09-01-2003 03:55 AM - edited 02-20-2020 10:57 PM
Hi,
I do have some trouble getting my dmz settings working. I have a reverse proxy, located in the dmz, which is supposed to redirect all http traffic to a certain domain to a web server that is in the inside network. The PIX does NAT all connections originating from inside and dmz (perimeter):
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (perimeter) 1 0.0.0.0 0.0.0.0 0 0
First of all I created a static to outside for my reverse proxy:
static (perimeter,outside) x.x.x.x 192.168.109.52 netmask 255.255.255.255 0 0
Then I permitted access to the reverse proxy:
access-list 100 permit tcp any host x.x.x.x eq www
And bound the access-list to the outside interface:
access-group 100 in interface outside
So far so good, everything's working at this point. But as soon as I add an access-list for using the web server in the inside network, it interrupts my connection flow.
Exemption to nat from inside to dmz:
static (inside,perimeter) 192.168.108.0 192.168.108.0 netmask 255.255.255.0 0 0
static (inside,perimeter) 192.168.107.0 192.168.107.0 netmask 255.255.255.0 0 0
Permit access to the inside web server:
access-list 200 permit tcp host 192.168.109.52 host 192.168.108.34 eq 7777
Now what happens is (or at least I assume it): A host connects to the IP x.x.x.x for a http request. The PIX passes the request to the reverse proxy using the acl 100. The reverse proxy picks up the request and processes it, respectively forwards it to the internal web server. The answer is sent back to the reverse proxy and then it tries to transmit the response back to the requester. Actually this should work based on the interface definition of the security level: inside 100, perimeter 50, outside 0. But the responses do not get through to the outside anymore. I guess it must be somewhere between the reverse proxy and the PIX since the network connection (a) is held between reverse proxy and requester and a new connection (b) is held by reverse proxy and inside web server.
Does anyone have a clue on how to solve this problem?
Thanks in advance.
Kai Keong Ng
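As an added illustration (not part of the original post or of any Cisco code), the following Python script walks the two access-lists quoted above with PIX-style semantics: entries are evaluated top to bottom, the first match wins, and every access-list ends with an implicit deny, so once an access-group binds a list to an interface only the flows it explicitly permits get through. The public address x.x.x.x is stood in for by a documentation address (203.0.113.10) and the outside client address is constructed; both are assumptions, not values from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Access-list lines as posted above; 203.0.113.10 stands in for x.x.x.x (assumption).
PIX_ACLS = """
access-list 100 permit tcp any host 203.0.113.10 eq www
access-list 200 permit tcp host 192.168.109.52 host 192.168.108.34 eq 7777
"""

# Port keywords the PIX accepts in place of numbers (subset sufficient for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass
class Ace:
    """One access-control entry of a PIX access-list."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX access-list syntax takes a normal subnet mask (not an IOS wildcard mask).
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Group 'access-list NAME ...' lines into ordered lists of Ace objects keyed by NAME."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First matching entry decides; a list with no match denies (implicit deny)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if s in ace.src and d in ace.dst and ace.dport in (None, dst_port):
            return ace.action
    return "deny"


def check_flows():
    """Evaluate the flows described in the post plus two flows the lists do not mention."""
    acls = parse_acls(PIX_ACLS)
    return {
        # outside client -> published proxy address, port 80 (acl 100 on outside)
        "client_to_proxy_http": evaluate(acls["100"], "tcp", "198.51.100.7", "203.0.113.10", 80),
        # same client to port 443: no entry, so the implicit deny applies
        "client_to_proxy_https": evaluate(acls["100"], "tcp", "198.51.100.7", "203.0.113.10", 443),
        # reverse proxy -> inside web server on 7777 (acl 200)
        "proxy_to_inside_7777": evaluate(acls["200"], "tcp", "192.168.109.52", "192.168.108.34", 7777),
        # reverse proxy -> inside web server on 80: not permitted by acl 200
        "proxy_to_inside_80": evaluate(acls["200"], "tcp", "192.168.109.52", "192.168.108.34", 80),
    }


if __name__ == "__main__":
    for flow, verdict in check_flows().items():
        print(f"{flow:24s} {verdict}")
```

The practical use of such a walk-through is to see exactly which flows an access-list leaves for the implicit deny once it is bound to an interface; only traffic the PIX capture or syslog shows as dropped should then be compared against that list.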
09-01-2003 04:40 AM
Hi Kai Keong,
Your config looks good. You can capture packets in the DMZ to examine incoming & outgoing packets; you should be able to identify where the problem is. If not, you need to go deeper by using the debug/syslog feature on the PIX to see if it has something wrong.
Regards
Ben