Solved

Server Internet Access

Posted on 2011-03-04
1,225 Views
Last Modified: 2012-05-11
I have a server running a web application on port 8080.  My boss wanted it to be easier for customers, so they would not have to put in the :8080, so I put in the following static NAT statements in my firewall (PIX 515 version 7.22):

static (dmz1,outside) tcp xxx.xxx.xxx.xxx www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx https 192.168.1.54 https netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.1.54 3389 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 6000 192.168.1.54 6000 netmask 255.255.255.255

Everything has been working great, for quite some time, until someone tried to access the internet from the server and it isn't getting past my firewall.  Packet trace shows there is no NAT translation.

Not a big deal right now but am I missing something?  

ACLs are OK.

Question by:marrj
13 Comments
 
LVL 8

Expert Comment

by:Saineolai
ID: 35040309
These NAT statements do not translate traffic outbound from the server destined for https and http ports outside of your network.  You will need additional NAT statements for the outbound traffic.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35047563
Do you have any access list statements on the dmz interface that might block the outgoing traffic?

Also you would need something like:

global (outside) 1 interface
(should already be there for NATing traffic from the inside)
and
nat (dmz1) 1 192.168.1.0 255.255.255.0
LVL 1

Author Comment

by:marrj
ID: 35159314
All our other servers, as well as regular internet users, get NATed to the same external IP.
If I remove these and just have one static NAT the server can access the internet.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159587
That's what I was trying to say. You have to do the same for the DMZ as you did for the inside machines.
LVL 1

Author Comment

by:marrj
ID: 35159756
If I add the below NAT statement I get a few errors but the server gets access to the internet.
static (dmz1,outside) xxx.xxx.xxx.54 192.168.1.54 netmask 255.255.255.255

Below are the errors, but it accepts the command and like I said above, the server gets internet access.

WARNING: mapped-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159785
Well, that is a static; you normally use that to get from the outside to the inside. The normal thing to do is like I said: use a nat (dmz1) statement. So I repeat my question: do you have that in place?
LVL 1

Author Comment

by:marrj
ID: 35160167
We don't have anything in our DMZ getting out unless there is a static NAT.  I think the problem is with the attempt at port redirection within the NAT statements.
LVL 1

Author Comment

by:marrj
ID: 35160182
In answer to your question there is not a nat statement for 192.168.1.0 network.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160206
That's correct, that could get in the way.
That's the reason I am hammering at the nat0 statement. You said "We don't have anything in our DMZ getting out unless there is a static NAT." So do you mean you don't want anything to get out, or that it just doesn't get out?
LVL 1

Author Comment

by:marrj
ID: 35160219
We don't want any of our servers getting out unless we NAT it and have a few ACL statements in place.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160281
So if you do: nat (dmz1) 1 192.168.1.54 255.255.255.255 and allow only specific ports out with an access list on the dmz interface?
LVL 1

Author Comment

by:marrj
ID: 35160621
That is what we do, just that we use the static command on the PIX. We have over 40 servers and I am the only one messing with the PIX.

I opened up this question because I wanted to know a workaround for the port redirection, in that it was confusing my PIX for regular outbound traffic for this server.

In the course of trying things out I found that it will still take the normal static NAT statement, albeit you have to enter that statement after you have the individual port NAT statements, or it will error out on the port NAT statements.

LVL 35

Accepted Solution

by: Ernie Beek (earned 500 total points)
ID: 35161072
Well, personally I think the nat(dmz1) would be a better alternative. But then again, that's up to you of course.
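The thread turns on rule-selection order: port-specific statics only translate a server connection whose real port is the one named in the static, a one-to-one static (or nat/global) is what covers the server's own outbound connections, and the one-to-one static must sit after the port statics or it shadows the :80 to 8080 redirect. The following is an added example, not configuration or code from the thread, that models that first-match behaviour for the exact rules posted above. It assumes a simplified PIX 7.x order (statics tried first in configured order, then nat/global; nat 0, policy NAT and access lists are ignored) and uses the constructed TEST-NET addresses 203.0.113.54 and 203.0.113.1 in place of the masked xxx.xxx.xxx.54 public address and the outside interface address.

```python
"""Toy model of PIX 7.x NAT rule selection (added example, not from the thread).
Assumptions: statics match first, in configured order, first match wins;
nat/global applies only when no static matched; nat 0, policy NAT and ACLs ignored."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF_ADDR = "203.0.113.1"   # constructed stand-in for the outside interface address
PUBLIC_54 = "203.0.113.54"        # constructed stand-in for xxx.xxx.xxx.54 in the thread
SERVER = "192.168.1.54"


@dataclass(frozen=True)
class Static:
    """static (real_ifc,mapped_ifc) [tcp mapped_ip mapped_port real_ip real_port | mapped_ip real_ip]"""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None     # None: one-to-one static for every protocol and port
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


@dataclass(frozen=True)
class Nat:
    """nat (real_ifc) nat_id real_net real_mask"""
    real_ifc: str
    nat_id: int
    real_net: str
    real_mask: str


@dataclass(frozen=True)
class Global:
    """global (mapped_ifc) nat_id interface  (PAT to mapped_ip)"""
    mapped_ifc: str
    nat_id: int
    mapped_ip: str


def translate_outbound(statics, nats, globals_, real_ifc, mapped_ifc, src_ip, src_port, proto):
    """Translation for a connection the server opens, or None (no translation, as in the packet trace)."""
    for s in statics:
        if (s.real_ifc, s.mapped_ifc, s.real_ip) != (real_ifc, mapped_ifc, src_ip):
            continue
        if s.proto is None:
            return ("static", s.mapped_ip, src_port)          # one-to-one: port preserved
        if s.proto == proto and s.real_port == src_port:
            return ("static-port", s.mapped_ip, s.mapped_port)  # only when the real port matches
    for n in nats:
        net = ipaddress.ip_network(f"{n.real_net}/{n.real_mask}", strict=False)
        if n.real_ifc != real_ifc or ipaddress.ip_address(src_ip) not in net:
            continue
        for g in globals_:
            if g.mapped_ifc == mapped_ifc and g.nat_id == n.nat_id:
                return ("pat", g.mapped_ip, None)              # PIX picks the source port
    return None


def translate_inbound(statics, mapped_ifc, real_ifc, dst_ip, dst_port, proto):
    """Translation for a connection arriving from outside, or None (no static, dropped)."""
    for s in statics:
        if (s.real_ifc, s.mapped_ifc, s.mapped_ip) != (real_ifc, mapped_ifc, dst_ip):
            continue
        if s.proto is None:
            return ("static", s.real_ip, dst_port)
        if s.proto == proto and s.mapped_port == dst_port:
            return ("static-port", s.real_ip, s.real_port)
    return None


# The four port statics from the question (www = 80, https = 443).
PORT_STATICS = [
    Static("dmz1", "outside", PUBLIC_54, SERVER, "tcp", 80, 8080),
    Static("dmz1", "outside", PUBLIC_54, SERVER, "tcp", 443, 443),
    Static("dmz1", "outside", PUBLIC_54, SERVER, "tcp", 3389, 3389),
    Static("dmz1", "outside", PUBLIC_54, SERVER, "tcp", 6000, 6000),
]
FULL_STATIC = Static("dmz1", "outside", PUBLIC_54, SERVER)    # the author's added static
DMZ_NAT = [Nat("dmz1", 1, SERVER, "255.255.255.255")]         # Ernie Beek's nat (dmz1) 1 ...
OUTSIDE_GLOBAL = [Global("outside", 1, OUTSIDE_IF_ADDR)]       # global (outside) 1 interface


def scenario_port_statics_only():
    # Original config: server connects out from ephemeral port 51000 -> nothing matches.
    return translate_outbound(PORT_STATICS, [], [], "dmz1", "outside", SERVER, 51000, "tcp")


def scenario_full_static_after():
    # Workaround: one-to-one static appended after the port statics; :80 redirect still wins.
    statics = PORT_STATICS + [FULL_STATIC]
    out = translate_outbound(statics, [], [], "dmz1", "outside", SERVER, 51000, "tcp")
    inbound = translate_inbound(statics, "outside", "dmz1", PUBLIC_54, 80, "tcp")
    return out, inbound


def scenario_full_static_before():
    # Same rules with the one-to-one static first: inbound :80 is no longer redirected to 8080.
    return translate_inbound([FULL_STATIC] + PORT_STATICS, "outside", "dmz1", PUBLIC_54, 80, "tcp")


def scenario_nat_global():
    # Accepted alternative: nat (dmz1) 1 + global (outside) 1 interface; inbound stays static-only.
    out = translate_outbound(PORT_STATICS, DMZ_NAT, OUTSIDE_GLOBAL, "dmz1", "outside", SERVER, 51000, "tcp")
    inbound = translate_inbound(PORT_STATICS, "outside", "dmz1", OUTSIDE_IF_ADDR, 8080, "tcp")
    return out, inbound
```

Running the four scenarios reproduces the thread: with only the port statics the outbound connection gets no translation; the appended one-to-one static translates it with the source port preserved while the :80 to 8080 redirect still matches first; moving that static in front of the port statics makes inbound :80 land on the server's port 80 instead of 8080; and the nat/global variant PATs the server to the interface address without exposing anything inbound that a port static does not name, which is why the accepted answer prefers it.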
