Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
771
Views
0
Helpful
5
Replies

Cisco PIX 515E Static Translation Question

Tim Miller
Level 1
Level 1

‎09-24-2015 11:32 AM - edited ‎03-11-2019 11:38 PM

I have the following static entries in my firewall.  One works and the other doesn't.  I just added the second entry below today and I see it build in my logs but no connection is established to the remote end.

 

static (inside,ICS) 192.168.50.97 192.168.88.97 netmask 255.255.255.255 0 0  works

static (inside,ICS) 192.168.50.14 192.168.80.14 netmask 255.255.255.255 0 0  will not work

 

log results for working connection

2015-09-24 10:59:43 Local4.Info 192.168.80.5 Sep 24 2015 10:17:46: %PIX-6-302013: Built inbound TCP connection 9422018 for ICS:192.168.50.9/59667 (192.168.50.9/59667) to inside:192.168.80.97/25 (192.168.50.97/25)
2015-09-24 10:59:44 Local4.Info 192.168.80.5 Sep 24 2015 10:17:47: %PIX-6-302014: Teardown TCP connection 9422018 for ICS:192.168.50.9/59667 to inside:192.168.80.97/25 duration 0:00:01 bytes 1367 TCP Reset-O

 

log results for non working connection

2015-09-24 11:03:56 Local4.Info 192.168.80.5 Sep 24 2015 10:21:59: %PIX-6-302013: Built inbound TCP connection 9422280 for ICS:192.168.50.9/59676 (192.168.50.9/59676) to inside:192.168.80.14/25 (192.168.50.14/25)

then nothing else gets logged and the connection from the host drops
 

 

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎09-24-2015 11:54 AM

Tim

Scratch that, I think I am reading the logs incorrectly.

Can you just confirm that the static statements are correct as they don't quite match up with the logs.

Jon

0 Helpful

Tim Miller
Level 1
Level 1
In response to Jon Marshall

‎09-24-2015 12:28 PM

Jon, The static statements match our physical configuration and we are simply trying to connect from host 192.168.50.9 to translated addresses that connect to both 192.168.80.97 and 192.168.80.14.

The connection works and I'm fine to 192.168.80.97's translated address.  No luck to .14.

 

Thanks

 

.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Tim Miller

‎09-24-2015 12:31 PM

Tim

Yes, sorry, had a bit of a moment reading the logs :-)

Do you have any acls that could be blocking the connection ?

Does the server that isn't working have the same default gateway as the one that is ?

Jon

 

0 Helpful

Tim Miller
Level 1
Level 1
In response to Jon Marshall

‎09-24-2015 12:40 PM

I'm not seeing any acsls but the gateway question does make me think of something that we had to do as a workaround many moons ago.  It could be as simple as a route that I've had to manually put in place.

 

Thanks for that question.

0 Helpful

Peter Koltl
Level 7
Level 7
In response to Tim Miller

‎09-26-2015 12:44 PM

please type

show conn det long | inc 192.168.50.14|192.168.80.14

while connecting

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card