Cisco Support Community

New Member

PIX port redirection Xlate stops forwarding 6.3.3

I am attempting to port redirect from 1 external address to 2 internal machines, 1 www and 1 smtp. All works fine for a few minutes, and then inbound traffic to the mailhost stops flowing. Showing the xlate tables shows a build-up of inbound connections but no traffic flows. If I remove port redirection and have a static mapping for the machine there is no problem. Viewing the debug for the connection I get SYN timeout after the timeout period ???

Any ideas most appreciated.

12 REPLIES

Re: PIX port redirection Xlate stops forwarding 6.3.3

Hi,

Sounds like a mis-config. Can you post your configuration (with IPs consistently changed and passwords removed) for review? Also, the sh output you have would be helpful as well.

Scott

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

OLD config that did not work.

access-list inbound permit tcp any host XX.XX.XX.195 eq https

access-list inbound permit tcp any host XX.XX.XX.194 eq smtp

access-list inbound permit tcp any host XX.XX.XX.194 eq www

access-list inbound deny ip any any

access-group inbound in interface outside

static (inside,outside) XX.XX.XX.195 192.168.255.12 netmask 255.255.255.255 20 0

static (inside,outside) tcp XX.XX.XX.194 smtp 192.168.255.10 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp XX.XX.XX.194 www 192.168.255.18 www netmask 255.255.255.255 0 0

NEW config that does.

access-list inbound permit tcp any host XX.XX.XX.195 eq https

access-list inbound permit tcp any host XX.XX.XX.194 eq smtp

access-list inbound permit tcp any host XX.XX.XX.197 eq www

access-list inbound deny ip any any

static (inside,outside) XX.XX.XX.195 192.168.255.12 netmask 255.255.255.255 20 0

static (inside,outside) XX.XX.XX.194 192.168.255.10 netmask 255.255.255.255 0 0

static (inside,outside) XX.XX.XX.197 192.168.255.18 netmask 255.255.255.255 0 0

access-group inbound in interface outside

Re: PIX port redirection Xlate stops forwarding 6.3.3

Thanks. Clearly #2 is going to work but I am guessing this is not what you are wanting to configure. Can you post the rest of your config (specifically all of the NAT config)? Also, I would be interested in seeing the output from a 'sh x detail' when the problem is occurring.

Scott

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

FYI

The clear xlate allows traffic to flow normally for a while.

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

Did you ever find a solution to this? I am having the exact same issue. Thanks.

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

No solution yet!

Luckily I had a few IPs spare

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

Also, if I do a clear xlate, traffic starts flowing again for a short time.

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

Hello all,

Did you find a workaround to this issue? I have exactly the same problem, resolved temporarily when doing a clear xlate.

Thanks for your help.

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

I found that adding a PAT statement to my config for that same IP address fixed my issue:

static (inside,outside) tcp 12.x.x.186 smtp 10.110.4.178 smtp netmask 255.255.255.255

Then

global (outside) 2 12.x.x.186

nat (inside) 2 10.110.4.178 255.255.255.255

That seemed to solve my issue. Good luck!

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

Your initial static translation had a 20 0 at the end of the static statement. That is your problem because it allows 20 translated sessions for that IP. That is also why, when you do a clear xlate, it starts to work again.

Thanks,

Faisal
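As an added example (not code from this thread or from Cisco), here is a small Python audit script for the kind of PIX 6.x NAT/ACL snippets posted above. It tokenizes `static`, `access-list`, `global` and `nat` lines and reports three things the thread turns on: the optional trailing max_conns/emb_limit fields of a `static` (the "20 0" Faisal points to; in PIX syntax max_conns caps simultaneous TCP connections through that translation and 0 means unlimited), ACL permits that have no static translating them, and port-redirect statics whose inside host has no `nat`/`global` pair on the same outside address, which is the workaround posted earlier in the thread rather than a PIX requirement. The sample configs are the thread's own redacted lines, embedded here as constructed input; the check names (`max_conns`, `no-xlate`, `no-pat`) are this script's own labels.

```python
"""Audit PIX 6.x-style static/ACL/nat snippets for the pitfalls discussed in the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Regexes cover only the simple forms seen in the thread (assumption: one host, one port).
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+\S+\s+host\s+(\S+)\s+eq\s+(\S+)\s*$")
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+(\d+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\w+)\)\s+(\d+)\s+(\S+)\s+(\S+)")


@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None for a plain 1:1 static
    mapped_addr: str            # outside (global) address
    mapped_port: Optional[str]
    real_addr: str              # inside (local) address
    real_port: Optional[str]
    max_conns: int              # 0 = unlimited
    emb_limit: int              # embryonic (half-open) limit, 0 = unlimited


def parse_static(line: str) -> Optional[Static]:
    """Tokenize 'static (real,mapped) [tcp|udp] gaddr [gport] laddr [lport] netmask mask [max_conns [emb]]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "static":
        return None
    try:
        real_if, mapped_if = t[1].strip("()").split(",")
        i, proto = 2, None
        if t[i] in ("tcp", "udp"):
            proto = t[i]
            mapped_addr, mapped_port, real_addr, real_port = t[i + 1:i + 5]
            i += 5
        else:
            mapped_addr, real_addr = t[i], t[i + 1]
            mapped_port = real_port = None
            i += 2
        if t[i] != "netmask":
            return None
        tail = t[i + 2:]                     # whatever follows the mask: max_conns [emb_limit]
        max_conns = int(tail[0]) if len(tail) > 0 else 0
        emb = int(tail[1]) if len(tail) > 1 else 0
    except (ValueError, IndexError):
        return None
    return Static(real_if, mapped_if, proto, mapped_addr, mapped_port, real_addr, real_port, max_conns, emb)


def audit(config: str) -> list:
    """Return a list of finding strings for the given config text."""
    statics, acl, globals_, nats = [], [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if (s := parse_static(line)) is not None:
            statics.append(s)
        elif (m := ACL_RE.match(line)):
            acl.append(m.groups())
        elif (m := GLOBAL_RE.match(line)):
            globals_[(m[1], m[2])] = m[3]          # (interface, nat id) -> outside address
        elif (m := NAT_RE.match(line)):
            nats.setdefault(m[2], set()).add(m[3])  # nat id -> inside addresses

    findings = []
    # 1. Connection cap on a static: the "20 0" in the thread's original config.
    for s in statics:
        if s.max_conns > 0:
            findings.append(f"max_conns: static for {s.mapped_addr} caps simultaneous TCP "
                            f"connections at {s.max_conns} (0 means unlimited)")
    # 2. ACL permits with no static that translates that host (and port, for a port redirect).
    for name, proto, host, port in acl:
        covered = any(st.mapped_addr == host and
                      (st.proto is None or (st.proto == proto and st.mapped_port == port))
                      for st in statics)
        if not covered:
            findings.append(f"no-xlate: {name} permits {proto}/{port} to {host} but no static translates it")
    # 3. Port redirects lacking the nat/global pair that the thread's workaround adds.
    pat_hosts = {}                                  # outside address -> inside hosts with a PAT pair
    for (_ifc, nat_id), addr in globals_.items():
        for inside in nats.get(nat_id, ()):
            pat_hosts.setdefault(addr, set()).add(inside)
    for s in statics:
        if s.proto and s.real_addr not in pat_hosts.get(s.mapped_addr, set()):
            findings.append(f"no-pat: port redirect {s.mapped_addr}/{s.mapped_port} -> {s.real_addr} "
                            f"has no nat/global pair on {s.mapped_addr} (thread workaround)")
    return findings


# Constructed sample input: the thread's "OLD config that did not work", addresses as redacted there.
OLD_CONFIG = """\
access-list inbound permit tcp any host XX.XX.XX.195 eq https
access-list inbound permit tcp any host XX.XX.XX.194 eq smtp
access-list inbound permit tcp any host XX.XX.XX.194 eq www
access-list inbound deny ip any any
access-group inbound in interface outside
static (inside,outside) XX.XX.XX.195 192.168.255.12 netmask 255.255.255.255 20 0
static (inside,outside) tcp XX.XX.XX.194 smtp 192.168.255.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.XX.XX.194 www 192.168.255.18 www netmask 255.255.255.255 0 0
"""

# Constructed sample input: the workaround posted later in the thread (static plus nat/global pair).
WORKAROUND_CONFIG = """\
static (inside,outside) tcp 12.x.x.186 smtp 10.110.4.178 smtp netmask 255.255.255.255
global (outside) 2 12.x.x.186
nat (inside) 2 10.110.4.178 255.255.255.255
"""

if __name__ == "__main__":
    for label, cfg in (("OLD", OLD_CONFIG), ("WORKAROUND", WORKAROUND_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" ", f)
```

On the thread's old config the script reports the 20-connection cap on the .195 static and flags both port redirects as having no nat/global pair; on the workaround snippet it reports nothing. The parser is intentionally narrow (single-host ACL entries, no object groups), which is the right trade-off for a check you run against a short snippet before pasting it into a box.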

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

I also noticed a similar scenario: https works sometimes and other times it does not. To fix that you have to disable your ip http server, or PDM.

New Member

Re: PIX port redirection Xlate stops forwarding 6.3.3

So are you allowing remote hosts to access an internal server/service via the web but instead of http you are using https for more security?

I am about to implement this and was wondering if we would be better off using https than http? Although we were not doing "any host", just a specific remote IP from a customer.

But, if I do this I'd have to take out my PDM services to allow this to work reliably?

Thanks!!!!
