Cannot access external network w/o static NAT

Toggle sidebar Toggle sidebar
C

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
I was working on our Pix firewall and noticed an entry that maps a server's internal IP to an external public IP through static NAT.

I then deleted that entry because the server is one of our Windows DC's and I don't see why it has to be made available outside of our internal network.

After I removed that line, the server cannot access anything but our internal network. So I put that line back and the connection is back.

Why would static NAT affect whether or not that server can access external networks??
 
G

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
Check your DHCP pool settigns and everything that would affect a new computer when getting on the net.

I assume that the DC has a static IP.....that might need to be modified.
 
C

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
It was the DC server that couldn't get to external network...what does DHCP have to do w/ it??
DHCP scope is completely different from the static IP ranges anyway...

I suspected something wrong w/ the Pix; after a reload the server can connect w/o a problem.
 
G

GreyMittens

Member
Nov 1, 2005
174
0
0
Originally posted by: Cooky
It was the DC server that couldn't get to external network...what does DHCP have to do w/ it??
DHCP scope is completely different from the static IP ranges anyway...

I suspected something wrong w/ the Pix; after a reload the server can connect w/o a problem.
Click to expand...

What a rude response to a guy who's just offering some ideas...

 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Cooky
It was the DC server that couldn't get to external network...what does DHCP have to do w/ it??
DHCP scope is completely different from the static IP ranges anyway...

I suspected something wrong w/ the Pix; after a reload the server can connect w/o a problem.
Click to expand...

cooky, what probably happened is there was still the static address translation on the pix. removing the static from the config didn't delete the translation.

whenever you make any nat changes you must clear the xlate table.

clear xlate *

Never forget rule #1 - it is NEVER a network problem
;)
 
P

petey117

Senior member
Jul 24, 2003
755
0
0
also, you have to
allow any any
as the last rule in your pix config. of course this also depends on the model pix and ios version
i have found in the older versions, if you do not have that line, and the traffic going in or out of that box do not match an allow rule, it drops the packets
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom