Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
I seem to have a problem because of a conflict between the static PAT and the nat/global pool. I have a config with the following statics and ACLs. (184.108.40.206 and 192.168.10.3 are two addresses on the same adapter in the same server)

static (dmz,outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0
static (dmz,outside) 212.xx.xx.5 192.168.10.3 netmask 255.255.255.255 0 0
access-list 100 line 7 permit tcp any host 212.xx.xx.4 eq www
access-list 100 line 8 permit tcp any host 212.xx.xx.5 eq ftp
access-list 100 line 9 permit tcp any host 212.xx.xx.5 eq ftp-data

With this new config, once I have issued "cl xlate" I can externally use the website and the FTP site. However, as soon as the server (220.127.116.11/3) connects to the internet the static PAT stops working:

static (dmz,outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0

Interestingly the one-to-one static (ftp) continues to work. If I do a "show xlate" it mentions "Global 212.xx.xx.22 Local 192.168.10.2". Presumably this is why it isn't working, as it has now taken an address from the global pool and is no longer using 212.xx.xx.4. I'm not sure why this conflict happens? Any help much appreciated.

Dan
Hello Dan,

Please note that you have done a static for 192.168.10.2 only for the traffic on tcp local 5080. Due to this, any other traffic, like browsing etc., will not be statically NATed and will take a global IP. The FTP works because it is a pure static NAT and not a static PAT as done for 192.168.10.2.

Change the static PAT into a static NAT if the server 192.168.10.2 is going to use other applications:

static (dmz,outside) 212.xx.xx.4 192.168.10.2 netmask 255.255.255.255 0 0

Change this and let us know if it solves your problem.

All the best.. rate all replies if found useful...
Hi Dan,

If you are going to access the webserver on port 5080 directly, by typing some sort of URL like www.xyz.com:5080, then you can do a direct static NAT, as told by me in my last post, and open port 5080 on the PIX for incoming connections. By doing this you can still reach the webserver on port 5080. No need of static PAT.

Hope this helps.

All the best !!
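The two replies above come down to one configuration check: a host that only has port-level static PAT entries and also sits inside a dynamic nat/global pool will send its remaining outbound traffic through the pool, and the reply's fix is a one-to-one static for that host. The following audit script is an added example written for this thread, not code from the original posts or from Cisco. It parses a PIX 6.x-style config and flags exactly that pattern. The addresses (203.0.113.x in place of 212.xx.xx.x), the interface names and the nat/global lines are constructed placeholders; the thread does not show its nat/global statements.

```python
"""Flag hosts that rely on static PAT alone while also covered by a dynamic nat pool.

Added example for this thread (not the poster's or Cisco's code). The config
samples below are constructed; 203.0.113.x stands in for the thread's 212.xx.xx.x.
"""
import ipaddress
import re
from collections import defaultdict

# static (real,mapped) tcp|udp GLOBAL_IP GLOBAL_PORT LOCAL_IP LOCAL_PORT netmask MASK ...
STATIC_PAT = re.compile(
    r"^static\s*\((?P<real>\w+),(?P<mapped>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<gip>\S+)\s+(?P<gport>\S+)\s+(?P<lip>\S+)\s+(?P<lport>\S+)\s+netmask\s+(?P<mask>\S+)"
)
# static (real,mapped) GLOBAL_IP LOCAL_IP netmask MASK ...   (one-to-one static NAT)
STATIC_NAT = re.compile(
    r"^static\s*\((?P<real>\w+),(?P<mapped>\w+)\)\s+(?P<gip>\S+)\s+(?P<lip>\S+)\s+netmask\s+(?P<mask>\S+)"
)
# nat (real) ID NETWORK MASK ...   (dynamic NAT into the matching global pool)
NAT_RULE = re.compile(r"^nat\s*\((?P<real>\w+)\)\s+(?P<id>\d+)\s+(?P<net>\S+)\s+(?P<mask>\S+)")

# Constructed sample modelled on the thread: static PAT for the web server,
# one-to-one static for the FTP server, and an assumed dynamic pool for the DMZ.
SAMPLE_CONFIG = """
nat (dmz) 1 192.168.10.0 255.255.255.0 0 0
global (outside) 1 203.0.113.20-203.0.113.30
static (dmz,outside) tcp 203.0.113.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.5 192.168.10.3 netmask 255.255.255.255 0 0
"""

# Same config with the reply's fix applied: a one-to-one static for 192.168.10.2.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "static (dmz,outside) 203.0.113.4 192.168.10.2 netmask 255.255.255.255 0 0\n"
)


def parse_config(text):
    """Return (port-level statics per local IP, one-to-one statics, dynamic nat rules)."""
    pats = defaultdict(list)  # local IP -> list of PAT entry dicts
    one_to_one = {}           # local IP -> global IP
    nats = []                 # (real interface, nat id, ip_network)
    for raw in text.splitlines():
        line = raw.strip()
        # The PAT pattern must be tried first; the NAT pattern would otherwise
        # match a PAT line with "tcp" captured as the global address.
        if m := STATIC_PAT.match(line):
            pats[m["lip"]].append(m.groupdict())
        elif m := STATIC_NAT.match(line):
            one_to_one[m["lip"]] = m["gip"]
        elif m := NAT_RULE.match(line):
            try:
                net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            except ValueError:
                continue  # e.g. "nat (dmz) 0 access-list ..." has no network/mask pair
            nats.append((m["real"], int(m["id"]), net))
    return pats, one_to_one, nats


def audit(text):
    """List hosts whose only statics are port-level PAT while a dynamic nat rule covers them."""
    pats, one_to_one, nats = parse_config(text)
    findings = []
    for lip, entries in pats.items():
        if lip in one_to_one:
            continue  # a one-to-one static already fixes this host's global address
        host = ipaddress.ip_address(lip)
        # nat id 0 is identity/exempt NAT, not a pool, so it is not a conflict.
        pool_ids = sorted({nid for _, nid, net in nats if nid != 0 and host in net})
        if not pool_ids:
            continue
        first = entries[0]
        findings.append({
            "host": lip,
            "pat_ports": [f"{e['proto']}/{e['gport']}->{e['lport']}" for e in entries],
            "dynamic_nat_ids": pool_ids,
            "fix": f"static ({first['real']},{first['mapped']}) {first['gip']} {lip} "
                   "netmask 255.255.255.255 0 0",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['host']}: static PAT only ({', '.join(f['pat_ports'])}); "
              f"other outbound traffic will use nat id {f['dynamic_nat_ids']}")
        print(f"  suggested: {f['fix']}")
    print("after fix:", audit(FIXED_CONFIG))
```

Run against the sample, the audit reports 192.168.10.2 (PAT on tcp/www only, covered by nat id 1) and proposes the same one-to-one static the reply gives; 192.168.10.3 is not reported because its static is already one-to-one, and the fixed config produces no findings.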