11-21-2003 02:04 AM - edited 02-20-2020 11:06 PM
I am attempting to port redirect from 1 external address to 2 internal machines, 1 www and 1 smtp. All works fine for a few minutes, and then inbound traffic to the mailhost stops flowing. Showing xlate tables shows build of inbound connections but no traffic flows. If I remove port redirection and have a static mapping for the machine there is no problem. Viewing the debug for the connection I get SYN timeout after timeout period???
Any ideas most appreciated.
11-21-2003 07:31 AM
Hi,
Sounds like a mis-config. Can you post your configuration (with IP's consistently changed and passwords removed) for review? Also, the sh output you have would be helpful as well.
Scott
11-24-2003 03:18 AM
OLD config that did not work.
access-list inbound permit tcp any host XX.XX.XX.195 eq https
access-list inbound permit tcp any host XX.XX.XX.194 eq smtp
access-list inbound permit tcp any host XX.XX.XX.194 eq www
access-list inbound deny ip any any
access-group inbound in interface outside
static (inside,outside) XX.XX.XX.195 192.168.255.12 netmask 255.255.255.255 20 0
static (inside,outside) tcp XX.XX.XX.194 smtp 192.168.255.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.XX.XX.194 www 192.168.255.18 www netmask 255.255.255.255 0 0
NEW config that does.
access-list inbound permit tcp any host XX.XX.XX.195 eq https
access-list inbound permit tcp any host XX.XX.XX.194 eq smtp
access-list inbound permit tcp any host XX.XX.XX.197 eq www
access-list inbound deny ip any any
static (inside,outside) XX.XX.XX.195 192.168.255.12 netmask 255.255.255.255 20 0
static (inside,outside) XX.XX.XX.194 192.168.255.10 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.197 192.168.255.18 netmask 255.255.255.255 0 0
access-group inbound in interface outside
11-24-2003 08:08 AM
Thanks. Clearly #2 is going to work but I am guessing this is not what you are wanting to configure. Can you post the rest of your config (specifically all of the NAT config)? Also, I would be interested in seeing the output from a 'sh x detail' when the problem is occurring.
Scott
11-24-2003 08:26 AM
FYI
The clear xlate allows traffic to flow normally for a while.
06-16-2004 06:43 AM
Did you ever find a solution to this? I am having the exact same issue. Thanks.
06-17-2004 02:25 AM
No solution yet!
Luckily I had a few IP's spare
11-24-2003 04:12 AM
Also if I do a clear xlate, traffic starts flowing again for a short time.
07-13-2004 07:46 AM
Hello all,
Did you find a work-around to this issue? I have exactly the same problem, resolved temporarily when doing a clear xlate.
Thanks for your help.
07-13-2004 09:11 AM
I found that adding a PAT statement to my config for that same IP address fixed my issue:
static (inside,outside) tcp 12.x.x.186 smtp 10.110.4.178 smtp netmask 255.255.255.255
Then
global (outside) 2 12.x.x.186
nat (inside) 2 10.110.4.178 255.255.255.255
That seemed to solve my issue. Good luck!
07-13-2004 05:53 PM
Your initial static translation had a 20 0 at the end of the static statement. That is your problem because it allows 20 translated sessions for that IP. That is also why, when you do a clear xlate, it starts to work again.
Thanks,
Faisal
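Added example, not part of any post in this thread: on a PIX `static` statement the two trailing numbers are the maximum-connection and embryonic-connection limits, with 0 meaning unlimited. The sketch below parses the "OLD" static lines posted above and reports which global address carries a non-zero limit and which one is shared by several port redirections; the function names `parse_static` and `audit` are hypothetical, and it assumes the interface pair is written without spaces, as in this thread.

```python
from collections import defaultdict

# Constructed sample: the three "OLD" static lines posted earlier in the thread.
SAMPLE = """\
static (inside,outside) XX.XX.XX.195 192.168.255.12 netmask 255.255.255.255 20 0
static (inside,outside) tcp XX.XX.XX.194 smtp 192.168.255.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp XX.XX.XX.194 www 192.168.255.18 www netmask 255.255.255.255 0 0
"""

def parse_static(line):
    """Parse one PIX 'static' line; return a dict, or None if it is not one."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    entry = {"ifaces": tok[1].strip("()"), "max_conns": 0, "emb_limit": 0}
    rest = tok[2:]
    if rest[0] in ("tcp", "udp"):            # port redirection (static PAT)
        if len(rest) < 5:
            return None
        entry.update(kind="port", proto=rest[0], global_ip=rest[1],
                     global_port=rest[2], local_ip=rest[3], local_port=rest[4])
        rest = rest[5:]
    else:                                    # one-to-one static NAT
        entry.update(kind="host", global_ip=rest[0], local_ip=rest[1])
        rest = rest[2:]
    if len(rest) >= 2 and rest[0] == "netmask":
        entry["netmask"], rest = rest[1], rest[2:]
    # Optional trailing numbers: max_conns, then emb_limit (0 = unlimited).
    limits = [int(t) for t in rest[:2] if t.isdigit()]
    for key, value in zip(("max_conns", "emb_limit"), limits):
        entry[key] = value
    return entry

def audit(config_text):
    """Return findings: non-zero connection limits and shared port-redirect IPs."""
    entries = [e for e in map(parse_static, config_text.splitlines()) if e]
    findings = [("conn-limit", e["global_ip"], e["max_conns"], e["emb_limit"])
                for e in entries if e["max_conns"] or e["emb_limit"]]
    shared = defaultdict(list)
    for e in entries:
        if e["kind"] == "port":
            shared[e["global_ip"]].append(f"{e['proto']}/{e['global_port']}")
    findings += [("shared-redirect-ip", ip, ports)
                 for ip, ports in shared.items() if len(ports) > 1]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
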
07-28-2004 12:30 PM
I also noticed a similar scenario: https works sometimes and other times it does not. To fix that you have to disable your ip http server, or PDM.
08-05-2004 06:24 AM
So are you allowing remote hosts to access an internal server/service via the web but instead of http you are using https for more security?
I am about to implement this and was wondering if we would be better off using https than http? Although we were not doing "any host", just a specific remote IP from a customer.
But, if I do this I'd have to take out my PDM services to allow this to work reliably?
Thanks!!!!