
Network Security Firewalls

RE: PIX not answering once IP address has changed

Subject: RE: PIX not answering once IP address has changed
Date: Wed, 16 Mar 2005 09:50:39 -0500
This may be a shot in the dark but did you have any static ARP
translations to the old virtual IP address either on the PIX itself or
the upstream router?  If so, you'll need to update those to the new IP.
I've run into this problem changing VIP addresses in the Checkpoint /
Nokia world before.  In this case the translations might be necessary
because the box itself won't respond with its MAC to an ARP request to
an IP it doesn't think is its own.  That's why the FW has to broker the
traffic.  This paradigm may not apply to the PIX world but I thought it
would be worth checking out.
 
Good luck,



Scott 
-----Original Message-----
From: loloinfo [mailto:loloinfo@wanadoo.fr] 
Sent: Tuesday, March 15, 2005 1:50 PM
To: firewalls@securityfocus.com
Subject: Re: PIX not answering once IP address has changed



        It's true with static translation but not with nat and global statement.

                ----- Original Message ----- 
                From: Guyler, Rik <mailto:rguyler@shp-dayton.org>  
                To: firewalls@securityfocus.com 
                Sent: Monday, March 14, 2005 2:23 PM
                Subject: RE: PIX not answering once IP address has changed


                Jason, you are absolutely correct...the PIX does not
need bidirectional NAT statements.  One NAT statement for each
translation is all that is needed.

                Rik 

                -----Original Message----- 
                From: Jason Ha [mailto:JHa@verisign.com.au] 
                Sent: Thursday, March 10, 2005 4:22 PM 
                To: Boylan, Heather (STP); firewalls@securityfocus.com 
                Subject: RE: PIX not answering once IP address has changed

                Hi Heather, 

                Firstly, (and someone correct me if I'm wrong), you
shouldn't need the second of your static rules. A single outside to
inside static is sufficient. Traffic being generated from server1 to
outside will automatically take on the server1-alias IP address.

                Anyhoo... There is one thing that really springs to
mind... Generally, when you make any changes to the PIX firewall's NAT
configurations (and certain other things such as interface
configurations and the like), you need to issue the "clear xlate"
command to clear the translation table.

                Depending on how long you've been tackling this problem,
it may have fixed itself as the translation table clears itself every 3
hours anyway. However, it's something worth looking at. You can
determine if the translation is still using the old IP address you had
configured by issuing the "show xlate" command. If it is a case where
the translation still shows the previous IP address, then issue the
"clear xlate" command. Note that by issuing clear xlate, you will
kill any live connection which is reliant upon any translation. Hence,
you may want to be more specific and just kill that particular IP
address translation using "clear xlate global server1-alias-IP-address
netmask 255.255.255.255".

                Hope this helps. 

                Regards, 

                Jason Ha [CISSP, CCSE, JNCIS-FWV] 
                Senior Security Engineer, 
                Security Operations Centre 

                VeriSign Australia 


                -----Original Message----- 
                From: Boylan, Heather (STP) [mailto:heather.boylan@guidant.com] 
                Sent: Thursday, 10 March 2005 11:24 AM 
                To: firewalls@securityfocus.com 
                Subject: PIX not answering once IP address has changed 

                Let me start by saying please forgive me for using
non-Pix terminology...I have quite a bit of firewall experience, just no
formal PIX training.

                I have a Pix with 2 interfaces -- outside and inside. 
                The outside interface is answering for a machine on the
inside named 'server1'. 
                I have created an object on the outside named
'server1-alias' 
                I have created an object on the inside named 'server1'
which is the real IP address of the server on the inside. 
                I have 2 static nat rules: 
                        outside to inside; server1-alias to server1 
                        inside to outside; server1 to server1-alias 
                I have a rule allowing all outside traffic access to server1 on all
appropriate (to our environment) tcp ports

                The above worked great. 

                The problem came when I changed the IP address for
'server1-alias'...the Pix will not answer for this new address. 

                I have disabled and re-enabled the interface. 
                I have rebooted. 
                I have deleted the objects and nat rules and re-created
them. 

                I am out of ideas. 

                Some additional info -- being a PIX novice, I do use the
PDM.  I have looked at the command line and the rules appear OK (I do
have other servers that have similar configurations to compare to --
they aren't relevant for my issue so have left them out).

                If anyone has some thoughts on what I may have missed or
what I could try, I'd really appreciate it!! 

                Heather Boylan 



                "Any views expressed in this email are not those of the
Guidant Corporation" 
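The checks the thread converges on (a single static is enough, the access list must name the new global address, inspect and clear only the stale translation, and rule out a static ARP entry), collected into one PIX 6.x CLI walkthrough. This is an added example and not configuration from anyone in the thread; the interface names, the access-list name `outside_in`, and the addresses 10.1.1.5 (server1), 203.0.113.20 (old server1-alias) and 203.0.113.21 (new server1-alias) are constructed placeholders, and the `show xlate` line shown is illustrative of the 6.x output format.

```cisco
! Added example, not from the thread. Constructed placeholder addresses:
!   10.1.1.5      = server1 (real inside address)
!   203.0.113.20  = old server1-alias (outside global)
!   203.0.113.21  = new server1-alias (outside global)
!
! 1. One static covers both directions (Jason/Rik). Remove the old
!    mapping with the full command under "no", then add the new one.
no static (inside,outside) 203.0.113.20 10.1.1.5 netmask 255.255.255.255
static (inside,outside) 203.0.113.21 10.1.1.5 netmask 255.255.255.255
!
! 2. The inbound access list must reference the NEW global address;
!    an entry still naming the old one quietly drops the traffic.
access-list outside_in permit tcp any host 203.0.113.21 eq 80
access-group outside_in in interface outside
!
! 3. Look for a translation still binding server1 to the OLD address.
show xlate
!    Global 203.0.113.20 Local 10.1.1.5   <- stale entry: go to step 4
!
! 4. Clear only that entry rather than the whole table, so unrelated
!    live connections through the PIX survive (Jason's caveat).
clear xlate global 203.0.113.20 netmask 255.255.255.255
!
! 5. Scott's ARP question: make sure nothing pins the old address to
!    a MAC. On the PIX:
show arp
!    On the upstream IOS router, check and, if present, remove it
!    (replace <mac> with the entry's hardware address):
!      show ip arp 203.0.113.20
!      no arp 203.0.113.20 <mac> arpa
```

The order matters: clearing the xlate before the static and access list reference the new address only produces a fresh translation to the wrong global, and a static ARP entry upstream will keep steering the old address to the PIX no matter what the PIX itself is configured to answer for.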





