Host unable to browse the web from dmz

efarkhondeh
Level 1

I have webserver inside a pix dmz, I have configured it so I can access it from outside but the host can not access the Internet? any ideas?

6 Replies

gfullage
Cisco Employee

To access it from the outside you would have set up a static and an ACL. For outbound traffic, this same static would be used to change the source address as it goes out.

Do you have an inbound access-list on the DMZ interface that would be stopping this traffic? Where is the DNS server that this web server uses for name lookups located, on the same DMZ interface or on the outside? Make sure it's not just a name lookup issue rather than a browsing issue.

If you're still stuck, then enable logging on the PIX, then try and browse from this server and see what the log tells you.

logging on

logging buff debug

sho logging

Post the results back here if you're not sure how to read them.

Glen, I'm out of the office for the next few days, I will post the result as soon as I get back. Your help is very much appreciated. By the way, I'm only having an outbound connection issue; inbound I can access it no problem. It is pointing to a DNS server on the Internet.

Hi -

Do you get a response if you try the command 'nslookup' from an inside client?

Thanks - Jay.

302013: Built outbound TCP connection 1242090 for outside:206.112.112.71/80 (206.112.112.71/80) to dmz:172.17.200.70/1331 (208.6.12.70/1331)
304002: Access denied URL http://www.microsoft.com/ SRC 172.17.200.70 DEST 206.112.112.71 on interface dmz
302014: Teardown TCP connection 1242090 for outside:206.112.112.71/80 to dmz:172.17.200.70/1331 duration 0:00:01 bytes 1652 Uauth Deny
106015: Deny TCP (no connection) from 206.112.112.71/80 to 208.6.12.70/1331 flags ACK on interface outside
305011: Built dynamic UDP translation from inside:172.17.100.23/4278 to outside:208.6.12.69/34035
305011: Built dynamic UDP translation from inside:172.17.100.23/5362 to outside:208.6.12.69/34036
302015: Built outbound UDP connection 1242091 for outside:204.117.214.10/53 (204.117.214.10/53) to inside:172.17.100.23/5362 (208.6.12.69/34036)
305011: Built dynamic UDP translation from inside:172.17.100.23/1279 to outside:208.6.12.69/34037
302015: Built outbound UDP connection 1242092 for outside:204.117.214.10/53 (204.117.214.10/53) to inside:172.17.100.23/1279 (208.6.12.69/34037)
302016: Teardown UDP connection 1242091 for outside:204.117.214.10/53 to inside:172.17.100.23/4278 duration 0:00:01 bytes 210
302016: Teardown UDP connection 1242092 for outside:204.117.214.10/53 to inside:172.17.100.23/4278 duration 0:00:01 bytes 210
305011: Built dynamic TCP translation from inside:172.17.100.7/53139 to outside:208.6.12.69/62572
302013: Built outbound TCP connection 1242093 for outside:194.90.9.19/25 (194.90.9.19/25) to inside:172.17.100.7/53139 (208.6.12.69/62572)
106014: Deny inbound icmp src outside:208.6.12.65 dst inside:208.6.12.69 (type 3, code 13)
106014: Deny inbound icmp src outside:208.6.12.65 dst inside:208.6.12.69 (type 3, code 13)
caciquepix(config)#

The IP address 172.17.200.70 is the host on the DMZ interface which is denied access to the URL www.microsoft.com. I did an nslookup from the host and it does resolve the name to an IP address... Please help.
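Added example (not from the thread or from Cisco): a small parser for the PIX syslog lines posted above, covering both the "enable logging and read what it tells you" step in Glen's reply and the log dump Eddie posted. It groups messages by their six-digit ID, pulls the addresses out of the connection and URL-deny messages, and for one host reports whether its connections were built (translation and ACL passed) and whether any were then refused by the 304002 "Access denied URL" message, which the PIX logs when a URL-filtering server (the filter url feature) rejects the request rather than when an interface access-list drops it. The sample lines are constructed copies of the ones in the thread; the message descriptions are taken from the message text itself.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the PIX log lines posted in the thread.
SAMPLE_LOG = """\
302013: Built outbound TCP connection 1242090 for outside:206.112.112.71/80 (206.112.112.71/80) to dmz:172.17.200.70/1331 (208.6.12.70/1331)
304002: Access denied URL http://www.microsoft.com/ SRC 172.17.200.70 DEST 206.112.112.71 on interface dmz
302014: Teardown TCP connection 1242090 for outside:206.112.112.71/80 to dmz:172.17.200.70/1331 duration 0:00:01 bytes 1652 Uauth Deny
106015: Deny TCP (no connection) from 206.112.112.71/80 to 208.6.12.70/1331 flags ACK on interface outside
302015: Built outbound UDP connection 1242091 for outside:204.117.214.10/53 (204.117.214.10/53) to inside:172.17.100.23/5362 (208.6.12.69/34036)
"""

# "%PIX-6-" severity prefix is optional: 'show logging' output omits it, syslog servers keep it.
MSG_RE = re.compile(r"^(?:%PIX-\d-)?(?P<id>\d{6}):\s*(?P<body>.*)$")
URL_DENY_RE = re.compile(
    r"Access denied URL (?P<url>\S+) SRC (?P<src>[\d.]+) DEST (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)
# Matches both Built (with the translated address in parentheses) and Teardown (without it).
CONN_RE = re.compile(
    r"(?P<event>Built|Teardown) (?:outbound |inbound )?(?P<proto>TCP|UDP) connection (?P<conn>\d+) "
    r"for (?P<out_if>\w+):(?P<out_addr>[\d.]+)/(?P<out_port>\d+) (?:\([\d.]+/\d+\) )?"
    r"to (?P<in_if>\w+):(?P<in_addr>[\d.]+)/(?P<in_port>\d+)"
)

# Short descriptions of the message IDs seen in the thread.
MEANING = {
    "302013": "TCP connection built (translation and ACL passed)",
    "302014": "TCP connection torn down",
    "302015": "UDP connection built",
    "302016": "UDP connection torn down",
    "304002": "URL request denied by URL filtering",
    "305011": "dynamic translation built",
    "106014": "inbound ICMP denied",
    "106015": "TCP packet denied, no matching connection",
}


def parse_line(line):
    """Return a dict describing one PIX log line, or None if it is not a message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = {"id": m["id"], "body": m["body"], "meaning": MEANING.get(m["id"], "unknown")}
    if rec["id"] == "304002":
        u = URL_DENY_RE.search(rec["body"])
        if u:
            rec.update(u.groupdict())
    elif rec["id"] in ("302013", "302014", "302015", "302016"):
        c = CONN_RE.search(rec["body"])
        if c:
            rec.update(c.groupdict())
    return rec


def summarize(text, host):
    """Count message IDs and explain what happened to the given inside/DMZ host's traffic."""
    counts = Counter()
    denied_urls = []
    built = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["id"]] += 1
        if rec["id"] == "304002" and rec.get("src") == host:
            denied_urls.append((rec["url"], rec["dst"], rec["iface"]))
        elif rec["id"] in ("302013", "302015") and rec.get("in_addr") == host:
            built.append((rec["proto"], rec["out_addr"], int(rec["out_port"])))
    if built and denied_urls:
        verdict = "connection built, so NAT and ACL passed; the URL filter denied the request"
    elif built:
        verdict = "connections built and not filtered; look beyond the PIX"
    else:
        verdict = "no connection built for this host; check translation and interface ACL"
    return {
        "counts": dict(counts),
        "built_connections": built,
        "denied_urls": denied_urls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, "172.17.200.70")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Paste the output of 'show logging' into SAMPLE_LOG (or read it from a file) and pass the DMZ host's real address to summarize(); a 302013 Built line followed by a 304002 for the same host says the static and access-list are doing their job and the filter configuration is where to look next.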

Eddie,

Looks like you have access-list issues for your DMZ. In saying this, can you post your PIX config here or direct to myself at noc1@vodafone.net - please change passwords/IPs etc.

Thanks - Jay.

mike-banks
Level 1

What does the access list on your dmz look like?