PIX: Inbound http fails to bring up a web page from server in DMZ; PIX logs shows :

Discussion in 'Cisco' started by J Bard, Jan 9, 2004.

    J Bard (Guest)

    Inbound http fails to bring up a web page from server in DMZ; PIX logs
    shows :
    302013: Built inbound TCP connection 26537 for outside:33.191.35.331/3393 (24.191.35.213/3393) to DMZ:192.168.2.121/80 (111.212.11.242/80)



    All the IPs are right. The pages appear to time out for outside users.
    Inside I can get the web page.

    I have varied the static and access-list commands, and have tested again; no
    change.



    Original setup failed:

    static (DMZ,outside) tcp interface www 192.168.2.121 www netmask 255.255.255.255 0 0

    access-list EXTERNAL permit tcp any interface outside eq www



    I modified the access list to

    access-list out2in permit tcp any host 111.212.11.242 eq www



    The next test resulted in:

    Built local-host DMZ:192.168.2.121

    305011: Built static TCP translation from DMZ:192.168.2.121/80 to outside:155.212.99.142/80

    302013: Built inbound TCP connection 26537 for outside:24.191.35.213/3393 (24.191.35.213/3393) to DMZ:192.168.2.121/80 (111.212.11.242/80)

    302014: Teardown TCP connection 26537 for outside:24.191.35.213/3393 to DMZ:192.168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout

    305012: Teardown static TCP translation from DMZ:192.168.2.121/80 to outside:155.212.99.142/80 duration 0:02:15

    302010: 0 in use, 274 most used



    I then changed the static to :

    static (DMZ,outside) 111.212.11.242 192.168.2.121

    and got:



    testname(config)# 609001: Built local-host DMZ:192.168.2.121

    305009: Built static translation from DMZ:192.168.2.121 to outside:155.212.99.142

    302013: Built inbound TCP connection 26538 for outside:24.187.117.222/2864 (24.187.117.222/2864) to DMZ:192.168.2.121/80 (111.212.11.242/80)

    302014: Teardown TCP connection 26538 for outside:24.187.117.222/2864 to DMZ:192.168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout



    the whole damn thing follows:



    pdm history enable

    arp timeout 14400

    global (outside) 1 interface

    nat (inside) 0 access-list inside_outbound_nat0_acl

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    static (DMZ,outside) tcp interface www 192.168.2.121 www netmask 255.255.255.255 0 0

    access-group out2in in interface outside

    route outside 0.0.0.0 0.0.0.0 155.212.99.141 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+

    aaa-server RADIUS protocol radius

    aaa-server LOCAL protocol local

    aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

    http server enable

    http 192.168.0.31 255.255.255.255 inside

    no snmp-server location

    no snmp-server contact

    snmp-server community public

    no snmp-server enable traps

    floodguard enable

    sysopt connection permit-pptp

    telnet 0.0.0.0 0.0.0.0 inside

    telnet timeout 33

    ssh timeout 5

    console timeout 0

    vpdn group PPTP-VPDN-GROUP accept dialin pptp

    vpdn group PPTP-VPDN-GROUP ppp authentication chap

    vpdn group PPTP-VPDN-GROUP client configuration address local xxxxxxxxxxt

    vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.65.2 xxx.41.101.15

    vpdn group PPTP-VPDN-GROUP pptp echo 60

    vpdn group PPTP-VPDN-GROUP client authentication local

    vpdn username testname password *********

    vpdn enable outside

    username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2

    username robert password wqEpZlHyXB1vk/uT encrypted privilege 2

    terminal width 80

    Cryptochecksum:0239161e0c3xxxxxxxxxxxxxxxad9960

    : end

    testname(config)# 302010: 0 in use, 274 most used



    testname(config)#

    testname(config)# no access-list out2in permit tcp any interface outside eq$

    testname(config)# 111008: User 'enable_15' executed the 'no access-list out2in permit tcp any interface outside eq www' command.



    testname(config)#

    testname(config)# access-list out2in permit tcp any interface eq www

    interface <eq> does not exist

    Usage: [no] access-list compiled

    [no] access-list deny-flow-max <n>

    [no] access-list alert-interval <secs>

    [no] access-list <id> compiled

    [no] access-list <id> [line <line-num>] remark <text>

    [no] access-list <id> [line <line-num>] deny|permit

    <protocol>|object-group <protocol_obj_grp_id>

    <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>

    [<operator> <port> [<port>] | object-group <service_obj_grp_id>]

    <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>

    [<operator> <port> [<port>] | object-group <service_obj_grp_id>]

    [log [disable|default] | [<level>] [interval <secs>]]

    [no] access-list <id> [line <line-num>] deny|permit icmp

    <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>

    <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>

    [<icmp_type> | object-group <icmp_type_obj_grp_id>]

    [log [disable|default] | [<level>] [interval <secs>]]

    Restricted ACLs for route-map use:

    [no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

    testname(config)# access-list out2in permit tcp any host 111.212.11.242 e$

    testname(config)# 111008: User 'enable_15' executed the 'access-list out2in permit tcp any host 111.212.11.242 eq www' command.



    testname(config)# clear xlate

    testname(config)# 609002: Teardown local-host DMZ:192.168.2.121 duration 0:37:38

    609002: Teardown local-host inside:192.168.0.33 duration 0:22:40

    111008: User 'enable_15' executed the 'clear xlate' command.



    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)# shw access-list

    Type help or '?' for a list of available commands.

    testname(config)# sh access-list

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

    alert-interval 300

    access-list out2in; 2 elements

    access-list out2in line 1 permit icmp any any echo-reply (hitcnt=20)

    access-list out2in line 2 permit tcp any host xxx.xxx.11.242 eq www (hitcnt=0)

    access-list inside_outbound_nat0_acl; 1 elements

    access-list inside_outbound_nat0_acl line 1 permit ip any 192.168.0.192 255.255.255.192 (hitcnt=30756874)

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)# clear xlate

    testname(config)# 111008: User 'enable_15' executed the 'clear xlate' command

    testname(config)# 302010: 0 in use, 274 most used

    609001: Built local-host DMZ:192.168.2.121

    305011: Built static TCP translation from DMZ:192.168.2.121/80 to outside:155.212.99.142/80

    302013: Built inbound TCP connection 26537 for outside:24.191.35.213/3393 (24.191.35.213/3393) to DMZ:192.168.2.121/80 (111.212.11.242/80)

    302014: Teardown TCP connection 26537 for outside:24.191.35.213/3393 to DMZ:192.168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout

    305012: Teardown static TCP translation from DMZ:192.168.2.121/80 to outside:155.212.99.142/80 duration 0:02:15

    302010: 0 in use, 274 most used



    testname(config)# sh run

    : Saved

    :

    PIX Version 6.3(1)

    interface ethernet0 auto

    interface ethernet1 auto

    interface ethernet1 vlan2 logical

    nameif ethernet0 outside security0

    nameif ethernet1 inside security100

    nameif vlan2 DMZ security50

    enable password RKu3p1CF3TrlG1v9 encrypted

    passwd FRou7zzj.tp5/Po3 encrypted

    hostname testname

    domain-name atcentral

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol ils 389

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol skinny 2000

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    names

    access-list out2in permit icmp any any echo-reply

    access-list out2in permit tcp any host 111.212.11.242 eq www

    access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.192



    pager lines 24

    logging on

    logging timestamp

    logging console informational

    logging buffered informational

    logging host inside 192.168.0.33

    mtu outside 1500

    mtu inside 1500

    ip address outside 111.212.11.242 255.255.255.252

    ip address inside 192.168.0.2 255.255.255.0

    ip address DMZ 192.168.2.1 255.255.255.0

    ip audit info action alarm

    ip audit attack action alarm

    ip local pool boldsupport 192.168.0.200-192.168.0.230

    pdm location 192.168.0.31 255.255.255.255 inside

    pdm history enable

    arp timeout 14400

    global (outside) 1 interface

    nat (inside) 0 access-list inside_outbound_nat0_acl

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    static (DMZ,outside) tcp interface www 192.168.2.121 www netmask 255.255.255.255 0 0

    access-group out2in in interface outside

    route outside 0.0.0.0 0.0.0.0 155.212.99.141 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+

    aaa-server RADIUS protocol radius

    aaa-server LOCAL protocol local

    aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

    http server enable

    http 192.168.0.31 255.255.255.255 inside

    no snmp-server location

    no snmp-server contact

    snmp-server community public

    no snmp-server enable traps

    floodguard enable

    sysopt connection permit-pptp

    telnet 0.0.0.0 0.0.0.0 inside

    telnet timeout 33

    ssh timeout 5

    console timeout 0

    vpdn group PPTP-VPDN-GROUP accept dialin pptp

    vpdn group PPTP-VPDN-GROUP ppp authentication chap

    vpdn group PPTP-VPDN-GROUP client configuration address local xxxxxxxxxxx

    vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.xx.2 xxx.41.1xx.15

    vpdn group PPTP-VPDN-GROUP pptp echo 60

    vpdn group PPTP-VPDN-GROUP client authentication local

    vpdn username testname password *********

    vpdn enable outside

    username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2

    username robert password wqEpZlHyXB1vk/uT encrypted privilege 2

    terminal width 80

    Cryptochecksum:0239161e0c3cd774be16db707bad9960

    : end

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)# show static

    static (DMZ,outside) tcp interface www 192.168.2.121 www netmask 255.255.255.255 0 0

    testname(config)# show static

    static (DMZ,outside) tcp interface www 192.168.2.121 www netmask 255.255.255.255 0 0

    testname(config)#

    testname(config)# static (DMZ,outside) tcp interface www 192.168.2.121 www $

    ERROR: static overlaps with 111.212.11.242/80 to 192.168.2.121/80

    Usage: [no] static [(internal_if_name, external_if_name)]

    {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]

    [<max_conns> [<emb_limit> [<norandomseq>]]]

    [no] static [(internal_if_name, external_if_name)] {tcp|udp}

    {<global_ip>|interface} <global_port>

    <local_ip> <local_port> [dns] [netmask <mask>]

    [<max_conns> [<emb_limit> [<norandomseq>]]]

    testname(config)# 0 0

    Type help or '?' for a list of available commands.

    testname(config)# no static (DMZ,outside) tcp interface www 192.168.2.121 w$

    testname(config)# 111008: User 'enable_15' executed the 'no static (DMZ,outside) tcp interface www 192.168.2.121 www netmask 255.255.255.255' command.



    testname(config)#

    testname(config)#

    testname(config)# clear xlate

    testname(config)# 609002: Teardown local-host DMZ:192.168.2.121 duration 0:15:59

    111008: User 'enable_15' executed the 'clear xlate' command.



    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)# sh static

    testname(config)#

    testname(config)#

    testname(config)# static (DMZ,outside) 111.212.11.242 192.168.2.121

    testname(config)# 111008: User 'enable_15' executed the 'static (DMZ,outside) 111.212.11.242 192.168.2.121' command.



    testname(config)#

    testname(config)#

    testname(config)# sh static

    static (DMZ,outside) 111.212.11.242 192.168.2.121 netmask 255.255.255.255 0 0

    testname(config)#

    testname(config)#

    testname(config)# clear xlate

    testname(config)# 111008: User 'enable_15' executed the 'clear xlate' command.



    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)# 302010: 0 in use, 274 most used

    106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967 by access-group "out2in"

    106011: Deny inbound (No xlate) udp src outside:65.96.110.81/2967 dst outside:155.212.99.142/2967

    106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967 by access-group "out2in"

    106011: Deny inbound (No xlate) udp src outside:65.96.110.81/2967 dst outside:155.212.99.142/2967

    106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967 by access-group "out2in"

    106011: Deny inbound (No xlate) udp src outside:65.96.110.81/2967 dst outside:155.212.99.142/2967

    609001: Built local-host inside:192.168.0.41

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1808 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1808 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1808 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1810 dst outside:216.92.69.104/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1810 dst outside:216.92.69.104/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1810 dst outside:216.92.69.104/110

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1811 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1813 dst outside:209.68.16.115/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1813 dst outside:209.68.16.115/110

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1811 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1816 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1813 dst outside:209.68.16.115/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1818 dst outside:209.68.1.171/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1818 dst outside:209.68.1.171/110

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1816 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1818 dst outside:209.68.1.171/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1820 dst outside:209.68.1.21/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1820 dst outside:209.68.1.21/110

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1811 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1820 dst outside:209.68.1.21/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1822 dst outside:207.217.121.216/110

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1822 dst outside:207.217.121.216/110

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1816 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for tcp src inside:192.168.0.41/1822 dst outside:207.217.121.216/110

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1811 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1811 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1816 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1816 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1811 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1811 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1816 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1816 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1823 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1823 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1823 dst outside:198.6.1.122/53

    302010: 0 in use, 274 most used

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1824 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1824 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1824 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1824 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1824 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1824 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1824 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1825 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1825 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1825 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1825 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1825 dst outside:198.6.1.122/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1825 dst outside:216.41.101.15/53

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1825 dst outside:198.6.1.122/53



    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)#

    testname(config)# 609001: Built local-host DMZ:192.168.2.121

    305009: Built static translation from DMZ:192.168.2.121 to outside:155.212.99.142

    302013: Built inbound TCP connection 26538 for outside:24.187.117.222/2864 (24.187.117.222/2864) to DMZ:192.168.2.121/80 (111.212.11.242/80)

    302014: Teardown TCP connection 26538 for outside:24.187.117.222/2864 to DMZ:192.168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout

    302010: 0 in use, 274 most used

    106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967 by access-group "out2in"

    106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967 by access-group "out2in"

    106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967 by access-group "out2in"

    106023: Deny tcp src outside:68.72.217.168/3979 dst DMZ:111.212.11.242/135 by access-group "out2in"

    302010: 0 in use, 274 most used

    106023: Deny tcp src outside:216.77.70.61/4169 dst DMZ:111.212.11.242/135 by access-group "out2in"

    106023: Deny tcp src outside:216.77.70.61/4169 dst DMZ:111.212.11.242/135 by access-group "out2in"

    clear xlate

    testname(config)# 305010: Teardown static translation from DMZ:192.168.2.121 to outside:111.212.11.242 duration 0:17:23

    609002: Teardown local-host DMZ:192.168.2.121 duration 0:17:23

    609002: Teardown local-host inside:192.168.0.41 duration 0:30:08

    111008: User 'enable_15' executed
     
    J Bard, Jan 9, 2004
    #1
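As an added example (not part of J Bard's post and not PIX code), the script below parses the three PIX 6.x message formats that carry the evidence in the pasted console output: 302013 (inbound connection built), 302014 (connection torn down, with byte count and reason) and 106023 (packet denied by an access-group). It pairs each build with its teardown by connection id and flags the connections that died with "SYN Timeout" and 0 bytes, which is exactly the pattern in the thread: the SYN passed the ACL and got a translation, but no SYN-ACK ever came back through the firewall, so the fault is past the PIX (server, its default gateway, or the DMZ path), not in the ACL. It also tallies the 106023 denies per access-group, protocol and port. The sample log is constructed from the lines in the thread with the wrapped lines rejoined; connection 26540 and its "TCP FINs" teardown are invented to show what a completed session looks like next to a failed one.

```python
"""Parse PIX 6.x console/syslog lines and flag inbound TCP connections that the
firewall built but that never completed the three-way handshake.

Added example, not from the original post. Message ids 302013, 302014 and
106023 are the real PIX message numbers seen in the thread; the sample log
below is constructed from those lines.
"""
import re
from collections import Counter

# Optional console prompt or syslog facility prefix, then the 6-digit message id.
_PREFIX = re.compile(r"^(?:\S+\(config\)# )?(?:%PIX-\d-)?(\d{6}): (?P<body>.*)$")

_BUILT = re.compile(
    r"Built inbound TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \((?P<dst_xlate>[\d.]+)/\d+\)"
)
_TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?"
)
_DENY = re.compile(
    r"Deny (?P<proto>tcp|udp) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Return a dict for message ids 302013, 302014 and 106023, else None."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    msg_id, body = m.group(1), m.group("body")
    pattern = {"302013": _BUILT, "302014": _TEARDOWN, "106023": _DENY}.get(msg_id)
    if pattern is None:
        return None
    b = pattern.match(body)
    if not b:
        return None
    rec = {"id": msg_id}
    rec.update(b.groupdict())
    return rec


def handshake_failures(lines):
    """Correlate 302013 builds with their 302014 teardowns by connection id and
    return the connections that died with 'SYN Timeout' and zero bytes: the SYN
    passed the ACL and the xlate, but no SYN-ACK came back through the firewall."""
    built = {}
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["id"] == "302013":
            built[rec["conn"]] = rec
        elif rec["id"] == "302014":
            if rec.get("reason") == "SYN Timeout" and rec["bytes"] == "0":
                b = built.pop(rec["conn"], {})
                failures.append({
                    "conn": rec["conn"],
                    "src": f'{rec["src_ip"]}:{rec["src_port"]}',
                    "dst": f'{rec["dst_if"]}:{rec["dst_ip"]}:{rec["dst_port"]}',
                    "via": b.get("dst_xlate"),  # global address the client hit
                    "duration": rec["duration"],
                })
    return failures


def denied_by_acl(lines):
    """Count 106023 denies by (access-group, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["id"] == "106023":
            counts[(rec["acl"], rec["proto"], rec["dst_port"])] += 1
    return counts


# Constructed sample modelled on the thread; connection 26540 is invented to
# show a completed session beside the failed one.
SAMPLE_LOG = """\
testname(config)# 609001: Built local-host DMZ:192.168.2.121
305011: Built static TCP translation from DMZ:192.168.2.121/80 to outside:155.212.99.142/80
302013: Built inbound TCP connection 26537 for outside:24.191.35.213/3393 (24.191.35.213/3393) to DMZ:192.168.2.121/80 (111.212.11.242/80)
302014: Teardown TCP connection 26537 for outside:24.191.35.213/3393 to DMZ:192.168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout
302010: 0 in use, 274 most used
106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967 by access-group "out2in"
106023: Deny tcp src outside:68.72.217.168/3979 dst DMZ:111.212.11.242/135 by access-group "out2in"
106023: Deny tcp src outside:216.77.70.61/4169 dst DMZ:111.212.11.242/135 by access-group "out2in"
302013: Built inbound TCP connection 26540 for outside:24.187.117.222/2864 (24.187.117.222/2864) to DMZ:192.168.2.121/80 (111.212.11.242/80)
302014: Teardown TCP connection 26540 for outside:24.187.117.222/2864 to DMZ:192.168.2.121/80 duration 0:00:12 bytes 5120 TCP FINs
""".splitlines()

if __name__ == "__main__":
    for f in handshake_failures(SAMPLE_LOG):
        print("handshake never completed:", f)
    for key, n in sorted(denied_by_acl(SAMPLE_LOG).items()):
        print("denied", key, n)
```

Run against the pasted output, the script reports only connection 26537 (and 26538 in the later run) as a handshake failure, while the 106023 lines show the ACL doing its job on unrelated UDP/2967 and TCP/135 probes; the `hitcnt=0` on the www line of `sh access-list` in the thread is consistent with that split, since a zero-byte SYN Timeout still counts as an accepted connection, not a denied packet.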