cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
741
Views
0
Helpful
4
Replies

PIX 7.X & 6.3 --- TCP 443 vs TCP 444

swapnendum
Level 1
Level 1

Hi All,

We have a webserver hosted on DMZ.

A Static PAT on port 443 results in intermittent connection (Internet explorer displays Page cant be display immediately and sometimes works fine) while a STATIC Port redirection from 444 port makes the webserver work fine.

The Static PAT below looks something like this.

Works fine => static (DMZ,outside) tcp 213.X.X.X 444 10.153.122.55 https netmask 255.255.255.255 0

Doesn?t work properly. Intermittent drops => static (DMZ,outside) tcp 213.X.X.X https 10.153.122.55 https netmask 255.255.255.255 0

My question is what is it that PIX does for TCP 443 and not for TCP 444? Is there a way to stop the SYN protection on PIX ?

The packet capture on PIX/Client/Server shows that the client is sending a RST when PIX is listening on 443. Client completes the TCP handshake properly if PIX is listening on 444. I have tried changing MTU, changing TCP timeouts, adding ?norandomseq? to the static . Anything I?m missing ?

All FIXUP/Inspections have been truned off. The configuration for 443 and 444 are exactly same.

If I change my firewall frm PIX to Microsoft ISA, it works absolutely fine. So I know PIX is the culprit here.

I have a TAC open for this but nothing much happening from there.

4 Replies 4

JBDanford2002
Level 1
Level 1

Is there any other device using 213.X.X.X as an IP address? Can you post a scrubbed config?

there i nothing much in the config...a STATIC PAT and ACL on OUTSIDE...here is the current config....i have tried removing all fixups, disabling floodguard..setting MTU, setting MSS..norandomseq.....the configs have been reverted back to default as of now...

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pixfirewall

no fixup protocol dns

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

no fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list ACL_OUTSIDE permit tcp any host 213.X.X.X eq https log

access-list ACL_OUTSIDE permit tcp any host 213.X.X.X eq 3389 log

access-list ACL_OUTSIDE deny ip any any log

pager lines 24

logging on

logging monitor debugging

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address outside X.X.X.X 255.255.255.0

ip address inside 10.153.122.56 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

pdm history enable

arp timeout 14400

static (inside,outside) tcp 213.X.X.X 3389 10.153.122.55 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.X.X.X www 10.153.122.55 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 213.X.X.X https 10.153.122.55 https netmask 255.255.255.255 0 0 norandomseq

access-group ACL_OUTSIDE in interface outside

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxx

: end

Are you port forwarding the IP address that is assigned to your outside interface?

Yes.

During my current test YES since i didnt have any free public IP. I have made sure that the internal http server of PIX is disabled so tht there is no conflict.

I have tried it without using the Outside IP as well , also Static NAT has been tried instead of static PAT. All these resulting in intermittent connectivity to the webserver.

any comments ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: