dmz issues


Hi


We have PIX version 7.0. The Netscaler is in the DMZ, and the virtual server IP is 192.168.8.98 (DMZ network 192.168.8.0). The inside web server is 192.168.0.250, set up with the virtual server. If I set up a static (dmz,outside) 12.x.x.x 192.168.8.98 netmask 255.255.255.255 0 0 and an access-list to permit www access, then when I use http://12.x.x.x to access the server I get the following message after the connection is built:


No route to 67.122.x.x from 192.168.0.250


The following are the messages from syslog:


2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)


2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-110001: No route to 67.122.x.x from 192.168.0.250



2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302014: Teardown TCP connection -1599251913 for vip-extranet:67.122.x.x/62115 to inside:192.168.0.250/8080 duration 0:00:30 bytes 0 SYN Timeout



I am not sure it is a routing issue, and a ping from 67.122.x.x to 12.x.x.x is fine. Please help.


Thanks


ben

Jon Marshall Fri, 08/03/2007 - 11:12
Hi Ben


Could you send a copy of your PIX config if possible? If not, could you send the NAT statements, interface addresses and routing table?


Jon

anandramapathy Fri, 08/03/2007 - 11:32

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)


Are you trying to access your site using


http://12.x.x.x:8080 or

http://12.x.x.x


If it is

http://12.x.x.x:8080


Is your Netscaler doing port redirection from HTTP (80) to 8080?


If not, then you have to do it either on the AS or the Netscaler.

Hi Jon


The following are the related lines from the static lines and show route:


nat (inside) 1 192.168.0.0 255.255.255.0

nat (dmz) 1 192.168.8.0 255.255.255.0

global (outside) 1 interface


static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0


C 192.168.8.0 255.255.255.0 is directly connected, vip-extranet


How do I get the routing table?


There is no static set up for the virtual server IP, but I am not sure how to set it up for the virtual server IP.


Thanks


ben

Jon Marshall Fri, 08/03/2007 - 12:22

Ben


routing table = "sh route"


Jon
