Whah (ASKER):
Re-routing behind the firewall

All IPs and domains below are sample.

I have a domain, asp.test.com.  It currently resolves to 1.1.1.1.  I have a PIX 506e that I thought was routing all 1.1.1.1 traffic to 192.168.1.115.  The .115 server is going away and .120 is coming online.  I wanted to leave the internet's DNS the same so any traffic destined for asp.test.com would go to 1.1.1.1 but I want the PIX to route traffic to the .120 server rather than the .115 server.

I'm using the PIX PDM.  So far I've removed the Translation Rule that I thought sent traffic to the .115 server.  I then added a Translation Rule that should route asp.test.com traffic to the .120 server, Apply and Save.  It's not working.  All traffic still goes to the .115 server.
DewFreak:

Post sho run
Whah (ASKER):
There are a lot of IPs I'd prefer not to post.  Is there something specific I can send?
X them out.  Otherwise how can we help?  Let's see your NAT and access rules.
Whah (ASKER):
Here's the original NAT:
static (inside,outside) 1.1.1.1 192.168.1.115 netmask 255.255.255.255 0 0

Here's the NAT I added:
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0


I assume you also updated the access-list:

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq http

Also, do you have the new inside host pointed to the correct gateway address (your firewall)?
Whah (ASKER):
Here's a screenshot of the Access List. [screenshot not reproduced]
Whah (ASKER):
I haven't done much with the access list.  I'd like to see access to the .115 server fail so I know my NATing is working correctly.

Yes, the new inside host is configured with the correct gateway.
Whah (ASKER):
Here's all my static NAT.  I don't understand how any traffic is getting to .115.

Result of firewall command: "show static"
static (inside,outside) 1.1.1.12 192.168.12 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.9 192.168.1.175 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.8 192.168.1.119 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.7 192.168.1.114 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.6 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.5 192.168.1.110 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.4 192.168.1.113 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.3 linux_box netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
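As an added helper (not code from the thread or from Cisco), this Python script parses `name` and `static` lines of the kind posted above, resolves name aliases, and answers the two questions being chased here: which inside host a given global address maps to, and which config lines still reference the retiring host by address or alias. The config text is constructed for the example and uses the thread's sample addresses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the lines posted in this thread. A 'name' line
# aliases the retiring host, and one static still references that alias.
SAMPLE_CONFIG = """\
name 192.168.1.115 IN_asp.test.com
static (inside,outside) 1.1.1.3 linux_box netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.115 IN_asp.test.com netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 1.1.1.1 eq http
access-list outside_access_in permit tcp any host 1.1.1.115 eq http
"""

NAME_RE = re.compile(r"^name (?P<ip>\S+) (?P<alias>\S+)")
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<gip>\S+) (?P<lip>\S+) netmask"
)

def parse_names(config: str) -> Dict[str, str]:
    """Map each 'name' alias to the address it stands for."""
    names: Dict[str, str] = {}
    for line in config.splitlines():
        m = NAME_RE.match(line)
        if m:
            names[m["alias"]] = m["ip"]
    return names

def parse_statics(config: str) -> Dict[str, str]:
    """Return {global_ip: inside_ip} from static NAT lines, aliases resolved."""
    names = parse_names(config)
    statics: Dict[str, str] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics[m["gip"]] = names.get(m["lip"], m["lip"])
    return statics

def inside_host_for(config: str, global_ip: str) -> Optional[str]:
    """Which inside host does traffic for this global address land on?"""
    return parse_statics(config).get(global_ip)

def lines_referencing(config: str, inside_ip: str) -> List[str]:
    """Config lines that still mention a host, by address or any 'name' alias."""
    names = parse_names(config)
    tokens = {alias for alias, ip in names.items() if ip == inside_ip} | {inside_ip}
    return [ln for ln in config.splitlines() if any(t in tokens for t in ln.split())]
```

Feed it the text of `show run` (or `show static` plus the `name` lines) to list every leftover reference to the old server before deciding which to remove.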
Ok, so I assume you are testing this from an outside source watching the log?  Have you disabled the web server on .115 to make sure you aren't seeing cached results?  When you do a sho run from the CLI, you don't see any reference to .115?
ASKER CERTIFIED SOLUTION
DewFreak:

This solution is only available to members.
Whah (ASKER):
I have a mobile broadband account and I've added its IP to the acceptable "Host/Networks" tab.  I wasn't able to access the .115 site until I did this.

I'm not watching the log.  I'm not sure what to watch or configure to watch.  I'll see what I can get going.

I disabled the web server and now I get, as expected, an "Unable to connect" page.  When I restart the service I'm back to the old .115 page.

Here's the .115 references:
name 192.168.1.115 IN_asp.test.com
network-object 1.1.1.115 255.255.255.255
access-list outside_access_in permit tcp object-group Access_to_asp.test.com host 1.1.1.115 object-group PublicAccess
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
So, why not remove all references to the old .115 server?
Whah (ASKER):
It seems the only odd .115 entry looks to be name 192.168.1.115 IN_asp.test.com.  I believe that is just a group name.

I may have described the desired outcome poorly.  Here is a diagram that may be helpful. [diagram not reproduced]
Whah (ASKER):
Is there a log that will show what hits the PIX and where the traffic is going?
Are you using ASDM?  If so you can view the live log in there and filter easily to watch for traffic on that IP.
Whah (ASKER):
It doesn't look like it.  Under the logging node I see: Logging Setup, PDM Logging, Syslog and Others.
Whah, did you restart / reboot your PIX 506e after you made your changes?

Whah (ASKER):
I haven't rebooted yet.  I'm thinking that's the next step.  I shouldn't have to though, right?
Shouldn't have to but as I said earlier, it never hurts to clear out ARP cache etc.