PIX: Inbound http fails to bring up a web page from server in DMZ; PIX logs shows :

J Bard · Jan 9, 2004

Inbound http fails to bring up a web page from server in DMZ; PIX logs
shows :
302013: Built inbound TCP connection 26537 for outside:33.191.35.331/3393
(24.19

1.35.213/3393) to DMZ:192.168.2.121/80 (111.212.11.242/80)

All the IP's are right The pages appears to time out for outside users.
Inside I can get the web page.

I have varied the static and access-list commands, and have tested again; no
change.

Original setup failed:

static (DMZ,outside) tcp interface www 192.168.2.121 www netmask
255.255.255.255

0 0

access-list EXTERNAL permit tcp any interface outside eq www

I modified to the access list to

access-list out2in permit tcp any host 111.212.11.242 eq www' command.

The next test resulted in:

Built local-host DMZ:192.168.2.121

305011: Built static TCP translation from DMZ:192.168.2.121/80 to
outside:155.21

2.99.142/80

302013: Built inbound TCP connection 26537 for outside:24.191.35.213/3393
(24.19

1.35.213/3393) to DMZ:192.168.2.121/80 (111.212.11.242/80)

302014: Teardown TCP connection 26537 for outside:24.191.35.213/3393 to
DMZ:192.

168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout

305012: Teardown static TCP translation from DMZ:192.168.2.121/80 to
outside:155

..212.99.142/80 duration 0:02:15

302010: 0 in use, 274 most used

I then changed the static to :

static (DMZ,outside) 111.212.11.242 192.168.2.121

and got:

testname(config)# 609001: Built local-host DMZ:192.168.2.121

305009: Built static translation from DMZ:192.168.2.121 to
outside:155.212.99.14

2

302013: Built inbound TCP connection 26538 for outside:24.187.117.222/2864
(24.1

87.117.222/2864) to DMZ:192.168.2.121/80 (111.212.11.242/80)

302014: Teardown TCP connection 26538 for outside:24.187.117.222/2864 to
DMZ:192

..168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout

the whole damn thing follows:

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (DMZ,outside) tcp interface www 192.168.2.121 www netmask
255.255.255.255

0 0

access-group out2in in interface outside

route outside 0.0.0.0 0.0.0.0 155.212.99.141 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

http server enable

http 192.168.0.31 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 33

ssh timeout 5

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP client configuration address local xxxxxxxxxxt

vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.65.2
xxx.41.101.15

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username testname password *********

vpdn enable outside

username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2

username robert password wqEpZlHyXB1vk/uT encrypted privilege 2

terminal width 80

Cryptochecksum:0239161e0c3xxxxxxxxxxxxxxxad9960

: end

testname(config)# 302010: 0 in use, 274 most used

testname(config)#

testname(config)# no access-list out2in permit tcp any interface outside eq$

testname(config)# 111008: User 'enable_15' executed the 'no access-list
out2i

n permit tcp any interface outside eq www' command.

testname(config)#

testname(config)# access-list out2in permit tcp any interface eq www

interface <eq> does not exist

Usage: [no] access-list compiled

[no] access-list deny-flow-max <n>

[no] access-list alert-interval <secs>

[no] access-list <id> compiled

[no] access-list <id> [line <line-num>] remark <text>

[no] access-list <id> [line <line-num>] deny|permit

<protocol>|object-group <protocol_obj_grp_id>

<sip> <smask> | interface <if_name> | object-group
<network_obj_grp_id>

[<operator> <port> [<port>] | object-group <service_obj_grp_id>]

<dip> <dmask> | interface <if_name> | object-group
<network_obj_grp_id>

[<operator> <port> [<port>] | object-group <service_obj_grp_id>]

[log [disable|default] | [<level>] [interval <secs>]]

[no] access-list <id> [line <line-num>] deny|permit icmp

<sip> <smask> | interface <if_name> | object-group
<network_obj_grp_id>

<dip> <dmask> | interface <if_name> | object-group
<network_obj_grp_id>

[<icmp_type> | object-group <icmp_type_obj_grp_id>]

[log [disable|default] | [<level>] [interval <secs>]]

Restricted ACLs for route-map use:

[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

testname(config)# access-list out2in permit tcp any host 111.212.11.242 e$

testname(config)# 111008: User 'enable_15' executed the 'access-list out2in
p

ermit tcp any host 111.212.11.242 eq www' command.

testname(config)# clear xlate

testname(config)# 609002: Teardown local-host DMZ:192.168.2.121 duration
0:37

:38

609002: Teardown local-host inside:192.168.0.33 duration 0:22:40

111008: User 'enable_15' executed the 'clear xlate' command.

testname(config)#

testname(config)#

testname(config)#

testname(config)# shw access-list

Type help or '?' for a list of available commands.

testname(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

access-list out2in; 2 elements

access-list out2in line 1 permit icmp any any echo-reply (hitcnt=20)

access-list out2in line 2 permit tcp any host xxx.xxx.11.242 eq www
(hitcnt=0)

access-list inside_outbound_nat0_acl; 1 elements

access-list inside_outbound_nat0_acl line 1 permit ip any 192.168.0.192
255.255.

