topic Re: Static xlate question in Network Security

Static xlate question

pondersean — Mon, 11 Mar 2019 17:04:38 GMT

Hello everyone,

I am configuring a PIX 501 for a small office situation, and have a server internally that is providing web-based services on two separate ports. What I want to do is map a public IP for each internal service on the same server.

The server is providing web services on ports 80 and 86, and I have configured the static nat as follows:

static (inside,outside) tcp 1.2.3.4 www 192.168.0.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 1.2.3.5 www 192.168.0.2 86 netmask 255.255.255.255 0 0

I also have my ACLs configured to allow traffic on port 80 to those two external IPs. When I look at the log, I see an error about "Deny inbound (no xlate)" for the second entry.

I'm sure that I'm just missing something simple, but for the life of me can't see it. Any help would be appreciated!

Thanks,

Sean

Re: Static xlate question

Kureli Sankar — Wed, 03 Feb 2010 01:20:20 GMT

I do not see anything wrong with the configuration. It appears correct.

Are you seeing these messages?

http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1052137

Pls. copy and paste the exact message. You can make changes to the IP address if you like to match the static pat lines above but, pls. leave the port numbers in tact.

-KS

Re: Static xlate question

pondersean — Wed, 03 Feb 2010 18:37:41 GMT

Interesting. I am now getting this message in the log:

305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80

302013: Built inbound TCP connection 589110 for outside:/53099 (/53099) to inside:192.168.41.10/8501 (a.b.c.d/80)

And I see the hitcount for the permit ACLs incrementing. Yet I cannot actually hit the page, I get timed out. And then I see this:

302014: Teardown TCP connection 589117 for outside:/56504 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout

305012: Teardown static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80 duration 0:02:04

Definitely odd. Any ideas?

-Sean

Re: Static xlate question

Kureli Sankar — Wed, 03 Feb 2010 18:55:10 GMT

305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80

302013: Built inbound TCP connection 589110 for outside:/53099 (/53099) to inside:192.168.41.10/8501 (a.b.c.d/80)

302014: Teardown TCP connection 589117 for outside:/56504 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout

305012: Teardown static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80 duration 0:02:04

static (inside,outside) tcp 1.2.3.4 www 192.168.0.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 1.2.3.5 www 192.168.0.2 86 netmask 255.255.255.255 0 0

The above logs don't match these IPs in the statics.

-KS

Re: Static xlate question

pondersean — Wed, 03 Feb 2010 20:57:50 GMT

You're right, sorry. I edited my paste to hide the IPs on the first one, and wasn't consistent. Here is current:

static (inside,outside) tcp a.b.c.x www 192.168.41.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp a.b.c.y www 192.168.41.10 8501 netmask 255.255.255.255 0 0

and log:

302013: Built inbound TCP connection 590854 for outside:/57930 (/57930) to inside:192.168.41.10/8501 (a.b.c.y/80)

302014: Teardown TCP connection 590854 for outside:/56911 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout

And show xlate outputs:

PAT Global a.b.c.y(80) Local 192.168.41.10(8501)

So it looks like it is translating the IP correctly, and the ACL hitcount is incrementing every time I try to connect to the URL from the outside. Yet it's not completing the session and I'm getting SYN timeouts.

Sorry again for the confusion.

-Sean

Re: Static xlate question

Kureli Sankar — Wed, 03 Feb 2010 21:11:30 GMT

Sean,

static (inside,outside) tcp a.b.c.x www 192.168.41.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp a.b.c.y www 192.168.41.10 8501 netmask 255.255.255.255 0 0

and log:

302013: Built inbound TCP connection 590854 for outside:/57930 (/57930) to inside:192.168.41.10/8501 (a.b.c.y/80)

302014: Teardown TCP connection 590854 for outside:/56911 to inside:192.168.41.10/8501 duration 0:02:01 bytes 0 SYN Timeout

And show xlate outputs:

PAT Global a.b.c.y(80) Local 192.168.41.10(8501)

Are you sure this works internally? Looks like there is no response from the 192.168.41.10 server and that is the reason for the syn timeout syslogs. Does it really listen on tcp 8501?

Are you able to open a browser on that server 192.168.41.10 and load http://192.168.41.10:8501 and load the page? and other hosts in the same segment and other inside segments are able to load the page internally on this server?

-KS

Re: Static xlate question

pondersean — Wed, 03 Feb 2010 22:01:28 GMT

I just tested it on another system on the network, and it failed. Turns out my firewall config was correct, the app developer neglected to open up Windows firewall for the special ports he was utilizing. I went in and opened them, and everything is talking properly.

Thanks for the help, it is much appreciated!

-Sean

Re: Static xlate question

Kureli Sankar — Wed, 03 Feb 2010 22:06:03 GMT

This happens all the time. No worries. The syn timeout syslog gave it away. Logs are our best friend.

Got to remember that.

-KS