ioglyphics
asked on
LAN subnet to DMZsubnet access with PIX 515E
I can not reach host in my DMZ from my LAN. We had multi honed Windows Web Server. I just took over the network and was told by the previous Admin that this could create a loop. I am not familiar with PIX at all so I am putting my access list, ip , and NAT info here to be analyzed by the experts here. Please advise???!
I searched and found what seemed like the solution from another member here but I am just not certain as there was no response from the member to the expert saying that his solution worked.
It appears to me that there is no entry to NAT from the subnet of my DMZ 192.168.2.0 to my LAN subnet 192.168.1.0.
MatrixFW1# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Access_in; 24 elements
access-list Access_in line 1 extended permit icmp any host 67.103.180.198 (hitcnt=1560) 0x1c983445
access-list Access_in line 2 extended permit ip any host 67.103.180.198 (hitcnt=10523) 0x16c28239
access-list Access_in line 3 extended permit tcp any host 67.103.180.198 eq www (hitcnt=0) 0xcd121af
access-list Access_in line 4 extended permit tcp any host 67.103.180.198 eq https (hitcnt=0) 0x61586a17
access-list Access_in line 5 extended permit tcp any host 67.103.180.198 eq smtp (hitcnt=0) 0x5dc2e4ff
access-list Access_in line 6 extended permit tcp any host 67.103.180.197 eq www (hitcnt=350) 0x23a82c60
access-list Access_in line 7 extended permit tcp any host 67.103.180.197 eq smtp (hitcnt=9075) 0x17351e51
access-list Access_in line 8 extended permit tcp any host 67.103.180.197 eq pop3 (hitcnt=2) 0x42d2e53a
access-list Access_in line 9 extended permit tcp any host 67.103.180.197 eq https (hitcnt=2723) 0x8dcaa782
access-list Access_in line 10 extended permit tcp any host 67.103.180.197 eq imap4 (hitcnt=3) 0x9757a055
access-list Access_in line 11 extended permit tcp any host 67.103.180.198 eq ssh (hitcnt=0) 0xe141a612
access-list Access_in line 12 extended permit tcp any host 67.103.180.197 eq ssh (hitcnt=31) 0x131caa47
access-list Access_in line 13 extended permit tcp any host 67.103.180.197 eq pptp (hitcnt=14) 0x92ca501b
access-list Access_in line 14 extended permit gre any host 67.103.180.197 log informational interval 300 (hitcnt=82) 0x98c12557
access-list Access_in line 15 extended permit esp any host 67.103.180.197 log informational interval 300 (hitcnt=0) 0xe265760b
access-list Access_in line 16 extended permit udp any host 67.103.180.197 eq isakmp (hitcnt=0) 0x7f25ba14
access-list Access_in line 17 extended permit tcp any host 67.103.180.198 (hitcnt=0) 0xb7557f96
access-list Access_in line 18 extended permit udp any host 67.103.180.198 (hitcnt=0) 0xc14ee5bb
access-list Access_in line 19 extended permit udp any host 67.103.180.197 (hitcnt=2627) 0x218a7883
access-list Access_in line 20 extended permit tcp any host 67.103.180.198 eq domain (hitcnt=0) 0x12753803
access-list Access_in line 21 extended permit tcp any host 67.103.180.197 eq domain (hitcnt=0) 0x294dbec5
access-list Access_in line 22 extended permit udp any host 67.103.180.198 eq domain (hitcnt=0) 0xb17f8e59
access-list Access_in line 23 extended permit udp any host 67.103.180.197 eq domain (hitcnt=0) 0x9f49c99f
access-list Access_in line 24 extended permit icmp any host 67.103.180.197 (hitcnt=997) 0x591185cb
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 outside 67.103.180.194 255.255.255.192 CONFIG
Ethernet1 inside 192.168.1.1 255.255.255.0 CONFIG
Ethernet2 DMZ 192.168.2.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 outside 67.103.180.194 255.255.255.192 CONFIG
Ethernet1 inside 192.168.1.1 255.255.255.0 CONFIG
Ethernet2 DMZ 192.168.2.1 255.255.255.0 CONFIG
MatrixFW1# show nat
NAT policies on Interface inside:
match ip inside host 192.168.1.101 outside any
static translation to 67.103.180.197
translate_hits = 33494, untranslate_hits = 22697
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (67.103.180.195)
translate_hits = 234668, untranslate_hits = 14019
match ip inside 192.168.1.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.1.0 255.255.255.0 DMZ any
dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
translate_hits = 1758, untranslate_hits = 11
NAT policies on Interface DMZ:
match ip DMZ host 192.168.2.42 outside any
static translation to 67.103.180.198
translate_hits = 2096, untranslate_hits = 12108
match ip DMZ 192.168.2.0 255.255.255.0 outside any
dynamic translation to pool 2 (67.103.180.196)
translate_hits = 0, untranslate_hits = 0
match ip DMZ 192.168.2.0 255.255.255.0 DMZ any
dynamic translation to pool 2 (No matching global)
translate_hits = 0, untranslate_hits = 0
I searched and found what seemed like the solution from another member here but I am just not certain as there was no response from the member to the expert saying that his solution worked.
It appears to me that there is no entry to NAT from the subnet of my DMZ 192.168.2.0 to my LAN subnet 192.168.1.0.
