I do have some trouble to get my dmz settings working. I have a reverse proxy, located in the dmz, which is supposed to redirect all http traffice to a certain domain to web server that is in the inside network. The PIX does NAT all connections originating for inside and dmz (perimeter):
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (perimeter) 1 0.0.0.0 0.0.0.0 0 0
First of all I created a static to outside for my reverse proxy:
Now what happens is (or at least I assume it): A host connections to the IP x.x.x.x for a http request. The PIX passes the request to the reverse proxy using the acl 100. The reverse proxy picks up the request and processes it respectively forwards it to the internal web server. The answer is sent back to the reverse proxy and then it tries to transmit the response back to the requester. Actually this should work based on the inferface definition of the security level: inside 100, perimeter 50, outside 0. But the responses does not get through to the outside anymore. I guess it must be somewhere between the reverse proxy and the PIX since the network connections (a) is hold between reverse proxy and requester and a new connection (b) is hold by reverse proxy and inside web server.
Does anyone have a clue on how to solve this problem?
Your config look good. You can capture packets in DMZ to examine incoming & outgoing packets, you should be able to identify where is the problem. If not, you need to go deeper by using debug/syslog feature on PIX to see if it has something wrong.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...