I am attempting to forward SSL connection requests across a NAT into a Windows 2003 platform that is hosting an
SSL web server.
My SSL webserver is receiving the forwarded SYNs from the client, and responding, but that response ACK is getting lost.
I have a record of the ACK on the server but I get no record of it on the PIX. No ACLs appear to be triggered by the
ACK either.
The Management-subnet, as shown in the config below, is actually not being used for management, but the interface 192.168.11.15 is.
The end result is that I get a SYN timeout message in the PIX logs when they are set to debugging level.
I have opened up a bunch of ACLs for debugging purposes but with no positive result.
Any thoughts?
name 192.168.1.80 BPM-server
name 192.168.1.64 BPM-server-subnet description Small subnet to hold BPM and AG servers
name 192.168.1.0 Management-subnet description Small subnet to manage devices
!
interface Ethernet0
description Management interface for Vlab PIX
nameif Vlab-1-mgmt
security-level 100
ip address 192.168.11.15 255.255.255.0
management-only
!
interface Ethernet1
description This is used for management access and for the BPM and other demo servers
nameif inside
security-level 10
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet2
description This will provide external service to the Bell Privacy Manager demo and Sharepoint servers
nameif BPM-Vlab-external-1
security-level 20
ip address xxx.yyy.zzz.67 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object BPM-server-subnet 255.255.255.248
network-object xxx.yyy.zzz.64 255.255.255.248
access-list 100 extended permit tcp Management-subnet 255.255.255.0 any
access-list 100 extended permit ip any Management-subnet 255.255.255.0
access-list 100 extended permit ip xxx.yyy.zzz.64 255.255.255.248 Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in extended permit icmp any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit udp host 192.168.1.1 host 192.168.1.2
access-list 110 extended permit tcp any host xxx.yyy.zzz.67 eq https
access-list inside_access_in_1 extended permit udp host 192.168.1.1 host 192.168.1.2
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in_1 extended permit ip Management-subnet 255.255.255.0 any
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any any
global (BPM-Vlab-external-1) 1 xxx.yyy.zzz.69
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,BPM-Vlab-external-1) tcp interface https BPM-server https netmask 255.255.255.255
access-group 100 in interface inside
access-group BPM-Vlab-external-1_access_in_1 in interface BPM-Vlab-external-1
!
router rip
version 2
!
route BPM-Vlab-external-1 0.0.0.0 0.0.0.0 xxx.yyy.zzz.68 1
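As an added example (not part of the original post), here is a small Python checker that reads the relevant lines of the configuration above and reports which ACL is actually applied on the outside interface, whether it permits TCP/443 to the interface address that the static translates, which real host that static maps to, and which configured ACLs are not applied to any interface. It assumes the masked prefix xxx.yyy.zzz is 203.0.113 and models only the any / host / network-mask address forms (object-group entries are not handled); it checks the inbound policy only and says nothing about the return path of the SYN-ACK.

```python
import ipaddress
# Constructed excerpt of the posted config; the masked prefix xxx.yyy.zzz is
# replaced by the 203.0.113 documentation prefix so that the addresses parse.
CONFIG = """
name 192.168.1.80 BPM-server
name 192.168.1.0 Management-subnet
nameif BPM-Vlab-external-1
ip address 203.0.113.67 255.255.255.248
access-list 110 extended permit tcp any host 203.0.113.67 eq https
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any any
static (inside,BPM-Vlab-external-1) tcp interface https BPM-server https netmask 255.255.255.255
access-group BPM-Vlab-external-1_access_in_1 in interface BPM-Vlab-external-1
"""
PORTS = {"https": 443, "www": 80}  # service keywords accepted by the ACL/static syntax

def parse(cfg):  # -> name aliases, interface IPs, ACEs per ACL, applied ACL per interface, statics
    names, ifaces, acls, applied, statics, cur = {}, {}, {}, {}, [], None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "name": names[t[2]] = t[1]
        elif t[0] == "nameif": cur = t[1]
        elif t[:2] == ["ip", "address"]: ifaces[cur] = t[2]
        elif t[0] == "access-list": acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group": applied[t[4]] = t[1]   # interface -> ACL name
        elif t[0] == "static": statics.append(t)
    return names, ifaces, acls, applied, statics

def _addr(tok, i, names):  # one address spec (any | host X | NET MASK) at tok[i] -> (network, next i)
    if tok[i] == "any": return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host": return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1])), i + 2
    return ipaddress.ip_network(f"{names.get(tok[i], tok[i])}/{tok[i + 1]}", strict=False), i + 2

def ace_verdict(ace, names, proto, dst, port):  # True/False if the ACE matches (permit/deny), None if not
    _src, i = _addr(ace, 3, names)  # ace = [extended, permit|deny, proto, src.., dst.., eq port]
    dstnet, i = _addr(ace, i, names)
    aport = PORTS.get(ace[i + 1], ace[i + 1]) if i < len(ace) and ace[i] == "eq" else None
    if ace[2] not in ("ip", proto) or ipaddress.ip_address(dst) not in dstnet: return None
    if aport is not None and int(aport) != port: return None
    return ace[1] == "permit"

def inbound_check(cfg, out_if, proto="tcp", port=443):
    """Applied ACL on out_if, its verdict for proto/port to the interface IP, the static's real host."""
    names, ifaces, acls, applied, statics = parse(cfg)
    acl, mapped, verdict = applied.get(out_if), ifaces[out_if], None
    for ace in acls.get(acl, []):  # first matching ACE wins; no match means implicit deny
        verdict = ace_verdict(ace, names, proto, mapped, port)
        if verdict is not None: break
    real = [names.get(s[5], s[5]) for s in statics if s[1].endswith(f",{out_if})")
            and s[2] == proto and s[3] == "interface" and int(PORTS.get(s[4], s[4])) == port]
    return {"acl": acl, "permitted": bool(verdict), "mapped": mapped, "real": real[0] if real else None,
            "unapplied": sorted(set(acls) - set(applied.values()))}
```

Running `inbound_check(CONFIG, "BPM-Vlab-external-1")` on the excerpt shows that the applied outside ACL permits the flow through its `ip any any` entry and that access-list 110 is never applied.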