MatrixFW1# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Access_in; 24 elements
access-list Access_in line 1 extended permit icmp any host 67.103.180.198 (hitcnt=1560) 0x1c983445
access-list Access_in line 2 extended permit ip any host 67.103.180.198 (hitcnt=10523) 0x16c28239
access-list Access_in line 3 extended permit tcp any host 67.103.180.198 eq www (hitcnt=0) 0xcd121af
access-list Access_in line 4 extended permit tcp any host 67.103.180.198 eq https (hitcnt=0) 0x61586a17
access-list Access_in line 5 extended permit tcp any host 67.103.180.198 eq smtp (hitcnt=0) 0x5dc2e4ff
access-list Access_in line 6 extended permit tcp any host 67.103.180.197 eq www (hitcnt=350) 0x23a82c60
access-list Access_in line 7 extended permit tcp any host 67.103.180.197 eq smtp (hitcnt=9075) 0x17351e51
access-list Access_in line 8 extended permit tcp any host 67.103.180.197 eq pop3 (hitcnt=2) 0x42d2e53a
access-list Access_in line 9 extended permit tcp any host 67.103.180.197 eq https (hitcnt=2723) 0x8dcaa782
access-list Access_in line 10 extended permit tcp any host 67.103.180.197 eq imap4 (hitcnt=3) 0x9757a055
access-list Access_in line 11 extended permit tcp any host 67.103.180.198 eq ssh (hitcnt=0) 0xe141a612
access-list Access_in line 12 extended permit tcp any host 67.103.180.197 eq ssh (hitcnt=31) 0x131caa47
access-list Access_in line 13 extended permit tcp any host 67.103.180.197 eq pptp (hitcnt=14) 0x92ca501b
access-list Access_in line 14 extended permit gre any host 67.103.180.197 log informational interval 300 (hitcnt=82) 0x98c12557
access-list Access_in line 15 extended permit esp any host 67.103.180.197 log informational interval 300 (hitcnt=0) 0xe265760b
access-list Access_in line 16 extended permit udp any host 67.103.180.197 eq isakmp (hitcnt=0) 0x7f25ba14
access-list Access_in line 17 extended permit tcp any host 67.103.180.198 (hitcnt=0) 0xb7557f96
access-list Access_in line 18 extended permit udp any host 67.103.180.198 (hitcnt=0) 0xc14ee5bb
access-list Access_in line 19 extended permit udp any host 67.103.180.197 (hitcnt=2627) 0x218a7883
access-list Access_in line 20 extended permit tcp any host 67.103.180.198 eq domain (hitcnt=0) 0x12753803
access-list Access_in line 21 extended permit tcp any host 67.103.180.197 eq domain (hitcnt=0) 0x294dbec5
access-list Access_in line 22 extended permit udp any host 67.103.180.198 eq domain (hitcnt=0) 0xb17f8e59
access-list Access_in line 23 extended permit udp any host 67.103.180.197 eq domain (hitcnt=0) 0x9f49c99f
access-list Access_in line 24 extended permit icmp any host 67.103.180.197 (hitcnt=997) 0x591185cb
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 outside 67.103.180.194 255.255.255.192 CONFIG
Ethernet1 inside 192.168.1.1 255.255.255.0 CONFIG
Ethernet2 DMZ 192.168.2.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 outside 67.103.180.194 255.255.255.192 CONFIG
Ethernet1 inside 192.168.1.1 255.255.255.0 CONFIG
Ethernet2 DMZ 192.168.2.1 255.255.255.0 CONFIG
MatrixFW1# show nat
NAT policies on Interface inside:
match ip inside host 192.168.1.101 outside any
static translation to 67.103.180.197
translate_hits = 33494, untranslate_hits = 22697
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (67.103.180.195)
translate_hits = 234668, untranslate_hits = 14019
match ip inside 192.168.1.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.1.0 255.255.255.0 DMZ any
dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
translate_hits = 1758, untranslate_hits = 11
NAT policies on Interface DMZ:
match ip DMZ host 192.168.2.42 outside any
static translation to 67.103.180.198
translate_hits = 2096, untranslate_hits = 12108
match ip DMZ 192.168.2.0 255.255.255.0 outside any
dynamic translation to pool 2 (67.103.180.196)
translate_hits = 0, untranslate_hits = 0
match ip DMZ 192.168.2.0 255.255.255.0 DMZ any
dynamic translation to pool 2 (No matching global)
translate_hits = 0, untranslate_hits = 0
ASKER
Thanks Batry,
I don't see a access group command exactly like the one you posted. I pasted what I think you need to see below.
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
access-group Access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
I don't see a access group command exactly like the one you posted. I pasted what I think you need to see below.
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
access-group Access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
As long as traffic is initiated from the inside interface going to the DMZ interface (meaning higher security level interface to lower security level interface), then your current config should allow you to talk to the DMZ network segment. Are you trying to initiate traffic from the DMZ to the inside or what exactly are you trying to do that isn't working?
ASKER
Well we want to RDP and get to a Web App running on a single server in the DMZ (Host IP 192.168.2.42).
I can't ping anything either, which I know that was disabled except for specific nodes. The "cisco guy" that was working on this LAN in his spare time for the small company I now work for stated that he thinks we have wiring and or DNS issues which I know is not the case.
