592 Views | 0 Helpful | 12 Replies

Problem allowing port 80 through to DMZ

gecko2207 (Level 1)

I am having a strange problem. I have a new web server located in the DMZ off my PIX 515e firewall. I set up the access list and static mappings the same as I have for all of my other web servers in the DMZ. From outside, I can telnet to port 80 on the external IP addresses, but when I try to access the web page, it gives me a "Page cannot be displayed" error. I have tried to access the web page from the localhost on the server as well as from a server on the INSIDE network and I am able to connect so I know that the web server is serving pages properly. I have verified the accuracy of my access lists and static mappings and can't see anything that would cause this problem. Here is the config for one of the servers:

static (DMZ1,outside) 204.aaa.bbb.ccc 10.aaa.bbb.ccc netmask 255.255.255.255

access-list outside_acl extended permit tcp any host 204.aaa.bbb.ccc eq www

I have other servers with the same static and access list statements (with different IPs) and they are working fine.

Any thoughts? The software version is 7.1(1)

12 Replies

allcastr (Level 1)

Hello,

Can you post your configuration?

acomiskey (Level 10)

Is dns resolving correctly?

gecko2207 (Level 1)

I have attached a scrubbed version of my config.

As for DNS, I am trying to access by IP address so that shouldn't be a factor, but it is resolving correctly when I try to ping the URL.

Any logs? How about a clear xlate...

I tried clear xlate and even reloaded the PIX. Neither worked. As for logs, I have found a difference between the problem web page and the working one (both on the same server, different IPs). The working one builds the outside interface and then serves the URL. The one that isn't working builds the outside and DMZ interfaces and then tries to access the URL. It then does something strange in that it gives an error of portmap translation creation failed for tcp src inside:(my pc's private IP). This is strange because my PC is on a different network behind another PIX 515e running NAT so it should only show the source address of the outside interface of that PIX (which it does when it builds the initial connection on the outside).

Here are some lines from the log showing the process:

6|Mar 26 2007 15:41:02|609002: Teardown local-host inside:10.1.1.50 duration 0:00:00

3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80

6|Mar 26 2007 15:41:02|609001: Built local-host inside:10.1.1.50

5|Mar 26 2007 15:41:02|304001: 65.1.1.100 Accessed URL 10.10.10.100:/

6|Mar 26 2007 15:41:01|302013: Built inbound TCP connection 1396326 for outside:65.1.1.100/63997 (65.1.1.100/63997) to DMZ1:10.10.10.100/80 (204.1.1.200/80)

6|Mar 26 2007 15:41:01|609001: Built local-host DMZ1:10.10.10.100

6|Mar 26 2007 15:41:01|609001: Built local-host outside:65.1.1.100

The IPs have been changed. They are as follows:

65.1.1.100 - NATd IP from the PIX that my PC sits behind.

10.1.1.50 - Private IP for my PC

10.10.10.100 - Private IP of server in DMZ

204.1.1.200 - Static NAT translation outside address for server in DMZ

do you have something like

static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

I do have a static statement set up for inside to DMZ1.

ok..can you try

disabling the Inspect http

I guess I could try that.... if that was the problem though, wouldn't it be across the board for all web servers?

static (DMZ1,outside) 204.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.255.255.255

The above is your statement; instead try this (assuming 204.xxx.xxx.xxx is your outside interface address):

static (DMZ1,outside) interface 10.xxx.xxx.xxx netmask 255.255.255.255

This should probably solve the problem.

-Hoogen

Hoogen, thanks for the response. Unfortunately, the outside IP address for the static statement is a different address than the interface address.

There isn't quite enough information here. However, the issue is with the following message:

3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80

This means that the PIX received a packet sourced from 10.1.1.50 on the inside interface, and destined to 10.10.10.100 on the DMZ1 interface. The packet matched a nat statement (most likely: nat (inside) 10 0.0.0.0 0.0.0.0), however upon matching the nat, it could not find a corresponding global statement on the DMZ1 interface.

Now, from your messages so far you seem to indicate that this packet should not have been received by this PIX on the inside interface. Is that correct? Or did I misunderstand something?

David.
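As an added illustration (not code from any poster in this thread), the following Python script parses syslog lines in the layout quoted above and pulls out %PIX-3-305006 portmap translation failures together with the 302013 connection-build messages for the same destination, so a NAT-without-global mismatch of the kind David describes can be spotted across a whole log rather than by eye. The sample lines are the scrubbed ones posted above; the regexes assume the `severity|timestamp|msgid: text` layout shown there, and the dataclass and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the scrubbed PIX syslog lines quoted earlier in this thread.
SAMPLE_LOG = """
6|Mar 26 2007 15:41:02|609002: Teardown local-host inside:10.1.1.50 duration 0:00:00
3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80
6|Mar 26 2007 15:41:02|609001: Built local-host inside:10.1.1.50
5|Mar 26 2007 15:41:02|304001: 65.1.1.100 Accessed URL 10.10.10.100:/
6|Mar 26 2007 15:41:01|302013: Built inbound TCP connection 1396326 for outside:65.1.1.100/63997 (65.1.1.100/63997) to DMZ1:10.10.10.100/80 (204.1.1.200/80)
6|Mar 26 2007 15:41:01|609001: Built local-host DMZ1:10.10.10.100
6|Mar 26 2007 15:41:01|609001: Built local-host outside:65.1.1.100
""".strip().splitlines()

# "severity|timestamp|msgid: text" as shown in the thread (not the %PIX-<sev>-<id> header form).
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")

# 305006: portmap translation creation failed for <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
PORTMAP_RE = re.compile(
    r"portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# 302013: Built <dir> TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
CONN_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([^)]*\) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \((?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)\)"
)


@dataclass
class PortmapFailure:
    timestamp: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int


@dataclass
class BuiltConnection:
    timestamp: str
    direction: str
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    dst_port: int
    mapped_ip: str


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into severity, timestamp, message id and text; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def extract_portmap_failures(lines: List[str]) -> List[PortmapFailure]:
    """Return every 305006 event: the PIX matched a nat statement on src_if but found no global on dst_if."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msgid"] != "305006":
            continue
        m = PORTMAP_RE.search(rec["text"])
        if m:
            out.append(PortmapFailure(rec["ts"], m["proto"], m["src_if"], m["src_ip"], int(m["src_port"]),
                                      m["dst_if"], m["dst_ip"], int(m["dst_port"])))
    return out


def extract_built_connections(lines: List[str]) -> List[BuiltConnection]:
    """Return every 302013 event so a failure can be lined up with the flow the firewall first accepted."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msgid"] != "302013":
            continue
        m = CONN_RE.search(rec["text"])
        if m:
            out.append(BuiltConnection(rec["ts"], m["direction"], m["src_if"], m["src_ip"],
                                       m["dst_if"], m["dst_ip"], int(m["dst_port"]), m["mapped_ip"]))
    return out


def interface_pairs_without_global(failures: List[PortmapFailure]) -> Dict[Tuple[str, str], int]:
    """Count failures per (src_if, dst_if); each key is an interface pair to check for a nat/global or static."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in failures:
        counts[(f.src_if, f.dst_if)] = counts.get((f.src_if, f.dst_if), 0) + 1
    return counts


def connections_to_same_server(failure: PortmapFailure, conns: List[BuiltConnection]) -> List[BuiltConnection]:
    """Connections the PIX already built to the failing destination, e.g. the inbound one from outside."""
    return [c for c in conns if c.dst_ip == failure.dst_ip and c.dst_port == failure.dst_port]


if __name__ == "__main__":
    failures = extract_portmap_failures(SAMPLE_LOG)
    conns = extract_built_connections(SAMPLE_LOG)
    for f in failures:
        print(f"{f.timestamp}: {f.proto} {f.src_if}:{f.src_ip} -> {f.dst_if}:{f.dst_ip}/{f.dst_port}")
        for c in connections_to_same_server(f, conns):
            print(f"  earlier {c.direction} connection from {c.src_if}:{c.src_ip} mapped to {c.mapped_ip}")
    print(interface_pairs_without_global(failures))
```

Run against the thread's own lines it reports one failure on the (inside, DMZ1) pair and lines it up with the inbound connection the PIX had already built from outside for the same server, which is exactly the oddity gecko2207 noticed: a flow that was accepted on outside reappearing with an inside source.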