255.192 (hitcnt=30756874)

testname(config)#

testname(config)#

testname(config)#

testname(config)# clear xlate

testname(config)# 111008: User 'enable_15' executed the 'clear xlate'
command

testname(config)# 302010: 0 in use, 274 most used

609001: Built local-host DMZ:192.168.2.121

305011: Built static TCP translation from DMZ:192.168.2.121/80 to
outside:155.21

2.99.142/80

302013: Built inbound TCP connection 26537 for outside:24.191.35.213/3393
(24.19

1.35.213/3393) to DMZ:192.168.2.121/80 (111.212.11.242/80)

302014: Teardown TCP connection 26537 for outside:24.191.35.213/3393 to
DMZ:192.

168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout

305012: Teardown static TCP translation from DMZ:192.168.2.121/80 to
outside:155

..212.99.142/80 duration 0:02:15

302010: 0 in use, 274 most used

testname(config)# sh run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet1 vlan2 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan2 DMZ security50

enable password RKu3p1CF3TrlG1v9 encrypted

passwd FRou7zzj.tp5/Po3 encrypted

hostname testname

domain-name atcentral

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list out2in permit icmp any any echo-reply

access-list out2in permit tcp any host 111.212.11.242 eq www

access-list inside_outbound_nat0_acl permit ip any 192.168.0.192
255.255.255.192

pager lines 24

logging on

logging timestamp

logging console informational

logging buffered informational

logging host inside 192.168.0.33

mtu outside 1500

mtu inside 1500

ip address outside 111.212.11.242 255.255.255.252

ip address inside 192.168.0.2 255.255.255.0

ip address DMZ 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool boldsupport 192.168.0.200-192.168.0.230

pdm location 192.168.0.31 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (DMZ,outside) tcp interface www 192.168.2.121 www netmask
255.255.255.255

0 0

access-group out2in in interface outside

route outside 0.0.0.0 0.0.0.0 155.212.99.141 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

http server enable

http 192.168.0.31 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 33

ssh timeout 5

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP client configuration address local xxxxxxxxxxx

vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.xx.2
xxx.41.1xx.15

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username testname password *********

vpdn enable outside

username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2

username robert password wqEpZlHyXB1vk/uT encrypted privilege 2

terminal width 80

Cryptochecksum:0239161e0c3cd774be16db707bad9960

: end

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)# show static

static (DMZ,outside) tcp interface www 192.168.2.121www netmask
255.255.255.255

0 0

testname(config)# show static

static (DMZ,outside) tcp interface www 192.168.2.121 www netmask
255.255.255.255

0 0

testname(config)#

testname(config)# static (DMZ,outside) tcp interface www 192.168.2.121 www $

ERROR: static overlaps with 111.212.11.242/80 to 192.168.2.121/80

Usage: [no] static [(internal_if_name, external_if_name)]

{<global_ip>|interface} <local_ip> [dns] [netmask <mask>]

[<max_conns> [<emb_limit> [<norandomseq>]]]

[no] static [(internal_if_name, external_if_name)] {tcp|udp}

{<global_ip>|interface} <global_port>

<local_ip> <local_port> [dns] [netmask <mask>]

[<max_conns> [<emb_limit> [<norandomseq>]]]

testname(config)# 0 0

Type help or '?' for a list of available commands.

testname(config)# no static (DMZ,outside) tcp interface www 192.168.2.121 w$

testname(config)# 111008: User 'enable_15' executed the 'no static
(DMZ,outsi

de) tcp interface www 192.168.2.121 www netmask 255.255.255.255' command.

testname(config)#

testname(config)#

testname(config)# clear xlate

testname(config)# 609002: Teardown local-host DMZ:192.168.2.121 duration
0:15

:59

111008: User 'enable_15' executed the 'clear xlate' command.

testname(config)#

testname(config)#

testname(config)#

testname(config)# sh static

testname(config)#

testname(config)#

testname(config)# static (DMZ,outside) 111.212.11.242 192.168.2.121

testname(config)# 111008: User 'enable_15' executed the 'static
(DMZ,outside)

111.212.11.242 192.168.2.121' command.

testname(config)#

testname(config)#

testname(config)# sh static

static (DMZ,outside) 111.212.11.242 192.168.2.121 netmask 255.255.255.255 0
0

testname(config)#

testname(config)#

testname(config)# clear xlate

testname(config)# 111008: User 'enable_15' executed the 'clear xlate'
command

..

