Solved

How do I set up an incoming static connection to a server on a different subnet?

Posted on 2004-09-19
Last Modified: 2013-11-16
Hi,
I need to set up an incoming connection to a server (192.168.5.26) on one of my subnets for an application vendor. I have a Pix 515 Firewall with a Cisco 2621 Router behind it connecting 5 other subnets. All internet traffic goes through the router to the Pix and then out.

Pix outside IF: xx.xx.232.201
Pix inside IF: 192.168.1.1
Router 192.168.1.2
Local network: 192.168.1.0
other subnets: 2.0, 3.0, 4.0, 5.0, 6.0 (joined through point-to-point T-1s)

Following other questions I found here, I added the following:

static (inside,outside) xx.xx.232.204 192.168.5.26 netmask 255.255.255.255 0 0
access-list test1 permit tcp host xx.xx.61.2 host xx.xx.232.204 eq 3389
access-group test1 in interface outside

Unfortunately, this has not worked. I believe the problem is that the Pix doesn't know how to get a packet to the server at 5.26.
The reason I say this, is because if I change the static command to a server at 192.168.1.25, it works successfully. But it does not get across to 5.26. I am testing this from my home network before I set it up for the vendor.

I do have a:

route inside 192.168.5.0 255.255.255.0 192.168.1.2 1

statement on the Pix (amongst other routes). This has been handling all routing to that subnet all along. I'm thinking that the translation is occurring on the outside interface and not being sent to the inside and therefore to the router at 1.2. Am I right on this?

Whether I'm right or not, how can I get this to work?

Eric
Question by:e_miller53
28 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12098091
If you can ping 192.168.5.26 from the PIX, then the static/acl as you have it should work just like it does with a local server. Client that is trying to connect to this server is outside the pix, host xx.xx.61.2, right?
You're not trying to test it first from an inside host?

Trace the default gateways from the 5.26 server. It points to its local router, that router points over the wan to your 2600, which has a default pointing to the PIX, PIX points out to Internet router outside...

Have you thought about enabling OSPF between your PIX and the 2600 WAN router?
 
LVL 5

Expert Comment

by:epylko
ID: 12098111
Did you do a "clear xlate" after putting in your static?

-Eric
 

Author Comment

by:e_miller53
ID: 12098602
I can ping 5.26 from the Pix, I can also ping 1.1 from 5.26.
Yes, the remote client 61.2 is outside the Pix.
No, I am testing it from outside, through the Internet. If I use 192.168.1.25 as the target server, I have no problem connecting.

Coming from the server 5.26, it goes to the router at 5.1. This connects by T1 to the router at 192.168.1.2 which goes to the Pix at 1.1.

OSPF, no.


Yes, I did do clear xlate after entering the static command.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12098835
And you have verified that Terminal Services is running on 5.26?
Can you connect a term serv session from 1.x  to that server?
 

Author Comment

by:e_miller53
ID: 12098860
Yes, I do have term services running. I also have site-to-site VPNs working to the Pix and I can connect to the 5.26 server with Terminal Services through the VPN. I can also connect from my laptop to the server when I am in the 1.x location. Everything works fine on the inside and works through VPNs. It's just not working with opening the port.
 

Author Comment

by:e_miller53
ID: 12108395
Still looking for answers on this question. Does anyone have any comments?
 
LVL 6

Expert Comment

by:fullerms
ID: 12122066
The problem is 5.26 does not know how to reach the internet source Ip from where you are testing.

I assume that the other subnets are also terminated on this router (192.168.1.2). In that case ensure that the default route for the other subnet routers is pointing to this router and 1.2 has a default route pointing to the pix.

Check the default gateway on the 5.26 box.
Do a trace to the internet source IP from 5.26. It should hit your pix.

If you are using terminal services, are you sure you opened up the right TCP port for the 5.26 NAT IP? (3389)
 

Author Comment

by:e_miller53
ID: 12125274
Thanks for replying, I was beginning to think no one was on-line anymore.  :-)
Here is a traceroute from the server at 5.26 to the Pix. The 255.9 is the serial IF of the router.

Tracing route to 192.168.1.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.5.1
  2     4 ms     5 ms     4 ms  192.168.255.9
  3     4 ms     4 ms     4 ms  192.168.1.1

Trace complete.

The default gateway on 5.26 is 192.168.5.1

Yes, the acl shown above is cut and pasted right from the Pix. It is using 3389.

Yes, the other subnets are terminated on the router at 192.168.1.2

I am using EIGRP on all routers, so they all have the same route information.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12136546
Man, all I can tell you is that it works, as long as the routing is fine. If the pix can ping the host, it can create a static translation and port forward to it. It does not have to be a local host. I'd have to see your complete PIX config to make any more guesses as to why this does not work..
 

Author Comment

by:e_miller53
ID: 12138776
Thank you for replying. I do appreciate all assistance you and the others have given.
Here is the Pix config below. Please note the IP address of the static and the access-list name have changed since what I posted above. The static at xx.xx.232.204 works going to 192.168.1.25 using ssh. The other static for port 3389 has been changed to the 203 address and the acl is changed to bluebird, and it still times out.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password Ww0YZPh.iCQFGluP encrypted
passwd Ww0YZPh.iCQFGluP encrypted
hostname pix.133154-01
domain-name ewaldauto.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20
names
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.50.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.60.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list emiller permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.50.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.60.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list airport permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list airport permit ip 192.168.5.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list airport permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list racine permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list racine permit ip 192.168.5.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list racine permit ip 192.168.10.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list browndeer permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list browndeer permit ip 192.168.5.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list browndeer permit ip 192.168.10.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list bluebird permit tcp host xx.xx.255.8 host xx.xx.232.204 eq ssh
access-list bluebird permit tcp host xx.xx.61.2 host xx.xx.232.203 eq 3389
 
pager lines 24
interface ethernet0 100full
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xx.xx.232.201 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool clients 192.168.200.100-192.168.200.119
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.232.202
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.232.204 192.168.1.25 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.232.203 192.168.5.26 netmask 255.255.255.255 0 0
access-group bluebird in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 xx.xx.232.193 1
route inside 10.138.88.0 255.255.255.0 192.168.1.2 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.50.0 255.255.255.0 192.168.1.2 1
route inside 192.168.60.0 255.255.255.0 192.168.1.2 1
route inside 192.168.100.0 255.255.255.0 192.168.1.10 1
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community black-hole
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map EAG 21 ipsec-isakmp
crypto map EAG 21 match address emiller
crypto map EAG 21 set peer xx.xx.255.8
crypto map EAG 21 set transform-set strong
crypto map EAG 22 ipsec-isakmp
crypto map EAG 22 match address racine
crypto map EAG 22 set peer xx.xx.116.70
crypto map EAG 22 set transform-set strong
crypto map EAG 23 ipsec-isakmp
crypto map EAG 23 match address airport
crypto map EAG 23 set peer xx.xx.116.154
crypto map EAG 23 set transform-set strong
crypto map EAG 24 ipsec-isakmp
crypto map EAG 24 match address browndeer
crypto map EAG 24 set peer xx.xx.116.176
crypto map EAG 24 set transform-set strong
crypto map EAG interface outside
isakmp enable outside
isakmp key ******** address xx.xx.255.8 netmask 255.255.255.255
isakmp key ******** address xx.xx.116.154 netmask 255.255.255.255
isakmp key ******** address xx.xx.116.70 netmask 255.255.255.255
isakmp key ******** address xx.xx.116.176 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh xx.xx.255.8 255.255.255.255 outside
ssh timeout 30
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local clients
vpdn group 1 client configuration dns 192.168.1.25
vpdn group 1 client configuration wins 192.168.1.25
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxx password *********
vpdn username xxxxx password *********
vpdn enable outside
terminal width 80
Cryptochecksum:8a3aedba3712486570ff380bd171aa8e
: end
 

Author Comment

by:e_miller53
ID: 12138813
for lrmoore:
If this config looks vaguely familiar to you, it's because you helped me with a VPN problem a couple of weeks ago. All of those crypto maps and VPN ACLs are because of the assistance you gave me.

Thank You!
 
LVL 6

Expert Comment

by:fullerms
ID: 12140425
You need to have the following to allow inbound access from the internet:

1. Route on your internet router for your public IPs pointing to the PIX outside interface.  -- To be confirmed. Check the subnet mask :-)

2. A static(inside,outside) for the inside IP of the resource being accessed.  -- Okay. Do a show local-h to confirm if it is being natted.

3. An acl outside to permit the inbound connection -- Okay
4. Route inside on the pix for the internal IP -- okay
5. Route outside on the pix for the internet IP -- Okay (Default route)

6. A route on the internal network for the internet IP pointing to the firewall. -- Do a trace from the 5.26 box to the internet IP, not the 192.168.1.1 IP. Check whether the default route is being distributed in your eigrp cloud.

Verify whether you are trying for the correct internet IP when testing. We have had situations where the nat ip was different from the IP we were testing from the internet. :-)
 

Author Comment

by:e_miller53
ID: 12142076
Thank you for your reply. I will have to check this out later this afternoon and get back to you. Got a busy day today.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12142140
One other issue to look at is that you have both conduit and acl.
You can't have both. Suggest removing the conduit completely.

     >access-group bluebird in interface outside
     >conduit permit icmp any any
 

Author Comment

by:e_miller53
ID: 12149331
> 1. Route on your internet router for your public IPs pointing to the PIX outside interface.  -- To be confirmed. Check the subnet mask :-)
Still attempting to confirm this.

> 2. A static(inside,outside) for the inside IP of the resource being accessed.  -- Okay. Do a show local-h to confirm if it is being natted.

local host: <192.168.5.26>, conn(s)/limit = 0/0, embryonic(s)/limit = 0/0
  AAA:
  Xlate(s):
    Global 69.11.232.203 Local 192.168.5.26
  Conn(s):

This appears to confirm the translation.

> 6. A route on the internal network for the internet IP pointing to the firewall. -- Do a trace from the 5.26 box to the internet IP, not the 192.168.1.1 IP. Check whether the default route is being distributed in your eigrp cloud.

By internet IP, do you mean the xx.xx.232.203 address? I'm not sure I understand this statement. Here is the result of:
sh ip route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

D EX 206.120.32.0/24 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
     xx.0.0.0/32 is subnetted, 1 subnets
S       xx.xx.232.203 [1/0] via 192.168.1.1
D    192.168.30.0/24 [90/2174976] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.60.0/24 [90/1766912] via 192.168.255.14, 5w2d, Serial1/1
S    192.168.8.0/24 [1/0] via 192.168.1.1
S    192.168.10.0/24 [1/0] via 192.168.1.10
     205.239.188.0/32 is subnetted, 1 subnets
D EX    205.239.188.11 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.4.0/24 [90/2172416] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.20.0/24 [90/1764352] via 192.168.255.2, 5w6d, Serial1/0
D    192.168.5.0/24 [90/2172416] via 192.168.255.10, 5w6d, Serial0/0
     198.208.187.0/32 is subnetted, 1 subnets
D EX    198.208.187.154 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
     10.0.0.0/24 is subnetted, 1 subnets
D       10.138.88.0 [90/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.6.0/24 [90/1764352] via 192.168.255.14, 5w2d, Serial1/1
     192.168.255.0/24 is variably subnetted, 5 subnets, 2 masks
C       192.168.255.4/30 is directly connected, Serial0/1.16
D       192.168.255.0/24
           [90/1766912] via 192.168.1.10, 04:37:56, FastEthernet0/0
C       192.168.255.0/30 is directly connected, Serial1/0
C       192.168.255.12/30 is directly connected, Serial1/1
C       192.168.255.8/30 is directly connected, Serial0/0
D    192.168.50.0/24 [90/2174976] via 192.168.255.10, 5w6d, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
D    192.168.2.0/24 [90/1764352] via 192.168.255.2, 5w6d, Serial1/0
     207.37.182.0/32 is subnetted, 4 subnets
D EX    207.37.182.30 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D EX    207.37.182.12 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D EX    207.37.182.11 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D EX    207.37.182.36 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.100.0/24 [90/2174976] via 192.168.1.10, 04:37:51, FastEthernet0
D    192.168.3.0/24 [90/2172416] via 192.168.255.6, 5w6d, Serial0/1.16
S*   0.0.0.0/0 [1/0] via 192.168.1.1

If I understand this process correctly, when a packet comes into the Pix outside interface (source xx.xx.255.8, dst xx.xx.232.203) the pix strips off the destination address and replaces it with the translated internal address, 192.168.5.26 and sends it to the internal router at 1.2. This router knows to send it to the network at 5.0. When the packet is sent back by 5.26 to xx.xx.255.8, is it again translated, or does it even matter if dst is xx.xx.255.8 and src is 192.168.5.26? Or is it translated to the outside interface xx.xx.232.201?

This stuff gives me a headache   :-)
 

Author Comment

by:e_miller53
ID: 12149337
lrmoore:

I removed the conduit statement, but it hasn't made any difference. It was put in there by the original vendor; I have no idea why it was included. I had noticed it, but it didn't seem to be doing any harm, so I left it alone.
 

Author Comment

by:e_miller53
ID: 12149344
to fullerms:

I forgot to mention I tried to put in a static route for the 232.203 address. It didn't make any difference, so I removed it. But you will see it above in the ip route table.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12150071
>D    192.168.5.0/24 [90/2172416] via 192.168.255.10, 5w6d, Serial0/0

Can you provide sho ip route from that router that connects directly to the server in question?
Can you provide C:\>route print from the server itself?
 

Author Comment

by:e_miller53
ID: 12150376
This is from the router at 192.168.5.1:

Gateway of last resort is 192.168.255.9 to network 0.0.0.0

D EX 206.120.32.0/24 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D    192.168.30.0/24 [90/2686976] via 192.168.255.9, 5w6d, Serial0
D    192.168.60.0/24 [90/2686976] via 192.168.255.9, 5w2d, Serial0
D EX 192.168.8.0/24 [170/2172416] via 192.168.255.9, 3w4d, Serial0
D EX 192.168.10.0/24 [170/2172416] via 192.168.255.9, 5w6d, Serial0
     205.239.188.0/32 is subnetted, 1 subnets
D EX    205.239.188.11 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D    192.168.4.0/24 [90/2684416] via 192.168.255.9, 5w6d, Serial0
D    192.168.20.0/24 [90/2684416] via 192.168.255.9, 5w6d, Serial0
C    192.168.5.0/24 is directly connected, FastEthernet0
     198.208.187.0/32 is subnetted, 1 subnets
D EX    198.208.187.154 [170/2710016] via 192.168.255.9, 5w6d, Serial0
     10.0.0.0/24 is subnetted, 1 subnets
D       10.138.88.0 [90/2710016] via 192.168.255.9, 5w6d, Serial0
D    192.168.6.0/24 [90/2684416] via 192.168.255.9, 5w2d, Serial0
     192.168.255.0/24 is variably subnetted, 5 subnets, 2 masks
D       192.168.255.4/30 [90/2681856] via 192.168.255.9, 5w6d, Serial0
D       192.168.255.0/24 [90/2686976] via 192.168.255.9, 13:44:38, Serial0
D       192.168.255.0/30 [90/2681856] via 192.168.255.9, 5w6d, Serial0
D       192.168.255.12/30 [90/2681856] via 192.168.255.9, 5w2d, Serial0
C       192.168.255.8/30 is directly connected, Serial0
D    192.168.50.0/24 [90/30720] via 192.168.5.10, 7w0d, FastEthernet0
D    192.168.1.0/24 [90/2172416] via 192.168.255.9, 5w6d, Serial0
D    192.168.2.0/24 [90/2684416] via 192.168.255.9, 5w6d, Serial0
     207.37.182.0/32 is subnetted, 4 subnets
D EX    207.37.182.30 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D EX    207.37.182.12 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D EX    207.37.182.11 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D EX    207.37.182.36 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D    192.168.100.0/24 [90/2686976] via 192.168.255.9, 13:44:33, Serial0
D    192.168.3.0/24 [90/2684416] via 192.168.255.9, 5w6d, Serial0
S*   0.0.0.0/0 [1/0] via 192.168.255.9

And here is route print from the server at 192.168.5.26:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 02 b3 ea 6b 17 ...... Intel(R) PRO/1000 MT Network Connection
0x10004 ...00 02 b3 ea 6a d0 ...... Intel(R) PRO/100 Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.5.1     192.168.5.26     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.5.0    255.255.255.0     192.168.5.26     192.168.5.26     20
     192.168.5.26  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.5.255  255.255.255.255     192.168.5.26     192.168.5.26     20
        224.0.0.0        240.0.0.0     192.168.5.26     192.168.5.26     20
  255.255.255.255  255.255.255.255     192.168.5.26            10003      1
  255.255.255.255  255.255.255.255     192.168.5.26     192.168.5.26      1
Default Gateway:       192.168.5.1
===========================================================================
Persistent Routes:
  None
 
LVL 79

Expert Comment

by:lrmoore
ID: 12150425
Dagnabbit....
Looks like all the pieces of the puzzle are in place.

>access-list bluebird permit tcp host xx.xx.61.2 host xx.xx.232.203 eq 3389
You have validated again the source IP in this ACL?

Have you tried:
access-list bluebird permit tcp any host xx.xx.232.203 eq 3389
Then re-apply the acl
  access-group bluebird in interface outside


 

Author Comment

by:e_miller53
ID: 12150478
> Have you tried:
> access-list bluebird permit tcp any host xx.xx.232.203 eq 3389
> Then re-apply the acl
>   access-group bluebird in interface outside

Just tried that, still get the same result. I removed the entire ACL and just used your example.


> You have validated again the source IP in this ACL?
The vendor has assured me this is the correct ip. However, that is not an issue yet. I am testing this from my home network, so substitute xx.xx.255.8 for the other ip. I also set up the other static from 255.8 to a different server at 1.25 using ssh. This one works, so I know the statements are right.

access-list bluebird permit tcp host xx.xx.255.8 host xx.xx.232.204 eq ssh
access-list bluebird permit tcp host xx.xx.255.8 host xx.xx.232.203 eq 3389
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 12150490
OK. Last hope. You're using 6.2(2) and there are some known issues with static xlates. Save your config and do a hard reboot (power off, wait 1 minute) of the PIX.
If that does not fix it, suggest upgrading. The latest is 6.3(4)
 

Author Comment

by:e_miller53
ID: 12150558
I've been coming to the same conclusions myself. I suggested to the vendor we do a site to site VPN (I've got the hang of those things now!). If they are still reluctant to do that, I may have to consider upgrading the Pix. This is not something I am going to be able to do right away. I will have to wait until Monday to try the hard reboot, I will post the results of that and then close the question.

Thank you and fullerms for all of your assistance, it is appreciated.
 
LVL 6

Assisted Solution

by:fullerms
fullerms earned 250 total points
ID: 12157758
"When the packet is sent back by 5.26 to xx.xx.255.8, is it again translated, or does it even matter if dst is xx.xx.255.8 and src is 192.168.5.26? Or is it translated to the outside interface xx.xx.232.201?"

Translation is done on a per interface basis. That way, the same internal IP can have a different NAT IP for different zones on your firewall

Before upgrading the IOS, try these steps

1. Do a trace from 5.26 to any valid internet IP, or xx.xx.61.2. It should hit your pix. This should confirm if default routing is ok.

2. Add an ACL entry to permit icmp from your internet router to the 5.26 NAT IP (x.x.232.203), and then do a trace from your internet router. This should confirm if the inbound routing is okay. Or better, permit ICMP from x.x.61.2 and then do a trace from your home network.

3. I did a trace to x.x.232.203, and it drops at 69.11.232.146. Ideally, the trace should drop at your internet router. Check if this is happening.

If all this fails, please post a diagram of your network, along with relevant configs of the devices on the network. This should work without an IOS upgrade or a reboot.
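The inbound path that the question and the checklist above turn on (interface ACL, static untranslate, inside route lookup on the way in; the static's global address on the way out), as an added example that is not from this thread and not Cisco code. It parses a constructed excerpt of the posted config in which 203.0.113.x and 198.51.100.x are documentation placeholders for the masked xx.xx.232.x, xx.xx.61.2 and xx.xx.255.8 addresses; PORT_NAMES, parse_config, best_route, inbound and reply_source are names chosen here, and the PIX 6.x order of operations it models is the one the thread reasons through.

```python
"""Added example (not from the thread and not Cisco code): a model of the PIX 6.x
inbound path for a static translation, run against a constructed excerpt of the
posted config. 203.0.113.x and 198.51.100.x are documentation placeholders for
the masked xx.xx.232.x, xx.xx.61.2 and xx.xx.255.8 addresses."""
import ipaddress

PORT_NAMES = {"ssh": 22}          # PIX accepts service names in 'eq'
PIX_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.202
static (inside,outside) 203.0.113.204 192.168.1.25 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.203 192.168.5.26 netmask 255.255.255.255 0 0
access-list bluebird permit tcp host 198.51.100.8 host 203.0.113.204 eq ssh
access-list bluebird permit tcp host 198.51.100.2 host 203.0.113.203 eq 3389
access-group bluebird in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.193 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
"""

def _addr(tok, i):
    """PIX address spec at tok[i]: 'any', 'host A', or 'NET MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Pull the NAT, ACL and routing statements an inbound connection depends on."""
    cfg = {"statics": [], "acls": {}, "groups": {}, "routes": [], "pat": None}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "static":          # static (real,mapped) GLOBAL LOCAL netmask MASK
            real_if, mapped_if = w[1].strip("()").split(",")
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "global": w[2], "local": w[3]})
        elif w[0] == "access-list":   # access-list NAME permit PROTO SRC DST [eq PORT]
            src, i = _addr(w, 4)
            dst, i = _addr(w, i)
            port = None
            if i < len(w) and w[i] == "eq":
                port = PORT_NAMES.get(w[i + 1]) or int(w[i + 1])
            cfg["acls"].setdefault(w[1], []).append(
                {"action": w[2], "proto": w[3], "src": src, "dst": dst, "port": port})
        elif w[0] == "access-group":  # access-group NAME in interface IFACE
            cfg["groups"][w[4]] = w[1]
        elif w[0] == "route" or w[:2] == ["ip", "address"]:
            # a static route, or the connected subnet of an interface address
            iface, net, gw = ((w[1], f"{w[2]}/{w[3]}", w[4]) if w[0] == "route"
                              else (w[2], f"{w[3]}/{w[4]}", "connected"))
            cfg["routes"].append({"iface": iface, "gw": gw,
                                  "net": ipaddress.ip_network(net, strict=False)})
        elif w[0] == "global":        # global (outside) 1 PAT_ADDRESS
            cfg["pat"] = w[3]
    return cfg

def best_route(routes, host):
    """Longest-prefix match over the parsed routes, connected ones included."""
    ip = ipaddress.ip_address(host)
    return max((r for r in routes if ip in r["net"]),
               key=lambda r: r["net"].prefixlen, default=None)

def inbound(cfg, src, dst, proto, dport, iface="outside"):
    """One inbound packet: interface ACL (matched on the global address, as PIX 6.x
    does), static untranslate, then inside route lookup. Returns (verdict, why)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    entries = cfg["acls"].get(cfg["groups"].get(iface), [])
    hit = next((e for e in entries if e["proto"] in (proto, "ip") and s in e["src"]
                and d in e["dst"] and e["port"] in (None, dport)), None)
    if hit is None or hit["action"] != "permit":
        return "drop", f"acl: nothing on {iface} permits {src} -> {dst}/{dport}"
    st = next((x for x in cfg["statics"] if x["global"] == dst and x["mapped_if"] == iface), None)
    if st is None:
        return "drop", f"xlate: no static for {dst}"
    rt = best_route(cfg["routes"], st["local"])
    if rt is None or rt["iface"] != st["real_if"]:
        return "drop", f"route: no {st['real_if']} route for {st['local']}"
    return "forward", f"{dst} -> {st['local']} via {rt['gw']} on {rt['iface']}"

def reply_source(cfg, inside_host):
    """A static is bidirectional: the server's reply leaves with the static's global
    address, not the PAT global and not the outside interface address."""
    st = next((x for x in cfg["statics"] if x["local"] == inside_host), None)
    return st["global"] if st else cfg["pat"]
```

Removing the `route inside 192.168.5.0` line from the excerpt makes `inbound` fail at the route step rather than the ACL step, which is the distinction the thread spends most of its time on.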
 

Author Comment

by:e_miller53
ID: 12161997
I will try that later this afternoon and post the results.

Thanks
 

Author Comment

by:e_miller53
ID: 12165580
I seem to have found a new problem. I am not able to ping an outside IP address from 5.26 or any other internal address. That did work last week. I shouldn't have to have anything in place to allow outgoing pings, but they don't seem to be getting out of the Pix.

Here is the trace to the 232.203 address. I added an icmp statement to the acl to allow this.

C:\>tracert xx.xx.232.203

Tracing route to 203.xxxxxxx.com [xx.xx.232.203]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.8.1
  2    11 ms    10 ms    11 ms  10.50.192.1
  3    10 ms     9 ms     9 ms  pos0-0.milwwignfl-rtr1.wi.rr.com [24.160.225.101]
  4    12 ms    11 ms    11 ms  so0-1-0.chcgilL3-rtr1.kc.rr.com [24.94.160.21]
  5    10 ms     9 ms    17 ms  pop1-chi-P7-0.atdn.net [66.185.136.109]
  6    12 ms    20 ms    11 ms  Sprint.atdn.net [66.185.150.218]
  7    12 ms    12 ms    11 ms  sl-bb22-chi-5-0.sprintlink.net [144.232.20.90]
  8    12 ms    28 ms    13 ms  sl-gw33-chi-9-0.sprintlink.net [144.232.26.22]
  9    15 ms    15 ms    15 ms  sl-tdste-3-0.sprintlink.net [160.81.225.142]
 10    69 ms    66 ms    75 ms  mdtnwialcor52-gi4-7.network.tds.net [64.50.226.221]
 11    64 ms    66 ms    66 ms  mdtnwialhed54-gi0-1.network.tds.net [64.50.226.206]
 12    66 ms    66 ms    69 ms  nwblwiedg02-a1-0-70090.network.tds.net [204.246.0.34]
 13    76 ms    70 ms    68 ms  nwblwiedg01-fa4-0.network.tds.net [xx.xx.239.4]
 14    86 ms    72 ms    71 ms  h69-11-233-18.69-11.unk.tds.net [xx.xx.233.18]
 15    77 ms    72 ms    72 ms  q.gmtcom.com [xx.xx.232.29]
 16   107 ms   113 ms    96 ms  gw.xxxxx.com [xx.xx.232.146]
 17    84 ms    76 ms    76 ms  203.xxxxx.com [xx.xx.232.203]
 18    82 ms    86 ms    81 ms  203.xxxxx.com [xx.xx.232.203]
 19    94 ms    82 ms    92 ms  203.xxxxx.com [xx.xx.232.203]

Trace complete.

Even though I can now ping the 203 address, Remote Desktop still does not work.
 

Author Comment

by:e_miller53
ID: 12166400
Fixed ping problem. Since adding the acl to support these static translations, icmp stopped working. I added appropriate statements to the acl to allow ping.

I can successfully ping and traceroute to any internet address from the 5.26 server.
 

Author Comment

by:e_miller53
ID: 12174437
The vendor and I have decided to give up on resolving this issue. We set up a site to site VPN this morning and everything is working fine. Thanks to both of you for your assistance. I decided to split the points equally between you for all of the responses you provided me.