03-27-2007 08:31 AM - edited 03-11-2019 02:52 AM
I am having a strange problem. I have a new web server located in the DMZ off my PIX 515e firewall. I set up the access list and static mappings the same as I have for all of my other web servers in the DMZ. From outside, I can telnet to port 80 on the external IP addresses, but when I try to access the web page, it gives me a "Page cannot be displayed" error. I have tried to access the web page from the localhost on the server as well as from a server on the INSIDE network and I am able to connect so I know that the web server is serving pages properly. I have verified the accuracy of my access lists and static mappings and can't see anything that would cause this problem. Here is the config for one of the servers:
static (DMZ1,outside) 204.aaa.bbb.ccc 10.aaa.bbb.ccc netmask 255.255.255.255
access-list outside_acl extended permit tcp any host 204.aaa.bbb.ccc eq www
I have other servers with the same static and access list statements (with different IPs) and they are working fine.
Any thoughts? The software version is 7.1(1)
03-27-2007 08:47 AM
Hello,
Can you post your configuration?
03-27-2007 08:48 AM
Is dns resolving correctly?
03-27-2007 09:25 AM
03-27-2007 10:15 AM
Any logs? How bout a clear xlate...
03-27-2007 10:32 AM
I tried clear xlate and even reloaded the PIX. Neither worked. As for logs, I have found a difference between the problem web page and the working one (both on the same server, different IPs). The working one builds the outside interface and then serves the URL. The one that isn't working builds the outside and DMZ interfaces and then tries to access the URL. It then does something strange in that it gives an error of portmap translation creation failed for tcp src inside:(my pc's private IP). This is strange because my PC is on a different network behind another PIX 515e running NAT so it should only show the source address of the outside interface of that PIX (which it does when it builds the initial connection on the outside).
Here are some lines from the log showing the process:
6|Mar 26 2007 15:41:02|609002: Teardown local-host inside:10.1.1.50 duration 0:00:00
3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80
6|Mar 26 2007 15:41:02|609001: Built local-host inside:10.1.1.50
5|Mar 26 2007 15:41:02|304001: 65.1.1.100 Accessed URL 10.10.10.100:/
6|Mar 26 2007 15:41:01|302013: Built inbound TCP connection 1396326 for outside:65.1.1.100/63997 (65.1.1.100/63997) to DMZ1:10.10.10.100/80 (204.1.1.200/80)
6|Mar 26 2007 15:41:01|609001: Built local-host DMZ1:10.10.10.100
6|Mar 26 2007 15:41:01|609001: Built local-host outside:65.1.1.100
The IPs have been changed. They are as follows:
65.1.1.100 - NATd IP from the PIX that my PC sits behind.
10.1.1.50 - Private IP for my PC
10.10.10.100 - Private IP of server in DMZ
204.1.1.200 - Static NAT translation outside address for server in DMZ
03-27-2007 10:40 AM
do you have something like
static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
03-27-2007 10:48 AM
I do have a static statement set up for inside to DMZ1.
03-27-2007 10:44 AM
OK, can you try disabling the inspect http?
03-27-2007 12:22 PM
I guess I could try that.... if that was the problem though, wouldn't it be across the board for all web servers?
03-27-2007 11:35 PM
static (DMZ1,outside) 204.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.255.255.255
The above is your statement; instead try this (assuming 204.xxx.xxx.xxx is your outside interface address):
static (DMZ1,outside) interface 10.xxx.xxx.xxx netmask 255.255.255.255
This should probably solve the problem.
-Hoogen
03-28-2007 08:19 AM
Hoogen, thanks for the response. Unfortunately, the outside IP address for the static statement is a different address than the interface address.
03-28-2007 10:46 AM
There isn't quite enough information here. However, the issue is with the following message:
3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80
This means that the PIX received a packet sourced from 10.1.1.50 on the inside interface, and destined to 10.10.10.100 on the DMZ1 interface. The packet matched a nat statement (most likely: nat (inside) 10 0.0.0.0 0.0.0.0), however upon matching the nat, it could not find a corresponding global statement on the DMZ1 interface.
Now, from your messages so far you seem to indicate that this packet should not have been received by this PIX on the inside interface. Is that correct? Or did I misunderstand something?
David.
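To make the check David describes repeatable, here is an added example (not code from the thread or from Cisco) that parses PIX syslog lines in the "severity|timestamp|msgid: text" layout quoted above, pulls the source and destination interfaces out of each 305006 message, and then looks in a config fragment for nat ids on the source interface that have no matching global on the destination interface. The log and config below are constructed for the example; the real config in the thread is not shown, so the nat/global lines are an assumption.

```python
import re

# Constructed PIX syslog lines in the "severity|timestamp|msgid: text" layout quoted in the thread.
SAMPLE_LOG = """\
6|Mar 26 2007 15:41:02|609001: Built local-host inside:10.1.1.50
3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80
"""
# Constructed PIX 7.x config fragment (assumption): nat id 10 on inside has a global on outside only.
SAMPLE_CONFIG = """\
nat (inside) 10 0.0.0.0 0.0.0.0
global (outside) 10 interface
static (DMZ1,outside) 204.1.1.200 10.10.10.100 netmask 255.255.255.255
"""

LOG_RE = re.compile(r"^(\d)\|[^|]+\|(\d{6}): (.*)$")
PORTMAP_RE = re.compile(r"src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/(\d+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")

def portmap_failures(log_text):
    """Return one dict per 305006 event with source/destination interface and address."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(2) != "305006":
            continue
        p = PORTMAP_RE.search(m.group(3))
        if p:
            out.append({"src_if": p.group(1), "src_ip": p.group(2),
                        "dst_if": p.group(3), "dst_ip": p.group(4), "dst_port": int(p.group(5))})
    return out

def nat_ids_without_global(config, src_if, dst_if):
    """nat ids configured on src_if that have no global with the same id on dst_if."""
    nat_ids, global_ids = set(), set()
    for line in config.splitlines():
        n = NAT_RE.match(line)
        if n and n.group(1) == src_if:
            nat_ids.add(n.group(2))
        g = GLOBAL_RE.match(line)
        if g and g.group(1) == dst_if:
            global_ids.add(g.group(2))
    return sorted(nat_ids - global_ids)

def explain(log_text, config):
    """Pair each 305006 event with the nat ids that lack a global on its destination interface."""
    return [(f["src_if"], f["dst_if"], nat_ids_without_global(config, f["src_if"], f["dst_if"]))
            for f in portmap_failures(log_text)]
```

An empty id list for a 305006 event means the nat/global pairing is not the explanation and the static or access-list side needs a closer look instead.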