topic Re: Problem allowing port 80 through to DMZ in Network Security

Problem allowing port 80 through to DMZ

gecko2207 — Mon, 11 Mar 2019 09:52:23 GMT

I am having a strange problem. I have a new web server located in the DMZ off my PIX 515e firewall. I set up the access list and static mappings the same as I have for all of my other web servers in the DMZ. From outside, I can telnet to port 80 on the external IP addresses, but when I try to access the web page, it gives me a "Page cannot be displayed" error. I have tried to access the web page from the localhost on the server as well as from a server on the INSIDE network and I am able to connect so I know that the web server is serving pages properly. I have verified the accuracy of my access lists and static mappings and can't see anything that would cause this problem. Here is the config for one of the servers:

static (DMZ1,outside) 204.aaa.bbb.ccc 10.aaa.bbb.ccc netmask 255.255.255.255

access-list outside_acl extended permit tcp any host 204.aaa.bbb.ccc eq www

I have other servers with the same static and access list statements (with different IPs) and they are working fine.

Any thoughts? The software version is 7.1(1)

Re: Problem allowing port 80 through to DMZ

allcastr — Tue, 27 Mar 2007 15:47:17 GMT

Hello,

Can you post your configuration?

Re: Problem allowing port 80 through to DMZ

acomiskey — Tue, 27 Mar 2007 15:48:47 GMT

Is dns resolving correctly?

Re: Problem allowing port 80 through to DMZ

gecko2207 — Tue, 27 Mar 2007 16:25:34 GMT

I have attached a scrubbed version of my config.

As for DNS, I am trying to access by IP address so that shouldn't be a factor, but it is resolving correctly when I try to ping the URL.

Re: Problem allowing port 80 through to DMZ

acomiskey — Tue, 27 Mar 2007 17:15:25 GMT

Any logs? How bout a clear xlate...

Re: Problem allowing port 80 through to DMZ

gecko2207 — Tue, 27 Mar 2007 17:32:36 GMT

I tried clear xlate and even reloaded the PIX. Neither worked. As for logs, I have found a difference between the problem web page and the working one (both on the same server, different IPs). The working one builds the outside interface and then serves the URL. The one that isn't working build the outside and DMZ interfaces and then tries to access the URL. It then does something strange in that it gives an error of portmap translation creation failed for tcp src inside:(my pc's private IP). This is strange because my PC is on a different network behind another PIX 515e running NAT so it should only show the source address of the outside interface of that PIX (which it does when it builds the initial connection on the outside.

Here are some lines from the log showing the process:

6|Mar 26 2007 15:41:02|609002: Teardown local-host inside:10.1.1.50 duration 0:00:00

3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80

6|Mar 26 2007 15:41:02|609001: Built local-host inside:10.1.1.50

5|Mar 26 2007 15:41:02|304001: 65.1.1.100 Accessed URL 10.10.10.100:/

6|Mar 26 2007 15:41:01|302013: Built inbound TCP connection 1396326 for outside:65.1.1.100/63997 (65.1.1.100/63997) to DMZ1:10.10.10.100/80 (204.1.1.200/80)

6|Mar 26 2007 15:41:01|609001: Built local-host DMZ1:10.10.10.100

6|Mar 26 2007 15:41:01|609001: Built local-host outside:65.1.1.100

The IPs have been changed. They are as follows:

65.1.1.100 - NATd IP from the PIX that my PC sits behind.

10.1.1.50 - Private IP for my PC

10.10.10.100 - Private IP of server in DMZ

204.1.1.200 - Static NAT translation outside address for server in DMZ

Re: Problem allowing port 80 through to DMZ

acomiskey — Tue, 27 Mar 2007 17:40:20 GMT

do you have something like

static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

Re: Problem allowing port 80 through to DMZ

abinjola — Tue, 27 Mar 2007 17:44:45 GMT

ok..can you try

disabling the Inspect http

Re: Problem allowing port 80 through to DMZ

gecko2207 — Tue, 27 Mar 2007 17:48:46 GMT

I do have a static statement set up for inside to DMZ1.

Re: Problem allowing port 80 through to DMZ

gecko2207 — Tue, 27 Mar 2007 19:22:56 GMT

I guess I could try that.... if that was the problem though, wouldn't it be across the board for all web servers?

Re: Problem allowing port 80 through to DMZ

hoogen_82 — Wed, 28 Mar 2007 06:35:48 GMT

static (DMZ1,outside) 204.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.255.255.255

THe above is your statement, instead try this(assuming 204.xxx.xxx.xxx is your outside interface address

static (DMZ1,outside) interface 10.xxx.xxx.xxx netmask 255.255.255.255

This should probably solve the problem.

-Hoogen

Re: Problem allowing port 80 through to DMZ

gecko2207 — Wed, 28 Mar 2007 15:19:59 GMT

Hoogen, thanks for the response. Unfortunately, the outside IP address for the static statement is a different address than the interface address.

Re: Problem allowing port 80 through to DMZ

David White — Wed, 28 Mar 2007 17:46:04 GMT

There isn't quite enough information here. However, the issue is with the following message:

3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80

This means that the PIX received a packet sourced from 10.1.1.50 on the inside interface, and destined to 10.10.10.100 on the DMZ1 interface. The packet matched a nat statement (most likely: nat (inside) 10 0.0.0.0 0.0.0.0), however upon matching the nat, it could not find a corresponding global statement on the DMZ1 interface.

Now, from your messages so far you seem to indicate that this packet should not have been received by this PIX on the inside interface. Is that correct? Or did I misunderstand something?

David.