11-22-2010 06:49 AM - edited 03-11-2019 12:12 PM
I am attempting to forward SSL connection requests across a NAT into a Windows 2003 platform that is hosting an SSL web server.
My SSL web server is receiving the forwarded SYNs from the client and responding, but that response ACK is getting lost.
I have a record of the ACK on the server, but I get no record of it on the PIX. No ACLs appear to be triggered by the ACK either.
The Management-subnet, as shown in the config below, is actually not being used for management; the interface 192.168.11.15 is.
The end result is that I get a SYN timeout message in the PIX logs when they are set to debugging level.
I have opened up a bunch of ACLs for debugging purposes but with no positive result.
Any thoughts?
name 192.168.1.80 BPM-server
name 192.168.1.64 BPM-server-subnet description Small subnet to hold BPM and AG servers
name 192.168.1.0 Management-subnet description Small subnet to manage devices
!
interface Ethernet0
 description Management interface for Vlab PIX
 nameif Vlab-1-mgmt
 security-level 100
 ip address 192.168.11.15 255.255.255.0
 management-only
!
interface Ethernet1
 description This is used for management access and for the BPM and other demo servers
 nameif inside
 security-level 10
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet2
 description This will provide external service to the Bell Privacy Manager demo and Sharepoint servers
 nameif BPM-Vlab-external-1
 security-level 20
 ip address xxx.yyy.zzz.67 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object BPM-server-subnet 255.255.255.248
 network-object xxx.yyy.zzz.64 255.255.255.248
access-list 100 extended permit tcp Management-subnet 255.255.255.0 any
access-list 100 extended permit ip any Management-subnet 255.255.255.0
access-list 100 extended permit ip xxx.yyy.zzz.64 255.255.255.248 Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in extended permit icmp any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit udp host 192.168.1.1 host 192.168.1.2
access-list 110 extended permit tcp any host xxx.yyy.zzz.67 eq https
access-list inside_access_in_1 extended permit udp host 192.168.1.1 host 192.168.1.2
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in_1 extended permit ip Management-subnet 255.255.255.0 any
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any any
global (BPM-Vlab-external-1) 1 xxx.yyy.zzz.69
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,BPM-Vlab-external-1) tcp interface https BPM-server https netmask 255.255.255.255
access-group 100 in interface inside
access-group BPM-Vlab-external-1_access_in_1 in interface BPM-Vlab-external-1
!
router rip
 version 2
!
route BPM-Vlab-external-1 0.0.0.0 0.0.0.0 xxx.yyy.zzz.68 1
11-22-2010 07:41 AM
Couple of things -
1) Your outside interface has a higher security level than your inside interface. Is this what you want, as it is not standard?
2) You say you can see the server sending the ACK but do not see it on the PIX. Is the server's default gateway the PIX?
Jon
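As an added example (not code from the thread), a small Python audit run over a constructed excerpt of the posted config: it mechanises Jon's first point and adds one related sanity check on the static translation. The function names, and the rule that any non-management interface at or above the inside level counts as an inversion, are my assumptions.

```python
import re
# Constructed excerpt of the configuration posted in the question (same names and levels).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif Vlab-1-mgmt
 security-level 100
 management-only
!
interface Ethernet1
 nameif inside
 security-level 10
!
interface Ethernet2
 nameif BPM-Vlab-external-1
 security-level 20
!
static (inside,BPM-Vlab-external-1) tcp interface https BPM-server https netmask 255.255.255.255
access-group 100 in interface inside
access-group BPM-Vlab-external-1_access_in_1 in interface BPM-Vlab-external-1
"""

def parse_interfaces(config):
    """Map each nameif to its security-level and whether it is management-only."""
    ifaces, current = {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("interface "):
            current = {"level": None, "management_only": False}
        elif line == "!":
            current = None
        elif current is not None:
            if line.startswith("nameif "):
                ifaces[line.split()[1]] = current
            elif line.startswith("security-level "):
                current["level"] = int(line.split()[1])
            elif line == "management-only":
                current["management_only"] = True
    return ifaces

def security_level_inversions(ifaces, inside="inside"):
    """Non-management interfaces at or above the inside level: the PIX passes
    higher-to-lower traffic without an ACL, which is the inversion Jon points out."""
    inside_level = ifaces[inside]["level"]
    return sorted(n for n, i in ifaces.items() if n != inside
                  and not i["management_only"] and i["level"] >= inside_level)

def statics_without_access_group(config):
    """Mapped interfaces of static NAT entries with no inbound access-group bound."""
    bound = set(re.findall(r"^access-group \S+ in interface (\S+)", config, re.M))
    mapped = re.findall(r"^static \([^,]+,([^)]+)\)", config, re.M)
    return sorted({m for m in mapped if m not in bound})
```

On the posted config the first check reports BPM-Vlab-external-1 (level 20 above inside's 10) and the second reports nothing, since an access-group is bound to the mapped interface; neither can tell you where the server's ACK went, which is Jon's second question.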