port translation happens after packet is rejected ???

fred.fm (Guest), 11-27-2006
Hi all,
There's a PIX 515E here at work. It has recently been upgraded from 6.3 to 7.21.

It seems to me that since this upgrade I've been encountering some strange
problems.

The PIX has three interfaces: one for the Web (level 100), one for our intranet
(level 0) with IPs 192.168.0.0, and one for a DMZ (level 4) with IPs 10.10.10.0.

In the DMZ is a Web server (it's the only server in the DMZ).

Last night, at home, I received a newsletter from this web server (our web
site) and, just to test, I clicked the "unregister from the newsletter" link.
I was under Firefox ... the page never showed ... Instead there was a blank
page: no message ....
I tested the same link under IE6 and it did the same.
I tested the site's index page but nothing showed.
Nslookup found the site's IP without problem.
I could surf every web site I could think of, but not this one ...

After rebooting my PC, I could surf the site's index and other pages without
a prob. So I thought it was a local problem.
Never mind, I noted my IP so that I could watch the PIX's log the next day.

I found many lines about rejecting my connection and here we are, I don't
understand what's happening.
The fact is that, searching through the log, there are many people encountering
the same problems, but also many people surfing the site without probs at
the same time.

So here are some of the log lines I found:

Nov 27 10:56:44 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:81.51.10.184/1910 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:55:42 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3549 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:56:55 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3568 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:56:58 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3569 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:57:53 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3593 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:58:05 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3594 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:58:12 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3595 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:58:29 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3596 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:59:28 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3620 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]


What I don't understand is the outside port number (3620 for the last line
here), because there is a translation rule that should translate every
DMZ-Outside 10.10.10.220/80 to my_public_ip/80.
Here's the rule:
static (dmz,outside) tcp my_public_ip www 10.10.10.220 www netmask 255.255.255.255

As I understand it, it's like the rejection happened before the port
translation, but I'm certainly wrong.

Any help/comment is greatly appreciated.

Thanks for reading.

Bye.
Fred
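The deny lines Fred pasted, parsed into fields so a reviewer can triage them by outside client and by the ACL name that produced the deny. This is an added example, not code from the post or from Cisco: it embeds four of the post's %PIX-4-106023 lines verbatim as sample input, plus one constructed placeholder line to show that non-deny messages are skipped. The "server reply" heuristic (the DMZ server's own service port as source, an ephemeral port of 1024 or higher on the outside as destination) is my assumption about how to read these entries for grouping purposes, not a conclusion the post reaches.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: four lines copied from the post above, plus one constructed
# placeholder (not a real PIX message) that the parser must ignore.
SAMPLE_LINES = [
    'Nov 27 10:56:44 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 '
    'dst outside:81.51.10.184/1910 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]',
    'Nov 27 11:55:40 192.168.1.254 %PIX-6-000000: constructed placeholder, not a deny',
    'Nov 27 11:55:42 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 '
    'dst outside:86.204.128.134/3549 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]',
    'Nov 27 11:56:55 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 '
    'dst outside:86.204.128.134/3568 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]',
    'Nov 27 11:56:58 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 '
    'dst outside:86.204.128.134/3569 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]',
]

# Field layout of message 106023 as it appears in the post:
#   <timestamp> <device> %PIX-<sev>-106023: Deny <proto> src <if>:<ip>/<port>
#   dst <if>:<ip>/<port> by access-group "<acl>" [<hash>, <hash>]
PIX_106023 = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) '
    r'%PIX-(?P<sev>\d)-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


@dataclass(frozen=True)
class Denial:
    ts: str
    device: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


def parse_106023(line):
    """Return a Denial for a 106023 deny line, or None for any other line."""
    m = PIX_106023.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Denial(g["ts"], g["device"], g["proto"],
                  g["src_if"], g["src_ip"], int(g["src_port"]),
                  g["dst_if"], g["dst_ip"], int(g["dst_port"]), g["acl"])


def is_server_reply_denial(d, server_ip, server_port=80):
    """Heuristic (assumption): the denied packet leaves the DMZ server from its
    own service port toward an ephemeral outside port, i.e. it looks like the
    server-to-client direction of an exchange rather than a new inbound request."""
    return d.src_ip == server_ip and d.src_port == server_port and d.dst_port >= 1024


def summarize(lines, server_ip, server_port=80):
    """Group reply-direction denials by outside client and by ACL name."""
    denials = [d for d in map(parse_106023, lines) if d is not None]
    clients = Counter()
    acls = Counter()
    for d in denials:
        if is_server_reply_denial(d, server_ip, server_port):
            clients[d.dst_ip] += 1
            acls[d.acl] += 1
    return {
        "parsed": len(denials),
        "reply_denials": sum(clients.values()),
        "clients": dict(clients),
        "acls": dict(acls),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES, "10.10.10.220")
    print(f"parsed {report['parsed']} deny lines, "
          f"{report['reply_denials']} in the server-reply direction")
    for ip, n in sorted(report["clients"].items()):
        print(f"  outside client {ip}: {n} denied packet(s)")
    for acl, n in report["acls"].items():
        print(f"  access-group {acl}: {n} denied packet(s)")
```

Run over a syslog export rather than the five embedded lines to see how many distinct outside clients were affected during the window; the per-ACL count names the access-group to inspect, and the interface names in each record confirm the direction (dmz to outside) of what was denied.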

 