New Member

Problem allowing port 80 through to DMZ

I am having a strange problem. I have a new web server located in the DMZ off my PIX 515e firewall. I set up the access list and static mappings the same as I have for all of my other web servers in the DMZ. From outside, I can telnet to port 80 on the external IP addresses, but when I try to access the web page, it gives me a "Page cannot be displayed" error. I have tried to access the web page from the localhost on the server as well as from a server on the INSIDE network and I am able to connect so I know that the web server is serving pages properly. I have verified the accuracy of my access lists and static mappings and can't see anything that would cause this problem. Here is the config for one of the servers:

static (DMZ1,outside) 204.aaa.bbb.ccc 10.aaa.bbb.ccc netmask 255.255.255.255

access-list outside_acl extended permit tcp any host 204.aaa.bbb.ccc eq www

I have other servers with the same static and access list statements (with different IPs) and they are working fine.

Any thoughts? The software version is 7.1(1).

12 REPLIES
New Member

Re: Problem allowing port 80 through to DMZ

Hello,

Can you post your configuration?

Green

Re: Problem allowing port 80 through to DMZ

Is dns resolving correctly?

New Member

Re: Problem allowing port 80 through to DMZ

I have attached a scrubbed version of my config.

As for DNS, I am trying to access by IP address so that shouldn't be a factor, but it is resolving correctly when I try to ping the URL.

Green

Re: Problem allowing port 80 through to DMZ

Any logs? How about a clear xlate?

New Member

Re: Problem allowing port 80 through to DMZ

I tried clear xlate and even reloaded the PIX. Neither worked. As for logs, I have found a difference between the problem web page and the working one (both on the same server, different IPs). The working one builds the outside interface and then serves the URL. The one that isn't working builds the outside and DMZ interfaces and then tries to access the URL. It then does something strange in that it gives an error of portmap translation creation failed for tcp src inside:(my PC's private IP). This is strange because my PC is on a different network behind another PIX 515e running NAT, so it should only show the source address of the outside interface of that PIX (which it does when it builds the initial connection on the outside).

Here are some lines from the log showing the process:

6|Mar 26 2007 15:41:02|609002: Teardown local-host inside:10.1.1.50 duration 0:00:00

3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80

6|Mar 26 2007 15:41:02|609001: Built local-host inside:10.1.1.50

5|Mar 26 2007 15:41:02|304001: 65.1.1.100 Accessed URL 10.10.10.100:/

6|Mar 26 2007 15:41:01|302013: Built inbound TCP connection 1396326 for outside:65.1.1.100/63997 (65.1.1.100/63997) to DMZ1:10.10.10.100/80 (204.1.1.200/80)

6|Mar 26 2007 15:41:01|609001: Built local-host DMZ1:10.10.10.100

6|Mar 26 2007 15:41:01|609001: Built local-host outside:65.1.1.100

The IPs have been changed. They are as follows:

65.1.1.100 - NATd IP from the PIX that my PC sits behind.

10.1.1.50 - Private IP for my PC

10.10.10.100 - Private IP of server in DMZ

204.1.1.200 - Static NAT translation outside address for server in DMZ
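The log excerpt above is the kind of thing worth scripting when the same question comes up on more than one box. What follows is an added example, not code from the original post and not a Cisco tool: it parses the seven lines exactly as posted (with the poster's substituted addresses), orders them oldest first, and for each 305006 failure finds the most recent built connection to the same destination and compares the interface each one arrived on. The regexes only know the message IDs that appear in the post, and the correlation rule is an assumption about what a troubleshooter would want to see.

```python
"""Parse the PIX syslog lines quoted above and pair the failed translation
with the connection that preceded it. Added example, not part of the
original post and not a Cisco tool: the regexes cover only the message IDs
present in the seven posted lines, and the correlation rule is an assumption."""
import re
from datetime import datetime

# Constructed input: the poster's seven lines, newest first, as the viewer showed them.
LOG = """\
6|Mar 26 2007 15:41:02|609002: Teardown local-host inside:10.1.1.50 duration 0:00:00
3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80
6|Mar 26 2007 15:41:02|609001: Built local-host inside:10.1.1.50
5|Mar 26 2007 15:41:02|304001: 65.1.1.100 Accessed URL 10.10.10.100:/
6|Mar 26 2007 15:41:01|302013: Built inbound TCP connection 1396326 for outside:65.1.1.100/63997 (65.1.1.100/63997) to DMZ1:10.10.10.100/80 (204.1.1.200/80)
6|Mar 26 2007 15:41:01|609001: Built local-host DMZ1:10.10.10.100
6|Mar 26 2007 15:41:01|609001: Built local-host outside:65.1.1.100
"""

# severity|timestamp|msgid: text   (the shape of the poster's syslog viewer output)
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")


def _endpoint(prefix):
    """interface:ip/port with prefixed group names so src and dst share one regex."""
    return rf"(?P<{prefix}_if>\w+):(?P<{prefix}_ip>[\d.]+)/(?P<{prefix}_port>\d+)"


# 302013: Built inbound TCP connection N for if:a/p (mapped/p) to if:b/q (mapped/q)
CONN_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    + _endpoint("src") + r" \((?P<src_map_ip>[\d.]+)/(?P<src_map_port>\d+)\) to "
    + _endpoint("dst") + r" \((?P<dst_map_ip>[\d.]+)/(?P<dst_map_port>\d+)\)")
# 305006: portmap translation creation failed for tcp src if:a/p dst if:b/q
XLATE_FAIL_RE = re.compile(
    r"(?P<kind>\w+) translation creation failed for (?P<proto>\w+) src "
    + _endpoint("src") + " dst " + _endpoint("dst"))
# 304001: client Accessed URL server:/path
URL_RE = re.compile(r"(?P<src_ip>[\d.]+) Accessed URL (?P<dst_ip>[\d.]+):(?P<path>\S*)")


def parse_pix_log(text):
    """Return one dict per PIX line, oldest first, with endpoint fields where known."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a PIX line; a real tool would count these rather than drop them
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
        for pat in (CONN_RE, XLATE_FAIL_RE, URL_RE):
            d = pat.match(ev["text"])
            if d:
                ev.update(d.groupdict())
                break
        events.append(ev)
    # The viewer lists newest first: reverse, then a stable sort keeps ties in arrival order.
    events.reverse()
    events.sort(key=lambda e: e["when"])
    return events


def correlate(events):
    """For each 305006, find the most recent 302013 to the same destination and
    compare ingress interfaces. This is the poster's observation made mechanical:
    the connection was built from outside, the failing packet arrived on inside."""
    findings = []
    for i, ev in enumerate(events):
        if ev["msgid"] != "305006":
            continue
        conn = next((p for p in reversed(events[:i])
                     if p["msgid"] == "302013"
                     and p["dst_ip"] == ev["dst_ip"] and p["dst_port"] == ev["dst_port"]), None)
        findings.append({
            "failed_src_if": ev["src_if"],
            "failed_src": f'{ev["src_if"]}:{ev["src_ip"]}/{ev["src_port"]}',
            "dst": f'{ev["dst_if"]}:{ev["dst_ip"]}/{ev["dst_port"]}',
            "conn_src_if": conn["src_if"] if conn else None,
            "conn_id": conn["conn_id"] if conn else None,
            "same_ingress": bool(conn) and conn["src_if"] == ev["src_if"],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_pix_log(LOG)):
        print(finding)
```

Run against the posted lines it reports one finding: the failing packet entered on inside as 10.1.1.50/1465 while connection 1396326 to the same DMZ1 host came in on outside, which is the mismatch the poster describes.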

Green

Re: Problem allowing port 80 through to DMZ

Do you have something like:

static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

New Member

Re: Problem allowing port 80 through to DMZ

I do have a static statement set up for inside to DMZ1.

Cisco Employee

Re: Problem allowing port 80 through to DMZ

OK, can you try disabling the inspect http?

New Member

Re: Problem allowing port 80 through to DMZ

I guess I could try that... If that was the problem, though, wouldn't it be across the board for all web servers?

Silver

Re: Problem allowing port 80 through to DMZ

static (DMZ1,outside) 204.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.255.255.255

The above is your statement; instead try this (assuming 204.xxx.xxx.xxx is your outside interface address):

static (DMZ1,outside) interface 10.xxx.xxx.xxx netmask 255.255.255.255

This should probably solve the problem.

-Hoogen

New Member

Re: Problem allowing port 80 through to DMZ

Hoogen, thanks for the response. Unfortunately, the outside IP address for the static statement is a different address than the interface address.

Cisco Employee

Re: Problem allowing port 80 through to DMZ

There isn't quite enough information here. However, the issue is with the following message:

3|Mar 26 2007 15:41:02|305006: portmap translation creation failed for tcp src inside:10.1.1.50/1465 dst DMZ1:10.10.10.100/80

This means that the PIX received a packet sourced from 10.1.1.50 on the inside interface, and destined to 10.10.10.100 on the DMZ1 interface. The packet matched a nat statement (most likely: nat (inside) 10 0.0.0.0 0.0.0.0), however upon matching the nat, it could not find a corresponding global statement on the DMZ1 interface.

Now, from your messages so far you seem to indicate that this packet should not have been received by this PIX on the inside interface. Is that correct? Or did I misunderstand something?

David.
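To make the nat/global pairing David describes concrete, here is an added example that models the lookup. It is not Cisco code and not the poster's configuration beyond the static quoted in the thread: the nat (inside) 10 line is David's guess, the inside-to-DMZ1 identity static is the one suggested earlier in the thread, a global on DMZ1 is the thing David says is missing, and nat-control on is an assumption. The model keeps only static, nat and global rules, with static taking precedence over dynamic NAT; the real PIX has more rule types (NAT exemption, policy NAT, address pools) and this is a simplification of David's explanation, not a specification of 7.1(1) behaviour.

```python
"""Simplified model of PIX translation lookup (added example, not Cisco code).
Rules are reduced to static / nat / global as David describes. Addresses are
the poster's substituted ones; the nat/global lines and nat-control setting
are assumptions, as named in the lead-in."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Static:            # static (real_if,mapped_if) mapped real netmask mask
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    mask: str = "255.255.255.255"


@dataclass(frozen=True)
class Nat:               # nat (real_if) id net mask
    real_if: str
    nat_id: int
    net: str
    mask: str


@dataclass(frozen=True)
class Global:            # global (mapped_if) id {interface | addr}; treated as one PAT address
    mapped_if: str
    nat_id: int
    pat_addr: str


@dataclass
class Pix:
    statics: list
    nats: list
    globals_: list
    nat_control: bool = True   # assumption: a box upgraded from 6.x keeps nat-control on


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _shift(ip, from_net, to_net):
    """Map a host to the same offset inside another block (an identity static maps to itself)."""
    off = int(ipaddress.ip_address(ip)) - int(from_net.network_address)
    return str(to_net.network_address + off)


def translate_source(pix, src_if, src_ip, dst_if):
    """How a packet entering src_if bound for dst_if gets its source translated.
    Simplified precedence: a static for that interface pair first, then a nat on
    src_if paired with a global on dst_if carrying the same id."""
    for s in pix.statics:
        real = _net(s.real, s.mask)
        if s.real_if == src_if and s.mapped_if == dst_if and ipaddress.ip_address(src_ip) in real:
            return "static", _shift(src_ip, real, _net(s.mapped, s.mask))
    for n in pix.nats:
        if n.real_if == src_if and ipaddress.ip_address(src_ip) in _net(n.net, n.mask):
            for g in pix.globals_:
                if g.mapped_if == dst_if and g.nat_id == n.nat_id:
                    return "portmap", g.pat_addr
            # nat matched but nothing to translate to on the egress interface:
            # the situation David reads out of the 305006 line
            return "portmap translation creation failed", None
    if pix.nat_control:
        return "dropped: no translation rule", None
    return "untranslated", src_ip


def untranslate_dest(pix, in_if, dst_ip):
    """Reverse side of a static: traffic arriving on the mapped interface for the
    mapped address goes to the real host, as the 302013 line shows for
    outside 204.1.1.200/80 -> DMZ1:10.10.10.100/80."""
    for s in pix.statics:
        mapped = _net(s.mapped, s.mask)
        if s.mapped_if == in_if and ipaddress.ip_address(dst_ip) in mapped:
            return s.real_if, _shift(dst_ip, mapped, _net(s.real, s.mask))
    return None


# The poster's static plus David's assumed nat/global pair for outbound traffic.
BASE = Pix(
    statics=[Static("DMZ1", "outside", "204.1.1.200", "10.10.10.100")],
    nats=[Nat("inside", 10, "0.0.0.0", "0.0.0.0")],
    globals_=[Global("outside", 10, "interface")],
)
# Two ways out that the replies point at: a global on DMZ1, or the identity static.
WITH_GLOBAL = replace(BASE, globals_=BASE.globals_ + [Global("DMZ1", 10, "interface")])
WITH_STATIC = replace(BASE, statics=BASE.statics + [Static("inside", "DMZ1", "10.1.1.0", "10.1.1.0", "255.255.255.0")])

if __name__ == "__main__":
    for name, box in (("base", BASE), ("global on DMZ1", WITH_GLOBAL), ("identity static", WITH_STATIC)):
        print(name, translate_source(box, "inside", "10.1.1.50", "DMZ1"))
    print(untranslate_dest(BASE, "outside", "204.1.1.200"))
```

With only the outbound global, the model reproduces the failure for inside:10.1.1.50 bound for DMZ1 while the same host toward outside is translated normally; adding either a DMZ1 global with id 10 or the identity static makes the inside-to-DMZ1 lookup succeed. Which of the two is right for a given box depends on whether the DMZ hosts should see inside addresses unchanged, which is a policy question the thread does not settle.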
