Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
584
Views
0
Helpful
5
Replies

PIX 506 doesn't work with STATIC entry

Lifeware.ch
Level 1
Level 1

‎08-15-2003 01:06 PM - edited ‎02-20-2020 10:56 PM

Hi

We got a couple PIX all running 6.3(1). For some strange reason on one of them I can not create a static translation for a server (http). As soon as I enter the static-command the server is unable to get onto the internet and is also invisible to the internet. In other words the static doesn't create what it should - it just breaks the servers connection to the internet.

I got the same commands running on a different box and they work there (www, smtp, and so on).

relevant commands:

--------------------

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

access-list ACL_OUT permit tcp any host 210.4.6.7 eq www

static (inside,outside) 210.4.6.7 192.168.1.100 netmask 255.255.255.255 0 0

Thanks for any help

0 Helpful
5 Replies 5

gfullage
Cisco Employee
Cisco Employee

‎08-15-2003 06:14 PM

Sounds like your ISP hasn't allocated or routed 210.4.6.7 to you correctly. When you add this static in, any outbound traffic from this web server is going to be changed to 210.4.6.7. when that traffic returns, if your ISP is not routing that IP address to you properly then the packets aren't going to get to you. Check with them and make sure they've got everything set up correctly for that IP address.

0 Helpful

Lifeware.ch
Level 1
Level 1
In response to gfullage

‎08-15-2003 06:43 PM

I have pluged a pc directly onto the outside router and set the IP to 210.4.6.7 - as expected it worked. With the firewall I can even ping the ip. When I remove

access-list ACL_OUT permit icmp any any

then it stops responding to pings.

So it responds to pings although the box is not able to connect to the internet?!

I've never had a Pix play such games on me. This is usually a 2 minute job... (static then access-list).

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to Lifeware.ch

‎08-15-2003 08:45 PM

OK, good testing.

I can telnet to 210.4.6.7 on port 80 from here and I get connected, so if this is currently behind the PIX then the IP connectivity sems to be working OK. However, web browsing from here doesn't show up anything.

We really need to see the syslogs on the PIX to see what's going on. Do the following:

> logging on

> logging buffer debug

then try a connection from the outside to this web server, and also try an outbound connection from this web server, then send us the log file.

Also, keep in mind that if you've had a PC on the outside at 210.4.6.7 and then you move this behind the PIX, you will need to clear the ARP table on your outside router, since the ARP entry won't time out for 3 hours (on a Cisco router anyway).

0 Helpful

tvanginneken
Level 4
Level 4

‎08-16-2003 05:42 AM

Hi,

try removing your static command and replace it with this one:

static (inside,outside) tcp 210.4.6.7 www 192.168.1.100 www netmask 255.255.255.255

Kind Regards,

Tom

static (inside,outside) tcp interface 80 92.168.1.1080 $

0 Helpful

Lifeware.ch
Level 1
Level 1
In response to tvanginneken

‎08-16-2003 05:21 PM

I connected today via SSH and changed the static command to:

static(inside,outside) interface 192.168.1.100

In that second I lost the SSH connection and was unable to reconnect.

Btw the ip 210.4.6.7 is just fictous.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card