Harry,
Are you sure it's a problem at the pix and not an issue of the httpd.conf file on the SSL'ised webserver? The reason I ask is you show yer pix identifies the connection attempt and yet do not see it really hitting the httpd-ssl'ed logs/system.

thanks,

Ron DuFresne

On Thu, 25 Oct 2001, Harry Whitehouse wrote:

> Hello FireWallers!
>
> On a PIX 520, I have three interface cards.
>
> OUTSIDE -- Connected to our ISP 65.203.54.1/24
> INSIDE -- A private network 20.0.0.1/24
> PRN (DMZ) -- Another firm's (FIRM X) private network 56.238.64.128/26
>
> I have a conduit established from the OUTSIDE to a server INSIDE at 20.0.0.179 to support www and 443 port access. Works great!
>
> I can further access the 20.0.0.174 server from the PRN(DMZ) mini-network from a client PC I established at a static address of 58.238.64.145. I used another conduit statement (see below) to provide this access for port 80 and 443. Works great!
>
> Now my problem: I have a remote tester on the FIRM X's private network working from a terminal address 56.8.3.160. He tries to access the 20.0.0.174 server via port 443, but he gets no response. I *do* see his request in the PIX firewall log like this:
>
> <190>%PIX-6-302001: Built inbound TCP connection 358446 for faddr 56.80.3.160/1050 gaddr 56.238.64.141/443 laddr 20.0.0.174/443
>
> <190>%PIX-6-302002: Teardown TCP connection 358552 faddr 56.80.3.160/1058 gaddr 56.238.64.141/443 laddr 20.0.0.174/443 duration 1:00:40 bytes 0 (Conn-timeout)
>
> So basically, he makes it in but gets no response (timeout).
>
> Further, looking at my server log, I don't see his request hitting my default web page. (I'm not totally sure of this, but this is my current understanding.)
>
> I've posted my configuration (abbreviated) below. Can anyone see why my tester is having access problems while I can access the server through the firewall from my 58.238.64.145 test machine?
>
> I'm concerned that my global statement for the PRN does not specify a range (I won't have any internal communications initiated from the 20.0.0.1 network to the 56.x.x.x world), that I'm not fully specifying the limited subnet of the PRN (DMZ) network, and that I have a single "route outside" statement (although the PIX instructions indicate that you should have only one route outside statement if you have more than 2 interface cards).
>
> I'm over my head! Can anyone help me?
>
> TIA
>
> Harry
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 prn security50
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol http 443
> no fixup protocol rsh 514
> no fixup protocol h323 1720
> names
> interface ethernet0 10baset
> interface ethernet1 10baset
> interface ethernet2 10baset
> mtu outside 1500
> mtu inside 1500
> mtu prn 1500
> ip address outside 65.203.54.180 255.255.255.0
> ip address inside 20.0.0.1 255.0.0.0
> ip address prn 56.238.64.135 255.255.255.0
> global (outside) 1 65.203.54.160-65.203.54.178
> global (prn) 1 56.238.64.160
> nat (inside) 0 access-list 101
> nat (inside) 1 20.0.0.0 255.0.0.0 0 0
> static (inside,outside) 65.203.54.174 20.0.0.174 netmask 255.255.255.255 0 0
> static (inside,prn) 56.238.64.141 20.0.0.174 netmask 255.255.255.255 0 0
> conduit permit tcp host 65.203.54.174 eq 443 any
> conduit permit tcp host 65.203.54.174 eq www any
> conduit permit tcp host 56.238.64.141 eq www any
> conduit permit tcp host 56.238.64.141 eq 443 any
> route outside 0.0.0.0 0.0.0.0 65.203.54.1 1
> conduit permit icmp any any echo-reply

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
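Ron's question (does the request ever reach httpd?) can be answered from the PIX log alone if the 302001 build and 302002 teardown for the same connection id are read together: a teardown with "bytes 0 (Conn-timeout)" means the firewall admitted the SYN through the static translation but the laddr host never sent anything back. The script below is an added example, not code from either poster; it parses those two PIX 6.x message formats and counts, per client and translation, how many sessions were silent versus how many carried data. The sample log reuses the two lines Harry quoted and adds constructed companions (the build for conn 358552, and a normal session from the 58.238.64.145 test PC closed with "TCP FINs") so the contrast between the two clients is visible.

```python
import re

# Regexes for the two PIX 6.x connection-tracking messages quoted in the thread:
# 302001 = connection built, 302002 = connection torn down.
BUILT_RE = re.compile(
    r"%PIX-6-302001: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<id>\d+) for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-6-302002: Teardown TCP connection (?P<id>\d+) "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+) duration (?P<duration>[\d:]+) "
    r"bytes (?P<bytes>\d+)(?: \((?P<reason>[^)]*)\))?"
)


def duration_seconds(text):
    """Convert a PIX duration such as '1:00:40' (h:mm:ss) to seconds."""
    total = 0
    for part in text.split(":"):
        total = total * 60 + int(part)
    return total


def parse_pix_line(line):
    """Return a dict for a 302001/302002 line, or None for any other message."""
    m = BUILT_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "built"
        return rec
    m = TEARDOWN_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "teardown"
        rec["bytes"] = int(rec["bytes"])
        rec["seconds"] = duration_seconds(rec["duration"])
        return rec
    return None


def is_silent(rec):
    """A teardown that moved no bytes and ended on the idle timer: the PIX built
    the translation, but the laddr host never answered the client."""
    return (rec["event"] == "teardown" and rec["bytes"] == 0
            and (rec["reason"] or "").lower() == "conn-timeout")


def summarize(lines):
    """Group teardowns by (faddr, gaddr, laddr/lport) and count silent versus
    data-carrying sessions, so a client that never gets an answer stands out
    next to one that does."""
    summary = {}
    for line in lines:
        rec = parse_pix_line(line)
        if rec is None or rec["event"] != "teardown":
            continue
        key = (rec["faddr"], rec["gaddr"], rec["laddr"] + "/" + rec["lport"])
        counts = summary.setdefault(key, {"silent": 0, "data": 0, "ids": []})
        counts["silent" if is_silent(rec) else "data"] += 1
        counts["ids"].append(rec["id"])
    return summary


# Constructed sample: the two lines Harry quoted, plus made-up companions
# (the 302001 for conn 358552, and a session from the 58.238.64.145 test PC
# that carried data and closed normally).
SAMPLE_LOG = [
    "<190>%PIX-6-302001: Built inbound TCP connection 358446 for faddr 56.80.3.160/1050 gaddr 56.238.64.141/443 laddr 20.0.0.174/443",
    "<190>%PIX-6-302001: Built inbound TCP connection 358552 for faddr 56.80.3.160/1058 gaddr 56.238.64.141/443 laddr 20.0.0.174/443",
    "<190>%PIX-6-302001: Built inbound TCP connection 358600 for faddr 58.238.64.145/2033 gaddr 56.238.64.141/443 laddr 20.0.0.174/443",
    "<190>%PIX-6-302002: Teardown TCP connection 358600 faddr 58.238.64.145/2033 gaddr 56.238.64.141/443 laddr 20.0.0.174/443 duration 0:00:02 bytes 4321 (TCP FINs)",
    "<190>%PIX-6-302002: Teardown TCP connection 358552 faddr 56.80.3.160/1058 gaddr 56.238.64.141/443 laddr 20.0.0.174/443 duration 1:00:40 bytes 0 (Conn-timeout)",
]

if __name__ == "__main__":
    for (faddr, gaddr, target), counts in summarize(SAMPLE_LOG).items():
        print(f"{faddr} -> {gaddr} -> {target}: "
              f"{counts['silent']} silent, {counts['data']} with data")
```

A client whose every session to a translation shows up as silent, while another client through the same static carries bytes, points past the PIX: the translation and conduit are doing their job, and the next place to look is the return path from 20.0.0.174 and the httpd-ssl vhost, as Ron suggests.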
