08-03-2007 10:23 AM - edited 03-11-2019 03:53 AM
Hi
We have PIX version 7.0. Netscaler in the dmz, and virtual server ip is the 192.168.8.98 (dmz network 192.168.8.0). inside web server is 192.168.0.250 setup with virtual server. If I setup a static (dmz,outside) 12.x.x.x 192.168.8.98 netmask 255.255.255.255 0 0 and access-list permit www access, when http://12.x.x.x to access server get following message after build connection:
No route to 67.122.x.x from 192.168.0.250
Following is message from syslog:
2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)
2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-110001: No route to 67.122.x.x from 192.168.0.250
2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302014: Teardown TCP connection -1599251913 for vip-extranet:67.122.x.x/62115 to inside:192.168.0.250/8080 duration 0:00:30 bytes 0 SYN Timeout
I don't sure it is routing issue and I ping from 67.122.x.x to 12.x.x.x is fine. please help.
Thanks
ben
08-03-2007 11:12 AM
Hi Ben
Could you send a copy of your pix config if possible. If not could you send the NAT statements, intreface addresses and routing table.
Jon
08-03-2007 11:32 AM
2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)
are you trying to acces your site using
If it is
is your netscaler doing Port re-direction from http ( 80 ) to 8080 ?
If no then then you have do it either on AS or Netscaler
08-03-2007 11:47 AM
Yes, I try both, all get same messages.
netscaler virture server can do re-direction from 80 to 8080.
Thanks
ben
08-03-2007 11:40 AM
Hi Jon
Following is related lines in the static lines
and show route:
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.8.0 255.255.255.0
global (outside) 1 interface
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
C 192.168.8.0 255.255.255.0 is directly connected, vip-extranet
How to get routing table?
no static setup for the virtual server ip setup, but don't sure how to setup it for virtual server ip?
Thanks
ben
08-03-2007 12:22 PM
Ben
routing table = "sh route"
Jon
08-03-2007 12:41 PM
S 0.0.0.0 0.0.0.0 [1/0] via 12.x.x.1, outside
C 12.x.x.0 255.255.255.128 is directly connected, outside
S 192.168.0.0 255.255.255.0 [1/0] via 192.168.252.3, inside
C 192.168.8.0 255.255.255.0 is directly connected, dmz
C 192.168.252.0 255.255.255.0 is directly connected, inside
Ben
08-03-2007 01:20 PM
Jon
Do you have any idea about Netscaler virtual server ip and phiscal server ip can be on different subnet? My issue is virtual ip and phiscal server ip in different subnet.
Thanks
en
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide