cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1272
Views
0
Helpful
2
Replies

Issue with communication between servers on DMZ and inside

imroz_khan
Level 1
Level 1

We have ASA 5550, I have a citirx server in the dmz which is natted statically to a public ip address for port 443. The dmz server communicate with our internal server (i.e. AD) for LDAP authentication. I have a static transparent nat from inside to dmz for the internal server's communcation with dmz.

When accessing the application from inside the network on the internal web server it works perfectly fine and authenticates with the AD.

But when accessing from outside, the reach the citrix server and then the AD authentication fails, basically it works intermitantly. I have tried to check the communcation from the DMZ server to the internal server and the icmp works perfectly fine, even I am able to telnet on the ports specified on the internal servers from the DMZ servers. I tried to look into the logs on the ASA and this is something that looks suspicious to me.

Feb 16 Teardown TCP connection 47646475 for dmz1:CITRIX-DMZ1/47179 to inside:inside-server/80 duration 0:00:00 bytes 1230 TCP FINs

Feb 16Built inbound TCP connection 47646476 for dmz1:CITRIX-DMZ1/47180 (CITRIX-DMZ1/47180) to inside:inside-server/80 (inside-server/80)

Feb 16Teardown TCP connection 47646476 for dmz1:CITRIX-DMZ1/47180 to inside:inside-server/80 duration 0:00:00 bytes 3824 TCP FINs

Feb 16Built inbound TCP connection 47646477 for dmz1:CITRIX-DMZ1/47181 (CITRIX-DMZ1/47181) to inside:inside-server/80 (inside-server/80)

Feb 16 Teardown TCP connection 47646477 for dmz1:CITRIX-DMZ1/47181 to inside:inside-server/80 duration 0:00:00 bytes 1224 TCP FINs

Feb 16 Built inbound TCP connection 47646478 for dmz1:CITRIX-DMZ1/47182 (CITRIX-DMZ1/47182) to inside:inside-server/80 (inside-server/80)

Feb 16 Teardown TCP connection 47646478 for dmz1:CITRIX-DMZ1/47182 to inside:inside-server/80 duration 0:00:00 bytes 1230 TCP FINs

Feb 16  Built inbound TCP connection 47646479 for dmz1:CITRIX-DMZ1/47183 (CITRIX-DMZ1/47183) to inside:inside-server/80 (inside-server/80)

Feb 16 Teardown TCP connection 47646479 for dmz1:CITRIX-DMZ1/47183 to inside:inside-server/80 duration 0:00:00 bytes 1229 TCP FINs

Feb 16 Built inbound TCP connection 47646480 for dmz1:CITRIX-DMZ1/47184 (CITRIX-DMZ1/47184) to inside:inside-server/80 (inside-server/80)

Feb 16 Teardown TCP connection 47646480 for dmz1:CITRIX-DMZ1/47184 to inside:inside-server/80 duration 0:00:00 bytes 1228 TCP FINs

Deny TCP (no connection) from inside-server/49244 to CITRIX-DMZ1/443 flags RST  on interface inside

Could any one please let me know what might be the issue, its looks like the tcp connection is timing out not sure.

2 Replies 2

imroz_khan
Level 1
Level 1

One more thing, I see another log on the ASA

Deny TCP (no connection) from inside-server1/80 to inside-server2/49573 flags SYN ACK  on interface dmz

These two servers are on the inside network, one is the web server for internal users and other is the apps server. I donot understand why is this communication reaching the ASA, these servers are on the same subnet behind the inside interface of the ASA so they should directly communicate.

fb_webuser
Level 6
Level 6

A couple of long shots.

Is it possible that your firewall is only allowing traffic in if there is traffic out. So when you access from outside if someone else inside is accessing it works, but if you are on your own it gets blocked.

How are you managing routes? Check the routing tables on the Citrix VPS do they change at all ?

---

Posted by WebUser Stuart Gall

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: