11-16-2010 11:20 AM - edited 03-11-2019 12:10 PM
We have recently added two Windows Server 2008 systems to our existing network. We have an access list for mail and www going to a Windows 2003 Server with no problem. When I create the access list statement to open a specific port 1153 on a separate Internet IP address and then add the static route to the Windows 2008 server, I lose Internet connection to that server.
Currently I have statements
access-list mailin permit tcp any host X.X.X.44 eq smtp
access-list mailin permit tcp any host X.X.X.44 eq www
static (inside,outside) X.X.X.44 X.X.X.22 netmask 255.255.255.255 0 0
When I create the following statements
access-list mailin permit tcp any host X.X.X.45 eq 1153
static (inside,outside) X.X.X.45 X.X.X.28 netmask 255.255.255.255 0 0
I lose Internet connection on the Windows 2008 server.
Any ideas?
11-16-2010 11:40 AM
Hmm, doesn't make any sense.
Config looks good.
The only thing I can think of is that the address x.x.x.45 is not routed back to the firewall.
static (inside,outside) X.X.X.45 X.X.X.28 netmask 255.255.255.255 0 0
When you hit x.x.x.45 from a host on the internet do you see hit counts on this acl that you added for port 1153?
I guess not. You need to get with your ISP and ask them if they are routing traffic to the firewall's outside MAC address if traffic is destined to that address x.x.x.45.
Before contacting the ISP - try this
Leave the current translation in place for this 2008 server - I am assuming it uses nat/global.
Configure a static PAT:
static (inside,outside) tcp interface 1153 x.x.x.28 1153 net 255.255.255.255
and see if this works.
-KS
11-16-2010 11:46 AM
static (inside,outside) tcp interface 1153 x.x.x.28 1153 net 255.255.255.255
Are you saying this statement exactly?
OR:
static (inside,outside) tcp X.X.X.45 1153 x.x.x.28 1153 net 255.255.255.255
11-16-2010 11:50 AM
Remove this:
static (inside,outside) tcp X.X.X.45 1153 x.x.x.28 1153 net 255.255.255.255
and add this:
static (inside,outside) tcp interface 1153 x.x.x.28 1153 net 255.255.255.255
Let the server take nat/global to go out to the internet just like other hosts. Use the above static PAT only for port 1153.
Then try to access the server using the outside interface IP address on port 1153. Yes, that is correct syntax.
-KS
11-16-2010 12:06 PM
I added the statement you specified and it seems to be working as of now. It normally takes a few minutes for me to lose internet. I will check it again in a little while.
Thanks
11-16-2010 12:15 PM
Why is the static route to the Windows 2003 server working properly but the 1153 port to the Windows 2008 server not working the same way?
11-16-2010 01:12 PM
Russell,
Are you asking why the static PAT to the interface IP works but the 1-1 static that you added to the x.x.x.45 IP address fails?
It could be because the upstream router is not sending traffic to the firewall for that IP address, as I mentioned earlier. Check with your ISP and ask them if they are sending traffic to the x.x.x.45 address towards the firewall.
-KS
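As an added example (not from the thread or from Cisco), a small Python audit of the 8.2-style `access-list` / `static` syntax used above: it flags ACL entries whose destination host is not covered by either a 1-to-1 static or a static PAT, which is the leftover you get when the x.x.x.45 static is removed as KS suggested but the ACL line for it stays. The configuration lines, the outside interface address and the inside addresses are constructed placeholders, and the code assumes the exact line shapes shown in the thread.

```python
import re

# Constructed sample in the thread's (ASA 8.2-style) syntax; addresses are placeholders.
# The .45 ACL entry is still present, but its 1-to-1 static has been replaced by the
# interface PAT, so nothing translates that destination any more.
SAMPLE_CONFIG = """
access-list mailin permit tcp any host 198.51.100.44 eq smtp
access-list mailin permit tcp any host 198.51.100.44 eq www
access-list mailin permit tcp any host 198.51.100.45 eq 1153
access-list mailin permit tcp any host 198.51.100.1 eq 1153
static (inside,outside) 198.51.100.44 10.0.0.22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1153 10.0.0.28 1153 netmask 255.255.255.255
"""
OUTSIDE_IF_IP = "198.51.100.1"  # assumed outside interface address (constructed)

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443}
ACL_RE = re.compile(r"^access-list\s+\S+\s+permit\s+(tcp|udp)\s+\S+\s+host\s+(\S+)\s+eq\s+(\S+)$")
# Either "static (in,out) <proto> <global-ip|interface> <gport> <local-ip> <lport> net..."
# or     "static (in,out) <global-ip> <local-ip> net..."
STATIC_RE = re.compile(
    r"^static\s+\(\S+,\S+\)\s+(?:(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)|(\S+)\s+(\S+))\s+net")


def port_number(p):
    """Normalise 'smtp'/'www'/'1153' to an integer so ACL and PAT ports compare."""
    return int(p) if p.isdigit() else PORT_NAMES[p]


def parse(config):
    """Return (acl_entries, one_to_one, pat) from the 8.2-style lines."""
    acl, one_to_one, pat = [], {}, {}
    for line in config.splitlines():
        if m := ACL_RE.match(line.strip()):
            proto, dst, port = m.groups()
            acl.append((proto, dst, port_number(port)))
        elif m := STATIC_RE.match(line.strip()):
            proto, gip, gport, lip, lport, g1, l1 = m.groups()
            if proto:   # static PAT: one global (ip or 'interface') port -> local port
                pat[(gip, proto, port_number(gport))] = (lip, port_number(lport))
            else:       # 1-to-1 static: whole global address -> local address
                one_to_one[g1] = l1
    return acl, one_to_one, pat


def audit(config, outside_if_ip):
    """List ACL entries that no static translation can deliver to an inside host."""
    acl, one_to_one, pat = parse(config)
    findings = []
    for proto, dst, port in acl:
        if dst in one_to_one:
            continue                              # 1-to-1 static covers every port
        key = "interface" if dst == outside_if_ip else dst
        if (key, proto, port) in pat:
            continue                              # static PAT covers exactly this port
        findings.append(f"{proto}/{port} to {dst}: permitted by ACL but no static/PAT translates it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, OUTSIDE_IF_IP):
        print(finding)
```

Hit counters on the ACL (as KS asks about) tell you whether packets arrive at all; this check only tells you whether the firewall could translate them once they do.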