Server Internet Access

Posted on 2011-03-04
Last Modified: 2012-05-11
I have a server running a web application on port 8080. My boss wanted to make it easier for customers by not having them put in the :8080, so I put the following static NAT statements in my firewall (PIX 515 version 7.22):

static (dmz1,outside) tcp xxx.xxx.xxx.xxx www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx https 192.168.1.54 https netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.1.54 3389 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 6000 192.168.1.54 6000 netmask 255.255.255.255

Everything has been working great for quite some time, until someone tried to access the internet from the server and it isn't getting past my firewall. Packet trace shows there is no NAT translation.

Not a big deal right now, but am I missing something?

ACLs are OK.

Question by:marrj

13 Comments

Expert Comment

by:Saineolai
ID: 35040309
These NAT statements do not translate traffic outbound from the server destined for https and http ports outside of your network.  You will need additional NAT statements for the outbound traffic.
Expert Comment

by:Ernie Beek
ID: 35047563
Do you have any access list statements on the dmz interface that might block the outgoing traffic?

Also you would need something like

global (outside) 1 interface   (should already be there for NATting traffic from the inside)
and
nat (dmz1) 1 192.168.1.0 255.255.255.0
Author Comment

by:marrj
ID: 35159314
All our other servers, as well as regular internet users, get NATed to the same external IP.
If I remove these and just have one static NAT the server can access the internet.
Expert Comment

by:Ernie Beek
ID: 35159587
That's what I was trying to say. You have to do the same for the DMZ as you did for the inside machines.
Author Comment

by:marrj
ID: 35159756
If I add the NAT statement below I get a few errors, but the server gets access to the internet.
static (dmz1,outside) xxx.xxx.xxx.54 192.168.1.54 netmask 255.255.255.255

Below are the errors, but it accepts the command and, like I said above, the server gets internet access.

WARNING: mapped-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
Expert Comment

by:Ernie Beek
ID: 35159785
Well, that is a static; you normally use that to get from the outside to the inside. The normal thing to do is what I said: use a nat (dmz1) statement. So I repeat my question: do you have that in place?
Author Comment

by:marrj
ID: 35160167
We don't have anything in our DMZ getting out unless there is a static NAT. I think the problem is with the attempt at port redirection within the NAT statements.
Author Comment

by:marrj
ID: 35160182
In answer to your question, there is not a nat statement for the 192.168.1.0 network.
Expert Comment

by:Ernie Beek
ID: 35160206
That's correct, that could get in the way.
That's the reason I am hammering at the nat0 statement. You said "We don't have anything in our DMZ getting out unless there is a static NAT." So do you mean you don't want anything to get out, or it just doesn't get out?
Author Comment

by:marrj
ID: 35160219
We don't want any of our servers getting out unless we NAT it and have a few ACL statements in place.
Expert Comment

by:Ernie Beek
ID: 35160281
So what if you do: nat (dmz1) 1 192.168.1.54 255.255.255.255 and allow only specific ports out with an access list on the dmz interface?
Author Comment

by:marrj
ID: 35160621
That is what we do, just that we use the static command on the PIX. We have over 40 servers and I am the only one messing with the PIX.

I opened up this question because I wanted to know a work-around for the port redirection, in that it was confusing my PIX for regular outbound traffic from this server.

In the course of trying things out I found that it will still take the normal static NAT statement, albeit you have to enter that statement after you have the individual port NAT statements, or it will error out on the port NAT statements.

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 35161072
Well, personally I think the nat(dmz1) would be a better alternative. But then again, that's up to you of course.
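As an added illustration of the accepted answer (this is not the poster's configuration or text from the thread), the outbound path Ernie Beek describes, written as PIX 7.x commands: the port-redirect statics from the question stay for inbound traffic, the nat/global pair (same id) gives the server a dynamic PAT translation for its own outbound connections, and an access list on dmz1 limits which ports it may reach. Assumptions: `global (outside) 1 interface` already exists as the thread states, the access-list name DMZ1_OUT and the DNS server placeholder are made up here, and xxx.xxx.xxx.54 is the page's placeholder public address.

```cisco
! Inbound: the four port-redirect statics from the question (typos corrected).
! Only these mapped ports are reachable from outside; nothing else on .54 is exposed.
static (dmz1,outside) tcp xxx.xxx.xxx.54 www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.54 https 192.168.1.54 https netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.54 3389 192.168.1.54 3389 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.54 6000 192.168.1.54 6000 netmask 255.255.255.255
!
! Outbound: a static PAT entry only matches its listed port, so the server's own
! connections (ephemeral source port, any destination) have no translation and are
! dropped when nat-control is on. A nat/global pair with the same id supplies one.
global (outside) 1 interface
nat (dmz1) 1 192.168.1.54 255.255.255.255
!
! Alternative the poster found: a plain 1:1 static (xxx.xxx.xxx.54 <-> 192.168.1.54).
! It works, but it maps every port of the host inbound (limited only by the outside
! ACL) and triggers the mapped/real-address conflict warnings shown in the thread.
!
! Restrict what the DMZ host may initiate. This ACL filters everything entering the
! PIX from dmz1 (toward outside and inside alike), so keep it explicit and logged.
access-list DMZ1_OUT extended permit tcp host 192.168.1.54 any eq www
access-list DMZ1_OUT extended permit tcp host 192.168.1.54 any eq https
access-list DMZ1_OUT extended permit udp host 192.168.1.54 host <dns-server-ip> eq domain
access-list DMZ1_OUT extended deny ip any any log
access-group DMZ1_OUT in interface dmz1
!
! Translation changes apply to new connections; drop stale xlates for the host.
clear xlate local 192.168.1.54
```

After applying this, `show xlate` should list a dynamic PAT entry for 192.168.1.54 alongside the four static ones when the server opens an outbound connection.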