

Thanks!!!!