I can't ping anything either, which I know that was disabled except for specific nodes. The "cisco guy" that was working on this LAN in his spare time for the small company I now work for stated that he thinks we have wiring and or DNS issues which I know is not the case.
If you want to enable pings from inside to DMZ, you'll need to allow the echo replies back to the inside from the DMZ...you can use these commands:
access-list acl_dmz_in permit icmp any any echo-reply
access-list acl_dmz_in in interface DMZ
Try that and see if you can ping the DMZ server and we'll go from there...
access-list acl_dmz_in permit icmp any any echo-reply
access-list acl_dmz_in in interface DMZ
Try that and see if you can ping the DMZ server and we'll go from there...
ASKER
Yes I added the first line and it allowed me to ping the PIX. I have SDM and am trying to find Pix Device Manager. This might make things a bit easier for me to handle, but I don't know how to enable HTTP access to the PIX. Further more, I want to enable access to a Web App running on 192.168.2.42. How can I set this up?
By the way, I can RDP to the server, via ip address. I suppose I will have to create a host file or enable DNS access to and from the DMZ and the my LAN.
By the way, I can RDP to the server, via ip address. I suppose I will have to create a host file or enable DNS access to and from the DMZ and the my LAN.
To enable HTTP access to the PIX from the inside network, enter these commands:
http 192.168.1.0 255.255.255.0 inside
http server enable
You will then be able to type https://192.168.1.x to get to the PDM where 192.168.1.x is the PIX inside interface IP.
>Further more, I want to enable access to a Web App running on 192.168.2.42. How can I set this up?
It depends on where you want to access the web app from...the inside, outside, or both?
http 192.168.1.0 255.255.255.0 inside
http server enable
You will then be able to type https://192.168.1.x to get to the PDM where 192.168.1.x is the PIX inside interface IP.
>Further more, I want to enable access to a Web App running on 192.168.2.42. How can I set this up?
It depends on where you want to access the web app from...the inside, outside, or both?
ASKER
>It depends on where you want to access the web app from...the inside, outside, or both?
We can get to it from the outside now, but not from the inside. Inside is what we need.
We can get to it from the outside now, but not from the inside. Inside is what we need.
Instead of using the nat/global pair like you have now between the inside and dmz networks, try putting this in instead:
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
This will change your existing PAT translation method into a static one-to-one NAT for hosts on the inside network going to the DMZ network. See if this fixes your web server connectivity issue, although what I see right now in your config should work...
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
This will change your existing PAT translation method into a static one-to-one NAT for hosts on the inside network going to the DMZ network. See if this fixes your web server connectivity issue, although what I see right now in your config should work...
ASKER
I tried and got the following error....
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255$
ERROR: mapped-address conflict with existing static
inside:192.168.1.0 to DMZ:192.168.1.0 netmask 255.255.255.0
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255$
ERROR: mapped-address conflict with existing static
inside:192.168.1.0 to DMZ:192.168.1.0 netmask 255.255.255.0
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static
ASKER
My DMZ subnet is 192.168.2.0. If anything....is that what could be wrong with that command?
ASKER
On your reply below.....
>To enable HTTP access to the PIX from the inside network, enter these commands:
>http 192.168.1.0 255.255.255.0 inside
>http server enable
>You will then be able to type https://192.168.1.x to get to the PDM where 192.168.1.x is the PIX inside >interface IP.
I need HTTP access to a box in the DMZ with is in subnet 192.168.2.0
Wouldn't the appropriate command be "http 192.168.2.0 255.255.255.0 insode
http server enable
???
>To enable HTTP access to the PIX from the inside network, enter these commands:
>http 192.168.1.0 255.255.255.0 inside
>http server enable
>You will then be able to type https://192.168.1.x to get to the PDM where 192.168.1.x is the PIX inside >interface IP.
I need HTTP access to a box in the DMZ with is in subnet 192.168.2.0
Wouldn't the appropriate command be "http 192.168.2.0 255.255.255.0 insode
http server enable
???
ASKER
ignore that last post.....its 6:30 EST and my brain is fried....
I do need http access to the 192.168.2.1 subnet in the DMZ though....
I do need http access to the 192.168.2.1 subnet in the DMZ though....
No, you misunderstand. The command:
http 192.168.1.0 255.255.255.0 inside
allows https access to the PIX itself for management using the PIX Device Manager. If you want http traffic flow to the the DMZ segment from the inside, this is just a matter of implementing the proper translation through the PIX and access control using access lists if applicable.
To troubleshoot why your static command gave you an error, please post the entire sanitized config and we can take a look.
http 192.168.1.0 255.255.255.0 inside
allows https access to the PIX itself for management using the PIX Device Manager. If you want http traffic flow to the the DMZ segment from the inside, this is just a matter of implementing the proper translation through the PIX and access control using access lists if applicable.
To troubleshoot why your static command gave you an error, please post the entire sanitized config and we can take a look.
ASKER
OK....I am not sure what you meant by "sanitized", so I assumed you meant to clean up what might be secure info not meant for eyes other than myself. That being said it is pasted below minus password commands, domain name, and the name we gave the device.
To refresh this, my goals were to get to a Web App running on a server in the DMZ as well as RDP (which seems to be working now by using the IP address of the server, and logging in to the local Admin acct.) DNS would be nice as well, but if in your oppinion this isn't a good idea that is fine, I am not certain that it is needed or not to satisfy the first objective(access to the Web App).
