Solved

Server Internet Access

Posted on 2011-03-04
Last Modified: 2012-05-11
I have a server running a web application on port 8080. My boss wanted to make it easier for customers so that they don't have to put in the :8080, so I put the following static NAT statements in my firewall (PIX 515, version 7.22):

static (dmz1,outside) tcp xxx.xxx.xxx.xxx www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx https 192.168.1.54 https netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.1.54 3389 netmask 255.255.255.255
static (dmz1,outside) tcp xxx.xxx.xxx.xxx 6000 192.168.1.54 6000 netmask 255.255.255.255

Everything has been working great for quite some time, until someone tried to access the internet from the server and it isn't getting past my firewall. Packet trace shows there is no NAT translation.

Not a big deal right now but am I missing something?  

ACLs are OK.

Question by:marrj
13 Comments
 
LVL 8

Expert Comment

by:Saineolai
ID: 35040309
These NAT statements do not translate traffic outbound from the server destined for https and http ports outside of your network.  You will need additional NAT statements for the outbound traffic.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35047563
Do you have any access list statements on the dmz interface that might block the outgoing traffic?

Also you would need something like

global (outside) 1 interface   (should be there already for natting traffic from the inside)
and
nat (dmz1) 1 192.168.1.0 255.255.255.0
 
LVL 1

Author Comment

by:marrj
ID: 35159314
All our other servers, as well as regular internet users, get NATed to the same external IP.
If I remove these and just have one static NAT the server can access the internet.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159587
That's what I was trying to say. You have to do the same for the DMZ as you did for the inside machines.
 
LVL 1

Author Comment

by:marrj
ID: 35159756
If I add the NAT statement below I get a few errors, but the server gets access to the internet.

static (dmz1,outside) xxx.xxx.xxx.54 192.168.1.54 netmask 255.255.255.255

Below are the errors, but it accepts the command and like I said above, the server gets internet access.

WARNING: mapped-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
WARNING: real-address conflict with existing static
  TCP dmz1:192.168.1.54/8080 to outside:xxx.xxx.xxx.54/80 netmask 255.255.255.255
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35159785
Well, that is a static; you normally use that to get from the outside to the inside. The normal thing to do is like I said: use a nat (dmz1) statement. So I repeat my question: do you have that in place?
 
LVL 1

Author Comment

by:marrj
ID: 35160167
We don't have anything in our DMZ getting out unless there is a static NAT. I think the problem is with the attempt at port redirection within the NAT statements.
 
LVL 1

Author Comment

by:marrj
ID: 35160182
In answer to your question, there is not a nat statement for the 192.168.1.0 network.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160206
That's correct, that could get in the way.
That's the reason I am hammering at the nat statement. You said "We don't have anything in our DMZ getting out unless there is a static NAT." So do you mean you don't want anything to get out, or that it just doesn't get out?
 
LVL 1

Author Comment

by:marrj
ID: 35160219
We don't want any of our servers getting out unless we NAT it and have a few ACL statements in place.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35160281
So what if you do: nat (dmz1) 1 192.168.1.54 255.255.255.255 and allow only specific ports out with an access list on the dmz interface?
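To make the thread's diagnosis concrete, here is an added example (not code from the thread or from Cisco) that models how a PIX 7.x with nat-control chooses a translation for a packet leaving a DMZ host. It parses the static, nat and global lines in the syntax used above, looks up a translation in the order the PIX uses for these rule types (port static first, then one-to-one static, then nat/global), and reports DMZ hosts that have port redirections but no translation for an ordinary outbound connection with an ephemeral source port, which is exactly the packet-trace result in the question. Assumptions: 203.0.113.10 stands in for the xxx.xxx.xxx.xxx mapped address; the hypothetical nat (inside) line is constructed; nat 0, policy NAT and interface ACLs are not modelled (an ACL decides permit/deny, not whether a translation exists); and this is the pre-8.3 PIX/ASA NAT syntax, not the object NAT used on ASA 8.3 and later.

```python
"""Model of PIX 7.x translation lookup for outbound DMZ traffic.

Added example, not from the thread. Lookup order modelled:
  1. port static  (static (in,out) tcp MAPPED MPORT REAL RPORT): only that host and port;
  2. plain static (static (in,out) MAPPED REAL): that host, any port;
  3. dynamic nat/global (nat (in) ID NET MASK paired with global (out) ID ...).
No match => dropped with "no translation group found" when nat-control is on.
Not modelled: nat 0 / identity NAT, policy NAT, interface ACLs.
"""
import ipaddress
import re
from dataclasses import dataclass, field

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}
IF_PAIR = re.compile(r"\((\w+),(\w+)\)")


def port(tok: str) -> int:
    """Resolve a PIX port keyword (www, https, ...) or numeric port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class PortStatic:
    real_if: str
    ext_if: str
    proto: str
    mapped: str
    mport: int
    real: str
    rport: int


@dataclass
class Static:
    real_if: str
    ext_if: str
    mapped: str
    real: str


@dataclass
class NatRule:
    real_if: str
    nat_id: int
    net: ipaddress.IPv4Network


@dataclass
class Config:
    port_statics: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    nats: list = field(default_factory=list)
    globals_: dict = field(default_factory=dict)   # (ext_if, nat_id) -> pool text


def parse(text: str) -> Config:
    """Parse the subset of PIX 7.x static/nat/global syntax used in the thread."""
    cfg = Config()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "static":
            real_if, ext_if = IF_PAIR.fullmatch(tok[1]).groups()
            if tok[2] in ("tcp", "udp"):   # static PAT (port redirection)
                cfg.port_statics.append(PortStatic(real_if, ext_if, tok[2], tok[3],
                                                   port(tok[4]), tok[5], port(tok[6])))
            else:                          # one-to-one static
                cfg.statics.append(Static(real_if, ext_if, tok[2], tok[3]))
        elif tok[0] == "nat":
            cfg.nats.append(NatRule(tok[1].strip("()"), int(tok[2]),
                                    ipaddress.ip_network(f"{tok[3]}/{tok[4]}")))
        elif tok[0] == "global":
            cfg.globals_[(tok[1].strip("()"), int(tok[2]))] = " ".join(tok[3:])
    return cfg


def lookup(cfg, real_if, ext_if, proto, src_ip, src_port):
    """Translation chosen for a packet from src_ip:src_port leaving real_if towards ext_if."""
    for s in cfg.port_statics:
        if (s.real_if, s.ext_if, s.proto, s.real, s.rport) == (real_if, ext_if, proto, src_ip, src_port):
            return "port-static", f"{s.mapped}:{s.mport}"
    for s in cfg.statics:
        if (s.real_if, s.ext_if, s.real) == (real_if, ext_if, src_ip):
            return "static", s.mapped
    addr = ipaddress.ip_address(src_ip)
    for n in cfg.nats:
        if n.real_if == real_if and addr in n.net and (ext_if, n.nat_id) in cfg.globals_:
            return "dynamic", cfg.globals_[(ext_if, n.nat_id)]
    return None, None


def hosts_without_outbound_nat(cfg, real_if="dmz1", ext_if="outside"):
    """DMZ hosts with port statics but no translation for a client connection
    using an ephemeral source port: the situation described in the question."""
    hosts = sorted({s.real for s in cfg.port_statics if s.real_if == real_if})
    return [h for h in hosts if lookup(cfg, real_if, ext_if, "tcp", h, 49152)[0] is None]


# Constructed sample: the question's statics with 203.0.113.10 as the placeholder mapped
# address, plus a hypothetical inside nat/global pair (constructed, not from the thread).
ORIGINAL = """\
static (dmz1,outside) tcp 203.0.113.10 www 192.168.1.54 8080 netmask 255.255.255.255
static (dmz1,outside) tcp 203.0.113.10 https 192.168.1.54 https netmask 255.255.255.255
static (dmz1,outside) tcp 203.0.113.10 3389 192.168.1.54 3389 netmask 255.255.255.255
static (dmz1,outside) tcp 203.0.113.10 6000 192.168.1.54 6000 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The suggested fix from the thread: dynamic NAT for just that host; port restriction
# would be done separately with an access list on the dmz1 interface.
FIXED = ORIGINAL + "nat (dmz1) 1 192.168.1.54 255.255.255.255\n"

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        cfg = parse(text)
        print(name, "src port 8080 ->", lookup(cfg, "dmz1", "outside", "tcp", "192.168.1.54", 8080))
        print(name, "src port 49152 ->", lookup(cfg, "dmz1", "outside", "tcp", "192.168.1.54", 49152))
        print(name, "hosts lacking outbound NAT:", hosts_without_outbound_nat(cfg))
```

Running it shows why the port statics alone are not enough: a connection from the server with source port 8080 is translated to 203.0.113.10:80, but a browser on the server using an ephemeral source port finds no translation and is dropped. Adding the nat (dmz1) 1 line gives that traffic a dynamic translation through the outside interface while the existing port statics, which are checked first, keep working for the published services.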
 
LVL 1

Author Comment

by:marrj
ID: 35160621
That is what we do, just that we use the static command on the PIX. We have over 40 servers and I am the only one messing with the PIX.

I opened up this question because I wanted to know a workaround for the port redirection, in that it was confusing my PIX for regular outbound traffic for this server.

In the course of trying things out I found that it will still take the normal static NAT statement, albeit you have to make the statement after you have the individual port nat statements or it will error out on the port nat statements.
 
LVL 35

Accepted Solution

by:Ernie Beek (earned 2000 total points)
ID: 35161072
Well, personally I think the nat (dmz1) would be a better alternative. But then again, that's up to you of course.