HTTP doesn't pass through PIX/ASA version 8

leeflang
Level 1

Hi all.

I have a customer with PIX version 8. They are part of a monitoring setup. This application works with HTTP traffic (web services) over a non-standard port. The PIX is configured with the usual ACL, static and the default inspection rules.

This setup did work with version 7.x. Now it is updated and it doesn't pass traffic. The hitcount on my ACL also doesn't increase.

This problem occurs on a PIX v.8 and with another customer on an ASA v.8.

Is there any way to test and pass-through traffic on non-standard ports?

TIA,

Albert

5 Replies

JORGE RODRIGUEZ
Level 10

Are you referring to inbound traffic for a particular web server on the inside? If this is correct, it is assumed you have specified the non-standard ports on your ACL and the other end specifies the non-standard port in their app query connecting to the server.

The way to test from outside is a simple telnet test.

e.g.

telnet x.x.x.x PORT#

Are any other similar inbound HTTP services with proper static NAT translations working? If the answer is no, make sure you have "no sysopt noproxyarp outside".

Jorge Rodriguez

I can attest to the "sysopt noproxyarp outside". The ASA decided to add the command when upgrading from 7 to 8. Remove it as Jorge said and you should be ok.

Thank you both for your reply.

I tried the "no sysopt noproxyarp outside" but it did not resolve the issue.

In the setup at the customer site there are also some DMZ services, which are fully functional. I am also able to telnet to the non-standard port from outside, but the monitor app doesn't connect. There are no hits on the ACL, and no connections in the "show conn".

Can it have something to do with the policy-maps ?

If you can hit the non-standard port from outside fine, I would suspect it is the monitor application; perhaps the monitor app requires a TCP port range to be opened. When the monitor app client from outside queries the monitor server, can you see if it hits the firewall outside interface at all? Did you do the telnet test from the monitor app? Policy-map application inspection is a possibility.

Jorge Rodriguez

The monitor app configuration should be fine, because it worked when the customer worked with version 7. After the upgrade the functionality is gone :-(

The app at the central location polls every x minutes, but the hitcount on the ACL doesn't increase. So I assume it has something to do with a process that runs before the ACL, but what can it be?
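As an added example (not from the thread or from Cisco), a pre-8.3 style PIX/ASA 8.x configuration for this kind of setup, plus the built-in checks that show whether a poll reaches the box and which phase drops it; all addresses, object names and port 8080 are constructed placeholders.

```cisco
! Added example, not from the thread. Constructed addresses:
!   inside server 10.1.1.10, mapped to 203.0.113.10 on outside
!   monitoring client 198.51.100.5, non-standard HTTP port 8080
!
! --- Static NAT for the monitored server
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! --- Inbound ACL: only the monitoring host, only the non-standard port
access-list outside_in extended permit tcp host 198.51.100.5 host 203.0.113.10 eq 8080
access-group outside_in in interface outside
!
! --- Proxy ARP on outside is needed when the mapped address sits on the
!     outside subnet; with "sysopt noproxyarp outside" set (added by some
!     7->8 upgrades) upstream ARP goes unanswered, so no packets reach the
!     ACL and its hitcount stays at zero.
no sysopt noproxyarp outside
!
! --- Inspect HTTP on the non-standard port under the default global policy
class-map monitor_http
 match port tcp eq 8080
policy-map global_policy
 class monitor_http
  inspect http
!
! --- Checks (privileged exec mode)
! 1. Simulate the client's SYN; the output lists every phase
!    (ROUTE-LOOKUP, ACCESS-LIST, NAT, INSPECT, ...) and the first one that
!    drops the packet, with its drop reason.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 8080
!
! 2. Confirm the poll actually arrives on the outside interface
capture mon interface outside match tcp host 198.51.100.5 host 203.0.113.10 eq 8080
show capture mon
!
! 3. ACL hitcounts, connection table and accelerated-path drop counters
show access-list outside_in
show conn address 10.1.1.10
show asp drop
```

If the capture stays empty while the poll runs, the drop is upstream of the firewall (ARP, routing); if it fills but packet-tracer or show asp drop reports a drop, the phase named there is the one to look at.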
