Ok, I'm using a DMZ on a PIX 515E to go down to a pair of servers running Timbuktu (I'd never heard of it previously either). This little baby uses UDP 407 for handshaking, then TCP ports 1417 through 1420 for other tasks. On top of that, it also runs dynamic UDP and TCP ports. Surprise, surprise: it isn't working.
I have tried various permutations of ACL, including permit UDP and permit TCP any, just to get it going. A debug UDPproto shows that the application hits the firewall from the trusted IP address specified in the ACL and is directed to the global address in the static command. It then does no more.
I can ping the target server from the PIX. Would the fixup protocol command be a good way to go on this one?
Help would be appreciated.
Steve N.
For those of you who are interested: the load balancers I had behind the inside interface needed:
An ACL to permit tcp any host <public_ip> eq www.
A static to translate from the public_IPs to the virtual_IPs on the load balancer.
The inside interface of the PIX designated as the gateway for the servers.
Horribly straightforward in the end.
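The three items above, written out as the corresponding PIX 6.x-style configuration. This is an added illustration, not the poster's own config; the addresses (public 203.0.113.10, load balancer virtual IP 10.1.1.10) and the ACL name WEB_IN are assumed placeholders. Note that the ACL permits only TCP 80 to the published host rather than the broad "permit tcp any" used earlier for troubleshooting; the third item (servers pointing their default gateway at the PIX inside interface) is set on the servers, not on the PIX.

```text
! Added example (constructed addresses and ACL name, not from the original post)
! 1. Static translation: public 203.0.113.10 -> load balancer VIP 10.1.1.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! 2. Inbound ACL: only HTTP to the published host, nothing broader
access-list WEB_IN permit tcp any host 203.0.113.10 eq www
! Bind the ACL inbound on the outside interface
access-group WEB_IN in interface outside
```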