Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

PIX, SSL, and Missing ACKs

I am attempting to forward SSL connections requests across a NAT into a Windows 2003 platform that is hosting a
SSL web server.

My SSL webserver is receiving the forwarded SYNs from the client, and responding, but that response ACK is getting lost.

I have a record of the ACK on the server but I get no record of it on the PIX. No ACLs appear to be triggered by the
ACK either.

The Management-subnet. as shown in the config below, is actually not being used for management but the interface 192.168.11.15 is.

The end result is that I get a SYN timeout message in the PIX logs when they are set to debugging level.

I have opened up a bunch of ACLs for debugging purposes but with no positive result.

Any thoughts?



name 192.168.1.80 BPM-server

name 192.168.1.64 BPM-server-subnet description Small subnet to hold BPM and AG servers
name 192.168.1.0 Management-subnet description Small subnet to manage devices
!
interface Ethernet0
 description Management interface for Vlab PIX
 nameif Vlab-1-mgmt
 security-level 100
 ip address 192.168.11.15 255.255.255.0 
 management-only
!
interface Ethernet1
 description This is used for management access and for the BPM and other demo servers
 nameif inside
 security-level 10
 ip address 192.168.1.2 255.255.255.0 
!
interface Ethernet2
 description This will provide external service to the Bell Privacy Manager demo and Sharepoint servers
 nameif BPM-Vlab-external-1
 security-level 20
 ip address xxx.yyy.zzz.67 255.255.255.248 
! ftp mode passive clock timezone EST -5 clock summer-time EDT recurring same-security-traffic permit intra-interface object-group network DM_INLINE_NETWORK_1 network-object BPM-server-subnet 255.255.255.248 network-object xxx.yyy.zzz.64 255.255.255.248
access-list 100 extended permit tcp Management-subnet 255.255.255.0 any access-list 100 extended permit ip any Management-subnet 255.255.255.0 access-list 100 extended permit ip xxx.yyy.zzz.64 255.255.255.248 Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in extended permit icmp any xxx.yyy.zzz.64 255.255.255.248 access-list BPM-Vlab-external-1_access_in extended permit ip any object-group DM_INLINE_NETWORK_1 access-list inside_access_in extended permit udp host 192.168.1.1 host 192.168.1.2 access-list 110 extended permit tcp any host xxx.yyy.zzz.67 eq https
access-list inside_access_in_1 extended permit udp host 192.168.1.1 host 192.168.1.2 access-list BPM-Vlab-external-1_access_in_1 extended permit ip any Management-subnet 255.255.255.0 access-list BPM-Vlab-external-1_access_in_1 extended permit ip Management-subnet 255.255.255.0 any access-list BPM-Vlab-external-1_access_in_1 extended permit ip any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any any
global (BPM-Vlab-external-1) 1 xxx.yyy.zzz.69
nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,BPM-Vlab-external-1) tcp interface https BPM-server https netmask 255.255.255.255 access-group 100 in interface inside access-group BPM-Vlab-external-1_access_in_1 in interface BPM-Vlab-external-1 ! router rip version 2 ! route BPM-Vlab-external-1 0.0.0.0 0.0.0.0 xxx.yyy.zzz.68 1

1 REPLY
Hall of Fame Super Blue

Re: PIX, SSL, and Missing ACKs

Couple of things -

1) your outside interface has a higher security level than your inside interface, is this what you want as it is not standard ?

2) You say you can see the server sending the ACK but do not see it on the pix. Is the servers default-gateway the pix ?

Jon

320
Views
0
Helpful
1
Replies
CreatePlease to create content