10-23-2007 10:48 AM - edited 03-11-2019 04:29 AM
Hi all.
I have a customer with PIX version 8. They are part of a monitoring setup. This application works with HTTP traffic (web services) over a non-standard port. The PIX is configured with the usual ACL, static and the default inspection rules.
This setup did work with version 7.x. Now it is updated and it doesn't pass traffic. The hit count on my ACL also doesn't increase.
This problem occurs on a PIX v8 and with another customer on an ASA v8.
Is there any way to test and pass-through traffic on non-standard ports?
TIA,
Albert
10-23-2007 11:12 AM
Are you referring to inbound traffic for a particular web server on the inside? If this is correct, it is assumed you have specified the non-standard ports on your ACL and the other end specifies the non-standard port in their app query connecting to the server.
The way to test from outside is a simple telnet test.
e.g
telnet x.x.x.x PORT#
Are any other similar inbound HTTP services with proper static NAT translations working? If the answer is no, make sure you have "no sysopt noproxyarp outside".
10-23-2007 11:37 AM
I can attest to the "sysopt noproxyarp outside". The ASA decided to add the command when upgrading from 7 to 8. Remove it as Jorge said and you should be OK.
10-23-2007 10:17 PM
Thank you both for your reply.
I tried the "no sysopt noproxyarp outside" but it did not resolve the issue.
In the setup at the customer site there are also some DMZ services, which are fully functional. I am also able to telnet to the non-standard port from outside, but the monitor app doesn't connect. There are no hits on the ACL, and no connections in the "show conn".
Can it have something to do with the policy-maps?
10-23-2007 11:31 PM
If you can hit the non-standard port from outside fine, I would suspect it is the monitor application; perhaps the monitor app requires a TCP port range to be opened. When the monitor app client from outside queries the monitor server, can you see if it hits the firewall outside interface at all? Did you do the telnet test from the monitor app? Policy-map application inspection is a possibility.
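One way to run the three checks raised in the replies above (proxy ARP on the outside interface, an ACL permit for the port, and which policy-map inspection the port falls under) against a saved running-config; this is an added example, not code from this thread or from Cisco, and the config fragment and port 8085 are constructed:

```python
import re

# Constructed ASA/PIX 8.x running-config fragment for illustration (not from the thread).
SAMPLE_CONFIG = """\
sysopt noproxyarp outside
access-list outside_in extended permit tcp any host 203.0.113.10 eq 8085
access-group outside_in in interface outside
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
class-map mon-http
 match port tcp eq 8085
policy-map global_policy
 class inspection_default
  inspect http
 class mon-http
  inspect http
service-policy global_policy global
"""

def audit_port(config, port):
    """Check a running-config dump for the three things the thread points at."""
    findings = []
    # 1. 'sysopt noproxyarp <iface>' can appear after a 7.x -> 8.x upgrade;
    #    with it set, the firewall stops answering ARP for static NAT addresses there.
    for iface in re.findall(r"^sysopt noproxyarp (\S+)", config, re.M):
        findings.append(f"proxy ARP disabled on {iface}; "
                        f"check 'no sysopt noproxyarp {iface}'")
    # 2. an ACL line must actually permit the non-standard port
    if not re.search(rf"^access-list \S+ .*permit tcp .* eq {port}$", config, re.M):
        findings.append(f"no ACL permits tcp/{port}")
    # 3. class-maps that match the port, and the inspections applied to them
    port_classes, cmap, cls = set(), None, None
    for line in config.splitlines():
        if line.startswith("class-map "):
            cmap = line.split()[1]
        elif not line.startswith(" "):      # any other top-level line ends a block
            cmap, cls = None, None
        elif cmap and line == f" match port tcp eq {port}":
            port_classes.add(cmap)
        elif line.startswith(" class "):
            cls = line.split()[1]
        elif cls in port_classes and line.strip().startswith("inspect "):
            findings.append(f"tcp/{port} gets '{line.strip()}' via class {cls}; "
                            "review that policy-map if the port still does not connect")
    return findings
```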
10-23-2007 11:50 PM
The monitor app configuration should be fine, because it worked when the customer worked with version 7. After the upgrade the functionality is gone :-(
The app at the central location polls every x minutes, but the hit count on the ACL doesn't increase. So I assume it has something to do with a process that runs before the ACL, but what can it be?