bma
Community Member

dmz issues

Hi

We have PIX version 7.0. The Netscaler is in the dmz, and the virtual server ip is 192.168.8.98 (dmz network 192.168.8.0). The inside web server is 192.168.0.250, set up with the virtual server. If I set up a static (dmz,outside) 12.x.x.x 192.168.8.98 netmask 255.255.255.255 0 0 and an access-list to permit www access, then when I go to http://12.x.x.x to access the server I get the following message after the connection is built:

No route to 67.122.x.x from 192.168.0.250

Following is the message from syslog:

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-110001: No route to 67.122.x.x from 192.168.0.250

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302014: Teardown TCP connection -1599251913 for vip-extranet:67.122.x.x/62115 to inside:192.168.0.250/8080 duration 0:00:30 bytes 0 SYN Timeout

I am not sure it is a routing issue, and a ping from 67.122.x.x to 12.x.x.x is fine. Please help.

Thanks

ben
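
A small triage script for the three syslog messages quoted in the post above, added here as an example and not part of the original thread: it parses %PIX-6-302013, %PIX-6-110001 and %PIX-6-302014 and lists hosts that show both a zero-byte "SYN Timeout" teardown and a "No route ... from" event. The function names and regular expressions are assumptions based only on the line formats shown in the post.

```python
import re
from collections import defaultdict

# The three syslog lines quoted in the post (addresses masked as posted).
SAMPLE = """\
2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)
2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-110001: No route to 67.122.x.x from 192.168.0.250
2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302014: Teardown TCP connection -1599251913 for vip-extranet:67.122.x.x/62115 to inside:192.168.0.250/8080 duration 0:00:30 bytes 0 SYN Timeout
"""

# Patterns are illustrative and tolerate the masked "x" octets used in the post.
MSG = re.compile(r"%PIX-\d-(?P<id>\d{6}): (?P<text>.*)$")
BUILT = re.compile(
    r"Built \w+ TCP connection -?\d+ for [\w-]+:[\w.]+/\d+ \(\S+\) "
    r"to [\w-]+:(?P<dst>[\w.]+)/\d+")
TEARDOWN = re.compile(
    r"Teardown TCP connection -?\d+ for [\w-]+:[\w.]+/\d+ "
    r"to [\w-]+:(?P<dst>[\w.]+)/\d+ duration \S+ "
    r"bytes (?P<bytes>\d+)\s*(?P<reason>.*)")
NOROUTE = re.compile(r"No route to (?P<dst>[\w.]+) from (?P<src>[\w.]+)")

def triage(log_text):
    """Count, per host, built connections, zero-byte SYN timeouts and no-route events."""
    stats = defaultdict(lambda: {"built": 0, "syn_timeout_0b": 0, "no_route": 0})
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        mid, text = m["id"], m["text"]
        if mid == "302013" and (b := BUILT.match(text)):
            stats[b["dst"]]["built"] += 1          # keyed on the connection's destination host
        elif mid == "302014" and (t := TEARDOWN.match(text)):
            if t["bytes"] == "0" and t["reason"].strip() == "SYN Timeout":
                stats[t["dst"]]["syn_timeout_0b"] += 1
        elif mid == "110001" and (n := NOROUTE.match(text)):
            stats[n["src"]]["no_route"] += 1       # keyed on the "from" address in the message
    return dict(stats)

def suspects(stats):
    """Hosts with both a handshake that never completed and a logged no-route event."""
    return sorted(h for h, s in stats.items() if s["syn_timeout_0b"] and s["no_route"])

if __name__ == "__main__":
    print(suspects(triage(SAMPLE)))
```
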

7 REPLIES
Hall of Fame Super Blue

Re: dmz issues

Hi Ben

Could you send a copy of your pix config if possible? If not, could you send the NAT statements, interface addresses and routing table.

Jon

Re: dmz issues

2007-08-03 16:02:01 UTC Local0.Info 192.168.x.1 Aug 03 2007 08:50:53 : %PIX-6-302013: Built inbound TCP connection -1599250756 for vip-extranet:67.122.x.x/62523 (67.122.x.x/62523) to inside:192.168.0.250/8080 (192.168.0.250/8080)

Are you trying to access your site using

http://12.x.x.x:8080 or

http://12.x.x.x

If it is

http://12.x.x.x:8080

is your netscaler doing port redirection from http (80) to 8080?

If not, then you have to do it either on AS or Netscaler

bma
Community Member

Re: dmz issues

Yes, I tried both; both get the same messages.

The netscaler virtual server can do redirection from 80 to 8080.

Thanks

ben

bma
Community Member

Re: dmz issues

Hi Jon

Following are the related lines from the static lines and show route:

nat (inside) 1 192.168.0.0 255.255.255.0

nat (dmz) 1 192.168.8.0 255.255.255.0

global (outside) 1 interface

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

C 192.168.8.0 255.255.255.0 is directly connected, vip-extranet

How do I get the routing table?

There is no static set up for the virtual server ip, but I am not sure how to set it up for the virtual server ip?

Thanks

ben

Hall of Fame Super Blue

Re: dmz issues

Ben

routing table = "sh route"

Jon

bma
Community Member

Re: dmz issues

S 0.0.0.0 0.0.0.0 [1/0] via 12.x.x.1, outside

C 12.x.x.0 255.255.255.128 is directly connected, outside

S 192.168.0.0 255.255.255.0 [1/0] via 192.168.252.3, inside

C 192.168.8.0 255.255.255.0 is directly connected, dmz

C 192.168.252.0 255.255.255.0 is directly connected, inside

Ben

bma
Community Member

Re: dmz issues

Jon

Do you have any idea whether the Netscaler virtual server ip and physical server ip can be on different subnets? My issue is that the virtual ip and physical server ip are in different subnets.

Thanks

ben
