Solved

Re-routing behind the firewall

Posted on 2011-03-03
369 Views
Last Modified: 2012-05-11
All IPs and domains below are sample.

I have a domain, asp.test.com.  It currently resolves to 1.1.1.1.  I have a PIX 506e that I thought was routing all 1.1.1.1 traffic to 192.168.1.115.  The .115 server is going away and .120 is coming online.  I wanted to leave the internet's DNS the same so any traffic destined for asp.test.com would go to 1.1.1.1 but I want the PIX to route traffic to the .120 server rather than the .115 server.

I'm using the PIX PDM.  So far I've removed the Translation Rule that I thought sent traffic to the .115 server.  I then added a Translation Rule that should route asp.test.com traffic to the .120 server, Apply and Save.  It's not working.  All traffic still goes to the .115 server.
Question by:Whah
19 Comments
 
LVL 6

Expert Comment

by:DewFreak
ID: 35033207
Post sho run

Author Comment

by:Whah
ID: 35033241
There are a lot of IPs I'd prefer not to post.  Is there something specific I can send?
LVL 6

Expert Comment

by:DewFreak
ID: 35033253
X them out.  Otherwise how can we help?  Let's see your NAT and access rules.

Author Comment

by:Whah
ID: 35033311
Here's the original NAT:
static (inside,outside) 1.1.1.1 192.168.1.115 netmask 255.255.255.255 0 0

Here's the NAT I added:
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0


LVL 6

Expert Comment

by:DewFreak
ID: 35033324
I assume you also updated the access-list:

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq http

Also, do you have the new inside host pointed to the correct gateway address (your firewall)?

Author Comment

by:Whah
ID: 35033328
Here's a screenshot of the Access List. (screenshot: AccessList)

Author Comment

by:Whah
ID: 35033352
I haven't done much with the access list.  I'd like to see access to the .115 server fail so I know my NATing is working correctly.

Yes, the new inside host is configured with the correct gateway.

Author Comment

by:Whah
ID: 35033377
Here's all my static NAT.  I don't understand how any traffic is getting to .115

Result of firewall command: "show static"
static (inside,outside) 1.1.1.12 192.168.12 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.9 192.168.1.175 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.8 192.168.1.119 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.7 192.168.1.114 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.6 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.5 192.168.1.110 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.4 192.168.1.113 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.3 linux_box netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
LVL 6

Expert Comment

by:DewFreak
ID: 35033379
Ok, so I assume you are testing this from an outside source while watching the log?  Have you disabled the webserver on .115 to make sure you aren't seeing cached results?  When you do a sho run from the CLI, you don't see any reference to .115?
LVL 6

Accepted Solution

by:DewFreak (earned 500 total points)
ID: 35033391
Yes, from that it should not be.  Assume you have rebooted the firewall to clear any weird ARP issues.  

Author Comment

by:Whah
ID: 35033427
I have a mobile broadband account and I've added its IP to the acceptable "Host/Networks" tab.  I wasn't able to access the .115 site until I did this.

I'm not watching the log.  I'm not sure what to watch or configure to watch.  I'll see what I can get going.

I disabled the web server and now I get, as expected, an "Unable to connect" page.  When I restart the service I'm back to the old .115 page.

Here's the .115 references:
name 192.168.1.115 IN_asp.test.com
network-object 1.1.1.115 255.255.255.255
access-list outside_access_in permit tcp object-group Access_to_asp.test.com host 1.1.1.115 object-group PublicAccess
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
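As an added example (not from this thread, the PIX, or Cisco), a small Python audit of the `name` and `static` lines quoted above: it resolves PIX aliases such as IN_asp.test.com back to IPs, flags statics that still translate to the retired inside host, and flags a global address mapped to more than one inside host. The config string is constructed from the shape of the lines in the thread, and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the PIX lines quoted in this thread (not a
# real config): an alias for the old host, a static that uses that alias,
# and one global address mapped to two different inside hosts.
SAMPLE_CONFIG = """\
name 192.168.1.115 IN_asp.test.com
name 192.168.1.200 linux_box
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 linux_box netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.115 IN_asp.test.com netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
"""
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\(\w+,\w+\)\s+(\S+)\s+(\S+)")

def parse_names(config):
    """Alias -> IP. The PIX shows aliases in place of IPs, so a text search
    for '.115' can miss a static that still points at the old host."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names

def parse_statics(config, names):
    """(global, inside) pairs from 'static' lines, aliases resolved to IPs."""
    pairs = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            g, inside = m.group(1), m.group(2)
            pairs.append((names.get(g, g), names.get(inside, inside)))
    return pairs

def audit_statics(config, retired_host):
    """Flag statics still mapping to the retired inside host, and globals
    mapped to more than one inside host (conflicting translations)."""
    names = parse_names(config)
    findings, by_global = [], defaultdict(set)
    for g, inside in parse_statics(config, names):
        by_global[g].add(inside)
        if inside == retired_host:
            findings.append(f"{g} still maps to retired host {inside}")
    for g, hosts in sorted(by_global.items()):
        if len(hosts) > 1:
            findings.append(f"{g} mapped to several inside hosts: {sorted(hosts)}")
    return findings
```

Run it against the output of `show static` and the `name` lines from `show run` after the cutover; an empty result for the old host is the check that the .115 server really is out of the translation table.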
LVL 6

Expert Comment

by:DewFreak
ID: 35033440
So, why not remove all references to the old .115 server?

Author Comment

by:Whah
ID: 35033500
It seems the only odd .115 entry looks to be name 192.168.1.115 IN_asp.test.com.  I believe that is just a group name.

I may have described the desired outcome poorly.  Here is a diagram that may be helpful. (diagram: IP)

Author Comment

by:Whah
ID: 35033511
Is there a log that will show what hits the PIX and where the traffic is going?
LVL 6

Expert Comment

by:DewFreak
ID: 35033529
Are you using ASDM?  If so you can view the live log in there and filter easily to watch for traffic on that IP.

Author Comment

by:Whah
ID: 35033555
It doesn't look like it.  Under the logging node I see:  Logging Setup, PDM Logging, Syslog and Others
LVL 2

Expert Comment

by:BITCooler
ID: 35033591
Whah, did you restart / reboot your PIX 506e after you made your changes?


Author Comment

by:Whah
ID: 35033632
I haven't rebooted yet.  I'm thinking that's the next step.  I shouldn't have to though, right?
LVL 6

Expert Comment

by:DewFreak
ID: 35036020
Shouldn't have to but as I said earlier, it never hurts to clear out ARP cache etc.