dmz issues

bma · ‎08-03-2007

Hi

We have PIX version 7.0. Netscaler in the dmz, and virtual server ip is the 192.168.8.98 (dmz network 192.168.8.0). inside web server is 192.168.0.250 setup with virtual server. If I setup a static (dmz,outside) 12.x.x.x 192.168.8.98 netmask 255.255.255.255 0 0 and access-list permit www access, when http://12.x.x.x to access server get following message after build connection:

No route to 67.122.x.x from 192.168.0.250

Following is message from syslog:

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-110001: No route to 67.122.x.x from 192.168.0.250

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302014: Teardown TCP connection -1599251913 for vip-extranet:67.122.x.x/62115 to inside:192.168.0.250/8080 duration 0:00:30 bytes 0 SYN Timeout

I don't sure it is routing issue and I ping from 67.122.x.x to 12.x.x.x is fine. please help.

Thanks

ben

Jon Marshall · ‎08-03-2007

Hi Ben

Could you send a copy of your pix config if possible. If not could you send the NAT statements, intreface addresses and routing table.

Jon

anandramapathy · ‎08-03-2007

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)

are you trying to acces your site using

http://12.x.x.x:8080 or

http://12.x.x.x

If it is

http://12.x.x.x:8080

is your netscaler doing Port re-direction from http ( 80 ) to 8080 ?

If no then then you have do it either on AS or Netscaler

bma · ‎08-03-2007

Yes, I try both, all get same messages.

netscaler virture server can do re-direction from 80 to 8080.

Thanks

ben

bma · ‎08-03-2007

Hi Jon

Following is related lines in the static lines

and show route:

nat (inside) 1 192.168.0.0 255.255.255.0

nat (dmz) 1 192.168.8.0 255.255.255.0

global (outside) 1 interface

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

C 192.168.8.0 255.255.255.0 is directly connected, vip-extranet

How to get routing table?

no static setup for the virtual server ip setup, but don't sure how to setup it for virtual server ip?

Thanks

ben

Jon Marshall · ‎08-03-2007

Ben

routing table = "sh route"

Jon

bma · ‎08-03-2007

S 0.0.0.0 0.0.0.0 [1/0] via 12.x.x.1, outside

C 12.x.x.0 255.255.255.128 is directly connected, outside

S 192.168.0.0 255.255.255.0 [1/0] via 192.168.252.3, inside

C 192.168.8.0 255.255.255.0 is directly connected, dmz

C 192.168.252.0 255.255.255.0 is directly connected, inside

Ben

bma · ‎08-03-2007

Jon

Do you have any idea about Netscaler virtual server ip and phiscal server ip can be on different subnet? My issue is virtual ip and phiscal server ip in different subnet.

Thanks

en