Harry,

Are you sure it's a problem at the pix and not an issue of the httpd.conf
file on the SSL'ised webserver?  The reason I ask is you show yer pix
identifies the connection attempt and yet do not see it really hitting the
httpd-ssl'ed logs/system.

thanks,

Ron DuFresne

On Thu, 25 Oct 2001, Harry Whitehouse wrote:

> Hello FireWallers!
> 
> On a PIX 520, I have three interface cards.
> 
>          OUTSIDE   -- Connected to our ISP 65.203.54.1/24
>          INSIDE    -- A private network 20.0.0.1/24
>          PRN (DMZ) -- Another firm's (FIRM X) private network 56.238.64.128/26
> 
> I have a conduit established from the OUTSIDE to a server INSIDE
> at 20.0.0.179 to support www and 443 port access.  Works great!
> 
> I can further access the 20.0.0.174 server from the PRN(DMZ) mini-network
> from a client PC I established at a static address of 58.238.64.145.  I used
> another conduit statement (see below) to provide this access for port 80 and 443.
> Works great!
> 
> Now my problem:  I have a remote tester on the FIRM X's private network
> working from a terminal address 56.8.3.160.  He tries to access the 20.0.0.174
> server via port 443, but he gets no response.  I *do* see his request in the
> PIX firewall log like this:
> 
>   <190>%PIX-6-302001: Built inbound TCP connection 358446 for faddr 56.80.3.160/1050 gaddr 56.238.64.141/443 laddr 20.0.0.174/443
> 
>   <190>%PIX-6-302002: Teardown TCP connection 358552 faddr 56.80.3.160/1058 gaddr 56.238.64.141/443 laddr 20.0.0.174/443 duration 1:00:40 bytes 0 (Conn-timeout)
> 
> So basically, he makes it in but gets no response (timeout).
> 
> Further, looking at my server log, I don't see his request hitting my
> default web page. (I'm not totally sure of this, but this is my current
> understanding.)
> 
> I've posted my configuration (abbreviated) below.  Can anyone
> see why my tester is having access problems while I can access the server
> through the firewall from my 58.238.64.145 test machine?  I'm concerned that
> my global statement for the PRN does not specify a range (I won't have any
> internal communications initiated from the 20.0.0.1 network to the 56.x.x.x
> world), that I'm not fully specifying the limited subnet of the PRN (DMZ)
> network, and that I have a single "route outside" statement (although the
> PIX instructions indicate that you should have only one route outside
> statement if you have more than 2 interface cards).
> 
> I'm over my head!  Can anyone help me?
> 
> TIA
> 
> Harry
> 
> 
> 
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 prn security50
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol http 443
> no fixup protocol rsh 514
> no fixup protocol h323 1720
> names
> interface ethernet0 10baset
> interface ethernet1 10baset
> interface ethernet2 10baset
> mtu outside 1500
> mtu inside 1500
> mtu prn 1500
> ip address outside 65.203.54.180 255.255.255.0
> ip address inside 20.0.0.1 255.0.0.0
> ip address prn 56.238.64.135 255.255.255.0
> global (outside) 1 65.203.54.160-65.203.54.178
> global (prn) 1 56.238.64.160
> nat (inside) 0 access-list 101
> nat (inside) 1 20.0.0.0 255.0.0.0 0 0
> static (inside,outside) 65.203.54.174 20.0.0.174 netmask 255.255.255.255 0 0
> static (inside,prn) 56.238.64.141 20.0.0.174 netmask 255.255.255.255 0 0
> conduit permit tcp host 65.203.54.174 eq 443 any
> conduit permit tcp host 65.203.54.174 eq www any
> conduit permit tcp host 56.238.64.141 eq www any
> conduit permit tcp host 56.238.64.141 eq 443 any
> route outside 0.0.0.0 0.0.0.0 65.203.54.1 1
> conduit permit icmp any any echo-reply
> 
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
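As an added example (not part of this thread, and not Cisco's or either poster's code), here is a small Python script that pairs the PIX 302001 "Built" and 302002 "Teardown" syslog messages Harry quoted and flags connections that were torn down by Conn-timeout after carrying 0 bytes. That is exactly the pattern under discussion: the PIX accepted the flow through the conduit and static translation, yet no payload ever passed, which is why nothing shows up in the web server's logs. The sample lines are constructed from the two messages on the page; the second connection (from the working 58.238.64.145 test PC, finishing with "TCP FINs" and a non-zero byte count) is invented for contrast, and the regular expressions assume the message layout shown in the thread.

```python
"""Correlate PIX 302001/302002 syslog lines and flag zero-byte Conn-timeouts.

Added example; the log lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the two PIX messages quoted in the
# thread. Connection 358447 is invented to show what a working session
# looks like next to the silent one.
SAMPLE_LOG = """\
<190>%PIX-6-302001: Built inbound TCP connection 358446 for faddr 56.80.3.160/1050 gaddr 56.238.64.141/443 laddr 20.0.0.174/443
<190>%PIX-6-302001: Built inbound TCP connection 358447 for faddr 58.238.64.145/2001 gaddr 56.238.64.141/443 laddr 20.0.0.174/443
<190>%PIX-6-302002: Teardown TCP connection 358447 faddr 58.238.64.145/2001 gaddr 56.238.64.141/443 laddr 20.0.0.174/443 duration 0:00:03 bytes 5120 (TCP FINs)
<190>%PIX-6-302002: Teardown TCP connection 358446 faddr 56.80.3.160/1050 gaddr 56.238.64.141/443 laddr 20.0.0.174/443 duration 1:00:40 bytes 0 (Conn-timeout)
"""

_BUILT = re.compile(
    r"%PIX-6-302001: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for faddr (?P<faddr>\S+) gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)"
)
_TEARDOWN = re.compile(
    r"%PIX-6-302002: Teardown TCP connection (?P<conn_id>\d+) faddr (?P<faddr>\S+) "
    r"gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+) duration (?P<duration>[\d:]+) "
    r"bytes (?P<bytes>\d+) \((?P<reason>[^)]*)\)"
)


def duration_seconds(text):
    """Convert a PIX 'h:mm:ss' duration string into whole seconds."""
    seconds = 0
    for part in text.split(":"):
        seconds = seconds * 60 + int(part)
    return seconds


def parse_line(line):
    """Return a dict for a 302001 or 302002 line, or None for any other message."""
    m = _BUILT.search(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "built"
        return rec
    m = _TEARDOWN.search(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "teardown"
        rec["bytes"] = int(rec["bytes"])
        rec["seconds"] = duration_seconds(rec["duration"])
        return rec
    return None


def correlate(lines):
    """Pair Built and Teardown messages by PIX connection id.

    Returns {conn_id: {"built": rec or None, "teardown": rec or None}} so a
    connection seen on only one side (still open, or log truncated) is kept.
    """
    conns = defaultdict(lambda: {"built": None, "teardown": None})
    for line in lines:
        rec = parse_line(line)
        if rec:
            conns[rec["conn_id"]][rec["event"]] = rec
    return dict(conns)


def silent_connections(conns):
    """Connections torn down by Conn-timeout after carrying zero bytes.

    The PIX built the translation and the connection slot, but no payload
    passed in either direction before the idle timer expired. That is the
    signature to look for when the firewall logs the request and the
    server behind it logs nothing.
    """
    out = []
    for conn_id, c in sorted(conns.items()):
        t = c["teardown"]
        if t and t["bytes"] == 0 and t["reason"] == "Conn-timeout":
            out.append({"conn_id": conn_id, "faddr": t["faddr"],
                        "laddr": t["laddr"], "seconds": t["seconds"]})
    return out


def summarize_by_laddr(conns):
    """Count total versus silent connections per inside (laddr) endpoint."""
    summary = defaultdict(lambda: {"total": 0, "silent": 0})
    silent_ids = {s["conn_id"] for s in silent_connections(conns)}
    for conn_id, c in conns.items():
        rec = c["teardown"] or c["built"]
        summary[rec["laddr"]]["total"] += 1
        if conn_id in silent_ids:
            summary[rec["laddr"]]["silent"] += 1
    return dict(summary)


if __name__ == "__main__":
    conns = correlate(SAMPLE_LOG.splitlines())
    for s in silent_connections(conns):
        print(f"conn {s['conn_id']}: {s['faddr']} -> {s['laddr']} "
              f"timed out after {s['seconds']}s with 0 bytes")
    print(summarize_by_laddr(conns))
```

Run against a real PIX syslog feed, the per-laddr summary separates "the conduit denied it" (no 302001 at all) from "the conduit passed it but the server never answered" (302001 followed by a zero-byte Conn-timeout), which is the distinction Ron is drawing in his reply.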