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)# 302010: 0 in use, 274 most used

106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967
by ac

cess-group "out2in"

106011: Deny inbound (No xlate) udp src outside:65.96.110.81/2967 dst
outside:15

5.212.99.142/2967

106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967
by ac

cess-group "out2in"

106011: Deny inbound (No xlate) udp src outside:65.96.110.81/2967 dst
outside:15

5.212.99.142/2967

106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967
by ac

cess-group "out2in"

106011: Deny inbound (No xlate) udp src outside:65.96.110.81/2967 dst
outside:15

5.212.99.142/2967

609001: Built local-host inside:192.168.0.41

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1808

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1808

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1808

dst outside:198.6.1.122/53

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1810

dst outside:216.92.69.104/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1810

dst outside:216.92.69.104/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1810

dst outside:216.92.69.104/110

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1811

dst outside:216.41.101.15/53

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1813

dst outside:209.68.16.115/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1813

dst outside:209.68.16.115/110

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1811

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1816

dst outside:216.41.101.15/53

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1813

dst outside:209.68.16.115/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1818

dst outside:209.68.1.171/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1818

dst outside:209.68.1.171/110

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1816

dst outside:198.6.1.122/53

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1818

dst outside:209.68.1.171/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1820

dst outside:209.68.1.21/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1820

dst outside:209.68.1.21/110

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1811

dst outside:198.6.1.122/53

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1820

dst outside:209.68.1.21/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1822

dst outside:207.217.121.216/110

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1822

dst outside:207.217.121.216/110

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1816

dst outside:198.6.1.122/53

305006: portmap translation creation failed for tcp src
inside:192.168.0.41/1822

dst outside:207.217.121.216/110

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1811

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1811

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1816

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1816

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1811

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1811

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1816

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1816

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1823

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1823

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1823

dst outside:198.6.1.122/53

302010: 0 in use, 274 most used

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1824

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1824

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1824

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1824

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1824

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1824

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1824

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1825

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1825

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1825

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1825

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1825

dst outside:198.6.1.122/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1825

dst outside:216.41.101.15/53

305006: portmap translation creation failed for udp src
inside:192.168.0.41/1825

dst outside:198.6.1.122/53

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)#

testname(config)# 609001: Built local-host DMZ:192.168.2.121

305009: Built static translation from DMZ:192.168.2.121 to
outside:155.212.99.14

2

302013: Built inbound TCP connection 26538 for outside:24.187.117.222/2864
(24.1

87.117.222/2864) to DMZ:192.168.2.121/80 (111.212.11.242/80)

302014: Teardown TCP connection 26538 for outside:24.187.117.222/2864 to
DMZ:192

..168.2.121/80 duration 0:02:01 bytes 0 SYN Timeout

302010: 0 in use, 274 most used

106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967
by ac

cess-group "out2in"

106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967
by ac

cess-group "out2in"

106023: Deny udp src outside:65.96.110.81/2967 dst DMZ:111.212.11.242/2967
by ac

cess-group "out2in"

106023: Deny tcp src outside:68.72.217.168/3979 dst DMZ:111.212.11.242/135
by ac

cess-group "out2in"

302010: 0 in use, 274 most used

106023: Deny tcp src outside:216.77.70.61/4169 dst DMZ:111.212.11.242/135 by
acc

ess-group "out2in"

106023: Deny tcp src outside:216.77.70.61/4169 dst DMZ:111.212.11.242/135 by
acc

ess-group "out2in"

clear xlate

testname(config)# 305010: Teardown static translation from DMZ:192.168.2.121

to outside:111.212.11.242 duration 0:17:23

609002: Teardown local-host DMZ:192.168.2.121 duration 0:17:23

609002: Teardown local-host inside:192.168.0.41 duration 0:30:08

111008: User 'enable_15' executed

PIX: Inbound http fails to bring up a web page from server in DMZ; PIX logs shows :

J Bard Guest

Advertisements

Want to reply to this thread or ask your own question?

SMTP Telnet test fails from DMZ to inside via PIX 515

Load balanced web site with CSS 11050 shows own LB IP in IIS logs.

Pix problem; Can't accessing Web server on inside from DMZ

WinXP Home SP2 Logs on then Logs off

Win XP SP2 Logs in then Logs out

Win XP SP2 Logs in then Logs out

WinXP Home SP2 logs in then right away logs off

HTTP SOAP/HTTP GET/HTTP POST

PIX: Inbound http fails to bring up a web page from server in DMZ; PIX logs shows :

J Bard Guest

Advertisements

Want to reply to this thread or ask your own question?

Useful Searches