PIX Version 7.2(2)
!
hostname
domain-name
enable
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 67.103.180.194 255.255.255.192
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
retries 3
timeout 3
name-server 64.105.199.74
name-server 64.105.159.250
domain-name dms.local
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
access-group Access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside
http 67.103.180.192 255.255.255.192 outside
http 67.103.180.192 255.255.255.192 DMZ
http 67.103.180.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 67.103.180.192 255.255.255.192 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 64.105.199.74 interface outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 216.200.93.8 source outside prefer
prompt hostname context
Cryptochecksum:472a7348a9f
Try removing the global (DMZ) command and enter the "net static" command again and then try to access your web app from the inside...just a test:
no global (DMZ) 1 interface
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
You may also have to perform a "clear xlat" command, but be careful doing this on a production firewall since any translations will be cleared out, meaning if someone is in the middle of downloading a file from the Internet or has some other active connection through the firewall it will be disconnected and they will have to reestablish their connection.
no global (DMZ) 1 interface
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
You may also have to perform a "clear xlat" command, but be careful doing this on a production firewall since any translations will be cleared out, meaning if someone is in the middle of downloading a file from the Internet or has some other active connection through the firewall it will be disconnected and they will have to reestablish their connection.
ASKER
OK....the first command executed with no error. The second one gave the error below. I looked for the conflict and found that there was a similar statement with (DMZ,outside), so I switched what you sent me to (DMZ, inside), and it executed with no problem. I did an clear xlate, and tried to get to the site, but it did now work. I even tried "http://192.168.2.42:80" but got nothing, so it isn't DNS. Still no access to it. I am concerned that I won't be able to place a front in exchange server in the DMZ either for all the problems I am having with this.
What is your thoughts on multi-honed servers in the DMZ pointing back to the LAN's subnet. NAT and or static routes should keep us from having to us multiple nics in servers but what else can I do at this point?
MatrixFW1(config)# static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255$
ERROR: mapped-address conflict with existing static
inside:192.168.1.0 to DMZ:192.168.1.0 netmask 255.255.255.0
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static
What is your thoughts on multi-honed servers in the DMZ pointing back to the LAN's subnet. NAT and or static routes should keep us from having to us multiple nics in servers but what else can I do at this point?
MatrixFW1(config)# static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255$
ERROR: mapped-address conflict with existing static
inside:192.168.1.0 to DMZ:192.168.1.0 netmask 255.255.255.0
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static
I just duplicated your NAT setup on an ASA I have here and was able to to put in the net static command with no problem, so I'm not sure what the conflict could be based on your posted config.
How about we try running a capture to make sure that the traffic is getting to the ASA and coming back from the DMZ...try setting up two captures, one to apply to the inside interface and the other to the dmz interface:
access-list acl_inside_cap permit ip any host 192.168.2.42
access-list acl_dmz_cap permit ip host 192.168.2.42 any
capture insidecap access-list acl_inside_cap interface inside
capture dmzcap access-list acl_dmz_cap interface DMZ
Then try your accessing your web server from inside and then look at both captures to see if the PIX shows any traffic.
show capture insidecap
show capture dmzcap
This will tell us two things: whether or not the inside traffic is making it to the PIX, and whether or not the DMZ web server traffic is trying to respond back to the inside.
How about we try running a capture to make sure that the traffic is getting to the ASA and coming back from the DMZ...try setting up two captures, one to apply to the inside interface and the other to the dmz interface:
access-list acl_inside_cap permit ip any host 192.168.2.42
access-list acl_dmz_cap permit ip host 192.168.2.42 any
capture insidecap access-list acl_inside_cap interface inside
capture dmzcap access-list acl_dmz_cap interface DMZ
Then try your accessing your web server from inside and then look at both captures to see if the PIX shows any traffic.
show capture insidecap
show capture dmzcap
This will tell us two things: whether or not the inside traffic is making it to the PIX, and whether or not the DMZ web server traffic is trying to respond back to the inside.
ASKER
OK....I pasted what I did and the results of the capture below.
MatrixFW1(config)# access-list acl_inside_cap permit ip any host 192.168.2.42
MatrixFW1(config)# access-list acl_dmz_cap permit ip host 192.168.2.42 any
MatrixFW1(config)# capture insidecap access-list acl_inside_cap interface insi$
MatrixFW1(config)# capture dmzcap access-list acl_dmz_cap interface DMZ
MatrixFW1(config)# clear xlate
MatrixFW1(config)# show capture insidecap
0 packet captured
0 packet shown
MatrixFW1(config)# show capture dmzcap
1 packet captured
1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
1 packet shown
MatrixFW1(config)#
Then I did the show capture commands again after pinging the 192.168.2.42 host and got what you see below.
