Server Internet Access

Posted on 2011-03-04
1,280 Views
Last Modified: 2012-05-11
I have a server running a web application on port 8080. My boss wanted to make it easier for customers so they don't have to type the :8080, so I put the following static NAT statements in my firewall (PIX 515 version 7.22):

static (dmz1,outside) tcp xxx.xxx.xxx.xxx www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx https 192.168.1.54 https netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.1.54 3389 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 6000 192.168.1.54 6000 netmask 255.255.255.255

Everything has been working great for quite some time, until someone tried to access the internet from the server and it isn't getting past my firewall. Packet trace shows there is no NAT translation.

Not a big deal right now, but am I missing something?

ACLs are OK.

Question by:marrj
13 Comments
 
LVL 8

Expert Comment

by:Saineolai
ID: 35040309
These NAT statements do not translate traffic outbound from the server destined for https and http ports outside of your network.  You will need additional NAT statements for the outbound traffic.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35047563
Do you have any access list statements on the dmz interface that might block the outgoing traffic?

Also you would need something like:

global (outside) 1 interface
(should be there already for NATting traffic from the inside)

and

nat (dmz1) 1 192.168.1.0 255.255.255.0
LVL 1

Author Comment

by:marrj
ID: 35159314
All our other servers, as well as regular internet users, get NATed to the same external IP.
If I remove these and just have one static NAT the server can access the internet.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159587
That's what I was trying to say. You have to do the same for the DMZ as you did for the inside machines.
LVL 1

Author Comment

by:marrj
ID: 35159756
If I add the NAT statement below I get a few errors, but the server gets access to the internet.

static (dmz1,outside) xxx.xxx.xxx.54 192.168.1.54 netmask 255.255.255.255

Below are the errors, but it accepts the command and like I said above, the server gets internet access.

WARNING: mapped-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159785
Well, that is a static; you normally use that to get from the outside to the inside. The normal thing to do is like I said: use a nat (dmz1) statement. So I repeat my question: do you have that in place?
LVL 1

Author Comment

by:marrj
ID: 35160167
We don't have anything in our DMZ getting out unless there is a static NAT. I think the problem is with the attempt at port redirection within the NAT statements.
LVL 1

Author Comment

by:marrj
ID: 35160182
In answer to your question: there is not a nat statement for the 192.168.1.0 network.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160206
That's correct, that could get in the way.
That's the reason I am hammering at the nat0 statement. You said "We don't have anything in our DMZ getting out unless there is a static NAT." So do you mean you don't want anything to get out, or that it just doesn't get out?
LVL 1

Author Comment

by:marrj
ID: 35160219
We don't want any of our servers getting out unless we NAT it and have a few ACL statements in place.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160281
So what if you do: nat (dmz1) 1 192.168.1.54 255.255.255.255 and allow only specific ports out with an access list on the dmz interface?
LVL 1

Author Comment

by:marrj
ID: 35160621
That is what we do, just that we use the static command on the PIX. We have over 40 servers and I am the only one messing with the PIX.

I opened this question because I wanted to know a workaround for the port redirection, in that it was confusing my PIX for regular outbound traffic from this server.

In the course of trying things out I found that it will still take the normal static NAT statement, albeit you have to enter that statement after you have the individual port NAT statements, or it will error out on the port NAT statements.

LVL 35

Accepted Solution

by: Ernie Beek (earned 2000 total points)
ID: 35161072
Well, personally I think the nat(dmz1) would be a better alternative. But then again, that's up to you of course.
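Why the port statics leave the server's own connections untranslated, as an added example that is not code from the thread or from Cisco: a simplified Python model of the PIX 7.x translation lookup for a new connection from the DMZ. It assumes statics are consulted before nat/global, that a port static only matches a connection whose source port is the real port in the static, uses 203.0.113.10 as a stand-in for the masked public address, and ignores inbound matching, nat-control and ACLs.

```python
# Added example, not from the thread: a simplified model of how a PIX 7.x picks the
# translation for a new connection from the DMZ. It shows why the question's port
# statics never cover the server's own outbound connections, while nat/global does.
import ipaddress

PUBLIC_IP = "203.0.113.10"                     # constructed stand-in for the masked xxx.xxx.xxx.xxx
PORT_NAMES = {"www": 80, "http": 80, "https": 443}
port = lambda tok: PORT_NAMES.get(tok) or int(tok)

def parse(config):
    """Collect static, nat and global lines; anything else is ignored."""
    statics, nats, globals_ = [], [], {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):         # port static (static PAT): one real port only
                statics.append((real_if, mapped_if, t[2], t[3], port(t[4]), t[5], port(t[6])))
            else:                              # one-to-one static: every port of the real host
                statics.append((real_if, mapped_if, None, t[2], None, t[3], None))
        elif t[0] == "nat":
            nats.append((t[1].strip("()"), t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":
            globals_[(t[1].strip("()"), t[2])] = PUBLIC_IP if t[3] == "interface" else t[3]
    return statics, nats, globals_

def translate(rules, src_ip, src_port, proto="tcp", src_if="dmz1", dst_if="outside"):
    """Mapped (ip, port) for a new connection leaving src_if toward dst_if, or None."""
    statics, nats, globals_ = rules
    for real_if, mapped_if, sproto, mapped_ip, mapped_port, real_ip, real_port in statics:
        if (real_if, mapped_if, real_ip) != (src_if, dst_if, src_ip):
            continue
        if sproto is None:
            return (mapped_ip, src_port)       # full static: source port carried through
        if sproto == proto and real_port == src_port:
            return (mapped_ip, mapped_port)    # port static: matches only its own real port
    for nat_if, nat_id, net in nats:           # statics missed: try dynamic nat/global
        if nat_if == src_if and ipaddress.ip_address(src_ip) in net and (dst_if, nat_id) in globals_:
            return (globals_[(dst_if, nat_id)], "dynamic")
    return None                                # no translation: the symptom in the question

# Constructed sample: the question's port statics, then the nat/global pair, then a full static for .54.
QUESTION = f"""
static (dmz1,outside) tcp {PUBLIC_IP} www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp {PUBLIC_IP} https 192.168.1.54 https netmask 255.255.255.255
"""
WITH_NAT = QUESTION + "global (outside) 1 interface\nnat (dmz1) 1 192.168.1.54 255.255.255.255\n"
WITH_STATIC = QUESTION + f"static (dmz1,outside) {PUBLIC_IP} 192.168.1.54 netmask 255.255.255.255\n"
if __name__ == "__main__":
    for cfg in (QUESTION, WITH_NAT, WITH_STATIC):      # None, dynamic PAT, then 49152 carried through
        print(translate(parse(cfg), "192.168.1.54", 49152))
```

Run as a script it prints None for the question's configuration, a dynamic PAT hit once the nat/global pair is added, and the original source port carried through under the full static.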