Solved

LAN subnet to DMZ subnet access with PIX 515E

Posted on 2007-03-26
Last Modified: 2008-01-09
I cannot reach a host in my DMZ from my LAN.  We had a multi-homed Windows Web Server.  I just took over the network and was told by the previous Admin that this could create a loop.  I am not familiar with PIX at all so I am putting my access list, IP, and NAT info here to be analyzed by the experts here.  Please advise???!
I searched and found what seemed like the solution from another member here but I am just not certain as there was no response from the member to the expert saying that his solution worked.
It appears to me that there is no entry to NAT from the subnet of my DMZ 192.168.2.0 to my LAN subnet 192.168.1.0.


MatrixFW1# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Access_in; 24 elements
access-list Access_in line 1 extended permit icmp any host 67.103.180.198 (hitcnt=1560) 0x1c983445
access-list Access_in line 2 extended permit ip any host 67.103.180.198 (hitcnt=10523) 0x16c28239
access-list Access_in line 3 extended permit tcp any host 67.103.180.198 eq www (hitcnt=0) 0xcd121af
access-list Access_in line 4 extended permit tcp any host 67.103.180.198 eq https (hitcnt=0) 0x61586a17
access-list Access_in line 5 extended permit tcp any host 67.103.180.198 eq smtp (hitcnt=0) 0x5dc2e4ff
access-list Access_in line 6 extended permit tcp any host 67.103.180.197 eq www (hitcnt=350) 0x23a82c60
access-list Access_in line 7 extended permit tcp any host 67.103.180.197 eq smtp (hitcnt=9075) 0x17351e51
access-list Access_in line 8 extended permit tcp any host 67.103.180.197 eq pop3 (hitcnt=2) 0x42d2e53a
access-list Access_in line 9 extended permit tcp any host 67.103.180.197 eq https (hitcnt=2723) 0x8dcaa782
access-list Access_in line 10 extended permit tcp any host 67.103.180.197 eq imap4 (hitcnt=3) 0x9757a055
access-list Access_in line 11 extended permit tcp any host 67.103.180.198 eq ssh (hitcnt=0) 0xe141a612
access-list Access_in line 12 extended permit tcp any host 67.103.180.197 eq ssh (hitcnt=31) 0x131caa47
access-list Access_in line 13 extended permit tcp any host 67.103.180.197 eq pptp (hitcnt=14) 0x92ca501b
access-list Access_in line 14 extended permit gre any host 67.103.180.197 log informational interval 300 (hitcnt=82) 0x98c12557
access-list Access_in line 15 extended permit esp any host 67.103.180.197 log informational interval 300 (hitcnt=0) 0xe265760b
access-list Access_in line 16 extended permit udp any host 67.103.180.197 eq isakmp (hitcnt=0) 0x7f25ba14
access-list Access_in line 17 extended permit tcp any host 67.103.180.198 (hitcnt=0) 0xb7557f96
access-list Access_in line 18 extended permit udp any host 67.103.180.198 (hitcnt=0) 0xc14ee5bb
access-list Access_in line 19 extended permit udp any host 67.103.180.197 (hitcnt=2627) 0x218a7883
access-list Access_in line 20 extended permit tcp any host 67.103.180.198 eq domain (hitcnt=0) 0x12753803
access-list Access_in line 21 extended permit tcp any host 67.103.180.197 eq domain (hitcnt=0) 0x294dbec5
access-list Access_in line 22 extended permit udp any host 67.103.180.198 eq domain (hitcnt=0) 0xb17f8e59
access-list Access_in line 23 extended permit udp any host 67.103.180.197 eq domain (hitcnt=0) 0x9f49c99f
access-list Access_in line 24 extended permit icmp any host 67.103.180.197 (hitcnt=997) 0x591185cb
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                67.103.180.194  255.255.255.192 CONFIG
Ethernet1                inside                 192.168.1.1     255.255.255.0   CONFIG
Ethernet2                DMZ                    192.168.2.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                67.103.180.194  255.255.255.192 CONFIG
Ethernet1                inside                 192.168.1.1     255.255.255.0   CONFIG
Ethernet2                DMZ                    192.168.2.1     255.255.255.0   CONFIG
MatrixFW1# show nat

NAT policies on Interface inside:
  match ip inside host 192.168.1.101 outside any
    static translation to 67.103.180.197
    translate_hits = 33494, untranslate_hits = 22697
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (67.103.180.195)
    translate_hits = 234668, untranslate_hits = 14019
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
    translate_hits = 1758, untranslate_hits = 11

NAT policies on Interface DMZ:
  match ip DMZ host 192.168.2.42 outside any
    static translation to 67.103.180.198
    translate_hits = 2096, untranslate_hits = 12108
  match ip DMZ 192.168.2.0 255.255.255.0 outside any
    dynamic translation to pool 2 (67.103.180.196)
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 192.168.2.0 255.255.255.0 DMZ any
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0

Question by:ioglyphics

Expert Comment

by:batry_boy
It looks like you have PAT configured for traffic from the inside to the DMZ judging from the following line in your posted information:

NAT policies on Interface inside:
 match ip inside 192.168.1.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
    translate_hits = 1758, untranslate_hits = 11

You probably have a line in your PIX config that looks similar to the following:

global (DMZ) 1 interface

and either

nat (inside) 1 0.0.0.0 0.0.0.0
or
nat (inside) 1 192.168.1.0 255.255.255.0

What access list, if any, do you have applied to your DMZ interface?  There will be an "access-group" command that specifies the DMZ interface, similar to the following:

access-group <acl_name> in interface DMZ

If you have one applied, look at the ACL and see if it is explicitly blocking any traffic back to the inside.  If you're unsure, post the ACL and any access-group statements and we can take a look...you may wind up having to post the complete sanitized PIX config...

Author Comment

by:ioglyphics
Thanks Batry,

I don't see an access-group command exactly like the one you posted.  I pasted what I think you need to see below.






access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
access-group Access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1

Expert Comment

by:batry_boy
As long as traffic is initiated from the inside interface going to the DMZ interface (meaning higher security level interface to lower security level interface), then your current config should allow you to talk to the DMZ network segment.  Are you trying to initiate traffic from the DMZ to the inside or what exactly are you trying to do that isn't working?

Author Comment

by:ioglyphics
Well we want to RDP and get to a Web App running on a single server in the DMZ (Host IP 192.168.2.42).

I can't ping anything either, which I know was disabled except for specific nodes.  The "cisco guy" that was working on this LAN in his spare time for the small company I now work for stated that he thinks we have wiring and/or DNS issues, which I know is not the case.

Expert Comment

by:batry_boy
If you want to enable pings from inside to DMZ, you'll need to allow the echo replies back to the inside from the DMZ...you can use these commands:

access-list acl_dmz_in permit icmp any any echo-reply
access-group acl_dmz_in in interface DMZ

Try that and see if you can ping the DMZ server and we'll go from there...

Author Comment

by:ioglyphics
Yes, I added the first line and it allowed me to ping the PIX.  I have SDM and am trying to find Pix Device Manager.  This might make things a bit easier for me to handle, but I don't know how to enable HTTP access to the PIX.  Furthermore, I want to enable access to a Web App running on 192.168.2.42.  How can I set this up?
By the way, I can RDP to the server via IP address.  I suppose I will have to create a host file or enable DNS access to and from the DMZ and my LAN.

Expert Comment

by:batry_boy
To enable HTTP access to the PIX from the inside network, enter these commands:

http 192.168.1.0 255.255.255.0 inside
http server enable

You will then be able to type https://192.168.1.x to get to the PDM where 192.168.1.x is the PIX inside interface IP.

>Furthermore, I want to enable access to a Web App running on 192.168.2.42.  How can I set this up?

It depends on where you want to access the web app from...the inside, outside, or both?

Author Comment

by:ioglyphics
>It depends on where you want to access the web app from...the inside, outside, or both?

We can get to it from the outside now, but not from the inside.  Inside is what we need.

Expert Comment

by:batry_boy
Instead of using the nat/global pair like you have now between the inside and dmz networks, try putting this in instead:

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

This will change your existing PAT translation method into a static one-to-one NAT for hosts on the inside network going to the DMZ network.  See if this fixes your web server connectivity issue, although what I see right now in your config should work...

Author Comment

by:ioglyphics
I tried and got the following error....

 static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255$
ERROR: mapped-address conflict with existing static
  inside:192.168.1.0 to DMZ:192.168.1.0 netmask 255.255.255.0
Usage: [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        show running-config [all] static [<mapped_ip>]
        clear configure static

Author Comment

by:ioglyphics
My DMZ subnet is 192.168.2.0.  If anything....is that what could be wrong with that command?

Author Comment

by:ioglyphics
On your reply below.....

>To enable HTTP access to the PIX from the inside network, enter these commands:
>http 192.168.1.0 255.255.255.0 inside
>http server enable
>You will then be able to type https://192.168.1.x to get to the PDM where 192.168.1.x is the PIX inside interface IP.

I need HTTP access to a box in the DMZ which is in subnet 192.168.2.0

Wouldn't the appropriate command be:

http 192.168.2.0 255.255.255.0 inside
http server enable

???

Author Comment

by:ioglyphics
Ignore that last post.....it's 6:30 EST and my brain is fried....

I do need http access to the 192.168.2.1 subnet in the DMZ though....

Expert Comment

by:batry_boy
No, you misunderstand.  The command:

http 192.168.1.0 255.255.255.0 inside

allows https access to the PIX itself for management using the PIX Device Manager.  If you want http traffic flow to the DMZ segment from the inside, this is just a matter of implementing the proper translation through the PIX and access control using access lists if applicable.

To troubleshoot why your static command gave you an error, please post the entire sanitized config and we can take a look.

Author Comment

by:ioglyphics

OK....I am not sure what you meant by "sanitized", so I assumed you meant to clean up what might be secure info not meant for eyes other than myself.  That being said it is pasted below minus password commands, domain name, and the name we gave the device.  
To refresh this, my goals were to get to a Web App running on a server in the DMZ as well as RDP (which seems to be working now by using the IP address of the server, and logging in to the local Admin acct.)  DNS would be nice as well, but if in your opinion this isn't a good idea that is fine, I am not certain that it is needed or not to satisfy the first objective (access to the Web App).







PIX Version 7.2(2)
!
hostname
domain-name
enable
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 67.103.180.194 255.255.255.192
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!


ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 retries 3
 timeout 3
 name-server 64.105.199.74
 name-server 64.105.159.250
 domain-name dms.local
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
access-group Access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside
http 67.103.180.192 255.255.255.192 outside
http 67.103.180.192 255.255.255.192 DMZ
http 67.103.180.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 67.103.180.192 255.255.255.192 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 64.105.199.74 interface outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 216.200.93.8 source outside prefer
prompt hostname context
Cryptochecksum:472a7348a9fe3bd49a26d444dedac047

Expert Comment

by:batry_boy
Try removing the global (DMZ) command and enter the "net static" command again and then try to access your web app from the inside...just a test:

no global (DMZ) 1 interface
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

You may also have to perform a "clear xlate" command, but be careful doing this on a production firewall since any translations will be cleared out, meaning if someone is in the middle of downloading a file from the Internet or has some other active connection through the firewall it will be disconnected and they will have to reestablish their connection.

Author Comment

by:ioglyphics
OK....the first command executed with no error.  The second one gave the error below.  I looked for the conflict and found that there was a similar statement with (DMZ,outside), so I switched what you sent me to (DMZ, inside), and it executed with no problem.  I did a clear xlate, and tried to get to the site, but it did not work.  I even tried "http://192.168.2.42:80" but got nothing, so it isn't DNS.  Still no access to it.  I am concerned that I won't be able to place a front-end Exchange server in the DMZ either for all the problems I am having with this.
What are your thoughts on multi-homed servers in the DMZ pointing back to the LAN's subnet?  NAT and/or static routes should keep us from having to use multiple NICs in servers but what else can I do at this point?


MatrixFW1(config)# static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255$
ERROR: mapped-address conflict with existing static
  inside:192.168.1.0 to DMZ:192.168.1.0 netmask 255.255.255.0
Usage: [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        show running-config [all] static [<mapped_ip>]
        clear configure static

Expert Comment

by:batry_boy
I just duplicated your NAT setup on an ASA I have here and was able to put in the net static command with no problem, so I'm not sure what the conflict could be based on your posted config.

How about we try running a capture to make sure that the traffic is getting to the ASA and coming back from the DMZ...try setting up two captures, one to apply to the inside interface and the other to the dmz interface:

access-list acl_inside_cap permit ip any host 192.168.2.42
access-list acl_dmz_cap permit ip host 192.168.2.42 any
capture insidecap access-list acl_inside_cap interface inside
capture dmzcap access-list acl_dmz_cap interface DMZ

Then try accessing your web server from inside and then look at both captures to see if the PIX shows any traffic.

show capture insidecap
show capture dmzcap

This will tell us two things:  whether or not the inside traffic is making it to the PIX, and whether or not the DMZ web server traffic is trying to respond back to the inside.
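
The two checks described in the comment above can be run mechanically over the text of both captures. This is an added example, not part of the thread: it parses `show capture` output, reports which inside-initiated requests the server answered, and goes one step further by flagging TCP SYNs the server keeps retransmitting toward the inside network. The function names, the `pat_addrs` parameter and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, namedtuple

# One packet line of PIX/ASA "show capture" output, e.g.
#   "   1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request"
LINE = re.compile(r"^\s*\d+:\s+(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")

# detail: ICMP type text, or TCP flags ("S", "SA", "P", "F", "."); seq is TCP only.
Packet = namedtuple("Packet", "time src sport dst dport proto detail seq")


def split_endpoint(ep):
    """'192.168.2.42.80' -> ('192.168.2.42', 80); ICMP lines carry no port."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_capture(text):
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # prompts, "N packets captured", blank lines
        time, src_ep, dst_ep, rest = m.groups()
        src, sport = split_endpoint(src_ep)
        dst, dport = split_endpoint(dst_ep)
        if rest.startswith("icmp:"):
            proto, detail, seq = "icmp", rest[5:].strip(), ""
        elif rest.startswith("udp"):
            proto, detail, seq = "udp", "", ""
        else:
            tok = rest.split()
            syn_ack = tok[0] == "S" and "ack" in tok[1:]
            proto, detail = "tcp", "SA" if syn_ack else tok[0]
            seq = tok[1] if len(tok) > 1 and ":" in tok[1] else ""
        packets.append(Packet(time, src, sport, dst, dport, proto, detail, seq))
    return packets


def diagnose(inside_text, dmz_text, server, inside_net, pat_addrs=()):
    """Did inside traffic reach the PIX, and did the DMZ server try to answer?

    pat_addrs: addresses the client is translated to on the DMZ side, if any.
    """
    net = ipaddress.ip_network(inside_net)
    inside, dmz = parse_capture(inside_text), parse_capture(dmz_text)

    def is_request(p):
        return p.dst == server and (
            (p.proto, p.detail) in (("icmp", "echo request"), ("tcp", "S")))

    def is_reply_to(req, p):
        if p.src != server or p.proto != req.proto:
            return False
        direct = p.dst == req.src
        if not (direct or p.dst in pat_addrs):
            return False
        if req.proto == "icmp":
            return p.detail == "echo reply"
        # Under PAT the client port is rewritten, so only the server port compares.
        return (p.detail == "SA" and p.sport == req.dport
                and (p.dport == req.sport or not direct))

    requests = [p for p in inside if is_request(p)]
    answered = [r for r in requests if any(is_reply_to(r, p) for p in dmz)]
    unanswered = [r for r in requests if r not in answered]
    # The same SYN (same 4-tuple and sequence number) seen more than once means
    # the server never got an answer to its own connection attempt.
    syns = Counter((p.src, p.sport, p.dst, p.dport, p.seq) for p in dmz
                   if (p.proto, p.detail) == ("tcp", "S")
                   and ipaddress.ip_address(p.dst) in net)
    return {
        "inside_reaches_pix": bool(requests),
        "answered": [(r.src, r.proto, r.dport) for r in answered],
        "unanswered": [(r.src, r.proto, r.dport) for r in unanswered],
        "dmz_syn_retransmits": {k[:4]: n for k, n in syns.items() if n > 1},
    }


# Constructed sample input in "show capture" format (illustrative only).
INSIDE_CAP = """\
   1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request
   2: 14:18:02.101000 192.168.1.221.3050 > 192.168.2.42.80: S 1111111111:1111111111(0) win 65535 <mss 1460,nop,nop,sackOK>
"""
DMZ_CAP = """\
   1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 14:16:30.897887 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
   3: 14:16:49.003707 192.168.2.42.1026 > 64.105.199.74.53:  udp 35
   4: 14:17:23.397516 192.168.2.42 > 192.168.1.221: icmp: echo reply
"""

if __name__ == "__main__":
    for key, value in diagnose(INSIDE_CAP, DMZ_CAP, "192.168.2.42",
                               "192.168.1.0/24").items():
        print(key, value)
```

While `global (DMZ) 1 interface` is still configured, pass the PIX DMZ interface address (192.168.2.1 in the posted `show nat` output) in `pat_addrs`, since the server then replies to that address rather than to the client.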

Author Comment

by:ioglyphics
OK....I pasted what I did and the results of the capture below.  



MatrixFW1(config)# access-list acl_inside_cap permit ip any host 192.168.2.42
MatrixFW1(config)# access-list acl_dmz_cap permit ip host 192.168.2.42 any
MatrixFW1(config)# capture insidecap access-list acl_inside_cap interface insi$
MatrixFW1(config)# capture dmzcap access-list acl_dmz_cap interface DMZ
MatrixFW1(config)# clear xlate
MatrixFW1(config)# show capture insidecap
0 packet captured
0 packet shown
MatrixFW1(config)# show capture dmzcap
1 packet captured
   1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
1 packet shown
MatrixFW1(config)#

Then I did the show capture commands again after pinging the 192.168.2.42 host and got what you see below.


MatrixFW1(config)# show capture insidecap
4 packets captured
   1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request
   2: 14:17:28.678324 192.168.1.221 > 192.168.2.42: icmp: echo request
   3: 14:17:34.178472 192.168.1.221 > 192.168.2.42: icmp: echo request
   4: 14:17:39.678553 192.168.1.221 > 192.168.2.42: icmp: echo request
4 packets shown

MatrixFW1(config)# show capture dmzcap
455 packets captured
   1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 14:16:30.897887 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
   3: 14:16:36.932919 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
   4: 14:16:49.003707 192.168.2.42.1026 > 64.105.199.74.53:  udp 35
   5: 14:16:49.027616 192.168.2.42.137 > 192.168.2.255.137:  udp 50
   6: 14:16:49.777440 192.168.2.42.137 > 192.168.2.255.137:  udp 50
   7: 14:16:50.527453 192.168.2.42.137 > 192.168.2.255.137:  udp 50
   8: 14:16:51.278107 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
   9: 14:16:54.233401 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
  10: 14:17:00.167868 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
  11: 14:17:12.241412 192.168.2.42.6001 > 255.255.255.255.6000:  udp 60
  12: 14:17:15.240847 192.168.2.42.6001 > 255.255.255.255.6000:  udp 60
  13: 14:17:18.240771 192.168.2.42.6001 > 255.255.255.255.6000:  udp 60
  14: 14:17:23.397516 192.168.2.42 > 192.168.1.221: icmp: echo reply
  15: 14:17:25.893020 192.168.2.42.138 > 192.168.2.255.138:  udp 201
  16: 14:17:28.678752 192.168.2.42 > 192.168.1.221: icmp: echo reply
  17: 14:17:34.178869 192.168.2.42 > 192.168.1.221: icmp: echo reply
  18: 14:17:34.344388 192.168.2.42.138 > 192.168.2.255.138:  udp 209
  19: 14:17:39.678981 192.168.2.42 > 192.168.1.221: icmp: echo reply
  20: 14:20:10.939740 192.168.2.42.80 > 64.135.56.101.37637: S 3309904106:3309904106(0) ack 3221270711 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  21: 14:20:11.377025 192.168.2.42.80 > 64.135.56.101.37637: . ack 3221270961 win 65285 <nop,nop,timestamp 28693992 334429472>
  22: 14:20:12.577133 192.168.2.42.80 > 64.135.56.101.37637: P 3309904107:3309904268(161) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
  23: 14:20:12.577225 192.168.2.42.80 > 64.135.56.101.37637: P 3309904268:3309904293(25) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
  24: 14:20:12.577530 192.168.2.42.80 > 64.135.56.101.37637: F 3309904293:3309904293(0) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
 25: 14:20:12.826815 192.168.2.42.80 > 64.135.56.101.37790: S 404173844:404173844(0) ack 1614232141 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  26: 14:20:13.111520 192.168.2.42.80 > 64.135.56.101.37790: P 404173845:404174006(161) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
  27: 14:20:13.111551 192.168.2.42.80 > 64.135.56.101.37790: P 404174006:404174031(25) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
  28: 14:20:13.111734 192.168.2.42.80 > 64.135.56.101.37790: F 404174031:404174031(0) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
  29: 14:20:13.300841 192.168.2.42.80 > 64.135.56.101.37827: S 4257023276:4257023276(0) ack 2155109319 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  30: 14:20:13.487279 192.168.2.42.80 > 64.135.56.101.37827: P 4257023277:4257023438(161) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
  31: 14:20:13.487325 192.168.2.42.80 > 64.135.56.101.37827: P 4257023438:4257023463(25) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
  32: 14:20:13.487493 192.168.2.42.80 > 64.135.56.101.37827: F 4257023463:4257023463(0) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
  33: 14:20:13.688608 192.168.2.42.80 > 64.135.56.101.37857: S 3709013395:3709013395(0) ack 4263653822 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  34: 14:20:13.884964 192.168.2.42.80 > 64.135.56.101.37857: P 3709013396:3709013557(161) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
  35: 14:20:13.884994 192.168.2.42.80 > 64.135.56.101.37857: P 3709013557:3709013582(25) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
  36: 14:20:13.885162 192.168.2.42.80 > 64.135.56.101.37857: F 3709013582:3709013582(0) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
  37: 14:20:14.066219 192.168.2.42.80 > 64.135.56.101.37891: S 2712132017:2712132017(0) ack 2042100800 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  38: 14:20:14.183919 192.168.2.42.80 > 64.135.56.101.37891: P 2712132018:2712132179(161) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
  39: 14:20:14.183950 192.168.2.42.80 > 64.135.56.101.37891: P 2712132179:2712132204(25) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
  40: 14:20:14.184133 192.168.2.42.80 > 64.135.56.101.37891: F 2712132204:2712132204(0) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
  41: 14:20:14.373805 192.168.2.42.80 > 64.135.56.101.37923: S 2150807489:2150807489(0) ack 2716383992 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  42: 14:20:14.562821 192.168.2.42.80 > 64.135.56.101.37923: P 2150807490:2150807651(161) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
  43: 14:20:14.562882 192.168.2.42.80 > 64.135.56.101.37923: P 2150807651:2150807676(25) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
  44: 14:20:14.563035 192.168.2.42.80 > 64.135.56.101.37923: F 2150807676:2150807676(0) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
  45: 14:20:14.712197 192.168.2.42.80 > 64.135.56.101.37955: S 1445811166:1445811166(0) ack 2994243033 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  46: 14:20:14.836199 192.168.2.42.80 > 64.135.56.101.37955: P 1445811167:1445811328(161) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
  47: 14:20:14.836245 192.168.2.42.80 > 64.135.56.101.37955: P 1445811328:1445811353(25) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
  48: 14:20:14.836413 192.168.2.42.80 > 64.135.56.101.37955: F 1445811353:1445811353(0) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
 49: 14:20:15.009459 192.168.2.42.80 > 64.135.56.101.37986: S 1979492240:1979492240(0) ack 2097525844 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  50: 14:20:15.171835 192.168.2.42.80 > 64.135.56.101.37986: . ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
  51: 14:20:15.176687 192.168.2.42.80 > 64.135.56.101.37986: P 1979492241:1979492402(161) ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
  52: 14:20:15.176748 192.168.2.42.80 > 64.135.56.101.37986: P 1979492402:1979492427(25) ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
  53: 14:20:15.176916 192.168.2.42.80 > 64.135.56.101.37986: F 1979492427:1979492427(0) ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
  54: 14:20:15.361553 192.168.2.42.80 > 64.135.56.101.38026: S 694877552:694877552(0) ack 2693937960 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  55: 14:20:15.605925 192.168.2.42.80 > 64.135.56.101.38026: P 694877553:694877714(161) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
  56: 14:20:15.606001 192.168.2.42.80 > 64.135.56.101.38026: P 694877714:694877739(25) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
  57: 14:20:15.606139 192.168.2.42.80 > 64.135.56.101.38026: F 694877739:694877739(0) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
  58: 14:20:15.839800 192.168.2.42.80 > 64.135.56.101.38065: S 3836959143:3836959143(0) ack 3836680779 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  59: 14:20:16.132790 192.168.2.42.80 > 64.135.56.101.38065: P 3836959144:3836959305(161) ack 3836681031 win 65283 <nop,nop,timestamp 28694039 334429961>
  60: 14:20:16.132836 192.168.2.42.80 > 64.135.56.101.38065: P 3836959305:3836959330(25) ack 3836681031 win 65283 <nop,nop,timestamp 28694039 334429961>
  61: 14:20:16.133019 192.168.2.42.80 > 64.135.56.101.38065: F 3836959330:3836959330(0) ack 3836681031 win 65283 <nop,nop,timestamp 28694039 334429961>
  62: 14:20:16.338163 192.168.2.42.80 > 64.135.56.101.38102: S 1015241587:1015241587(0) ack 2332362723 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  63: 14:20:16.539217 192.168.2.42.80 > 64.135.56.101.38102: P 1015241588:1015241749(161) ack 2332362986 win 65272 <nop,nop,timestamp 28694043 334430012>
  64: 14:20:16.539263 192.168.2.42.80 > 64.135.56.101.38102: P 1015241749:1015241774(25) ack 2332362986 win 65272 <nop,nop,timestamp 28694043 334430012>
  65: 14:20:16.539431 192.168.2.42.80 > 64.135.56.101.38102: F 1015241774:1015241774(0) ack 2332362986 win 65272 <nop,nop,timestamp 28694043 334430012>
  66: 14:20:16.725441 192.168.2.42.80 > 64.135.56.101.38135: S 4197620638:4197620638(0) ack 187312697 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  67: 14:20:16.983225 192.168.2.42.80 > 64.135.56.101.38135: P 4197620639:4197620800(161) ack 187312989 win 65243 <nop,nop,timestamp 28694047 334430032>
  68: 14:20:16.983256 192.168.2.42.80 > 64.135.56.101.38135: P 4197620800:4197620825(25) ack 187312989 win 65243 <nop,nop,timestamp 28694047 334430032>
  69: 14:20:16.983439 192.168.2.42.80 > 64.135.56.101.38135: F 4197620825:4197620825(0) ack 187312989 win 65243 <nop,nop,timestamp 28694047 334430032>
  70: 14:20:17.229617 192.168.2.42.80 > 64.135.56.101.38169: S 2827474678:2827474678(0) ack 3328118603 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  71: 14:20:17.468969 192.168.2.42.80 > 64.135.56.101.38169: P 2827474679:2827474840(161) ack 3328118874 win 65264 <nop,nop,timestamp 28694052 334430101>
  72: 14:20:17.469030 192.168.2.42.80 > 64.135.56.101.38169: P 2827474840:2827474865(25) ack 3328118874 win 65264 <nop,nop,timestamp 28694052 334430101>


There are about 200+ lines of the same... your thoughts?
0
 
LVL 28

Expert Comment

by:batry_boy
I see where the dmz web server sent echo replies back to the 192.168.1.221 host you were pinging it from, but I don't see any traffic where you tried to access the web server by surfing to it...try to access the web server by going to http://192.168.2.42 from 192.168.1.221 and then post the capture results...

Do a clear capture <capture_name> on both captures first, so we can see fresh results...
0
 

Author Comment

by:ioglyphics
OK I did so here by trying to reach http://192.168.2.42:80, but it failed.  I did the capture commands again and got what you see below.

MatrixFW1(config)# show capture insidecap
442 packets captured
   1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request
   2: 14:17:28.678324 192.168.1.221 > 192.168.2.42: icmp: echo request
   3: 14:17:34.178472 192.168.1.221 > 192.168.2.42: icmp: echo request
   4: 14:17:39.678553 192.168.1.221 > 192.168.2.42: icmp: echo request
   5: 14:55:59.007644 192.168.1.221.2751 > 192.168.2.42.3389: S 2224449108:2224449108(0) win 65535 <mss 1460,nop,nop,sackOK>
   6: 14:55:59.008269 192.168.1.221.2751 > 192.168.2.42.3389: . ack 1690145402 win 65535
   7: 14:55:59.008788 192.168.1.221.2751 > 192.168.2.42.3389: P 2224449109:2224449156(47) ack 1690145402 win 65535
   8: 14:55:59.010619 192.168.1.221.2751 > 192.168.2.42.3389: F 2224449156:2224449156(0) ack 1690145421 win 65516
   9: 14:56:01.295013 192.168.1.221.2752 > 192.168.2.42.3389: S 588115189:588115189(0) win 65535 <mss 1460,nop,nop,sackOK>
  10: 14:56:01.295669 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209866004 win 65535
  11: 14:56:01.296081 192.168.1.221.2752 > 192.168.2.42.3389: P 588115190:588115237(47) ack 209866004 win 65535
  12: 14:56:01.297912 192.168.1.221.2752 > 192.168.2.42.3389: P 588115237:588115665(428) ack 209866023 win 65516
  13: 14:56:01.298858 192.168.1.221.2752 > 192.168.2.42.3389: P 588115665:588115677(12) ack 209866360 win 65179
  14: 14:56:01.298888 192.168.1.221.2752 > 192.168.2.42.3389: P 588115677:588115685(8) ack 209866360 win 65179
  15: 14:56:01.299484 192.168.1.221.2752 > 192.168.2.42.3389: P 588115685:588115697(12) ack 209866371 win 65168
  16: 14:56:01.299880 192.168.1.221.2752 > 192.168.2.42.3389: P 588115697:588115709(12) ack 209866386 win 65153
  17: 14:56:01.300323 192.168.1.221.2752 > 192.168.2.42.3389: P 588115709:588115721(12) ack 209866401 win 65138
  18: 14:56:01.300750 192.168.1.221.2752 > 192.168.2.42.3389: P 588115721:588115733(12) ack 209866416 win 65123
  19: 14:56:01.301131 192.168.1.221.2752 > 192.168.2.42.3389: P 588115733:588115745(12) ack 209866431 win 65108
  20: 14:56:01.301543 192.168.1.221.2752 > 192.168.2.42.3389: P 588115745:588115757(12) ack 209866446 win 65093
  21: 14:56:01.402506 192.168.1.221.2752 > 192.168.2.42.3389: P 588115757:588115851(94) ack 209866461 win 65078
  22: 14:56:01.412210 192.168.1.221.2752 > 192.168.2.42.3389: P 588115851:588116236(385) ack 209866461 win 65078
  23: 14:56:01.511844 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209866889 win 64650
  24: 14:56:01.585190 192.168.1.221.2752 > 192.168.2.42.3389: P 588116236:588116774(538) ack 209866889 win 64650
 25: 14:56:01.585281 192.168.1.221.2752 > 192.168.2.42.3389: P 588116774:588116822(48) ack 209866889 win 64650
  26: 14:56:01.585403 192.168.1.221.2752 > 192.168.2.42.3389: P 588116822:588116874(52) ack 209866889 win 64650
  27: 14:56:01.585449 192.168.1.221.2752 > 192.168.2.42.3389: P 588116874:588116926(52) ack 209866889 win 64650
  28: 14:56:01.586288 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209867041 win 64498
  29: 14:56:01.654705 192.168.1.221.2752 > 192.168.2.42.3389: P 588116926:588116974(48) ack 209867041 win 64498
  30: 14:56:02.985758 192.168.1.221.2752 > 192.168.2.42.3389: . 588116974:588118354(1380) ack 209867041 win 64498
  31: 14:56:02.985819 192.168.1.221.2752 > 192.168.2.42.3389: P 588118354:588118395(41) ack 209867041 win 64498
  32: 14:56:02.985895 192.168.1.221.2752 > 192.168.2.42.3389: . 588118395:588119775(1380) ack 209867041 win 64498
  33: 14:56:02.985941 192.168.1.221.2752 > 192.168.2.42.3389: P 588119775:588119816(41) ack 209867041 win 64498
  34: 14:56:02.985987 192.168.1.221.2752 > 192.168.2.42.3389: . 588119816:588121196(1380) ack 209867041 win 64498
  35: 14:56:02.986032 192.168.1.221.2752 > 192.168.2.42.3389: P 588121196:588121237(41) ack 209867041 win 64498
  36: 14:56:02.986109 192.168.1.221.2752 > 192.168.2.42.3389: . 588121237:588122617(1380) ack 209867041 win 64498
  37: 14:56:02.986170 192.168.1.221.2752 > 192.168.2.42.3389: P 588122617:588122658(41) ack 209867041 win 64498
  38: 14:56:02.986231 192.168.1.221.2752 > 192.168.2.42.3389: . 588122658:588124038(1380) ack 209867041 win 64498
  39: 14:56:02.986307 192.168.1.221.2752 > 192.168.2.42.3389: P 588124038:588124079(41) ack 209867041 win 64498
  40: 14:56:02.986490 192.168.1.221.2752 > 192.168.2.42.3389: . 588124079:588125459(1380) ack 209867041 win 64498
  41: 14:56:02.986536 192.168.1.221.2752 > 192.168.2.42.3389: P 588125459:588125500(41) ack 209867041 win 64498
  42: 14:56:02.986628 192.168.1.221.2752 > 192.168.2.42.3389: . 588125500:588126880(1380) ack 209867041 win 64498
  43: 14:56:02.986673 192.168.1.221.2752 > 192.168.2.42.3389: P 588126880:588126921(41) ack 209867041 win 64498
  44: 14:56:02.986780 192.168.1.221.2752 > 192.168.2.42.3389: . 588126921:588128301(1380) ack 209867041 win 64498
  45: 14:56:02.986826 192.168.1.221.2752 > 192.168.2.42.3389: P 588128301:588128342(41) ack 209867041 win 64498
  46: 14:56:02.986856 192.168.1.221.2752 > 192.168.2.42.3389: . 588128342:588129722(1380) ack 209867041 win 64498
  47: 14:56:02.986963 192.168.1.221.2752 > 192.168.2.42.3389: P 588129722:588129763(41) ack 209867041 win 64498
  48: 14:56:02.986994 192.168.1.221.2752 > 192.168.2.42.3389: P 588129763:588130392(629) ack 209867041 win 64498



MatrixFW1(config)# show capture dmzcap
1257 packets captured
   1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 14:16:30.897887 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
   3: 14:16:36.932919 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
   4: 14:16:49.003707 192.168.2.42.1026 > 64.105.199.74.53:  udp 35
   5: 14:16:49.027616 192.168.2.42.137 > 192.168.2.255.137:  udp 50
   6: 14:16:49.777440 192.168.2.42.137 > 192.168.2.255.137:  udp 50
   7: 14:16:50.527453 192.168.2.42.137 > 192.168.2.255.137:  udp 50
   8: 14:16:51.278107 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
   9: 14:16:54.233401 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
  10: 14:17:00.167868 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
  11: 14:17:12.241412 192.168.2.42.6001 > 255.255.255.255.6000:  udp 60
  12: 14:17:15.240847 192.168.2.42.6001 > 255.255.255.255.6000:  udp 60
  13: 14:17:18.240771 192.168.2.42.6001 > 255.255.255.255.6000:  udp 60
  14: 14:17:23.397516 192.168.2.42 > 192.168.1.221: icmp: echo reply
  15: 14:17:25.893020 192.168.2.42.138 > 192.168.2.255.138:  udp 201
  16: 14:17:28.678752 192.168.2.42 > 192.168.1.221: icmp: echo reply
  17: 14:17:34.178869 192.168.2.42 > 192.168.1.221: icmp: echo reply
  18: 14:17:34.344388 192.168.2.42.138 > 192.168.2.255.138:  udp 209
  19: 14:17:39.678981 192.168.2.42 > 192.168.1.221: icmp: echo reply
  20: 14:20:10.939740 192.168.2.42.80 > 64.135.56.101.37637: S 3309904106:3309904106(0) ack 3221270711 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  21: 14:20:11.377025 192.168.2.42.80 > 64.135.56.101.37637: . ack 3221270961 win 65285 <nop,nop,timestamp 28693992 334429472>
  22: 14:20:12.577133 192.168.2.42.80 > 64.135.56.101.37637: P 3309904107:3309904268(161) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
  23: 14:20:12.577225 192.168.2.42.80 > 64.135.56.101.37637: P 3309904268:3309904293(25) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
  24: 14:20:12.577530 192.168.2.42.80 > 64.135.56.101.37637: F 3309904293:3309904293(0) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
 25: 14:20:12.826815 192.168.2.42.80 > 64.135.56.101.37790: S 404173844:404173844(0) ack 1614232141 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  26: 14:20:13.111520 192.168.2.42.80 > 64.135.56.101.37790: P 404173845:404174006(161) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
  27: 14:20:13.111551 192.168.2.42.80 > 64.135.56.101.37790: P 404174006:404174031(25) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
  28: 14:20:13.111734 192.168.2.42.80 > 64.135.56.101.37790: F 404174031:404174031(0) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
  29: 14:20:13.300841 192.168.2.42.80 > 64.135.56.101.37827: S 4257023276:4257023276(0) ack 2155109319 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  30: 14:20:13.487279 192.168.2.42.80 > 64.135.56.101.37827: P 4257023277:4257023438(161) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
  31: 14:20:13.487325 192.168.2.42.80 > 64.135.56.101.37827: P 4257023438:4257023463(25) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
  32: 14:20:13.487493 192.168.2.42.80 > 64.135.56.101.37827: F 4257023463:4257023463(0) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
  33: 14:20:13.688608 192.168.2.42.80 > 64.135.56.101.37857: S 3709013395:3709013395(0) ack 4263653822 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  34: 14:20:13.884964 192.168.2.42.80 > 64.135.56.101.37857: P 3709013396:3709013557(161) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
  35: 14:20:13.884994 192.168.2.42.80 > 64.135.56.101.37857: P 3709013557:3709013582(25) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
  36: 14:20:13.885162 192.168.2.42.80 > 64.135.56.101.37857: F 3709013582:3709013582(0) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
  37: 14:20:14.066219 192.168.2.42.80 > 64.135.56.101.37891: S 2712132017:2712132017(0) ack 2042100800 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  38: 14:20:14.183919 192.168.2.42.80 > 64.135.56.101.37891: P 2712132018:2712132179(161) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
  39: 14:20:14.183950 192.168.2.42.80 > 64.135.56.101.37891: P 2712132179:2712132204(25) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
  40: 14:20:14.184133 192.168.2.42.80 > 64.135.56.101.37891: F 2712132204:2712132204(0) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
  41: 14:20:14.373805 192.168.2.42.80 > 64.135.56.101.37923: S 2150807489:2150807489(0) ack 2716383992 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  42: 14:20:14.562821 192.168.2.42.80 > 64.135.56.101.37923: P 2150807490:2150807651(161) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
  43: 14:20:14.562882 192.168.2.42.80 > 64.135.56.101.37923: P 2150807651:2150807676(25) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
  44: 14:20:14.563035 192.168.2.42.80 > 64.135.56.101.37923: F 2150807676:2150807676(0) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
  45: 14:20:14.712197 192.168.2.42.80 > 64.135.56.101.37955: S 1445811166:1445811166(0) ack 2994243033 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
  46: 14:20:14.836199 192.168.2.42.80 > 64.135.56.101.37955: P 1445811167:1445811328(161) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
  47: 14:20:14.836245 192.168.2.42.80 > 64.135.56.101.37955: P 1445811328:1445811353(25) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
  48: 14:20:14.836413 192.168.2.42.80 > 64.135.56.101.37955: F 1445811353:1445811353(0) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>

What do you think?
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
The following lines from your inside capture show that your traffic is trying to access the RDP port (TCP 3389) instead of the HTTP (TCP 80) port:

   1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request
   2: 14:17:28.678324 192.168.1.221 > 192.168.2.42: icmp: echo request
   3: 14:17:34.178472 192.168.1.221 > 192.168.2.42: icmp: echo request
   4: 14:17:39.678553 192.168.1.221 > 192.168.2.42: icmp: echo request
   5: 14:55:59.007644 192.168.1.221.2751 > 192.168.2.42.3389: S 2224449108:2224449108(0) win 65535 <mss 1460,nop,nop,sackOK>
   6: 14:55:59.008269 192.168.1.221.2751 > 192.168.2.42.3389: . ack 1690145402 win 65535
   7: 14:55:59.008788 192.168.1.221.2751 > 192.168.2.42.3389: P 2224449109:2224449156(47) ack 1690145402 win 65535
   8: 14:55:59.010619 192.168.1.221.2751 > 192.168.2.42.3389: F 2224449156:2224449156(0) ack 1690145421 win 65516
   9: 14:56:01.295013 192.168.1.221.2752 > 192.168.2.42.3389: S 588115189:588115189(0) win 65535 <mss 1460,nop,nop,sackOK>
  10: 14:56:01.295669 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209866004 win 65535
  11: 14:56:01.296081 192.168.1.221.2752 > 192.168.2.42.3389: P 588115190:588115237(47) ack 209866004 win 65535
  12: 14:56:01.297912 192.168.1.221.2752 > 192.168.2.42.3389: P 588115237:588115665(428) ack 209866023 win 65516

Very strange...try accessing http://192.168.2.42 instead of http://192.168.2.42:80

The :80 should be implied by the "http" at the beginning of the URL...you should not have to specify :80
0
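The check the accepted answer makes by eye (which destination ports the LAN host actually sent connection attempts to), as an added example that is not part of the original thread. The sample lines are copied from the `show capture` output quoted above; the function names are hypothetical.

```python
import re
from collections import Counter

# Sample lines copied from the "show capture" output quoted in this thread.
INSIDECAP = """\
   4: 14:17:39.678553 192.168.1.221 > 192.168.2.42: icmp: echo request
   5: 14:55:59.007644 192.168.1.221.2751 > 192.168.2.42.3389: S 2224449108:2224449108(0) win 65535 <mss 1460,nop,nop,sackOK>
   6: 14:55:59.008269 192.168.1.221.2751 > 192.168.2.42.3389: . ack 1690145402 win 65535
   9: 14:56:01.295013 192.168.1.221.2752 > 192.168.2.42.3389: S 588115189:588115189(0) win 65535 <mss 1460,nop,nop,sackOK>
"""
DMZCAP = """\
   4: 14:16:49.003707 192.168.2.42.1026 > 64.105.199.74.53:  udp 35
  14: 14:17:23.397516 192.168.2.42 > 192.168.1.221: icmp: echo reply
  20: 14:20:10.939740 192.168.2.42.80 > 64.135.56.101.37637: S 3309904106:3309904106(0) ack 3221270711 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
"""

LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")
ENDPOINT = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?$")


def split_endpoint(text):
    """Split '192.168.2.42.3389' into ('192.168.2.42', 3389); port is None for ICMP."""
    m = ENDPOINT.match(text)
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return m.group(1), int(m.group(2)) if m.group(2) else None


def parse_capture(text):
    """Return one dict per packet line; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or not m.group(5).strip():
            continue
        src, sport = split_endpoint(m.group(3))
        dst, dport = split_endpoint(m.group(4))
        rest = m.group(5).split()
        proto = {"icmp:": "icmp", "udp": "udp"}.get(rest[0], "tcp")
        flags = rest[0] if proto == "tcp" else ""
        # A SYN that also carries "ack" is the server's SYN-ACK, not a new attempt.
        syn_only = proto == "tcp" and "S" in flags and "ack" not in rest
        packets.append({"no": int(m.group(1)), "proto": proto, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "syn_only": syn_only})
    return packets


def connection_attempts(packets):
    """Count client-side TCP SYNs per (source, destination, destination port)."""
    return Counter((p["src"], p["dst"], p["dport"]) for p in packets if p["syn_only"])


def tried_port(packets, src, dst, port):
    """True if src sent at least one initial SYN to dst:port."""
    return connection_attempts(packets)[(src, dst, port)] > 0


if __name__ == "__main__":
    inside = parse_capture(INSIDECAP)
    for (src, dst, dport), n in sorted(connection_attempts(inside).items()):
        print(f"{src} -> {dst} tcp/{dport}: {n} SYN(s)")
    print("HTTP attempted:", tried_port(inside, "192.168.1.221", "192.168.2.42", 80))
```

Paste the full capture text in place of the sample strings to run the same tally over every packet.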
 

Author Comment

by:ioglyphics
I did http://192.168.2.42 but no luck.  I RDP'ed to the server and tried to access the site there and it didn't work which is strange as well.  Sorry to say I am on a wild goose chase and I have you right along with me.  If you can't get to the site on the host, I suppose getting to it from another host would not work either.  

Try going to http://demo.dmsva.com and let me know if you can get to it.  I think the issue is not with the DMZ but with DNS. You can't get to it locally without using localhost.  That works when on the server.  That is all we need in my opinion.

Thanks for all your help, man.
0
