help with PIX nat'ing

Status
Not open for further replies.

cyr0n_k0r

So I am running a PIX 515E on 6.3.

I had a friend using some IPs that were pointed to one of my virtual machines, but I had him move them over to some other IPs since I needed to reclaim them.

The IPs he was using were
x.x.x.6
x.x.x.7

All entries on the firewall have been modified correctly, and x.x.x.7 now correctly points to the new server, but for some reason x.x.x.6 just does not forward correctly. It's like the server isn't there. If I point, let's say, x.x.x.99 to the server, everything works fine; something funky is up with this x.x.x.6 IP.

I have a feeling something is maintaining some kind of open connection or something, but "show conn" doesn't list anything that I can see going to any of the old or new internal IPs.

Here are the relevant configs.

: service object-group wrapping TCP/80, referenced by the outside ACL below
object-group service rps tcp
port-object eq www

: permit inbound TCP/80 from anywhere to the public address
access-list acl_out permit tcp any host x.x.x.6 object-group rps
: one-to-one static NAT: public x.x.x.6 <-> inside 10.128.1.32
static (inside,outside) x.x.x.6 10.128.1.32 netmask 255.255.255.255 0 0

: outbound PAT for everything else, using the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: bind the ACL inbound on the outside interface
access-group acl_out in interface outside

firewall# ping 10.128.1.32
10.128.1.32 response received -- 0ms
10.128.1.32 response received -- 0ms
10.128.1.32 response received -- 0ms

So the firewall sees the IP, but when trying to access the server from the outside I am not seeing anything. I've confirmed the server is working, and I can get to the web interface on the local server and from other servers inside the LAN.
 
Did you do a "clear xlate" after you modified the static statement?

Also, I'm pretty sure your ping is working, except the echo-reply from the server is just being dropped by the PIX. I don't remember the 6.3 commands, since they are different from 7.x+, but I'm pretty sure you need to add that to the config.

Also, a "sh arp" will let you know if the host is actually reachable, versus pinging. Personally, I rarely use ping to troubleshoot anything involving a firewall.

And upgrade that thing to 7.anything while you are at it. 6.3 was crap to work on. Conduit commands FTMFL.
 
Oh man! clear xlate worked!!!

I need to research that command.

And I know, I know about 6.3. I am retiring it and replacing it with dual 5505 ASAs in about 2 more months.
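The check-and-clear sequence behind the fix above, written out as an added example (not part of the thread, and not the poster's own commands). It assumes the same placeholder addresses and the same 6.3 command syntax as the config in the first post. The point a practitioner wants here is that editing a static on 6.3 does not evict the translation already sitting in the xlate table, and that the clear can be scoped to the one global address instead of flushing the whole table:

```text
: Added example: find and clear a stale static translation on PIX 6.3.
: Addresses are the placeholders from the thread, not real values.

: 1. Show what the PIX currently translates x.x.x.6 to. If the old local
:    address is still listed here after the static was edited, that stale
:    entry keeps winning over the new static.
firewall# show xlate global x.x.x.6

: 2. Clear only the translation for that global address. A bare
:    "clear xlate" drops every active translation and every connection
:    that depends on one, so scope it when you can.
firewall# clear xlate global x.x.x.6

: 3. Confirm the table now holds the new mapping to 10.128.1.32.
firewall# show xlate global x.x.x.6

: 4. Confirm the outside ACL is actually matching traffic to the host;
:    hitcnt on the acl_out line should increment while a client connects.
firewall# show access-list acl_out

: 5. Check inside reachability without relying on ICMP: a resolved ARP
:    entry means the PIX has the host's MAC on the inside interface.
firewall# show arp

: 6. If it still fails, capture what the outside interface sees for the
:    ACL's traffic and read it back, then remove the capture.
firewall# capture cap6 access-list acl_out interface outside
firewall# show capture cap6
firewall# no capture cap6
```

One caveat on the ping in the first post: it was sourced from the PIX itself, so the interface ACL never applied to it and it says nothing about inbound traffic through the firewall. The echo-reply problem the reply describes applies to pings that transit the PIX from outside, which on 6.3 need either an ACL entry permitting the reply (for example `access-list acl_out permit icmp any host x.x.x.6 echo-reply`) or stateful ICMP via `fixup protocol icmp`.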
 