topic Can't connect inside host in Network Security

Can't connect inside host

BarryJoseph — Tue, 12 Mar 2019 03:19:04 GMT

I recently installed a Cisco router between my ISP and my PIX 501. Now I am unable to connect to inside servers. I think the problem is my static NAT entries on the PIX. Can anybody help me out? Thank you!

-Bk

Can't connect inside host

jumora — Tue, 17 Dec 2013 06:06:04 GMT

POst a digram, the show tech of the devices involved, show arp and show ip route of the router and show show arp and show route of the PIX. Also please give TCP/IP setttings of the server to understand how you are routing on that server.

Value our effort and rate the assistance!

Can't connect inside host

BarryJoseph — Tue, 17 Dec 2013 16:41:06 GMT

Hi Jumora,

Thanks for your response! I will gather the information you have requested and post it later this evening (since I don't currently have access to my LAN from outside). Let me clarify to let you know that prior to the change mentioned above I was able to access everything: my web server, PIX, and SSH to an internal linux host. Now I can't access any of these machines.

You asked about the TCP/IP settings of my server? I have included the IP address of my web server on the attached diagram (although I should have added /24 to indicate the subnet mask). I use static addresses for servers. Please let me know what else you need from the server. I can tell you that I haven't made any changes to any of my endpoint devices.

Here is the diagram. As I said I will provide the other information you requested later this evening. Also please let me know if you think of anything else I can provide that will be helpful.

Regards,

Can't connect inside host

jumora — Tue, 17 Dec 2013 17:53:03 GMT

Just the configurations and show would help me decipherer what is going on

I will wait for your posts

Value our effort and rate the assistance!

Re: Can't connect inside host

BarryJoseph — Wed, 18 Dec 2013 01:00:03 GMT

Hi Jumora,

Attached you will find the output of the SHOW commands you have requested. PIX is first, followed by the 1605 router. Please let me know what you think, and if there is additional info I can provide that will make it easier to see what is going on. Also I have hidden the public IP addresses in the router extracts. Let me know if I've removed anything that you need to see.

Thank you,

-Bk

(Apparently there's a limit #files to attach. The final Show ARP attachment will be on the way shortly)

Re: Can't connect inside host

BarryJoseph — Wed, 18 Dec 2013 01:00:56 GMT

And here's the 1605 Show ARP.....

Re: Can't connect inside host

jumora — Wed, 18 Dec 2013 17:20:32 GMT

You left the static PAT configuration on the PIX without migrating it to the router:

static (inside,outside) tcp interface 1701 192.168.1.202 www netmask 255.255.255.255 0 0

The correct line since you are doing NAT on the router would be:

static (inside,outside) tcp interface www 192.168.1.202 www netmask 255.255.255.255 0 0

The Access-list is already created on your PIX to allow incoming connections over port TCP/80 through the interface IP.

FYI: You should consider to NAT only on one device

Value our effort and rate the assistance!

Can't connect inside host

BarryJoseph — Wed, 18 Dec 2013 18:58:05 GMT

Thanks Jumora I can't wait to get home and try this tonight. I figured it was something like that I must have missed. Just wasn't quite sure where to place the entry.

So to be clear I should put "static (inside,outside) tcp interface www ...." instead of "static (inside,outside) tcp interface 1701..." like I had on the PIX? I still want it coming in over port 1701, but translating to www on the inside.

Also in regards to your FYI - I know I have some cleaning up to do. And I will be replacing the PIX with an ASA5505 in the next couple of weeks, so I want to streamline as much as possible. I will remove the NAT entries from the PIX as you have advised.

Thanks again - will chime back in tonight to let you know that it worked!

-BK

Can't connect inside host

BarryJoseph — Thu, 19 Dec 2013 00:06:13 GMT

Hi Jumora,

Well I got home - my high hopes were shot down really quickly! Let me tell you what happened:

- First problem was that I am no longer able to telnet into the 1605 router. I'm not prompted for a password; I get an error "Could not open connection to the host on port 23: Connect failed". Tried from another internal machine, with the same result. This is odd, since it worked yesterday when I pulled the "Show" commands for you. I thought it might be a security incident, but I don't see any changes to any of my configs. So I ended up consoling in to the router.

- Next I tried making the change you recommended. The syntax you provided is for a security appliance only I think; it didn't work on the router. So the conversion I came up with is:

IP NAT INSIDE SOURCE STATIC TCP 192.168.1.202 80 INTERFACE ETHERNET0 1701

Needless to say it didn't work. I eventually get a timeout from the client attempting to make the connection from outside. Does that syntax look correct to you? Or am I missing something else?

Final issue: I thought I would go ahead and clean up NAT entries from the PIX. I removed 2 entries:

- global (outside) 1 interface

- nat (inside) 1 0.0.0.0 0.0.0.0 0 0

After I did so, I lost internet connectivity. Is there something else I need to do first?

Sorry for so many issues. I just want to provide as much information as I can. Please let me know what I'm missing.

Thank you!

Brian

Can't connect inside host

jumora — Thu, 19 Dec 2013 00:53:06 GMT

If you are at home you can call me or give me your phone number so I can call and maybe help you out on a webex??

Value our effort and rate the assistance!

Can't connect inside host

BarryJoseph — Thu, 19 Dec 2013 02:40:45 GMT

Thanks for helping me resolve this!! Will post the final config if anybody wishes to see how jumora made it work.