port translation happens after packet is rejected ???

Discussion in 'Cisco' started by fred.fm, Nov 27, 2006.

  fred.fm (Guest)

    Hi all,
    a PIX 515E here at work. It has recently been upgraded from 6.3 to 7.21.

    Seems to me that it's since this upgrade that I encounter some strange
    problems.

    PIX has three interfaces: 1 for the Web (level 100), one for our intranet
    (level 0) IPs 192.168.0.0 and one for a DMZ (level 4) IPs 10.10.10.0.

    In the DMZ is a Web server (it's the only server in the DMZ).

    Last night, at home I received a newsletter from this web server (our web
    site) and just to test, I clicked the "unregister to the newsletter" link.
    I was under Firefox ... the page never showed ... Instead there was a blank
    page: no message ....
    I tested the same link under IE6 and it did the same.
    I tested the site's index page but nothing showed.
    Nslookup found the site's IP without problem.
    I could surf every web site I could think of, but not this one ...

    After rebooting my PC, I could surf the site's index and other pages without
    a prob. So I thought it was a local problem.
    Never mind, I noted my IP so that I could watch the PIX's log the next day.

    I found many lines about rejecting my connection and here we are, I don't
    understand what's happening.
    The fact is that, searching through the log, there are many people encountering
    the same problems, but also many people surfing the site without probs at
    the same time.

    So here are some of the log lines I found:

    Nov 27 10:56:44 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:81.51.10.184/1910 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]

    Nov 27 11:55:42 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:86.204.128.134/3549 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]

    Nov 27 11:56:55 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:86.204.128.134/3568 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]

    Nov 27 11:56:58 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:86.204.128.134/3569 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]

    Nov 27 11:57:53 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:86.204.128.134/3593 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]

    Nov 27 11:58:05 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:86.204.128.134/3594 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]

    Nov 27 11:58:12 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:86.204.128.134/3595 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]

    Nov 27 11:58:29 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:86.204.128.134/3596 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]

    Nov 27 11:59:28 192.168.1.254 %PIX-4-106023: Deny tcp src
    dmz:10.10.10.220/80 dst outside:86.204.128.134/3620 by access-group
    "dmz_access_in" [0x3e19d1ab, 0x0]
    What I don't understand is the outside port number (3620 for the last line
    here), 'cause there is a translation rule that should translate every
    DMZ-Outside 10.10.10.220/80 to my_public_ip/80.
    Here's the rule:
    static (dmz,outside) tcp my_public_ip www 10.10.10.220 www netmask
    255.255.255.255

    As I understand it, it's like the rejection happened before the port
    translation, but I'm certainly wrong ;-)

    Any help/comment is greatly appreciated.

    Thanks for reading.

    Bye.
    Fred
    fred.fm, Nov 27, 2006
    #1
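A small log-triage helper, added here as an example (it is not from Fred's post or from Cisco): it re-joins the wrapped %PIX-4-106023 records, parses them, and counts denies per outside client, flagging records whose source is the server's port 80 and whose destination is an ephemeral port. Such a record is the firewall dropping the web server's reply for lack of a connection entry, and the outside port it shows is the client's own port, which the static never translates. The regexes and the two re-wrapped sample records are taken from the log lines above; no other input is assumed.

```python
import re
from collections import Counter

# %PIX-4-106023 deny message, matched after a wrapped syslog record is re-joined.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
RECORD_START = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ')  # "Nov 27 10:56:44 "

def unwrap(text):
    """Re-join records that a mail or forum paste split across lines."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records

def parse_denies(text):
    events = []
    for rec in unwrap(text):
        m = DENY_RE.search(rec)
        if not m:
            continue
        e = m.groupdict()
        e['sport'], e['dport'] = int(e['sport']), int(e['dport'])
        # Source is the server's listening port, destination an ephemeral client port:
        # this is return traffic that found no connection entry, not a new inbound request.
        e['reply_direction'] = e['sport'] < 1024 <= e['dport']
        events.append(e)
    return events

def summarize(events):
    return {'total': len(events),
            'per_client': Counter(e['dip'] for e in events),
            'per_acl': Counter(e['acl'] for e in events),
            'reply_direction': sum(e['reply_direction'] for e in events)}

# Two records from the post above, kept with the line wrapping the paste introduced.
SAMPLE = """Nov 27 10:56:44 192.168.1.254 %PIX-4-106023: Deny tcp src
dmz:10.10.10.220/80 dst outside:81.51.10.184/1910 by access-group
"dmz_access_in" [0x3e19d1ab, 0x0]
Nov 27 11:59:28 192.168.1.254 %PIX-4-106023: Deny tcp src
dmz:10.10.10.220/80 dst outside:86.204.128.134/3620 by access-group
"dmz_access_in" [0x3e19d1ab, 0x0]
"""

if __name__ == '__main__':
    print(summarize(parse_denies(SAMPLE)))
```

Feed it the full syslog export instead of SAMPLE and the per_client counter shows which outside hosts keep hitting the ACL with reply traffic, which is the set worth correlating against the connection table.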