
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 374
  • Last Modified:

Re-routing behind the firewall

All IPs and domains below are samples.

I have a domain, asp.test.com.  It currently resolves to 1.1.1.1.  I have a PIX 506e that I thought was routing all 1.1.1.1 traffic to 192.168.1.115.  The .115 server is going away and .120 is coming online.  I wanted to leave the internet's DNS the same so any traffic destined for asp.test.com would go to 1.1.1.1 but I want the PIX to route traffic to the .120 server rather than the .115 server.

I'm using the PIX PDM.  So far I've removed the Translation Rule that I thought sent traffic to the .115 server.  I then added a Translation Rule that should route asp.test.com traffic to the .120 server, Apply and Save.  It's not working.  All traffic still goes to the .115 server.
0
Asked by: Whah
1 Solution
 
DewFreak Commented:
Post sho run
0
 
Whah (Author) Commented:
There are a lot of IPs I'd prefer not to post.  Is there something specific I can send?
0
 
DewFreak Commented:
X them out.  Otherwise how can we help?  Let's see your NAT and access rules.
0

 
Whah (Author) Commented:
Here's the original NAT:
static (inside,outside) 1.1.1.1 192.168.1.115 netmask 255.255.255.255 0 0

Here's the NAT I added:
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0


0
 
DewFreak Commented:
I assume you also updated the access-list:

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq http

Also, do you have the new inside host pointed to the correct gateway address (your firewall)?
0
 
Whah (Author) Commented:
Here's a screenshot of the Access List. [screenshot: AccessList]
0
 
Whah (Author) Commented:
I haven't done much with the access list.  I'd like to see access to the .115 server fail so I know my NATing is working correctly.

Yes, the new inside host is configured with the correct gateway.
0
 
Whah (Author) Commented:
Here's all my static NAT.  I don't understand how any traffic is getting to .115

Result of firewall command: "show static"
static (inside,outside) 1.1.1.12 192.168.12 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.9 192.168.1.175 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.8 192.168.1.119 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.7 192.168.1.114 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.6 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.5 192.168.1.110 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.4 192.168.1.113 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.3 linux_box netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.2 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
0
 
DewFreak Commented:
Ok, so I assume you are testing this from an outside source while watching the log?  Have you disabled the web server on .115 to make sure you aren't seeing cached results?  When you do a sho run from the CLI, you don't see any reference to .115?
0
 
DewFreak Commented:
Yes, from that it should not be.  Assume you have rebooted the firewall to clear any weird ARP issues.  
0
 
Whah (Author) Commented:
I have a mobile broadband account and I've added its IP to the acceptable "Host/Networks" tab.  I wasn't able to access the .115 site until I did this.

I'm not watching the log.  I'm not sure what to watch or configure to watch.  I'll see what I can get going.

I disabled the web server and now I get, as expected, an "Unable to connect" page.  When I restart the service I'm back to the old .115 page.

Here's the .115 references:
name 192.168.1.115 IN_asp.test.com
network-object 1.1.1.115 255.255.255.255
access-list outside_access_in permit tcp object-group Access_to_asp.test.com host 1.1.1.115 object-group PublicAccess
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
0
 
DewFreak Commented:
So, why not remove all references to the old .115 server?
0
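The two checks the thread converges on (are there any statics, access-list or name entries still tied to the old .115 host, and is the global address 1.1.1.1 still claimed by more than one static) are easy to get wrong by eye because the PIX shows an address by its name alias once a name entry exists, so a search for "192.168.1.115" misses lines that say "IN_asp.test.com". The script below is an added example, written for this page rather than taken from the thread or from Cisco; it audits a saved "show run" in Python instead of on the PIX CLI. Its SAMPLE_CONFIG is constructed from the lines the author posted, plus two lines added for the demonstration and marked as such: the original 1.1.1.1 to 192.168.1.115 static (which the author said was removed) left beside its replacement, and a hypothetical inside_access_in entry that refers to the host only by its alias.

```python
import re
from collections import defaultdict

# Constructed sample input (not a real firewall's config): the name,
# object-group, access-list and static lines posted in the thread, plus two
# additions made for this demonstration:
#   * the 1.1.1.1 -> 192.168.1.115 static the author said was removed, left in
#     next to the new 1.1.1.1 -> 192.168.1.120 static, to exercise the conflict
#     check;
#   * a hypothetical inside_access_in line that names the host only by alias.
SAMPLE_CONFIG = """\
name 192.168.1.115 IN_asp.test.com
object-group network Access_to_asp.test.com
 network-object 1.1.1.115 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq http
access-list outside_access_in permit tcp object-group Access_to_asp.test.com host 1.1.1.115 object-group PublicAccess
access-list inside_access_in permit ip host IN_asp.test.com any
static (inside,outside) 1.1.1.115 192.168.1.120 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.115 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 192.168.1.120 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.3 linux_box netmask 255.255.255.255 0 0
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
TOKEN_SPLIT = re.compile(r"[\s,()]+")


def parse_names(lines):
    """Collect PIX 'name <ip> <alias>' lines as {alias: ip}."""
    names = {}
    for line in lines:
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def find_references(config_text, host):
    """Every (line_no, line) that refers to `host`, either literally or through
    a 'name' alias.  Tokens are compared whole, so 192.168.1.11 never matches
    192.168.1.115 the way a plain substring grep would."""
    lines = config_text.splitlines()
    names = parse_names(lines)
    hits = []
    for no, line in enumerate(lines, 1):
        tokens = TOKEN_SPLIT.split(line.strip())
        if any(names.get(t, t) == host for t in tokens):
            hits.append((no, line))
    return hits


def static_conflicts(config_text):
    """Global (outside) addresses that several statics map to different inside
    hosts, e.g. an old static that was never really removed sitting beside its
    replacement.  Returns {global_ip: [inside_host, ...]} for the conflicts."""
    lines = config_text.splitlines()
    names = parse_names(lines)
    by_global = defaultdict(list)
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            global_ip = m.group(3)
            local = names.get(m.group(4), m.group(4))  # resolve alias to IP
            if local not in by_global[global_ip]:
                by_global[global_ip].append(local)
    return {g: hosts for g, hosts in by_global.items() if len(hosts) > 1}


def main():
    old_host = "192.168.1.115"
    print(f"Lines still referring to {old_host}:")
    for no, line in find_references(SAMPLE_CONFIG, old_host):
        print(f"  {no:3d}: {line}")
    for global_ip, hosts in static_conflicts(SAMPLE_CONFIG).items():
        print(f"Conflict: {global_ip} is statically mapped to {', '.join(hosts)}")


if __name__ == "__main__":
    main()
```

Run against a real "show run" saved to a file by replacing SAMPLE_CONFIG with the file's contents. On the sample it lists the name entry itself, the alias-only access-list line and the stale static as references to 192.168.1.115, and reports 1.1.1.1 as mapped to both inside hosts. Two points that are not part of the thread but that a practitioner would check on the PIX itself: translation slots built under the old static survive a static change until "clear xlate" is issued (or the box reloads, which is why the suggested reboot would also clear the symptom), and "show xlate" shows which inside address the 1.1.1.1 slot currently points at; for the logging question, PIX 6.x software logs to an in-memory buffer with "logging on" plus "logging buffered debugging", readable afterwards with "show logging".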
 
Whah (Author) Commented:
It seems the only odd .115 entry looks to be name 192.168.1.115 IN_asp.test.com.  I believe that is just a group name.

I may have described the desired outcome poorly.  Here is a diagram that may be helpful. [diagram: IP]
0
 
Whah (Author) Commented:
Is there a log that will show what hits the PIX and where the traffic is going?
0
 
DewFreak Commented:
Are you using ASDM?  If so you can view the live log in there and filter easily to watch for traffic on that IP.
0
 
Whah (Author) Commented:
It doesn't look like it.  Under the logging node I see:  Logging Setup, PDM Logging, Syslog and Others
0
 
BITCooler Commented:
Whah,  Did you restart / reboot your PIX 506e after you made your changes?

0
 
Whah (Author) Commented:
I haven't rebooted yet.  I'm thinking that's the next step.  I shouldn't have to though, right?
0
 
DewFreak Commented:
Shouldn't have to but as I said earlier, it never hurts to clear out ARP cache etc.
0
