
Problems with Windows Server 2008 and static route on Pix

mcburneyr
Level 1

We have recently added two Windows Server 2008 to our existing network. We have an access list for mail and www going to a Windows 2003 Server with no problem. When I create the access list statement to open a specific port 1153 on a separate Internet IP address and then add the static route to the Windows 2008 server, I lose Internet connection to that server.

Currently I have statements

access-list mailin permit tcp any host X.X.X.44 eq smtp
access-list mailin permit tcp any host X.X.X.44 eq www

static (inside,outside) X.X.X.44 X.X.X.22 netmask 255.255.255.255 0 0

When I create the following statements

access-list mailin permit tcp any host X.X.X.45 eq 1153

static (inside,outside) X.X.X.45 X.X.X.28 netmask 255.255.255.255 0 0

I lose Internet connection on the Windows 2008 server.

Any Ideas..

6 Replies

Kureli Sankar
Cisco Employee

Hmm doesn't make any sense.

Config looks good.

The only thing I can think of is that the address x.x.x.45 is not routed back to the firewall.

static (inside,outside) X.X.X.45 X.X.X.28 netmask 255.255.255.255 0 0

When you hit x.x.x.45 from a host on the internet do you see hit counts on this acl that you added for port 1153?

I guess not.  You need to get with your ISP and ask them if they are routing traffic to the firewall's outside mac-address if traffic is destined to that address x.x.x.45

Before contacting the ISP - try this

Leave the current translation in place for this 2008 server - I am assuming it uses nat/global

configure a static PAT

static (inside,outside) tcp interface 1153  x.x.x.28 1153 net 255.255.255.255

and see if this works.

-KS

static (inside,outside) tcp interface 1153  x.x.x.28 1153 net 255.255.255.255

Are you saying this statement exactly?

OR-

static (inside,outside) tcp X.X.X.45 1153  x.x.x.28 1153 net 255.255.255.255

Remove this:

static (inside,outside) tcp X.X.X.45 1153  x.x.x.28 1153 net 255.255.255.255

and add this

static (inside,outside) tcp interface 1153  x.x.x.28 1153 net 255.255.255.255

let the server take nat/global to go out to the internet just like other hosts.  Use this above static pat only for port 1153.

Then try to access the server using the outside interface IP address on port 1153. Yes, that is correct syntax.

-KS

I added the statement you specified and it seems to be working as of now. It normally takes a few minutes for me to lose Internet. I will check it again in a little while.

Thanks

Why is the static route to the Windows 2003 server working properly but the 1153 port to the Windows 2008 server not working the same way?

Russell,

Are you asking why the static pat to the interface IP works but, the 1-1 static that you added to the x.x.x.45 IP address fails?

It could be because the upstream router is not sending traffic to the firewall for that IP address as I mentioned earlier. Check with your ISP and ask them if they are sending traffic to the x.x.x.45 address towards the firewall.

-KS
