Solved

Server Internet Access

Posted on 2011-03-04
13
1,184 Views
Last Modified: 2012-05-11
I have a server running a web application on port 8080.  My boss wanted it easier for customers to not have to put in the :8080 so I put in the following static NAT statements in my firewall (PIX 515 version 7.22)

static (dmz1,outside) tcp xxx.xxx.xxx.xxx www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx https 192.168.1.54 https netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.1.54 3389 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 6000 192.168.1.54 6000 netmask 255.255.255.255

Everything has been working great, for quite some time, until someone tried to access the internet from the server and it isn't getting past my firewall.  Packet trace shows there is no NAT translation.

Not a big deal right now but am I missing something?  

ACLs are OK.

Question by:marrj
13 Comments
 
LVL 8

Expert Comment

by:Saineolai
ID: 35040309
These NAT statements do not translate traffic outbound from the server destined for https and http ports outside of your network.  You will need additional NAT statements for the outbound traffic.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35047563
Do you have any access list statements on the dmz interface that might block the outgoing traffic?

Also you would need something like

global (outside) 1 interface  (should be there already for NATing traffic from the inside)

and

nat (dmz1) 1 192.168.1.0 255.255.255.0
0
 
LVL 1

Author Comment

by:marrj
ID: 35159314
All our other servers, as well as regular internet users, get NATed to the same external IP.
If I remove these and just have one static NAT the server can access the internet.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159587
That's what I was trying to say. You have to do the same for the DMZ as you did for the inside machines.
0
 
LVL 1

Author Comment

by:marrj
ID: 35159756
If I add the below NAT statement I get a few errors but the server gets access to the internet.
static (dmz1,outside) xxx.xxx.xxx.54 192.168.1.54 netmask 255.255.255.255

Below are the errors, but it accepts the command and like I said above, the server gets internet access.

WARNING: mapped-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159785
Well that is a static, you normally use that to get from the out- to the inside. The normal thing to do is like I said: use a nat(dmz1) statement. So I repeat my question: do you have that in place?
0
 
LVL 1

Author Comment

by:marrj
ID: 35160167
We don't have anything in our DMZ getting out unless there is a static NAT.  I think the problem is with the attempt at port redirection within the NAT statements.
0
 
LVL 1

Author Comment

by:marrj
ID: 35160182
In answer to your question there is not a nat statement for 192.168.1.0 network.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160206
That's correct, that could get in the way.
That's the reason I am hammering at the nat0 statement. You said "We don't have anything in our DMZ getting out unless there is a static NAT." So you mean you don't want anything to get out, or it just doesn't get out?
0
 
LVL 1

Author Comment

by:marrj
ID: 35160219
We don't want any of our servers getting out unless we NAT it and have a few ACL statements in place.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160281
So if you do: nat (dmz1) 1 192.168.1.54 255.255.255.255 and allow only specific ports out with an access list on the dmz interface?
0
 
LVL 1

Author Comment

by:marrj
ID: 35160621
That is what we do, just that we use the static command on the PIX. We have over 40 servers and I am the only one messing with the PIX.

I opened up this question because I wanted to know work around for the port redirection in that it was confusing my PIX for regular outbound traffic for this server.

In the course of trying things out I found that it will still take the normal static NAT statement, albeit you have to make the statement after you have the individual port nat statements or it will error out on the port nat statements.

0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35161072
Well, personally I think the nat(dmz1) would be a better alternative. But then again, that's up to you of course.
0
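The two approaches discussed in the thread, put together as an added configuration example (this is not the original poster's running config and not the expert's wording). It assumes the interface names dmz1 and outside from the question and uses the placeholder public address 203.0.113.54 where the thread shows xxx.xxx.xxx.54; the ACL name dmz1_out is likewise an assumption.

```cisco
! Added example for PIX 7.x, not the original poster's configuration.
! Assumes interfaces dmz1 and outside and the placeholder public
! address 203.0.113.54 (shown as xxx.xxx.xxx.54 in the thread).
!
! 1. Inbound port redirection, as in the question: external :80 is
!    forwarded to the server's :8080, the other ports map one to one.
static (dmz1,outside) tcp 203.0.113.54 www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp 203.0.113.54 https 192.168.1.54 https netmask 255.255.255.255
static (dmz1,outside) tcp 203.0.113.54 3389 192.168.1.54 3389 netmask 255.255.255.255
!
! 2. Outbound translation for the same host. A port-level static only
!    matches flows on the ports it names, so a connection the server
!    opens from an ephemeral source port finds no translation and is
!    dropped. A dynamic nat/global pair for the host covers those flows
!    without conflicting with the port statics above.
global (outside) 1 interface
nat (dmz1) 1 192.168.1.54 255.255.255.255
!
! 3. The outbound policy belongs in the ACL, not in NAT: permit only the
!    destination ports the server needs and log everything else.
access-list dmz1_out extended permit tcp host 192.168.1.54 any eq www
access-list dmz1_out extended permit tcp host 192.168.1.54 any eq https
access-list dmz1_out extended deny ip any any log
access-group dmz1_out in interface dmz1
!
! 4. Inbound exposure check: the 3389 static above makes RDP reachable
!    from the whole internet unless the outside ACL narrows it. Assumed
!    ACL name and management source 198.51.100.0/24 are placeholders.
access-list outside_in extended permit tcp any host 203.0.113.54 eq www
access-list outside_in extended permit tcp any host 203.0.113.54 eq https
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.54 eq 3389
access-group outside_in in interface outside
```

The alternative the poster settled on, a one-to-one `static (dmz1,outside) 203.0.113.54 192.168.1.54 netmask 255.255.255.255` entered after the port statics, also restores outbound access, but the PIX prints the mapped-address and real-address conflict warnings quoted above because the same public address is now claimed by overlapping translations. The `nat (dmz1)` form avoids that overlap and keeps the decision of what may leave the DMZ in the access list, which is easier to audit than inferring it from NAT statements. With either form, verify the result with `show xlate` for 192.168.1.54 and a packet-tracer run from the server to an outside address on TCP 80.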