MatrixFW1(config)# show capture insidecap
4 packets captured
1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request
2: 14:17:28.678324 192.168.1.221 > 192.168.2.42: icmp: echo request
3: 14:17:34.178472 192.168.1.221 > 192.168.2.42: icmp: echo request
4: 14:17:39.678553 192.168.1.221 > 192.168.2.42: icmp: echo request
4 packets shown
MatrixFW1(config)# show capture dmzcap
455 packets captured
1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
2: 14:16:30.897887 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
3: 14:16:36.932919 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
4: 14:16:49.003707 192.168.2.42.1026 > 64.105.199.74.53: udp 35
5: 14:16:49.027616 192.168.2.42.137 > 192.168.2.255.137: udp 50
6: 14:16:49.777440 192.168.2.42.137 > 192.168.2.255.137: udp 50
7: 14:16:50.527453 192.168.2.42.137 > 192.168.2.255.137: udp 50
8: 14:16:51.278107 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
9: 14:16:54.233401 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
10: 14:17:00.167868 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
11: 14:17:12.241412 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
12: 14:17:15.240847 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
13: 14:17:18.240771 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
14: 14:17:23.397516 192.168.2.42 > 192.168.1.221: icmp: echo reply
15: 14:17:25.893020 192.168.2.42.138 > 192.168.2.255.138: udp 201
16: 14:17:28.678752 192.168.2.42 > 192.168.1.221: icmp: echo reply
17: 14:17:34.178869 192.168.2.42 > 192.168.1.221: icmp: echo reply
18: 14:17:34.344388 192.168.2.42.138 > 192.168.2.255.138: udp 209
19: 14:17:39.678981 192.168.2.42 > 192.168.1.221: icmp: echo reply
20: 14:20:10.939740 192.168.2.42.80 > 64.135.56.101.37637: S 3309904106:3309904106(0) ack 3221270711 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
21: 14:20:11.377025 192.168.2.42.80 > 64.135.56.101.37637: . ack 3221270961 win 65285 <nop,nop,timestamp 28693992 334429472>
22: 14:20:12.577133 192.168.2.42.80 > 64.135.56.101.37637: P 3309904107:3309904268(161)
23: 14:20:12.577225 192.168.2.42.80 > 64.135.56.101.37637: P 3309904268:3309904293(25) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
24: 14:20:12.577530 192.168.2.42.80 > 64.135.56.101.37637: F 3309904293:3309904293(0) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
25: 14:20:12.826815 192.168.2.42.80 > 64.135.56.101.37790: S 404173844:404173844(0) ack 1614232141 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
26: 14:20:13.111520 192.168.2.42.80 > 64.135.56.101.37790: P 404173845:404174006(161) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
27: 14:20:13.111551 192.168.2.42.80 > 64.135.56.101.37790: P 404174006:404174031(25) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
28: 14:20:13.111734 192.168.2.42.80 > 64.135.56.101.37790: F 404174031:404174031(0) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
29: 14:20:13.300841 192.168.2.42.80 > 64.135.56.101.37827: S 4257023276:4257023276(0) ack 2155109319 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
30: 14:20:13.487279 192.168.2.42.80 > 64.135.56.101.37827: P 4257023277:4257023438(161)
31: 14:20:13.487325 192.168.2.42.80 > 64.135.56.101.37827: P 4257023438:4257023463(25) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
32: 14:20:13.487493 192.168.2.42.80 > 64.135.56.101.37827: F 4257023463:4257023463(0) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
33: 14:20:13.688608 192.168.2.42.80 > 64.135.56.101.37857: S 3709013395:3709013395(0) ack 4263653822 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
34: 14:20:13.884964 192.168.2.42.80 > 64.135.56.101.37857: P 3709013396:3709013557(161)
35: 14:20:13.884994 192.168.2.42.80 > 64.135.56.101.37857: P 3709013557:3709013582(25) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
36: 14:20:13.885162 192.168.2.42.80 > 64.135.56.101.37857: F 3709013582:3709013582(0) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
37: 14:20:14.066219 192.168.2.42.80 > 64.135.56.101.37891: S 2712132017:2712132017(0) ack 2042100800 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
38: 14:20:14.183919 192.168.2.42.80 > 64.135.56.101.37891: P 2712132018:2712132179(161)
39: 14:20:14.183950 192.168.2.42.80 > 64.135.56.101.37891: P 2712132179:2712132204(25) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
40: 14:20:14.184133 192.168.2.42.80 > 64.135.56.101.37891: F 2712132204:2712132204(0) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
41: 14:20:14.373805 192.168.2.42.80 > 64.135.56.101.37923: S 2150807489:2150807489(0) ack 2716383992 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
42: 14:20:14.562821 192.168.2.42.80 > 64.135.56.101.37923: P 2150807490:2150807651(161)
