Hello FireWallers!
On a PIX 520, I have three interface cards.
OUTSIDE -- Connected to our ISP 65.203.54.1/24
INSIDE -- A private network 20.0.0.1/24
PRN (DMZ) -- Another firm's (FIRM X) private network 56.238.64.128/26
I have a conduit established from the OUTSIDE to a server INSIDE at 20.0.0.179 to support www and 443 port access. Works great!
I can further access the 20.0.0.174 server from the PRN (DMZ) mini-network from a client PC I established at a static address of 58.238.64.145. I used another conduit statement (see below) to provide this access for port 80 and 443. Works great!
Now my problem: I have a remote tester on FIRM X's private network working from a terminal address 56.8.3.160. He tries to access the 20.0.0.174 server via port 443, but he gets no response. I *do* see his request in the PIX firewall log like this:
<190>%PIX-6-302001: Built inbound TCP connection 358446 for faddr 56.80.3.160/1050 gaddr 56.238.64.141/443 laddr 20.0.0.174/443
<190>%PIX-6-302002: Teardown TCP connection 358552 faddr 56.80.3.160/1058 gaddr 56.238.64.141/443 laddr 20.0.0.174/443 duration 1:00:40 bytes 0 (Conn-timeout)
So basically, he makes it in but gets no response (timeout).
Further, looking at my server log, I don't see his request hitting my default web page. (I'm not totally sure of this, but this is my current understanding.)
I've posted my configuration (abbreviated) below. Can anyone see why my tester is having access problems while I can access the server through the firewall from my 58.238.64.145 test machine? I'm concerned that my global statement for the PRN does not specify a range (I won't have any internal communications initiated from the 20.0.0.1 network to the 56.x.x.x world), that I'm not fully specifying the limited subnet of the PRN (DMZ) network, and that I have a single "route outside" statement (although the PIX instructions indicate that you should have only one route outside statement if you have more than 2 interface cards).
I'm over my head! Can anyone help me?
TIA
Harry
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 prn security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol http 443
no fixup protocol rsh 514
no fixup protocol h323 1720
names
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
mtu outside 1500
mtu inside 1500
mtu prn 1500
ip address outside 65.203.54.180 255.255.255.0
ip address inside 20.0.0.1 255.0.0.0
ip address prn 56.238.64.135 255.255.255.0
global (outside) 1 65.203.54.160-65.203.54.178
global (prn) 1 56.238.64.160
nat (inside) 0 access-list 101
nat (inside) 1 20.0.0.0 255.0.0.0 0 0
static (inside,outside) 65.203.54.174 20.0.0.174 netmask 255.255.255.255 0 0
static (inside,prn) 56.238.64.141 20.0.0.174 netmask 255.255.255.255 0 0
conduit permit tcp host 65.203.54.174 eq 443 any
conduit permit tcp host 65.203.54.174 eq www any
conduit permit tcp host 56.238.64.141 eq www any
conduit permit tcp host 56.238.64.141 eq 443 any
route outside 0.0.0.0 0.0.0.0 65.203.54.1 1
conduit permit icmp any any echo-reply
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
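The following is an added example, not part of Harry's post or any reply to it. It takes the translation and routing lines from the configuration above and models, in Python, how a PIX of this era decides two things for an inbound connection: whether a static plus conduit pair permits and translates it, and, separately, which interface its route table would use to send the server's replies back to the client. The model is a plain longest-prefix lookup over the connected interface networks plus the configured static routes; that lookup is standard, but how a given PIX release treats a reply leaving a different interface than the one the connection was built on is not something the post settles, so the script only reports the mismatch. The client address 56.238.64.145 is a constructed host on the PRN-connected 56.238.64.0/24 network; the tester's address 56.80.3.160 is taken from the log lines in the post.

```python
"""Model PIX static/conduit matching and route lookup over a posted config.

Added example: not code from the original post. It shows why a conduit
can permit a connection (so the PIX logs "Built inbound TCP connection")
while the reply path still depends on the route table, not on the conduit.
"""
import ipaddress
import re

# Translation and routing lines copied from the configuration in the post.
POSTED_CONFIG = """
ip address outside 65.203.54.180 255.255.255.0
ip address inside 20.0.0.1 255.0.0.0
ip address prn 56.238.64.135 255.255.255.0
static (inside,outside) 65.203.54.174 20.0.0.174 netmask 255.255.255.255 0 0
static (inside,prn) 56.238.64.141 20.0.0.174 netmask 255.255.255.255 0 0
conduit permit tcp host 65.203.54.174 eq 443 any
conduit permit tcp host 65.203.54.174 eq www any
conduit permit tcp host 56.238.64.141 eq www any
conduit permit tcp host 56.238.64.141 eq 443 any
route outside 0.0.0.0 0.0.0.0 65.203.54.1 1
"""

# PIX accepts service names in place of port numbers in conduit lines.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def parse_config(text):
    """Collect routes (connected + static), statics and TCP conduits."""
    cfg = {"routes": [], "statics": [], "conduits": []}
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "address"]:
            # The interface's own subnet is a connected route.
            _, _, ifname, addr, mask = parts
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            cfg["routes"].append((net, ifname, "connected"))
        elif parts[0] == "route":
            _, ifname, dst, mask, gw, *_ = parts
            net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
            cfg["routes"].append((net, ifname, gw))
        elif parts[0] == "static":
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            inner, outer, gaddr, laddr = m.groups()
            cfg["statics"].append(
                {"inner": inner, "outer": outer, "gaddr": gaddr, "laddr": laddr})
        elif parts[:3] == ["conduit", "permit", "tcp"]:
            m = re.match(r"conduit permit tcp host (\S+) eq (\S+) (\S+)", line)
            gaddr, port, source = m.groups()
            cfg["conduits"].append(
                {"gaddr": gaddr, "port": PORT_NAMES.get(port) or int(port),
                 "source": source})
    return cfg


def route_lookup(cfg, ip):
    """Longest-prefix match; returns the egress interface name or None."""
    ip = ipaddress.ip_address(ip)
    candidates = [r for r in cfg["routes"] if ip in r[0]]
    if not candidates:
        return None
    net, ifname, _gw = max(candidates, key=lambda r: r[0].prefixlen)
    return ifname


def check_inbound(cfg, faddr, gaddr, port):
    """Describe how the PIX handles client faddr connecting to gaddr:port."""
    static = next((s for s in cfg["statics"] if s["gaddr"] == gaddr), None)
    permitted = any(c["gaddr"] == gaddr and c["port"] == port
                    for c in cfg["conduits"])
    reply_if = route_lookup(cfg, faddr)
    return {
        "conduit_permits": permitted,
        "translated_to": static["laddr"] if static else None,
        "static_interface": static["outer"] if static else None,
        "reply_interface": reply_if,
        # Replies should leave on the interface the static is bound to.
        "symmetric": static is not None and reply_if == static["outer"],
    }


if __name__ == "__main__":
    cfg = parse_config(POSTED_CONFIG)
    # 56.80.3.160 is the tester's faddr from the log; 56.238.64.145 is a
    # constructed client on the PRN-connected subnet.
    for client in ("56.80.3.160", "56.238.64.145"):
        print(client, check_inbound(cfg, client, "56.238.64.141", 443))
```

Running it shows both clients pass the same conduit and hit the same static to 20.0.0.174, but only the client on 56.238.64.0/24 has a route back through the prn interface; for 56.80.3.160 the only matching route is the default via outside, which is the single "route outside" statement Harry was already uneasy about. Two further points a practitioner would check: the prn interface is configured with a /24 mask while the post describes the DMZ as a /26, and every conduit here permits source "any", so the exposure of 56.238.64.141 on the PRN side is not limited to the two clients mentioned in the post.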