Re-routing behind the firewall

All IPs and domains below are sample.

I have a domain, asp.test.com.  It currently resolves to 1.1.1.1.  I have a PIX 506e that I thought was routing all 1.1.1.1 traffic to 192.168.1.115.  The .115 server is going away and .120 is coming online.  I wanted to leave the internet's DNS the same so any traffic destined for asp.test.com would go to 1.1.1.1 but I want the PIX to route traffic to the .120 server rather than the .115 server.

I'm using the PIX PDM.  So far I've removed the Translation Rule that I thought sent traffic to the .115 server.  I then added a Translation Rule that should route asp.test.com traffic to the .120 server, Apply and Save.  It's not working.  All traffic still goes to the .115 server.
DewFreak commented:
Post sho run

Whah (Author) commented:
There are a lot of IPs I'd prefer not to post.  Is there something specific I can send?

DewFreak commented:
X them out.  Otherwise how can we help?  Let's see your NAT and access rules.

Whah (Author) commented:
Here's the original NAT:
static (inside,outside) 1.1.1.1 192.168.1.115 netmask 255.255.255.255 0 0

Here's the NAT I added:
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0


DewFreak commented:
I assume you also updated the access-list:

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq http

Also, do you have the new inside host pointed to the correct gateway address (your firewall)?

Whah (Author) commented:
Here's a screenshot of the Access List.

Whah (Author) commented:
I haven't done much with the access list.  I'd like to see access to the .115 server fail so I know my NATing is working correctly.

Yes, the new inside host is configured with the correct gateway.

Whah (Author) commented:
Here's all my static NAT.  I don't understand how any traffic is getting to .115.

Result of firewall command: "show static"
static (inside,outside) 1.1.1.12 192.168.12 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.9 192.168.1.175 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.8 192.168.1.119 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.7 192.168.1.114 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.6 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.5 192.168.1.110 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.4 192.168.1.113 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.3 linux_box netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0

DewFreak commented:
Ok, so I assume you are testing this from an outside source while watching the log?  Have you disabled the web server on .115 to make sure you aren't seeing cached results?  When you do a sho run from the CLI, you don't see any reference to .115?

DewFreak commented:
Yes, from that it should not be.  Assume you have rebooted the firewall to clear any weird ARP issues.

Whah (Author) commented:
I have a mobile broadband account and I've added its IP to the acceptable "Host/Networks" tab.  I wasn't able to access the .115 site until I did this.

I'm not watching the log.  I'm not sure what to watch or configure to watch.  I'll see what I can get going.

I disabled the web server and now I get, as expected, an "Unable to connect" page.  When I restart the service I'm back to the old .115 page.

Here are the .115 references:
name 192.168.1.115 IN_asp.test.com
network-object 1.1.1.115 255.255.255.255
access-list outside_access_in permit tcp object-group Access_to_asp.test.com host 1.1.1.115 object-group PublicAccess
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
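The lines above are exactly what a stale-reference audit should catch: a `name` alias still bound to the old inside host, an access-list entry that uses it, and two statics competing for the same global address. The following script is an added example, not code from the thread or from Cisco; it runs over a constructed config excerpt modelled on the sample lines posted here (the second `name` line, the `linux_box` address and the access-list entry that uses the alias are my additions for illustration) and reports every line still tied to the decommissioned host, every global IP mapped by more than one `static`, and any static whose inside address is neither a valid IPv4 address nor a defined name (such as the truncated `192.168.12` in the `show static` output above).

```python
"""Audit a PIX/ASA-style config excerpt for leftovers of a decommissioned host.

Added example (not from the thread). Parses `name`, `access-list` and
`static (inside,outside)` lines and reports:
  1. lines that still mention the old inside host or an alias for it,
  2. global IPs that more than one static maps (only one can win),
  3. statics whose inside address is neither valid IPv4 nor a known name.
"""
import ipaddress
import re

# Constructed sample excerpt modelled on the thread's (sample) IPs and names.
SAMPLE_CONFIG = """\
name 192.168.1.115 IN_asp.test.com
name 192.168.1.150 linux_box
network-object 1.1.1.115 255.255.255.255
access-list outside_access_in permit tcp object-group Access_to_asp.test.com host 1.1.1.115 object-group PublicAccess
access-list outside_access_in extended permit tcp any host IN_asp.test.com eq http
static (inside,outside) 1.1.1.12 192.168.12 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.3 linux_box netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.115 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse_names(lines):
    """Map alias -> IP from 'name <ip> <alias>' lines."""
    names = {}
    for line in lines:
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_statics(lines):
    """Return (global, inside) pairs from 'static (inside,outside) ...' lines."""
    statics = []
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            statics.append((m.group(3), m.group(4)))
    return statics


def is_ipv4(token):
    """True if token is a well-formed dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def stale_references(lines, names, old_host):
    """Lines whose tokens mention the old inside host or any alias bound to it."""
    targets = {old_host} | {alias for alias, ip in names.items() if ip == old_host}
    return [line for line in lines if targets & set(line.split())]


def duplicate_globals(statics):
    """Global IPs claimed by more than one static, with all the inside hosts."""
    seen = {}
    for glob, inside in statics:
        seen.setdefault(glob, []).append(inside)
    return {g: ins for g, ins in seen.items() if len(ins) > 1}


def malformed_insides(statics, names):
    """Inside addresses that are neither valid IPv4 nor a defined name."""
    return [inside for _, inside in statics if not is_ipv4(inside) and inside not in names]


def audit(config_text, old_host):
    """Run all three checks over a config excerpt and return the findings."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    names = parse_names(lines)
    statics = parse_statics(lines)
    return {
        "stale": stale_references(lines, names, old_host),
        "duplicates": duplicate_globals(statics),
        "malformed": malformed_insides(statics, names),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, "192.168.1.115").items():
        print(key, value)
```

Feed it the output of `show run` (with real addresses masked, as suggested earlier in the thread) and the `stale` list is the set of lines to remove or rewrite before expecting the new mapping to take effect; the `duplicates` entry for `1.1.1.1` is what you would see if the old static had not actually been removed.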

DewFreak commented:
So, why not remove all references to the old .115 server?

Whah (Author) commented:
It seems the only odd .115 entry looks to be name 192.168.1.115 IN_asp.test.com.  I believe that is just a group name.

I may have described the desired outcome poorly.  Here is a diagram that may be helpful.

Whah (Author) commented:
Is there a log that will show what hits the PIX and where the traffic is going?

DewFreak commented:
Are you using ASDM?  If so you can view the live log in there and filter easily to watch for traffic on that IP.

Whah (Author) commented:
It doesn't look like it.  Under the logging node I see: Logging Setup, PDM Logging, Syslog and Others.

BITCooler commented:
Whah, did you restart / reboot your PIX 506e after you made your changes?

Whah (Author) commented:
I haven't rebooted yet.  I'm thinking that's the next step.  I shouldn't have to though, right?

DewFreak commented:
Shouldn't have to but as I said earlier, it never hurts to clear out ARP cache etc.