A problem wherein an HTTPS website hosted inside one of the DMZ segments is not working from the web.
I did some captures but they don't get me anywhere.
Internet--Router--Level1Firewall--Level2Firewall(module on 6509)--Router(leaseline link)--Router(LL link)--Core Switch--Firewall3
The server is on the DMZ leg of Firewall 3. Rules are put in place to ensure traffic is allowed on the Level 1/Level 2 firewall & Firewall 3.
NAT is being used on the Level 1 firewall. I can see the traffic request on the Level 2 firewall towards the server, but none on Firewall 3. Ping connectivity from the Level 1 firewall to this server and back is good.
NAT bypass rules & a static translation have been put on Firewall 3.
The request will get into Firewall 3 via an interface called "local" and then it should go to the DMZ zone to fetch the page.
I tried getting a capture on the Level 3 firewall by having an ACL placed on the local interface as well as the DMZ interface. I can see the request towards the server but only with SYN set.
Nothing else is seen on Firewall 3 or on the Level 2 firewall. On which interface, and how, should the capture be applied for best results?
Thank you for the response. The attached diagram shows the topology. The server is on Site B and access will always use Site A as transit.
Following are the highlights of each component:
NAT is done here for the server IP.
The source is set to be source-NATted to the firewall's local IP, so that requests reaching further inside the network are seen as the local IP of the firewall. (This is to overcome any issues, as Site B also has its own internet link, which is not to be used for this purpose.)
All rules are correspondingly set.
Rules to allow the access.
The server is connected on the DMZ area of this firewall via a layer 2 switch.
Rules are in place to permit the request to the server on its "Input" interface connected to the 6500 switch (coming from Site A).
No connections are seen in the Firewall 3 logs when any attempt is made to connect to the server; only the capture shows a SYN towards the server on the "Input" interface.
Connections leaving the Level 2 firewall can be seen for the request to the server on both the ingress & egress interfaces, & the capture output shows the SYN flag set on Firewall 2 for the request to the server.
Please suggest, also let know if the information is unclear.
I can ping across from LL Router 2 to the destination.
Apologies, I left this out of the diagram. Site B has its own internet link, which is not to be used. There are nat0 rules to prevent some local subnets going out of that, & I did add my subnets in question to test, but it still doesn't work.
Another thing I found on Firewall 3 is:
"Denied ICMP type=0, from laddr Test_Server on interface DMZ to 10.59.59.102: no matching session"
This was when I tried to ping the server from the layer 3 switch at Site B. 10.59.59.102 is the IP of the interface on the layer 3 switch connected to the inside of Firewall 3.
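As an added example (not from the thread), a small Python script that takes the one-line output of a capture taken on both firewall interfaces, groups the packets per TCP flow, and tells apart the three cases the thread is trying to distinguish: a SYN dropped inside the firewall, a SYN forwarded towards the server with no SYN/ACK ever coming back through the same firewall, and a completed handshake. The capture line format, interface names and addresses are assumptions; the sample captures are constructed, with flow :51234 reproducing the "SYN only" symptom.

```python
import re
from collections import defaultdict

# Assumed shape of a "show capture <name>" line on an ASA (hypothetical; adapt the regex to your platform).
LINE_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+"
                     r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+([SFRP.]+)")

def parse_capture(text):
    """Yield (src, sport, dst, dport, tcp_flags) for each parsable capture line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m[1], int(m[2]), m[3], int(m[4]), m[5]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so the SYN and the SYN/ACK land in one bucket."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def classify(captures, ingress, egress):
    """captures: {interface: capture_text}. Returns {flow: verdict} per TCP flow."""
    seen = defaultdict(lambda: defaultdict(set))
    for iface, text in captures.items():
        for src, sport, dst, dport, flags in parse_capture(text):
            seen[flow_key(src, sport, dst, dport)][iface].add(flags)
    verdicts = {}
    for flow, per_iface in seen.items():
        syn_out = "S" in per_iface[egress]       # SYN left towards the server
        synack_back = "S." in per_iface[egress]  # server's SYN/ACK came back through us
        if "S" in per_iface[ingress] and not syn_out:
            verdicts[flow] = "SYN dropped inside firewall (check policy, NAT, route)"
        elif syn_out and not synack_back:
            verdicts[flow] = "SYN forwarded, no SYN/ACK on %s (server or return path)" % egress
        else:
            verdicts[flow] = "handshake completed through this firewall"
    return verdicts

# Constructed sample captures: flow :51234 matches the symptom in the thread, :51240 is healthy.
SAMPLE = {
    "Input": "1: 10:00:01.000 10.59.10.5.51234 > 10.59.59.10.443: S 1:1(0) win 8192\n"
             "2: 10:00:05.000 10.59.10.5.51240 > 10.59.59.10.443: S 7:7(0) win 8192\n"
             "3: 10:00:05.003 10.59.59.10.443 > 10.59.10.5.51240: S. 9:9(0) ack 8 win 65535\n",
    "DMZ":   "1: 10:00:01.001 10.59.10.5.51234 > 10.59.59.10.443: S 1:1(0) win 8192\n"
             "2: 10:00:05.001 10.59.10.5.51240 > 10.59.59.10.443: S 7:7(0) win 8192\n"
             "3: 10:00:05.002 10.59.59.10.443 > 10.59.10.5.51240: S. 9:9(0) ack 8 win 65535\n",
}

def run_sample():
    return classify(SAMPLE, ingress="Input", egress="DMZ")
```

A flow reported as "SYN forwarded, no SYN/ACK" on the DMZ side points away from the firewall's own policy and towards the server or its return route, which is consistent with the "no matching session" denial logged when replies arrive through a path the firewall never saw the request on.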