01-05-2011 06:49 AM - edited 03-11-2019 12:30 PM
Hi,
We have 2 security contexts configured on a PIX 525 with 8.0.2.
Users on context 1 should be able to reach web servers on context 2.
I cannot see in any logs that the traffic is being blocked, but it is not possible to get to the page.
From everywhere else on the internet it works fine, so the web servers are working fine.
If I ping from context 1 I get the right IP address of the web servers, so it does not look like a DNS issue.
So the question is, even though I'm using 2 contexts, does the firewall see it as one, so it thinks I'm trying to do hairpinning?
Or what can be the reason, since it is blocking?
Best regards,
Erik Jacobsen
01-05-2011 07:42 AM
Is this cascading contexts? or is there a layer-3 device in between?
What is the topology?
source--ctx1--ctx2--server
or
source--ctx1--router--ctx2--server?
You need to watch the logs in both contexts for the IP addresses in question and see why it is failing.
There is no U-Turning here that I can see.
-KS
01-05-2011 12:07 PM
Hi,
I cannot see why there should be hairpinning or a U-turn. But since it is working fine from other sites, but not from the other context, I begin to suspect that it could be something like this.
Because we have 2 different web servers and it is the same issue with both of them.
The setup is user-context1-context2-webserver.
Best regards,
Erik Jacobsen
01-05-2011 12:09 PM
PS. I have checked all access-lists on both contexts and there should not be anything blocking.
Erik
01-06-2011 07:48 AM
Hello,
Why don't you just try to run a packet-tracer in both contexts? Try to take some captures as well. Does context 1 know how to reach the server? Are you permitting this traffic in context 2? Can you post the configuration? That would make things easier.
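As an added example (not part of the original thread), this is what the checks suggested in the reply above look like on a PIX/ASA 8.0 running in multiple-context mode: a packet-tracer in each context, a capture on both interfaces of each context, and the route and access-list checks. The context names (ctx1, ctx2), interface names (inside, outside, dmz) and addresses (client 10.1.1.50, web server 192.0.2.10) are assumptions for illustration; substitute the real ones. The point of capturing in both contexts is that packet-tracer only simulates one packet against the configuration, while captures show where a real, intermittently failing flow actually stops.

```text
! Added example, not from the original thread. Names and addresses are assumed:
!   ctx1 (user side):   interfaces "inside" and "outside"
!   ctx2 (server side): interfaces "outside" and "dmz"
!   client 10.1.1.50, web server 192.0.2.10 (as the address is seen by each context)

! --- System execution space: list the contexts, then step into the first one ---
pix# changeto system
pix# show context
pix# changeto context ctx1

! Does ctx1 have a route toward the server?
pix/ctx1# show route | include 192.0.2

! Simulate the client's TCP SYN to port 80 and read each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...)
pix/ctx1# packet-tracer input inside tcp 10.1.1.50 1025 192.0.2.10 80 detailed

! Capture real traffic on both sides of ctx1 while the user retries the page
pix/ctx1# capture c1in  interface inside  match tcp host 10.1.1.50 host 192.0.2.10 eq 80
pix/ctx1# capture c1out interface outside match tcp host 10.1.1.50 host 192.0.2.10 eq 80
pix/ctx1# show capture c1in
pix/ctx1# show capture c1out

! --- Same checks in ctx2, where the inbound permit for this traffic must exist ---
pix/ctx1# changeto context ctx2
pix/ctx2# show running-config access-list | include 192.0.2.10
pix/ctx2# show access-list | include 192.0.2.10
pix/ctx2# packet-tracer input outside tcp 10.1.1.50 1025 192.0.2.10 80 detailed
pix/ctx2# capture c2out interface outside match tcp host 10.1.1.50 host 192.0.2.10 eq 80
pix/ctx2# capture c2dmz interface dmz     match tcp host 10.1.1.50 host 192.0.2.10 eq 80
pix/ctx2# show capture c2out
pix/ctx2# show capture c2dmz

! Remove the captures when finished
pix/ctx2# no capture c2out
pix/ctx2# no capture c2dmz
pix/ctx2# changeto context ctx1
pix/ctx1# no capture c1in
pix/ctx1# no capture c1out
```

Reading the results: if the SYN appears on ctx1's outside capture but never on ctx2's outside capture, the packet is lost between the contexts (interface classification or the device in between); if it appears on ctx2's outside but not on its dmz, ctx2 is dropping it and its logs and `show access-list` hit counts are the next thing to check. Note that `show access-list` hit counts only increment for real traffic, not for packet-tracer runs.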
01-06-2011 02:53 PM
Hi,
I have been running the packet tracer on both contexts, and both of them say the traffic should be allowed.
My customer just told me that it actually works sometimes.
So this is even more weird, because normally it either works or it is blocked.
So we are looking a bit at his domain controllers, to see what has been changed there.
I also found out that I cannot do a simple SSH to the firewall; only HTTP and Telnet work, even though it is configured correctly.
So the firewall is scheduled for a reboot tomorrow afternoon.
Thanks,
Erik Jacobsen
01-07-2011 02:41 AM
Hi,
Thanks for all your time.
We have now rebooted the PIX 525, and now everything works.
And then we found out that the "standby" PIX did not work, so even more issues.
We advised the customer almost a year ago to replace the PIXes with ASA firewalls. So maybe they will soon find the money :-)
Case closed.
Erik