About to pull my hair out :(

Status
Not open for further replies.

CarolinaCountryBoy

IS-IT--Management
Jan 11, 2008
22
US
Hi guys,

Me again. I have my firewall ALMOST doing what it needs to do. I think I've stared at it too long and I can't see the forest for the trees anymore. The firewall is in a remote datacenter; I CAN connect to it.

This should be simple - but part of it isn't working. Basically, I have 3 servers. A PDC, BDC and a Backup Server. I can connect to the PDC on the ports I've outlined. But, I CAN'T communicate with the BDC or BACKUP Server... What am I doing wrong?


The BDC should have incoming ports 80, 443 open for inbound traffic

The Backup Server should have incoming ports 80, 308, 443, 2003 open for inbound connections.

Any help would be GREATLY appreciated!!!!!

Jim

PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.244 InsideIPAddress
name 10.0.0.240 Server-PDC
name 10.0.0.241 Server-BDC
name 10.0.0.242 Server-BackUP
access-list acl-in deny icmp any any mask-request
access-list acl-in permit icmp any any
access-list acl-in permit tcp any host 200.200.200.3 eq www
access-list acl-in permit tcp any host 200.200.200.3 eq https
access-list acl-in permit tcp any host 200.200.200.1 eq smtp
access-list acl-in permit tcp any host 200.200.200.1 eq pop3
access-list acl-in permit tcp any host 200.200.200.1 eq www
access-list acl-in permit tcp any host 200.200.200.1 eq https
access-list acl-in permit tcp any host 200.200.200.2 eq www
access-list acl-in permit tcp any host 200.200.200.2 eq https
access-list acl-in permit tcp any host 200.200.200.2 eq 2003
access-list acl-in permit tcp any host 200.200.200.2 eq 308
access-list acl-in deny ip any any log
access-list in permit tcp any host 200.200.200.2
pager lines 200
mtu outside 1500
mtu inside 1500
ip address outside 200.200.200.200 255.255.255.240
ip address inside InsideIPAddress 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location Server-BDC 255.255.255.255 inside
pdm location Server-BackUP 255.255.255.255 inside
pdm location InsideIPAddress 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) 200.200.200.1 Server-BDC netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.2 Server-BackUP netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.3 Server-PDC netmask 255.255.255.255 0 0
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community nytemon
no snmp-server enable traps
floodguard enable
telnet Server-PDC 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
nytepix#
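As an added cross-check (not from the thread), here is a small Python script over a constructed excerpt of the config above: it resolves the name aliases, follows each static back to its inside host, lists which inside host/TCP port pairs the ACL bound with access-group actually exposes, and flags any ACL that is defined but never applied (the stray `access-list in` line here).

```python
# Constructed excerpt of the PIX 6.3 config posted above (not the full dump).
PIX_CONFIG = """
name 10.0.0.240 Server-PDC
name 10.0.0.241 Server-BDC
name 10.0.0.242 Server-BackUP
access-list acl-in permit tcp any host 200.200.200.3 eq www
access-list acl-in permit tcp any host 200.200.200.1 eq smtp
access-list acl-in permit tcp any host 200.200.200.1 eq www
access-list acl-in permit tcp any host 200.200.200.2 eq www
access-list acl-in permit tcp any host 200.200.200.2 eq 2003
access-list acl-in permit tcp any host 200.200.200.2 eq 308
access-list acl-in deny ip any any log
access-list in permit tcp any host 200.200.200.2
static (inside,outside) 200.200.200.1 Server-BDC netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.2 Server-BackUP netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.3 Server-PDC netmask 255.255.255.255 0 0
access-group acl-in in interface outside
"""
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}

def parse_pix(config):
    """Collect name aliases, static NAT pairs, ACL entries and ACL bindings."""
    cfg = {"names": {}, "statics": {}, "acls": {}, "bound": {}}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "name":            # name IP ALIAS
            cfg["names"][t[2]] = t[1]
        elif t[0] == "static":        # static (inside,outside) GLOBAL LOCAL ...
            cfg["statics"][t[2]] = cfg["names"].get(t[3], t[3])
        elif t[0] == "access-list":   # access-list NAME action proto src dst ...
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            cfg["bound"][t[1]] = t[4]
    return cfg

def exposed_tcp_ports(config):
    """Inside host -> sorted TCP ports reachable from outside via a bound ACL."""
    cfg, result = parse_pix(config), {}
    for acl in cfg["bound"]:          # unbound ACLs have no effect, skip them
        for e in cfg["acls"].get(acl, []):   # permit tcp any host GLOBAL eq PORT
            if len(e) >= 7 and e[:2] == ["permit", "tcp"] and e[3] == "host" and e[5] == "eq":
                inside = cfg["statics"].get(e[4])   # public IP -> inside host
                if inside:
                    result.setdefault(inside, set()).add(PORT_NAMES.get(e[6]) or int(e[6]))
    return {h: sorted(p) for h, p in result.items()}

def unbound_acls(config):
    """ACL names defined but never bound with access-group (dead rules)."""
    cfg = parse_pix(config)
    return sorted(a for a in cfg["acls"] if a not in cfg["bound"])
```

If the exposed host/port map matches what the servers are supposed to offer, the firewall side is consistent and the next place to look is the servers themselves (listening service, host firewall, default gateway).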
 
Brent, (supergrrover) are you around today? Could you look at this for me?

thanks,

jim
 
It looks good.
I have had this happen before - try this.
Delete the statics and recreate them using the IP addresses and not the host name.
You can also change the global
global (outside) 1 interface
to the actual IP of the outside interface. Clear xlates and give it a go.

Do one at a time and test. I forget which combination worked.
Let me know how it goes.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

THANK YOU! Are you ready for this? I am under such pressure to get this system up I was about to go crazy. What was blowing me away was the fact that I could communicate with ONE of the servers! It turns out that in my haste I NEGLECTED to change some settings on the other two servers!!

What got me on that trail was the fact that I took out the ICMP blanking but still couldn't talk to them. Once I put all the server settings in - SHAZAM! Worked like a champ! Geesh.. you'd think as long as I've been in this that I would slow down and be methodical (like I USUALLY am).

Thanks again for looking at it!

Jim
 
Yeah, I generally start with the servers but I have had this happen before when the servers were configured correctly. Glad it works.

Just a quick question - North Carolina?
Go Heels!! (unless you're a Duke fan - ick!)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 