43: 14:20:14.562882 192.168.2.42.80 > 64.135.56.101.37923: P 2150807651:2150807676(25) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
44: 14:20:14.563035 192.168.2.42.80 > 64.135.56.101.37923: F 2150807676:2150807676(0) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
45: 14:20:14.712197 192.168.2.42.80 > 64.135.56.101.37955: S 1445811166:1445811166(0) ack 2994243033 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
46: 14:20:14.836199 192.168.2.42.80 > 64.135.56.101.37955: P 1445811167:1445811328(161)
47: 14:20:14.836245 192.168.2.42.80 > 64.135.56.101.37955: P 1445811328:1445811353(25) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
48: 14:20:14.836413 192.168.2.42.80 > 64.135.56.101.37955: F 1445811353:1445811353(0) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
49: 14:20:15.009459 192.168.2.42.80 > 64.135.56.101.37986: S 1979492240:1979492240(0) ack 2097525844 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
50: 14:20:15.171835 192.168.2.42.80 > 64.135.56.101.37986: . ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
51: 14:20:15.176687 192.168.2.42.80 > 64.135.56.101.37986: P 1979492241:1979492402(161)
52: 14:20:15.176748 192.168.2.42.80 > 64.135.56.101.37986: P 1979492402:1979492427(25) ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
53: 14:20:15.176916 192.168.2.42.80 > 64.135.56.101.37986: F 1979492427:1979492427(0) ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
54: 14:20:15.361553 192.168.2.42.80 > 64.135.56.101.38026: S 694877552:694877552(0) ack 2693937960 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
55: 14:20:15.605925 192.168.2.42.80 > 64.135.56.101.38026: P 694877553:694877714(161) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
56: 14:20:15.606001 192.168.2.42.80 > 64.135.56.101.38026: P 694877714:694877739(25) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
57: 14:20:15.606139 192.168.2.42.80 > 64.135.56.101.38026: F 694877739:694877739(0) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
58: 14:20:15.839800 192.168.2.42.80 > 64.135.56.101.38065: S 3836959143:3836959143(0) ack 3836680779 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
59: 14:20:16.132790 192.168.2.42.80 > 64.135.56.101.38065: P 3836959144:3836959305(161)
60: 14:20:16.132836 192.168.2.42.80 > 64.135.56.101.38065: P 3836959305:3836959330(25) ack 3836681031 win 65283 <nop,nop,timestamp 28694039 334429961>
61: 14:20:16.133019 192.168.2.42.80 > 64.135.56.101.38065: F 3836959330:3836959330(0) ack 3836681031 win 65283 <nop,nop,timestamp 28694039 334429961>
62: 14:20:16.338163 192.168.2.42.80 > 64.135.56.101.38102: S 1015241587:1015241587(0) ack 2332362723 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
63: 14:20:16.539217 192.168.2.42.80 > 64.135.56.101.38102: P 1015241588:1015241749(161)
64: 14:20:16.539263 192.168.2.42.80 > 64.135.56.101.38102: P 1015241749:1015241774(25) ack 2332362986 win 65272 <nop,nop,timestamp 28694043 334430012>
65: 14:20:16.539431 192.168.2.42.80 > 64.135.56.101.38102: F 1015241774:1015241774(0) ack 2332362986 win 65272 <nop,nop,timestamp 28694043 334430012>
66: 14:20:16.725441 192.168.2.42.80 > 64.135.56.101.38135: S 4197620638:4197620638(0) ack 187312697 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
67: 14:20:16.983225 192.168.2.42.80 > 64.135.56.101.38135: P 4197620639:4197620800(161)
68: 14:20:16.983256 192.168.2.42.80 > 64.135.56.101.38135: P 4197620800:4197620825(25) ack 187312989 win 65243 <nop,nop,timestamp 28694047 334430032>
69: 14:20:16.983439 192.168.2.42.80 > 64.135.56.101.38135: F 4197620825:4197620825(0) ack 187312989 win 65243 <nop,nop,timestamp 28694047 334430032>
70: 14:20:17.229617 192.168.2.42.80 > 64.135.56.101.38169: S 2827474678:2827474678(0) ack 3328118603 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
71: 14:20:17.468969 192.168.2.42.80 > 64.135.56.101.38169: P 2827474679:2827474840(161)
72: 14:20:17.469030 192.168.2.42.80 > 64.135.56.101.38169: P 2827474840:2827474865(25) ack 3328118874 win 65264 <nop,nop,timestamp 28694052 334430101>
there is about 200+ lines of the same.....your thoughts?
MatrixFW1(config)# access-list acl_inside_cap permit ip any host 192.168.2.42
MatrixFW1(config)# access-list acl_dmz_cap permit ip host 192.168.2.42 any
MatrixFW1(config)# capture insidecap access-list acl_inside_cap interface insi$
MatrixFW1(config)# capture dmzcap access-list acl_dmz_cap interface DMZ
MatrixFW1(config)# clear xlate
MatrixFW1(config)# show capture insidecap
0 packet captured
0 packet shown
MatrixFW1(config)# show capture dmzcap
1 packet captured
1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
1 packet shown
MatrixFW1(config)#
Then I did the show capture commands again after pinging the 192.168.2.42 host and got what you see below.
