I am attempting to do a port redirection on the outside interface of the Pix with the new commands that v6.0+ provides.
Any tcp traffic on port 3000 that comes to my outside interface is statically translated with the static (inside,outside) command and redirected to a server (same port, 3000) on the trusted/inside network.
Hey, if it worked I wouldn't be posting here would I?
The only difference I see in cisco's sample config is that they are using a separate PAT address whereas I am using the Pix's outside interface as my PAT address. Is that a problem?
What is happening when you try connecting to port 3000 (or whatever)? Is the server on the inside listening on that port? What does a 'sh conn detail' show you when you try? Any chance you could post your config for review? Should work fine though.
Thanks for the reply Scott. Here's the part of the config in question, with some of the addresses changed to protect the innocent. As you can see, the PIX is getting its outside address from DHCP (cable modem) but it hasn't changed in years, so I guess it's OK. I am also doing some PPTP VPN stuff which works fine with the DHCP address.
access-list 101 permit tcp any host (PIX OUTSIDE) eq 3000
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
SH CONN DETAIL doesn't appear to show any sort of connection or translation to 192.168.0.199. To access this port on the server, I just open a browser and hit http://(PIX outside address):3000, but it fails immediately. It works internally, with 192.168.0.199:3000 but not from outside.
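For reference, here is an added example (not from any of the posters) of a minimal PIX 6.x port-redirect configuration matching what is described above: the outside interface address is used as the PAT address and TCP/3000 is forwarded to the inside server. The server address 192.168.0.199 and access-list number 101 are taken from the thread; the interface names and the nat/global lines are assumed.

```cisco
! Outbound PAT for inside hosts, using the outside interface address (assumed)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Port redirection: TCP/3000 arriving on the outside interface address
! is translated to the inside server on the same port
static (inside,outside) tcp interface 3000 192.168.0.199 3000 netmask 255.255.255.255 0 0

! Permit only TCP/3000 to the PIX outside address; replace PIX_OUTSIDE_IP
! with the interface address (placeholder, not a value from the thread)
access-list 101 permit tcp any host PIX_OUTSIDE_IP eq 3000

! The ACL does nothing until it is bound to the outside interface
access-group 101 in interface outside
```

If the translation is in place, 'sh xlate' should list a PAT entry for 192.168.0.199 on port 3000 even before any client connects; 'show sysopt' shows whether proxy ARP has been disabled, which the later reply identifies as a possible cause.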
Config looks fine and it also should be fine using a DHCP interface in the port static. Might be time to take a look at debug level syslogs to see what is going on. Before that, can you paste the output from a 'sh xlate <debug>'. The <debug> part was added in later code so I don't know if it exists in your version. Obviously, you would want to remove the '<>' in the command before running it. If 'debug' does not exist, 'sh xlate' should be fine.
As a consultant I ran into a similar problem. I found out that this customer had entered the command "no sysopt proxy-arp" at their PIX, and this was causing the problem. This customer's case was slightly different from your case, because there were two PIXes connected back-to-back (two companies in one building communicating with each other), but you could check it at your PIX ;-)