URL not able to open from public domain (sometime)

sudhir.rai
Level 1

Hi all,

I am currently facing an interesting issue and it goes like this.....

We have one URL hosted on one of the servers which is accessed by both our private domain (intranet domain) and public domain (internet domain).

For intranet users we have simply allowed all the traffic from our domain to access the server through the firewall.

Firewall rules go something like this:

e.g. from 10.x.x.x to 10.1.x.x on port 443

From here it goes to the load balancer, which load balances the traffic on two physical servers.

But for intranet users we have natted our internal IP to a public IP and allowed the rule on the firewall,

i.e. natted 10.x.x.x to 59.163.x.x

Firewall rule for outside outgoing:

from any to 59.163.x.x on port 443

Firewall rule for inside outgoing:

any to 10.x.x.x on port 443

However, for intranet users the URL is working fine. But for internet we are unable to open the page, though this happens only sometimes.

I have checked the logs on the firewall; for the outside domain it is allowing the traffic to go through to the server.

nslookup shows the correct IP.

Can you suggest the possible issue which is causing this problem (sometimes)?

2 Replies

Kureli Sankar
Cisco Employee

Sudhir,

Not enough information.

Are both intranet and internet off the same interface - outside?

I believe you mixed up internet and intranet. What I highlighted in red is internet, right?

But for intranet user we have natted our internal ip to public ip and allow the rule on firewall

i.e natted to 10.x.x.x to 59.163.x.x

Pls. provide a simple text based topology like the one below, sh run static, sh nameif.

inside hosts---Firewall---internet
                           |
                       443(webserver)

So you are saying the inside hosts are able to reach the webserver using its internal address, but the internet users are not able to reach it using the mapped address 59.163.x.x?

If the logs are allowing and traffic from the internet goes to the webserver, do you know if the webserver responds to this flow? Are you seeing SYN timeout logs?

Gather captures on the firewall, both on the internet side and on the interface where the 443 server is plugged in, and see if you see the packets making it and the response coming back.

cap capout int outside match tcp any host 59.163.x.x eq 443

cap capin int intranet match tcp any ho 10.x.x.x eq 443

-KS

Hi,

Below, which is marked red, is actually internet and not intranet; sorry for the typo.

Below are the answers to your questions.

Q- So you are saying the inside hosts are able to reach the webserver using its internal address, but the internet users are not able to reach it using the mapped address 59.163.x.x?

Ans- Yes, inside users are able to access the URL, but some (not all) internet users are able to open the URL.

Q- If the logs are allowing and traffic from the internet goes to the webserver, do you know if the webserver responds to this flow? Are you seeing SYN timeout logs?

Ans- Yes, the firewall is showing me the logs (through the real time log viewer) that it is hitting the webserver. I am attaching the screenshot for the same..

Regarding the response from the webserver, that I have not seen... please tell me the exact procedure to see the response from the server side if you can; I will share the result with you.

Q- Gather captures on the firewall, both on the internet side and on the interface where the 443 server is plugged in, and see if you see the packets making it and the response coming back.

Ans- Same as above.

For the commands which you have told me to check, I have checked on the firewall (through PuTTY); when I hit the commands it does not show anything...

The commands which I am trying are:

cap capin int outside match tcp any host 59.163.51.174 eq 443
cap capout int newinside match tcp any ho 10.1.9.135 eq 443

note* - newinside is the zone where server 10.1.9.135 is hosted

and I have natted this IP with 59.163.51.174 and it is resolving properly...

A similar scenario is there with another server, but it is accessible to both internal as well as outside users.

But when I check the same command for this server, it too doesn't show me any logs...

command: cap capin int outside match tcp any host 59.163.51.150 eq 80

cap capout int inside match tcp any ho 10.1.0.138 eq 80

note* - inside is the zone where server 10.1.0.138 is hosted

Please suggest if I am in the right direction or something is missing......

The topology you have mentioned is correct, but the only change is that the webserver is accessible through a load balancer (10.1.9.135 is the VIP, and 10.1.9.15 & 10.1.9.16 are the physical IPs).

Also I would like to tell you that for some public IPs (not specific ones) I have not seen the request hitting the firewall at all, so I would like to know whether it's their local issue or something else......