MatrixFW1(config)# show capture insidecap
4 packets captured
1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request
2: 14:17:28.678324 192.168.1.221 > 192.168.2.42: icmp: echo request
3: 14:17:34.178472 192.168.1.221 > 192.168.2.42: icmp: echo request
4: 14:17:39.678553 192.168.1.221 > 192.168.2.42: icmp: echo request
4 packets shown
MatrixFW1(config)# show capture dmzcap
455 packets captured
1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
2: 14:16:30.897887 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
3: 14:16:36.932919 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
4: 14:16:49.003707 192.168.2.42.1026 > 64.105.199.74.53: udp 35
5: 14:16:49.027616 192.168.2.42.137 > 192.168.2.255.137: udp 50
6: 14:16:49.777440 192.168.2.42.137 > 192.168.2.255.137: udp 50
7: 14:16:50.527453 192.168.2.42.137 > 192.168.2.255.137: udp 50
8: 14:16:51.278107 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
9: 14:16:54.233401 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
10: 14:17:00.167868 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
11: 14:17:12.241412 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
12: 14:17:15.240847 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
13: 14:17:18.240771 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
14: 14:17:23.397516 192.168.2.42 > 192.168.1.221: icmp: echo reply
15: 14:17:25.893020 192.168.2.42.138 > 192.168.2.255.138: udp 201
16: 14:17:28.678752 192.168.2.42 > 192.168.1.221: icmp: echo reply
17: 14:17:34.178869 192.168.2.42 > 192.168.1.221: icmp: echo reply
18: 14:17:34.344388 192.168.2.42.138 > 192.168.2.255.138: udp 209
19: 14:17:39.678981 192.168.2.42 > 192.168.1.221: icmp: echo reply
20: 14:20:10.939740 192.168.2.42.80 > 64.135.56.101.37637: S 3309904106:3309904106(0) ack 3221270711 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
21: 14:20:11.377025 192.168.2.42.80 > 64.135.56.101.37637: . ack 3221270961 win 65285 <nop,nop,timestamp 28693992 334429472>
22: 14:20:12.577133 192.168.2.42.80 > 64.135.56.101.37637: P 3309904107:3309904268(161)
23: 14:20:12.577225 192.168.2.42.80 > 64.135.56.101.37637: P 3309904268:3309904293(25) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
24: 14:20:12.577530 192.168.2.42.80 > 64.135.56.101.37637: F 3309904293:3309904293(0) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
25: 14:20:12.826815 192.168.2.42.80 > 64.135.56.101.37790: S 404173844:404173844(0) ack 1614232141 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
26: 14:20:13.111520 192.168.2.42.80 > 64.135.56.101.37790: P 404173845:404174006(161) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
27: 14:20:13.111551 192.168.2.42.80 > 64.135.56.101.37790: P 404174006:404174031(25) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
28: 14:20:13.111734 192.168.2.42.80 > 64.135.56.101.37790: F 404174031:404174031(0) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
29: 14:20:13.300841 192.168.2.42.80 > 64.135.56.101.37827: S 4257023276:4257023276(0) ack 2155109319 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
30: 14:20:13.487279 192.168.2.42.80 > 64.135.56.101.37827: P 4257023277:4257023438(161)
31: 14:20:13.487325 192.168.2.42.80 > 64.135.56.101.37827: P 4257023438:4257023463(25) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
32: 14:20:13.487493 192.168.2.42.80 > 64.135.56.101.37827: F 4257023463:4257023463(0) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
33: 14:20:13.688608 192.168.2.42.80 > 64.135.56.101.37857: S 3709013395:3709013395(0) ack 4263653822 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
34: 14:20:13.884964 192.168.2.42.80 > 64.135.56.101.37857: P 3709013396:3709013557(161)
35: 14:20:13.884994 192.168.2.42.80 > 64.135.56.101.37857: P 3709013557:3709013582(25) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
36: 14:20:13.885162 192.168.2.42.80 > 64.135.56.101.37857: F 3709013582:3709013582(0) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
37: 14:20:14.066219 192.168.2.42.80 > 64.135.56.101.37891: S 2712132017:2712132017(0) ack 2042100800 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
38: 14:20:14.183919 192.168.2.42.80 > 64.135.56.101.37891: P 2712132018:2712132179(161)
39: 14:20:14.183950 192.168.2.42.80 > 64.135.56.101.37891: P 2712132179:2712132204(25) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
40: 14:20:14.184133 192.168.2.42.80 > 64.135.56.101.37891: F 2712132204:2712132204(0) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
41: 14:20:14.373805 192.168.2.42.80 > 64.135.56.101.37923: S 2150807489:2150807489(0) ack 2716383992 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
42: 14:20:14.562821 192.168.2.42.80 > 64.135.56.101.37923: P 2150807490:2150807651(161)
43: 14:20:14.562882 192.168.2.42.80 > 64.135.56.101.37923: P 2150807651:2150807676(25) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
44: 14:20:14.563035 192.168.2.42.80 > 64.135.56.101.37923: F 2150807676:2150807676(0) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
45: 14:20:14.712197 192.168.2.42.80 > 64.135.56.101.37955: S 1445811166:1445811166(0) ack 2994243033 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
46: 14:20:14.836199 192.168.2.42.80 > 64.135.56.101.37955: P 1445811167:1445811328(161)
47: 14:20:14.836245 192.168.2.42.80 > 64.135.56.101.37955: P 1445811328:1445811353(25) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
