11-07-2005 01:54 AM - edited 03-09-2019 12:57 PM
Hi,
I am using a PIX 515E with outside IP x.x.x.76. I have a mail server in the DMZ; its global IP is x.x.x.75. All NAT has already been configured and it is working fine.
After a period of time (2 - 4 weeks), the mail server cannot access the Internet. The DSL line is up, since my inside host can go online. My inside host can access and ping the mail server (with its DMZ IP, not the global IP). All configuration remains unchanged. I have no idea what is happening or how to solve it.
I tried changing my outside IP to x.x.x.75 and it works; the mail server can send and receive mail as normal. Then I just switched it back to x.x.x.76. I know this is not the correct way because the problem will come back.
I just wonder what the cause is in my case. Is there any threshold or limit that causes this? Or will a long period of silence (no traffic going through the DMZ to inside or outside) affect this?
Thank you.
11-07-2005 05:25 AM
You mentioned, "the mail server can't access internet". Just wondering if you are referring to ping or browsing or both.
Also, you mentioned you changed the PIX outside IP from .76 to .75 and it worked, as well as the mail server. Do you mean you were doing port forwarding?
I understand that the config has not been modified, but would you please post it? Just in case.
11-07-2005 06:38 PM
Thanks for the reply.
1) I mean that the mail server cannot go through the outside interface, both ping and browsing.
2) I just issued "ip address outside x.x.x.75 255.255.255.248" to change the IP and everything went back to normal: my mail server can access the outside (ping and browsing).
3) Attached is my config for your reference.
Thanks a lot!!
11-07-2005 07:41 PM
Do "de ic t", then kick off a ping from the mail server to the internet.
The output of "de ic t" would verify the xlate as well as the routing.
11-08-2005 12:05 AM
I do not have the PIX with me right now. I cannot test this.
I tried "show xlate" before, when the problem occurred; no PAT entry was found mapping the mail server's local IP to the global IP (I tried to ping my ISP DNS server and to browse). Does this help?
11-08-2005 03:26 AM
No PAT entry at all for the mail server? If so, I guess you should do "de ic t" and kick off the ping from the mail server to the internet.
In case the "de ic t" doesn't yield any output related to the mail server pinging, that means the connectivity is lost. If this is the case, try pinging the PIX DMZ interface from the mail server.
02-28-2006 03:02 AM
Hi jackko,
The problem came back twice after my first post. I know it was a bit of a long time ago, but I hope to get your assistance.
My mail server in the DMZ cannot access the Internet again. I did the "de ic t"; I can see the PIX receive the mail server's ping request and translate the IP from 192.168.1.1 to x.x.x.75. Below is the debug result:
29: ICMP echo-request from dmz:192.168.1.1 to 202.188.0.133 ID=15120 seq=14 length=64
30: ICMP echo-request: translating dmz:192.168.1.1/15120 to outside:x.x.x.75/5
31: ICMP echo-request from dmz:192.168.1.1 to 202.188.0.133 ID=15120 seq=15 length=64
32: ICMP echo-request: translating dmz:192.168.1.1/15120 to outside:x.x.x.75/5
All the inside hosts can access the Internet (they are translated to the outside interface IP x.x.x.76 to route out).
While this was happening, I tried disconnecting the PIX from the Internet and connecting my laptop directly to the modem to test x.x.x.75 and .76; both IPs are working.
To solve this, I just need to change the PIX outside interface IP to x.x.x.75 (somehow like triggering the line) and the mail server in the DMZ can ping out to the Internet. After that, I change the outside IP back to x.x.x.76.
The problem is, is this caused by the PIX failing to "global" the x.x.x.75, or is the ISP side having a problem talking with the PIX?
Please help.... thanks a lot!!!!
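Added example, not part of the original thread: a small Python script that reads "de ic t" output like the lines quoted above and reports, per local host, whether echo-requests were seen, translated and answered. The sample is the four lines from the post; the function names and the echo-reply line format are assumptions, since no reply line appears in the thread.

```python
import re
from collections import defaultdict

# Sample input: the four debug lines quoted in the post above.
SAMPLE = """\
29: ICMP echo-request from dmz:192.168.1.1 to 202.188.0.133 ID=15120 seq=14 length=64
30: ICMP echo-request: translating dmz:192.168.1.1/15120 to outside:x.x.x.75/5
31: ICMP echo-request from dmz:192.168.1.1 to 202.188.0.133 ID=15120 seq=15 length=64
32: ICMP echo-request: translating dmz:192.168.1.1/15120 to outside:x.x.x.75/5
"""

REQ = re.compile(r"ICMP echo-request from \w+:(\S+) to (\S+) ID=\d+ seq=\d+")
XLATE = re.compile(r"ICMP echo-request: translating \w+:(\S+)/\d+ to \w+:(\S+)/\d+")
# Assumed format: no echo-reply line appears in the thread.
REPLY = re.compile(r"ICMP echo-reply from \w+:(\S+)")


def summarize(trace):
    """Group trace lines by the local host that sent the pings."""
    hosts = defaultdict(lambda: {"requests": 0, "targets": set(),
                                 "translated_to": set(), "replies": 0})
    for line in trace.splitlines():
        if m := REQ.search(line):
            hosts[m.group(1)]["requests"] += 1
            hosts[m.group(1)]["targets"].add(m.group(2))
        elif m := XLATE.search(line):
            hosts[m.group(1)]["translated_to"].add(m.group(2))
        elif m := REPLY.search(line):
            # Credit the reply to every host that pinged this address.
            for h in hosts.values():
                if m.group(1) in h["targets"]:
                    h["replies"] += 1
    return dict(hosts)


def verdict(summary, host):
    """One-line status for a local host IP, in the order the thread checks."""
    h = summary.get(host)
    if h is None or h["requests"] == 0:
        return "no echo-request seen from host"
    if not h["translated_to"]:
        return "echo-request seen, no translation"
    if h["replies"] == 0:
        return "translated, no echo-reply seen"
    return "translated, echo-reply seen"


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for host in summary:
        print(host, "->", verdict(summary, host))
```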
03-06-2006 06:25 PM
Can anyone help, please? Thank you very much.