Solved

Re-routing behind the firewall

Posted on 2011-03-03 | 360 Views | Last Modified: 2012-05-11
All IPs and domains below are sample.

I have a domain, asp.test.com.  It currently resolves to 1.1.1.1.  I have a PIX 506e that I thought was routing all 1.1.1.1 traffic to 192.168.1.115.  The .115 server is going away and .120 is coming online.  I wanted to leave the internet's DNS the same so any traffic destined for asp.test.com would go to 1.1.1.1 but I want the PIX to route traffic to the .120 server rather than the .115 server.

I'm using the PIX PDM.  So far I've removed the Translation Rule that I thought sent traffic to the .115 server.  I then added a Translation Rule that should route asp.test.com traffic to the .120 server, Apply and Save.  It's not working.  All traffic still goes to the .115 server.
Question by:Whah
19 Comments
 
LVL 6

Expert Comment

by:DewFreak
ID: 35033207
Post sho run

Author Comment

by:Whah
ID: 35033241
There are a lot of IPs I'd prefer not to post.  Is there something specific I can send?
LVL 6

Expert Comment

by:DewFreak
ID: 35033253
X them out.  Otherwise how can we help?  Let's see your NAT and access rules.
Author Comment

by:Whah
ID: 35033311
Here's the original NAT:
static (inside,outside) 1.1.1.1 192.168.1.115 netmask 255.255.255.255 0 0

Here's the NAT I added:
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0


LVL 6

Expert Comment

by:DewFreak
ID: 35033324
I assume you also updated the access-list:

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq http

Also, do you have the new inside host pointed to the correct gateway address (your firewall)?
Author Comment

by:Whah
ID: 35033328
Here's a screenshot of the Access List. [screenshot: AccessList]
Author Comment

by:Whah
ID: 35033352
I haven't done much with the access list.  I'd like to see access to the .115 server fail so I know my NATing is working correctly.

Yes, the new inside host is configured with the correct gateway.
Author Comment

by:Whah
ID: 35033377
Here's all my static NAT.  I don't understand how any traffic is getting to .115.

Result of firewall command: "show static"
static (inside,outside) 1.1.1.12 192.168.12 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.9 192.168.1.175 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.8 192.168.1.119 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.7 192.168.1.114 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.6 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.5 192.168.1.110 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.4 192.168.1.113 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.3 linux_box netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
LVL 6

Expert Comment

by:DewFreak
ID: 35033379
Ok, so I assume you are testing this from an outside source watching the log?  Have you disabled the webserver on .115 to make sure you aren't seeing cached results?  When you do a sho run from the CLI you don't see any reference to .115?
LVL 6

Accepted Solution

by: DewFreak (earned 500 total points)
ID: 35033391
Yes, from that it should not be.  Assume you have rebooted the firewall to clear any weird ARP issues.  
Author Comment

by:Whah
ID: 35033427
I have a mobile broadband account and I've added its IP to the acceptable "Host/Networks" tab.  I wasn't able to access the .115 site until I did this.

I'm not watching the log.  I'm not sure what to watch or configure to watch.  I'll see what I can get going.

I disabled the web server and now I get, as expected, an "Unable to connect" page.  When I restart the service I'm back to the old .115 page.

Here's the .115 references:
name 192.168.1.115 IN_asp.test.com
network-object 1.1.1.115 255.255.255.255
access-list outside_access_in permit tcp object-group Access_to_asp.test.com host 1.1.1.115 object-group PublicAccess
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
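As an added example, not code from the thread or from either participant: a small Python audit over PIX-style configuration lines such as the ones quoted above. It parses `name`, `static` and `access-list` lines, resolves `name` aliases to addresses, and reports (1) a global address claimed by more than one static, (2) any line that still refers to the retired inside host directly or through an alias, and (3) ACL `host` entries that no static translates. The first sample is constructed from the lines posted in this thread (the thread's sample addresses only); the second adds the original 1.1.1.1 to 192.168.1.115 static back so the duplicate check fires.

```python
import re
from collections import defaultdict

# Constructed sample: the name alias, statics and ACL lines quoted in this thread
# (sample addresses only), reflecting the state after the old 1.1.1.1 static was removed.
CURRENT_CONFIG = """\
name 192.168.1.115 IN_asp.test.com
static (inside,outside) 1.1.1.2 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
network-object 1.1.1.115 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq http
access-list outside_access_in permit tcp object-group Access_to_asp.test.com host 1.1.1.115 object-group PublicAccess
"""

# Constructed "before" state: the original static for the old server is still present.
STALE_CONFIG = CURRENT_CONFIG + \
    "static (inside,outside) 1.1.1.1 192.168.1.115 netmask 255.255.255.255 0 0\n"

NAME_RE = re.compile(r"^name (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_HOST_RE = re.compile(r"\bhost (\S+)")


def parse_config(text):
    """Return (aliases, statics, acl_hosts) from PIX-style config lines."""
    aliases = {}     # name alias -> IP
    statics = []     # (global token, local token)
    acl_hosts = []   # (acl line, host token)
    for line in text.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            aliases[m.group(2)] = m.group(1)
        elif m := STATIC_RE.match(line):
            statics.append((m.group(3), m.group(4)))
        elif line.startswith("access-list"):
            acl_hosts.extend((line, h) for h in ACL_HOST_RE.findall(line))
    return aliases, statics, acl_hosts


def audit(text, old_host, new_host):
    """Report NAT/ACL inconsistencies after moving a service from old_host to new_host."""
    aliases, statics, acl_hosts = parse_config(text)

    def resolve(token):
        # A 'name' alias may stand in for an address anywhere in the config.
        return aliases.get(token, token)

    findings = []

    # 1. Two statics claiming the same global address: only one can be honoured.
    by_global = defaultdict(list)
    for g, l in statics:
        by_global[resolve(g)].append(resolve(l))
    for g, locals_ in by_global.items():
        if len(locals_) > 1:
            findings.append(f"global {g} mapped to multiple inside hosts: {locals_}")

    # 2. Anything still naming the retired host, directly or through a 'name' alias.
    old_aliases = {a for a, ip in aliases.items() if ip == old_host}
    for line in text.splitlines():
        tokens = set(line.split())
        if old_host in tokens or tokens & old_aliases:
            findings.append(f"still references {old_host}: {line.strip()}")

    # 3. ACL entries permitting a global that no static translates (traffic would be dropped).
    for line, h in acl_hosts:
        if resolve(h) not in by_global:
            findings.append(f"ACL permits {h} but no static maps it: {line}")

    globals_to_new = sorted(g for g, l in by_global.items() if new_host in l)
    return {"findings": findings, "globals_to_new_host": globals_to_new}


if __name__ == "__main__":
    for label, cfg in (("current", CURRENT_CONFIG), ("stale", STALE_CONFIG)):
        report = audit(cfg, "192.168.1.115", "192.168.1.120")
        print(f"[{label}] globals now pointing at .120: {report['globals_to_new_host']}")
        for finding in report["findings"]:
            print(f"[{label}] {finding}")
```

On the thread's current configuration the only finding is the `name 192.168.1.115 IN_asp.test.com` line; a `name` is an alias usable in ACL and object lines, so it keeps the old host addressable even when no static points at it, which is why it is worth removing along with the rest.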
LVL 6

Expert Comment

by:DewFreak
ID: 35033440
So, why not remove all references to the old .115 server?
Author Comment

by:Whah
ID: 35033500
It seems the only odd .115 entry looks to be name 192.168.1.115 IN_asp.test.com.  I believe that is just a group name.

I may have described the desired outcome poorly.  Here is a diagram that may be helpful. [diagram: IP]
Author Comment

by:Whah
ID: 35033511
Is there a log that will show what hits the PIX and where the traffic is going?
LVL 6

Expert Comment

by:DewFreak
ID: 35033529
Are you using ASDM?  If so you can view the live log in there and filter easily to watch for traffic on that IP.
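As an added example, not from the thread or its participants: a Python parser for the syslog lines a PIX emits when it builds an inbound connection or drops one on an access-list, so the "which inside host is 1.1.1.1 actually reaching" question can be answered from the log rather than from a browser. The message layouts follow the 302013 (connection built) and 106023 (denied by access-group) formats as I know them from PIX/ASA syslog; the field order is an assumption to check against your own unit, and the log lines are constructed (thread sample addresses, plus 203.0.113.0/24 and 198.51.100.0/24 documentation ranges for outside clients), not captured from the asker's firewall.

```python
import re
from collections import Counter

# Constructed sample log. Layout follows the PIX/ASA 302013 (built) and 106023 (deny)
# messages; treat the exact field order as an assumption and compare with real output.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.168.1.115/80 (1.1.1.1/80)
%PIX-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.5/51235 (203.0.113.5/51235) to inside:192.168.1.115/80 (1.1.1.1/80)
%PIX-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.9/40000 (203.0.113.9/40000) to inside:192.168.1.120/80 (1.1.1.1/80)
%PIX-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.9/40001 (203.0.113.9/40001) to inside:192.168.1.200/443 (1.1.1.2/443)
%PIX-4-106023: Deny tcp src outside:198.51.100.7/6000 dst inside:1.1.1.1/80 by access-group "outside_access_in"
"""

BUILT_RE = re.compile(
    r"%PIX-6-302013: Built inbound (\w+) connection (\d+) for "
    r"(\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\) to "
    r"(\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)"
)
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (\w+) src (\w+):([\d.]+)/(\d+) '
    r'dst (\w+):([\d.]+)/(\d+) by access-group "?([^"\s]+)"?'
)


def parse_line(line):
    """Classify one syslog line as a built connection, an ACL deny, or None."""
    if m := BUILT_RE.search(line):
        # real_dst is the inside host the translation delivered to; mapped_dst is the public IP.
        return {"kind": "built", "src": m.group(4), "real_dst": m.group(9),
                "mapped_dst": m.group(11), "port": int(m.group(12))}
    if m := DENY_RE.search(line):
        return {"kind": "deny", "src": m.group(3), "mapped_dst": m.group(6),
                "port": int(m.group(7)), "acl": m.group(8)}
    return None


def where_does_it_land(log_text, global_ip):
    """For one public (mapped) address, tally which inside host received each built
    connection and how many attempts the access-list dropped."""
    inside_hosts = Counter()
    denied = 0
    sources = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["mapped_dst"] != global_ip:
            continue
        sources.add(rec["src"])
        if rec["kind"] == "built":
            inside_hosts[rec["real_dst"]] += 1
        else:
            denied += 1
    return {"inside_hosts": dict(inside_hosts), "denied": denied,
            "sources": sorted(sources)}


if __name__ == "__main__":
    print(where_does_it_land(SAMPLE_LOG, "1.1.1.1"))
```

A split tally like the .115/.120 one in the sample is what you would expect when connections are still riding translation entries created before the static was changed; on the PIX the `clear xlate` command flushes those entries so new connections follow the current static, which is also why a reload appears to fix the problem.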

Author Comment

by:Whah
ID: 35033555
It doesn't look like it.  Under the logging node I see: Logging Setup, PDM Logging, Syslog and Others.
LVL 2

Expert Comment

by:BITCooler
ID: 35033591
Whah, did you restart / reboot your PIX 506e after you made your changes?

Author Comment

by:Whah
ID: 35033632
I haven't rebooted yet.  I'm thinking that's the next step.  I shouldn't have to though, right?
LVL 6

Expert Comment

by:DewFreak
ID: 35036020
Shouldn't have to but as I said earlier, it never hurts to clear out ARP cache etc.