topic Re: Problems with Windows Server 2008 and static route on Pix in Network Security

Problems with Windows Server 2008 and static route on Pix

mcburneyr — Mon, 11 Mar 2019 19:10:16 GMT

We have recently added two Windows Server 2008 to our existing network. We have an access list for mail and www going to a Windows 2003 Server with no problem. When I create the access list statement to open a specfic port 1153 on a separate Internet IP address and then add the static route to the Windows 2008 server, I loose Internet connection to that server.

Currently I have statements

access-list mailin permit tcp any host X.X.X.44 eq smtp
access-list mailin permit tcp any host X.X.X.44 eq www

static (inside,outside) X.X.X.44 X.X.X.22 netmask 255.255.255.255 0 0

When I create the following statements

access-list mailin permit tcp any host X.X.X.45 eq 1153

static (inside,outside) X.X.X.45 X.X.X.28 netmask 255.255.255.255 0 0

I loose Internet connection on the Windows 2008 server.

Any Ideas..

Re: Problems with Windows Server 2008 and static route on Pix

Kureli Sankar — Tue, 16 Nov 2010 19:40:14 GMT

Hmm doesn't make any sense.

Config looks good.

The only thing I can think of is that the address x.x.x.45 is not routed back to the firewall.

static (inside,outside) X.X.X.45 X.X.X.28 netmask 255.255.255.255 0 0

When you hit x.x.x.45 from a host on the internet do you see hit counts on this acl that you added for port 1153?

I guess not. You need to get with your ISP and ask them if they are routing traffic to the firewall's outside mac-address if traffic is destined to that address x.x.x.45

Before contacting the ISP - try this

Leave the current translation in place for this 2008 server - I am assuming it uses nat/global

configured a static pat

static (inside,outside) tcp interface 1153 x.x.x.28 1153 net 255.255.255.255

and see if this works.

-KS

Re: Problems with Windows Server 2008 and static route on Pix

mcburneyr — Tue, 16 Nov 2010 19:46:43 GMT

static (inside,outside) tcp interface 1153 x.x.x.28 1153 net 255.255.255.255

Are you saying this statement exactly?

OR-

static (inside,outside) tcp X.X.X.45 1153 x.x.x.28 1153 net 255.255.255.255

Re: Problems with Windows Server 2008 and static route on Pix

Kureli Sankar — Tue, 16 Nov 2010 19:50:39 GMT

Remove this:

static (inside,outside) tcp X.X.X.45 1153 x.x.x.28 1153 net 255.255.255.255

and add this

static (inside,outside) tcp interface 1153 x.x.x.28 1153 net 255.255.255.255

let the server take nat/global to go out to the internet just like other hosts. Use this above static pat only for port 1153.

Then try to access the server using the outside interface IP address on port 1153. Yes, that is correct syntax.

-KS

Re: Problems with Windows Server 2008 and static route on Pix

mcburneyr — Tue, 16 Nov 2010 20:06:58 GMT

I added the statement you specified and it seems to be working

as of now. It normallys tkaes a few minutes for me to loose internet. I will check it a

gain in a little while.

Thanks

Re: Problems with Windows Server 2008 and static route on Pix

mcburneyr — Tue, 16 Nov 2010 20:15:05 GMT

Why is the static route to the Windows 2003 server working properly but the

1153 port to the windows 2008 server not working the same way?

Re: Problems with Windows Server 2008 and static route on Pix

Kureli Sankar — Tue, 16 Nov 2010 21:12:55 GMT

Russell,

Are you asking why the static pat to the interface IP works but, the 1-1 static that you added to the x.x.x.45 IP address fails?

It could be because the upstream router is not sending taffic to the the firewall for that IP address as I mentioned earlier. Check with your ISP and ask them if they are sending traffic to the x.x.x.45 address towards the firewall.

-KS