PIX, SSL, and Missing ACKs

loubarsony (Level 1)

I am attempting to forward SSL connection requests across a NAT into a Windows 2003 platform that is hosting an SSL web server.

My SSL webserver is receiving the forwarded SYNs from the client, and responding, but that response ACK is getting lost.

I have a record of the ACK on the server but I get no record of it on the PIX. No ACLs appear to be triggered by the ACK either.

The Management-subnet, as shown in the config below, is actually not being used for management; the interface 192.168.11.15 is.

The end result is that I get a SYN timeout message in the PIX logs when they are set to debugging level.

I have opened up a bunch of ACLs for debugging purposes but with no positive result.

Any thoughts?



name 192.168.1.80 BPM-server

name 192.168.1.64 BPM-server-subnet description Small subnet to hold BPM and AG servers
name 192.168.1.0 Management-subnet description Small subnet to manage devices
!
interface Ethernet0
 description Management interface for Vlab PIX
 nameif Vlab-1-mgmt
 security-level 100
 ip address 192.168.11.15 255.255.255.0 
 management-only
!
interface Ethernet1
 description This is used for management access and for the BPM and other demo servers
 nameif inside
 security-level 10
 ip address 192.168.1.2 255.255.255.0 
!
interface Ethernet2
 description This will provide external service to the Bell Privacy Manager demo and Sharepoint servers
 nameif BPM-Vlab-external-1
 security-level 20
 ip address xxx.yyy.zzz.67 255.255.255.248 
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object BPM-server-subnet 255.255.255.248
 network-object xxx.yyy.zzz.64 255.255.255.248
access-list 100 extended permit tcp Management-subnet 255.255.255.0 any
access-list 100 extended permit ip any Management-subnet 255.255.255.0
access-list 100 extended permit ip xxx.yyy.zzz.64 255.255.255.248 Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in extended permit icmp any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit udp host 192.168.1.1 host 192.168.1.2
access-list 110 extended permit tcp any host xxx.yyy.zzz.67 eq https
access-list inside_access_in_1 extended permit udp host 192.168.1.1 host 192.168.1.2
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in_1 extended permit ip Management-subnet 255.255.255.0 any
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any any
global (BPM-Vlab-external-1) 1 xxx.yyy.zzz.69
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,BPM-Vlab-external-1) tcp interface https BPM-server https netmask 255.255.255.255
access-group 100 in interface inside
access-group BPM-Vlab-external-1_access_in_1 in interface BPM-Vlab-external-1
!
router rip
 version 2
!
route BPM-Vlab-external-1 0.0.0.0 0.0.0.0 xxx.yyy.zzz.68 1

1 Reply

Jon Marshall (Hall of Fame)

Couple of things -

1) Your outside interface has a higher security level than your inside interface. Is this what you want, as it is not standard?

2) You say you can see the server sending the ACK but do not see it on the PIX. Is the server's default gateway the PIX?

Jon
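Added example (not part of the thread, and not the poster's or Cisco's code): a small Python script that puts Jon's second question into a repeatable check. It compares a packet capture taken on the firewall's inside interface with one taken on the web server and classifies every HTTPS handshake by which segments each capture point saw. A SYN that crossed the firewall but whose SYN-ACK shows up only in the server-side capture is exactly the symptom in the question, and is what a server default gateway that does not point back at the PIX produces; the firewall, never seeing the reply, then ages the embryonic connection out as a SYN timeout. The capture line format, the client addresses and the ports are constructed for illustration; only the server address 192.168.1.80 and port 443 come from the post.

```python
"""Compare TCP handshakes seen at a firewall and at the server behind it.

Added example for the thread above; not the poster's or Cisco's code.
The capture format, client addresses and ports are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

SERVER_PORT = 443  # the listening service in the question is HTTPS

# Constructed capture lines, one packet each:
#   "<point> <src>:<sport> > <dst>:<dport> <flags>"   (S = SYN, SA = SYN-ACK, A = ACK)
FIREWALL_CAPTURE = [
    "firewall 203.0.113.10:51000 > 192.168.1.80:443 S",
    "firewall 203.0.113.11:51001 > 192.168.1.80:443 S",
    "firewall 192.168.1.80:443 > 203.0.113.11:51001 SA",
    "firewall 203.0.113.11:51001 > 192.168.1.80:443 A",
    "firewall 203.0.113.12:51002 > 192.168.1.80:443 S",
]
SERVER_CAPTURE = [
    "server 203.0.113.10:51000 > 192.168.1.80:443 S",
    "server 192.168.1.80:443 > 203.0.113.10:51000 SA",  # reply never reaches the firewall
    "server 203.0.113.11:51001 > 192.168.1.80:443 S",
    "server 192.168.1.80:443 > 203.0.113.11:51001 SA",
    "server 203.0.113.11:51001 > 192.168.1.80:443 A",
    "server 203.0.113.12:51002 > 192.168.1.80:443 S",  # server never answers at all
]

# (client ip, client port, server ip, server port)
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    point: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Packet:
    """Parse one constructed capture line into a Packet."""
    point, src, arrow, dst, flags = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected capture line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Packet(point, src_ip, int(src_port), dst_ip, int(dst_port), flags)


def flow_key(p: Packet) -> FlowKey:
    """Canonical key with the client first, so both directions map to one flow."""
    if p.dport == SERVER_PORT:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


def flags_by_flow(lines: Iterable[str]) -> Dict[FlowKey, Set[str]]:
    """Collect the set of flag strings each flow produced at one capture point."""
    seen: Dict[FlowKey, Set[str]] = {}
    for line in lines:
        p = parse_line(line)
        seen.setdefault(flow_key(p), set()).add(p.flags)
    return seen


def diagnose(firewall_lines: Iterable[str], server_lines: Iterable[str]) -> Dict[FlowKey, str]:
    """Classify each flow by which handshake segments each capture point saw."""
    fw = flags_by_flow(firewall_lines)
    srv = flags_by_flow(server_lines)
    verdicts: Dict[FlowKey, str] = {}
    for key in sorted(set(fw) | set(srv)):
        f, s = fw.get(key, set()), srv.get(key, set())
        if "S" not in f:
            verdict = "syn_not_seen_at_firewall"              # never reached the firewall
        elif "S" not in s:
            verdict = "syn_dropped_between_firewall_and_server"
        elif "SA" in s and "SA" not in f:
            verdict = "syn_ack_bypasses_firewall"             # asymmetric return path
        elif "SA" not in s:
            verdict = "server_sent_no_syn_ack"                # a server problem, not a firewall one
        elif "A" in f:
            verdict = "handshake_complete"
        else:
            verdict = "final_ack_missing"
        verdicts[key] = verdict
    return verdicts


if __name__ == "__main__":
    for key, verdict in diagnose(FIREWALL_CAPTURE, SERVER_CAPTURE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {verdict}")
```

Run against the constructed captures, the first client is reported as syn_ack_bypasses_firewall (the case in the question), the second as handshake_complete, and the third as server_sent_no_syn_ack, which separates a routing problem on the server from a service that simply is not answering. Real captures would need the tcpdump or Wireshark flag notation mapped onto the S/SA/A strings used here.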
