Question

Cisco 3620 cutting off port 80 inbound after short period

Asked by: billbiv

My client has reconfigured their Cisco 3620 from a basic router to a firewall as part of an overall reconfiguration to enable a web server and mail server to sit behind the firewall and also provide public services (as well as inside net services).

Everything works great EXCEPT routing to the web server. For whatever reason, after some short period of time once the DNS pointers begin sending web traffic toward the web server, the firewall stops all port 80 traffic. Port 21 traffic to the same NIC stays open. The mail server and mail traffic are all unaffected. It is only port 80 that is locking up. Clearing the NAT translation tables effectively frees up the port again, but only temporarily.

The ISP has gotten involved to help configure the router properly, but they are even having trouble getting it right.

Their first approach was to put in some NAT translation timeouts with the thought that the translation tables were filling up and getting corrupted. The timeouts had no effect, though, even when dropped to 2 minutes.

Next, the ISP thought that perhaps the internal IPs being mapped to a single pool going out was insufficient, so they tried using more pools for the internal IPs to get mapped to. Did not work.

Then they made sure the web and mail servers were mapped so that they would come out via the same public IP that incoming requests arrived on.  Still no go.

Has anyone seen anything like this?

I can post the config file, but am a little uncomfortable putting up my client's public IPs.  Should I xx out portions of those for security?

Help solving this one will be DEEPLY appreciated!

Bill


Asked on: 2003-07-02 at 10:33:07 (ID 20666616)
Tags: 3620, cisco
Topic: Network Software Firewalls
Participating experts: 3
Points: 500
Comments: 13


Answers

 

by: snoopy13, posted on 2003-07-02 at 10:42:04, ID: 8842418

Hi, what version of IOS are you using? If you post the config as you said, xx out the IP addresses and remove passwords.

 

by: billbiv, posted on 2003-07-02 at 11:09:09, ID: 8842647

The top line reads version 12.0.

Here's the config:

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname FIREWALL_NAT
!
enable secret XXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXXXXX
!
username XXXXX privilege XX password X XXXXXXXXXXXXXXXXXX
username XXXXX privilege XX password X XXXXXXXXXXXXXXXXXX
!
!
!
!
ip subnet-zero
ip name-server XX.XXX.0.12
ip name-server XX.XXX.1.2
!
ip audit notify log
ip audit po max-events 100
!
!
controller T1 0/0
!
controller T1 1/0
!
process-max-time 200
!
interface FastEthernet0/0
 description connected to Internet
 ip address XX.XXX.30.222 255.255.255.240 secondary
 ip address XX.XXX.29.218 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 ip irdp
 ip rip receive version 2
 no ip mroute-cache
 keepalive 5
!
interface FastEthernet1/0
 description connected to EthernetLAN
 ip address 10.10.40.200 255.255.0.0 secondary
 ip address 192.168.101.254 255.255.255.0 secondary
 ip address 192.168.1.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
!
router rip
 version 2
 passive-interface FastEthernet0/0
 network 192.168.1.0
 no auto-summary
!
ip default-gateway XX.XXX.29.217
ip nat translation timeout 900
ip nat translation tcp-timeout 900
ip nat translation port-timeout tcp 80 3600
ip nat translation port-timeout tcp 443 3600
ip nat translation port-timeout udp 53 300
ip nat translation max-entries 2147483647
ip nat pool int XX.XXX.30.217 XX.XXX.30.221 netmask 255.255.255.240
ip nat pool mail XX.XXX.30.210 XX.XXX.30.210 netmask 255.255.255.240
ip nat pool web XX.XXX.30.212 XX.XXX.30.212 netmask 255.255.255.240
ip nat inside source list 2 pool mail overload
ip nat inside source list 3 pool web overload
ip nat inside source list 4 pool int overload
ip nat inside source static tcp 192.168.1.219 3389 XX.XXX.30.212 3389 extendable

ip nat inside source static tcp 192.168.1.210 366 XX.XXX.30.210 366 extendable
ip nat inside source static tcp 192.168.1.210 465 XX.XXX.30.210 465 extendable
ip nat inside source static tcp 192.168.1.210 143 XX.XXX.30.210 143 extendable
ip nat inside source static tcp 192.168.1.210 389 XX.XXX.30.210 389 extendable
ip nat inside source static tcp 192.168.1.210 995 XX.XXX.30.210 995 extendable
ip nat inside source static tcp 192.168.1.210 993 XX.XXX.30.210 993 extendable
ip nat inside source static tcp 192.168.1.210 1000 XX.XXX.30.210 1000 extendable

ip nat inside source static tcp 192.168.1.210 3002 XX.XXX.30.210 3002 extendable

ip nat inside source static tcp 192.168.1.210 3000 XX.XXX.30.210 3000 extendable

ip nat inside source static tcp 192.168.1.210 110 XX.XXX.30.210 110 extendable
ip nat inside source static tcp 192.168.1.210 25 XX.XXX.30.210 25 extendable
ip nat inside source static tcp 192.168.1.212 21 XX.XXX.30.212 21 extendable
ip nat inside source static tcp 192.168.1.212 443 XX.XXX.30.212 443 extendable
ip nat inside source static tcp 192.168.1.212 80 XX.XXX.30.212 80 extendable
ip nat inside source static tcp 192.168.1.210 25 XX.XXX.29.220 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XXX.29.217
ip route 0.0.0.0 0.0.0.0 XX.XXX.30.209
ip route 10.0.0.0 255.0.0.0 FastEthernet1/0
ip route XX.XXX.29.220 255.255.255.255 192.168.1.210
ip route XX.XXX.30.210 255.255.255.255 192.168.1.210
ip route XX.XXX.30.212 255.255.255.255 192.168.1.212
ip route 172.16.0.0 255.255.0.0 FastEthernet1/0
ip route 192.168.0.0 255.255.0.0 FastEthernet1/0
no ip http server
!
access-list 2 permit 192.168.1.210
access-list 3 permit 192.168.1.212
access-list 4 permit 192.168.0.0 0.0.255.255
snmp-server engineID local 00000009020000D058F270E0
snmp-server community public RO
banner motd ^CCYou are unauthorized ... Company Security Officer has been notifed with your information.


Logout^C
!
line con 0
 exec-timeout 0 0
 password X XXXXXXXXXXXXXXXX
 login
 transport input none
line aux 0
line vty 0 4
 password X XXXXXXXXXXXXXXXX
 login
!
end

 

by: lrmoore, posted on 2003-07-03 at 07:58:16, ID: 8849879

You need to use a route-map when you have both static and dynamic NAT..

http://www.cisco.com/warp/public/556/9.html

 

by: jclark666, posted on 2003-07-03 at 08:17:41, ID: 8850041

Does this router have the FW featureset? If so, there's a better way of doing this that won't beat up on NAT so much:

get rid of:  (and note not everything is gone, so pay attention.  :) )

ip nat pool mail XX.XXX.30.210 XX.XXX.30.210 netmask 255.255.255.240
ip nat pool web XX.XXX.30.212 XX.XXX.30.212 netmask 255.255.255.240
ip nat inside source list 2 pool mail overload
ip nat inside source list 3 pool web overload
ip nat inside source static tcp 192.168.1.219 3389 XX.XXX.30.212 3389 extendable

ip nat inside source static tcp 192.168.1.210 366 XX.XXX.30.210 366 extendable
ip nat inside source static tcp 192.168.1.210 465 XX.XXX.30.210 465 extendable
ip nat inside source static tcp 192.168.1.210 143 XX.XXX.30.210 143 extendable
ip nat inside source static tcp 192.168.1.210 389 XX.XXX.30.210 389 extendable
ip nat inside source static tcp 192.168.1.210 995 XX.XXX.30.210 995 extendable
ip nat inside source static tcp 192.168.1.210 993 XX.XXX.30.210 993 extendable
ip nat inside source static tcp 192.168.1.210 1000 XX.XXX.30.210 1000 extendable

ip nat inside source static tcp 192.168.1.210 3002 XX.XXX.30.210 3002 extendable

ip nat inside source static tcp 192.168.1.210 3000 XX.XXX.30.210 3000 extendable

ip nat inside source static tcp 192.168.1.210 110 XX.XXX.30.210 110 extendable
ip nat inside source static tcp 192.168.1.210 25 XX.XXX.30.210 25 extendable
ip nat inside source static tcp 192.168.1.212 21 XX.XXX.30.212 21 extendable
ip nat inside source static tcp 192.168.1.212 443 XX.XXX.30.212 443 extendable
ip nat inside source static tcp 192.168.1.212 80 XX.XXX.30.212 80 extendable
ip nat inside source static tcp 192.168.1.210 25 XX.XXX.29.220 25 extendable

and

access-list 2 permit 192.168.1.210
access-list 3 permit 192.168.1.212


and replace it all with:

ip nat inside source static 192.168.1.210 xx.xxx.30.210 extendable
ip nat inside source static 192.168.1.210 xx.xxx.29.220 extendable
(although it's a lot easier to debug if you use two internal interfaces. Extendable NAT is just asking for trouble.)
ip nat inside source static 192.168.1.212 xx.xxx.30.212

access-list 151 permit tcp any host XX.XXX.30.212  eq 80
access-list 151 permit tcp any host XX.XXX.30.212  eq 3389
access-list 151 permit tcp any host XX.XXX.30.212  eq 443
access-list 151 permit tcp any host XX.XXX.30.212  eq 20
access-list 151 permit tcp any host XX.XXX.30.212  eq 21
access-list 151 permit tcp any host XX.XXX.30.210  eq 366
access-list 151 permit tcp any host XX.XXX.30.210  eq 465
access-list 151 permit tcp any host XX.XXX.30.210  eq 143
access-list 151 permit tcp any host XX.XXX.30.210  eq 389
access-list 151 permit tcp any host XX.XXX.30.210  eq 995
access-list 151 permit tcp any host XX.XXX.30.210  eq 993
access-list 151 permit tcp any host XX.XXX.30.210  eq 1000
access-list 151 permit tcp any host XX.XXX.30.210  eq 3002
access-list 151 permit tcp any host XX.XXX.30.210  eq 3000
access-list 151 permit tcp any host XX.XXX.30.210  eq 110
access-list 151 permit tcp any host XX.XXX.30.210  eq 25
access-list 151 permit tcp any host XX.XXX.29.220 eq 25
access-list 151 permit tcp any any gt 1023 established  (to allow established sessions through, otherwise your internal hosts won't be able to talk to anyone outside)
access-list 151 permit udp host (your isps DNS servers IP) any  (to allow dns queries to come back)
access-list 151 permit tcp any host XX.XXX.29.218 eq 23   (so you can telnet in)
access-list 151 deny ip any host XX.XXX.30.212  (not strictly necessary, but I always like to make sure they're there so I don't accidentally open up something to 'any' that leaves me open)
access-list 151 deny ip any host XX.XXX.30.210
access-list 151 deny ip any host XX.XXX.29.220

and, finally, add

interface FastEthernet0/0
  ip access-group 151 in

 

by: jclark666, posted on 2003-07-03 at 08:27:53, ID: 8850137

And you don't need a route-map unless you're using an ipsec tunnel or doing something else where certain traffic should NOT be natted when going out.

 

by: billbiv, posted on 2003-07-03 at 13:53:55, ID: 8852683

Thanks everyone so far - we're looking into both recommendations from lrmoore and jclark666.

lrmoore, the document you referenced does not specifically mention "route-map" or a route-map command. Is it access-list 7 in that example that is accomplishing the objective you are talking about in using a route-map when combining SNAT and DNAT? --->

From http://www.cisco.com/warp/public/556/9.html:

"Note: ACL 7 (access-list 7) in the above configuration denies the inside local address, which is used in the static nat command. This will prevent packets sourced from the inside local address, 10.10.10.1, from being able to generate NAT dynamically. This is necessary because the inside local address of 10.10.10.1 is already being used for static NAT. This practice should always be used when configuring static and dynamic NAT simultaneously."



 

by: lrmoore, posted on 2003-07-03 at 14:09:39, ID: 8852764

You're right. My brain was somewhere else. Gave you the correct link, though..
The key is denying the static-mapped systems from using the Nat/Pat Pool..

jclark666 is also correct that unless you have a reason to nat some, not nat others like in a VPN tunnel, then you don't necessarily need a route-map..

 

by: billbiv, posted on 2003-07-10 at 19:00:06, ID: 8898250

Ok, we tried the new config this morning -- mostly along the lines you (jclark666) recommended, and also with some recommendations from a CISCO tech advising the ISP tech.  The new config seemed to be working beautifully all day long from install at around 11:30am until about 5:30pm when port 80 shut down again.  ????  Running the clear ip nat trans * command fixed the issue immediately, but obviously the core issue remains.  Would you please look at this config (the one that ran for 6 hours today) and see if you can spot any glaring issues?

Thanks again for your help!

Bill

CSSI_NAT#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CSSI_NAT
!
enable secret 5 XXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXXX
!
username jkarn privilege 15 password 7 XXXXXXXXXXXXXXXXXXX
username alee privilege 15 password 7 XXXXXXXXXXXXXXXXXXX
!
!
!
!
ip subnet-zero
ip name-server XX.XXX.0.12
ip name-server XX.XXX.1.2
!
ip audit notify log
ip audit po max-events 100
!
!
controller T1 0/0
!
controller T1 1/0
!
process-max-time 200
!
interface FastEthernet0/0
 description connected to Internet
 ip address XX.XXX.30.222 255.255.255.240
 ip access-group PortsIn in
 no ip directed-broadcast
 ip nat outside
 ip irdp
 ip rip receive version 2
 no ip mroute-cache
 keepalive 5
!
interface FastEthernet1/0
 description connected to EthernetLAN
 ip address 10.10.40.200 255.255.0.0 secondary
 ip address 192.168.1.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
!
router rip
 version 2
 passive-interface FastEthernet0/0
 network 192.168.1.0
 no auto-summary
!
ip default-gateway XX.XXX.30.209
ip nat translation timeout 900
ip nat translation tcp-timeout 900
ip nat translation port-timeout tcp 80 7200
ip nat translation port-timeout tcp 443 7200
ip nat translation port-timeout udp 53 300
ip nat translation max-entries 2147483647
ip nat pool cssi-int XX.XXX.30.217 XX.XXX.30.221 netmask 255.255.255.240
ip nat inside source list 4 pool cssi-int overload
ip nat inside source static 192.168.1.221 XX.XXX.30.216 extendable
ip nat inside source static 192.168.1.204 XX.XXX.30.215 extendable
ip nat inside source static 192.168.1.210 XX.XXX.30.210 extendable
ip nat inside source static 192.168.1.212 XX.XXX.30.212 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XXX.30.209
ip route 10.0.0.0 255.0.0.0 FastEthernet1/0
ip route XX.XXX.30.210 255.255.255.255 192.168.1.210
ip route XX.XXX.30.212 255.255.255.255 192.168.1.212
ip route 172.16.0.0 255.255.0.0 FastEthernet1/0
ip route 192.168.0.0 255.255.0.0 FastEthernet1/0
no ip http server
!
!
ip access-list extended PortsIn
 permit tcp any host XX.XXX.30.212 eq www
 permit tcp any host XX.XXX.30.212 eq 443
 permit tcp any host XX.XXX.30.212 eq ftp
 permit tcp any host XX.XXX.30.210 eq smtp
 permit tcp any host XX.XXX.30.210 eq pop3
 permit tcp any host XX.XXX.30.210 eq 143
 permit tcp any host XX.XXX.30.210 eq 366
 permit tcp any host XX.XXX.30.210 eq 389
 permit tcp any host XX.XXX.30.210 eq 465
 permit tcp any host XX.XXX.30.210 eq 995
 permit tcp any host XX.XXX.30.210 eq 1000
 permit tcp any host XX.XXX.30.210 eq 3000
 permit tcp any host XX.XXX.30.210 eq 3002
 permit tcp any host XX.XXX.30.216 eq 1433
 permit tcp any host XX.XXX.30.216 eq 3389
 permit tcp any host XX.XXX.30.215 eq www
 permit tcp any any gt 1023 established
 permit udp host XX.XXX.0.12 any
 permit udp host XX.XXX.1.2 any
 permit udp host XX.XXX.1.3 any
 permit tcp any host XX.XXX.30.210 eq 993
 deny   ip any host XX.XXX.30.210
 deny   ip any host XX.XXX.30.212
 deny   ip any host XX.XXX.30.215
 deny   ip any host XX.XXX.30.216
access-list 4 permit 192.168.0.0 0.0.255.255
snmp-server engineID local 00000009020000D058F270E0
snmp-server community public RO
banner motd ^CCYou are unauthorized ... Company Security Officer has been notifed
 with your information.


Logout^C
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXXXXXX
 login
 transport input none
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXX
 login
!
end

CSSI_NAT#

 

by: lrmoore, posted on 2003-07-10 at 19:15:12, ID: 8898313

Access-list 4 should be:

## deny the hosts with static nats:
access-list 4 deny 192.168.1.204 0.0.0.0
access-list 4 deny 192.168.1.210 0.0.0.0
access-list 4 deny 192.168.1.212 0.0.0.0
access-list 4 deny 192.168.1.221 0.0.0.0
access-list 4 permit 192.168.0.0 0.0.255.255  


 

by: billbiv, posted on 2003-07-11 at 03:28:10, ID: 8900913

That makes sense to me.  I was wondering if the static nats would not need to be excluded from the dynamic translation processing.  Is that what these statements essentially do?

 

by: lrmoore, posted on 2003-07-11 at 05:21:27, ID: 8901739

Exactly.

 

by: billbiv, posted on 2003-07-11 at 05:43:45, ID: 8901910

Thank you. I'll let you know as soon as we've modified and tested again. Hopefully this will resolve the issue. I do wonder why only the one IP gets locked down (and even only the one port - 80) and other routes are not affected. The router must somehow be isolating or losing the translation rule for that particular port-specific route. It seems like "losing" the rule makes more sense - it doesn't make sense to me that an IP:port route would get "locked down" per se and then be able to be freed up just by clearing the NAT table, although maybe that is part of the firewall's functionality. I have enjoyed learning more about IP traffic and firewall configs on this issue. Thanks for all of your help!

Bill

 

by: lrmoore, posted on 2003-07-11 at 05:49:46, ID: 8901950

Seems to me that what is happening is that all inbound traffic uses the static - no choice in that matter. Then some outbound traffic from that host tries to use addresses from the nat pool instead of its own static, causing some of these issues. If it's a busy server, it can easily overrun the dynamic nat.
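A config lint for the condition lrmoore describes, written as an added example (not code from this thread or from Cisco): it parses the static NAT entries and the standard ACL behind each overload pool and reports any statically mapped inside host that the pool ACL still permits, before and after the deny entries suggested above. The public addresses are constructed from the 203.0.113.0/24 documentation range.

```python
"""Lint an IOS-style config for inside hosts that hold a static NAT mapping
but are still permitted by the standard ACL feeding a dynamic overload pool.
Added example, not code from the thread; public IPs are constructed."""
import re
from ipaddress import IPv4Address

# Constructed, condensed version of the second config posted above: the
# pool ACL permits all of 192.168/16, the statically mapped servers included.
SAMPLE_CONFIG = """\
ip nat pool cssi-int 203.0.113.217 203.0.113.221 netmask 255.255.255.240
ip nat inside source list 4 pool cssi-int overload
ip nat inside source static 192.168.1.221 203.0.113.216 extendable
ip nat inside source static 192.168.1.204 203.0.113.215 extendable
ip nat inside source static 192.168.1.210 203.0.113.210 extendable
ip nat inside source static 192.168.1.212 203.0.113.212 extendable
access-list 4 permit 192.168.0.0 0.0.255.255
"""

# Same config with the static hosts denied ahead of the permit (the fix above).
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-list 4 permit", "".join(
    f"access-list 4 deny {h} 0.0.0.0\n" for h in
    ("192.168.1.204", "192.168.1.210", "192.168.1.212", "192.168.1.221"))
    + "access-list 4 permit")

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+)$")

def parse_standard_acls(config):
    """Map ACL number -> ordered list of (action, network, wildcard) ints."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, src = m.groups()
        tok = src.split()
        if tok[0] in ("ip", "tcp", "udp", "icmp"):
            continue  # extended ACL syntax, not a NAT source list
        if tok[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif tok[0] == "host":
            net, wild = int(IPv4Address(tok[1])), 0
        else:  # "network wildcard", or a bare address meaning one host
            net, wild = int(IPv4Address(tok[0])), int(IPv4Address(tok[1])) if len(tok) > 1 else 0
        acls.setdefault(name, []).append((action, net, wild))
    return acls

def acl_permits(entries, dotted):
    """First-match evaluation, with IOS's implicit deny at the end of the list."""
    addr = int(IPv4Address(dotted))
    for action, net, wild in entries:
        care = 0xFFFFFFFF ^ wild  # wildcard bits set to 1 are "don't care"
        if addr & care == net & care:
            return action == "permit"
    return False

def parse_static_locals(config):
    """Inside local addresses of all 'ip nat inside source static' entries."""
    found = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            rest = tok[6:] if tok[5] in ("tcp", "udp") else tok[5:]  # port-specific form
            found.append(rest[0])
    return found

def find_pool_overlaps(config):
    """Sorted (inside_local, acl) pairs where a statically mapped host is also
    eligible for the dynamic pool, i.e. its outbound flows may leave via a
    pool address instead of its static one."""
    acls = parse_standard_acls(config)
    statics = parse_static_locals(config)
    dyn = [ln.split()[5] for ln in config.splitlines()
           if ln.split()[:5] == ["ip", "nat", "inside", "source", "list"]]
    return sorted((h, a) for a in dyn for h in statics
                  if acl_permits(acls.get(a, []), h))

if __name__ == "__main__":
    print("before fix:", find_pool_overlaps(SAMPLE_CONFIG))
    print("after fix: ", find_pool_overlaps(FIXED_CONFIG))
```

The same check can be run over a full `show run` capture, since lines that are not NAT statements or standard ACL entries are skipped.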
