HTTP doesn't pass through PIX/ASA version 8

Oct 23rd, 2007

Hi all.

I have a customer with PIX version 8. They are part of a monitoring setup. This application works with HTTP traffic (web services) over a non-standard port. The PIX is configured with the usual ACL, static and the default inspection rules.

This setup did work with version 7.x. Now it is updated and it doesn't pass traffic. The hit count on my ACL also doesn't increase.

This problem occurs on a PIX v8 and with another customer on an ASA v8.


Is there any way to test and pass through traffic on non-standard ports?


TIA,

Albert

JORGE RODRIGUEZ Tue, 10/23/2007 - 11:12

Are you referring to inbound traffic for a particular web server on the inside? If this is correct, it is assumed you have specified the non-standard ports on your ACL and the other end specifies the non-standard port in their app query connecting to the server.


The way to test from outside is a simple telnet test.


e.g.

telnet x.x.x.x PORT#


Are any other similar inbound HTTP services with proper static NAT translations working? If the answer is no, make sure you have "no sysopt noproxyarp outside".


acomiskey Tue, 10/23/2007 - 11:37

I can attest to the "sysopt noproxyarp outside". The ASA decided to add the command when upgrading from 7 to 8. Remove it as Jorge said and you should be OK.

leeflang Tue, 10/23/2007 - 22:17

Thank you both for your reply.

I tried the "no sysopt noproxyarp outside" but it did not resolve the issue.

In the setup at the customer site there are also some DMZ services, which are fully functional. I am also able to telnet to the non-standard port from outside, but the monitor app doesn't connect. There are no hits on the ACL, and no connections in the "show conn".

Can it have something to do with the policy-maps?

JORGE RODRIGUEZ Tue, 10/23/2007 - 23:31

If you can hit the non-standard port from outside fine, I would suspect the monitor application; perhaps the monitor app requires a TCP port range to be opened. When the monitor app client from outside queries the monitor server, can you see if it hits the firewall outside interface at all? Did you do the telnet test from the monitor app? Policy-map application inspection is a possibility.

leeflang Tue, 10/23/2007 - 23:50

The monitor app configuration should be fine, because it worked when the customer worked with version 7. After the upgrade the functionality is gone :-(

The app at the central location polls every x minutes, but the hit count on the ACL doesn't increase. So I assume it has something to do with a process that runs before the ACL, but what can it be?
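As an added reference that is not part of the thread, the following pre-8.3 PIX/ASA 8.0 configuration pulls together the pieces discussed above (static, ACL, proxy ARP, inspection on a non-standard port) and is followed by the show commands that locate the phase in which an inbound packet is dropped. All addresses, object names and the port 8080 are constructed placeholders, not values from the customer's setup.

```cisco
! Added illustration, not from the thread. Constructed placeholders:
! 203.0.113.10 = public address of the monitored web service,
! 10.1.1.10 = its inside address, TCP 8080 = the non-standard port,
! 198.51.100.5 = the central monitoring poller.
!
! --- Translation and access control (pre-8.3 NAT syntax) ---
! Inbound packets are un-NATted before the interface ACL is evaluated.
! With no usable static (or no proxy ARP for the mapped address) the
! packet never reaches the ACL, which is what a hitcnt that stays at 0
! looks like.
static (inside,outside) tcp 203.0.113.10 8080 10.1.1.10 8080 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 8080
access-group outside_in in interface outside
!
! Proxy ARP for statics on the outside interface. An 8.x upgrade may
! have inserted "sysopt noproxyarp outside"; this removes it.
no sysopt noproxyarp outside
!
! --- Application inspection on the non-standard port ---
! The default-inspection-traffic class matches HTTP on port 80 only.
! Inspecting HTTP on 8080 needs its own class. Inspection acts on the
! payload after the connection is built, so when "show conn" shows no
! entry at all, the drop happens earlier than inspection.
class-map http_8080
 match port tcp eq 8080
policy-map global_policy
 class http_8080
  inspect http
service-policy global_policy global
!
! --- Diagnostics, ordered to narrow down where the drop occurs ---
! packet-tracer pushes a synthetic inbound SYN through every phase
! (route lookup, UN-NAT, ACCESS-LIST, INSPECT, ...) and reports the
! phase that dropped it: the "process that runs before the ACL".
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 8080 detailed
! Per-ACE hit counters for the inbound ACL.
show access-list outside_in
! Aggregate drop reasons (e.g. acl-drop) since the counters were cleared.
show asp drop
! Confirm the poller's packets actually arrive on the outside interface.
capture mon interface outside match tcp host 198.51.100.5 host 203.0.113.10 eq 8080
show capture mon
! Connections built for the inside server, if any.
show conn address 10.1.1.10
```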