48: 14:20:14.836413 192.168.2.42.80 > 64.135.56.101.37955: F 1445811353:1445811353(0) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
49: 14:20:15.009459 192.168.2.42.80 > 64.135.56.101.37986: S 1979492240:1979492240(0) ack 2097525844 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
50: 14:20:15.171835 192.168.2.42.80 > 64.135.56.101.37986: . ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
51: 14:20:15.176687 192.168.2.42.80 > 64.135.56.101.37986: P 1979492241:1979492402(161)
52: 14:20:15.176748 192.168.2.42.80 > 64.135.56.101.37986: P 1979492402:1979492427(25) ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
53: 14:20:15.176916 192.168.2.42.80 > 64.135.56.101.37986: F 1979492427:1979492427(0) ack 2097526120 win 65259 <nop,nop,timestamp 28694029 334429861>
54: 14:20:15.361553 192.168.2.42.80 > 64.135.56.101.38026: S 694877552:694877552(0) ack 2693937960 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
55: 14:20:15.605925 192.168.2.42.80 > 64.135.56.101.38026: P 694877553:694877714(161) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
56: 14:20:15.606001 192.168.2.42.80 > 64.135.56.101.38026: P 694877714:694877739(25) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
57: 14:20:15.606139 192.168.2.42.80 > 64.135.56.101.38026: F 694877739:694877739(0) ack 2693938229 win 65266 <nop,nop,timestamp 28694034 334429914>
58: 14:20:15.839800 192.168.2.42.80 > 64.135.56.101.38065: S 3836959143:3836959143(0) ack 3836680779 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
59: 14:20:16.132790 192.168.2.42.80 > 64.135.56.101.38065: P 3836959144:3836959305(161)
60: 14:20:16.132836 192.168.2.42.80 > 64.135.56.101.38065: P 3836959305:3836959330(25) ack 3836681031 win 65283 <nop,nop,timestamp 28694039 334429961>
61: 14:20:16.133019 192.168.2.42.80 > 64.135.56.101.38065: F 3836959330:3836959330(0) ack 3836681031 win 65283 <nop,nop,timestamp 28694039 334429961>
62: 14:20:16.338163 192.168.2.42.80 > 64.135.56.101.38102: S 1015241587:1015241587(0) ack 2332362723 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
63: 14:20:16.539217 192.168.2.42.80 > 64.135.56.101.38102: P 1015241588:1015241749(161)
64: 14:20:16.539263 192.168.2.42.80 > 64.135.56.101.38102: P 1015241749:1015241774(25) ack 2332362986 win 65272 <nop,nop,timestamp 28694043 334430012>
65: 14:20:16.539431 192.168.2.42.80 > 64.135.56.101.38102: F 1015241774:1015241774(0) ack 2332362986 win 65272 <nop,nop,timestamp 28694043 334430012>
66: 14:20:16.725441 192.168.2.42.80 > 64.135.56.101.38135: S 4197620638:4197620638(0) ack 187312697 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
67: 14:20:16.983225 192.168.2.42.80 > 64.135.56.101.38135: P 4197620639:4197620800(161)
68: 14:20:16.983256 192.168.2.42.80 > 64.135.56.101.38135: P 4197620800:4197620825(25) ack 187312989 win 65243 <nop,nop,timestamp 28694047 334430032>
69: 14:20:16.983439 192.168.2.42.80 > 64.135.56.101.38135: F 4197620825:4197620825(0) ack 187312989 win 65243 <nop,nop,timestamp 28694047 334430032>
70: 14:20:17.229617 192.168.2.42.80 > 64.135.56.101.38169: S 2827474678:2827474678(0) ack 3328118603 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
71: 14:20:17.468969 192.168.2.42.80 > 64.135.56.101.38169: P 2827474679:2827474840(161)
72: 14:20:17.469030 192.168.2.42.80 > 64.135.56.101.38169: P 2827474840:2827474865(25) ack 3328118874 win 65264 <nop,nop,timestamp 28694052 334430101>
there is about 200+ lines of the same.....your thoughts?
I see where the dmz web server sent echo replies back to the 192.168.1.221 host your were pinging it from, but I don't see any traffic where you tried to access the web server by surfing to it....try to access the web server by going to http://192.168.2.42 from 192.168.1.221 and then post the capture results...
Do a clear capture <capture_name> on both captures first, so we can see fresh results...
Do a clear capture <capture_name> on both captures first, so we can see fresh results...
ASKER
OK I did so here by trying to reach http://192.168.2.42:80, but it failed. I did the capture commands again and got what you see below.
MatrixFW1(config)# show capture insidecap
442 packets captured
1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request
2: 14:17:28.678324 192.168.1.221 > 192.168.2.42: icmp: echo request
3: 14:17:34.178472 192.168.1.221 > 192.168.2.42: icmp: echo request
4: 14:17:39.678553 192.168.1.221 > 192.168.2.42: icmp: echo request
5: 14:55:59.007644 192.168.1.221.2751 > 192.168.2.42.3389: S 2224449108:2224449108(0) win 65535 <mss 1460,nop,nop,sackOK>
6: 14:55:59.008269 192.168.1.221.2751 > 192.168.2.42.3389: . ack 1690145402 win 65535
7: 14:55:59.008788 192.168.1.221.2751 > 192.168.2.42.3389: P 2224449109:2224449156(47) ack 1690145402 win 65535
8: 14:55:59.010619 192.168.1.221.2751 > 192.168.2.42.3389: F 2224449156:2224449156(0) ack 1690145421 win 65516
9: 14:56:01.295013 192.168.1.221.2752 > 192.168.2.42.3389: S 588115189:588115189(0) win 65535 <mss 1460,nop,nop,sackOK>
10: 14:56:01.295669 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209866004 win 65535
11: 14:56:01.296081 192.168.1.221.2752 > 192.168.2.42.3389: P 588115190:588115237(47) ack 209866004 win 65535
12: 14:56:01.297912 192.168.1.221.2752 > 192.168.2.42.3389: P 588115237:588115665(428) ack 209866023 win 65516
13: 14:56:01.298858 192.168.1.221.2752 > 192.168.2.42.3389: P 588115665:588115677(12) ack 209866360 win 65179
14: 14:56:01.298888 192.168.1.221.2752 > 192.168.2.42.3389: P 588115677:588115685(8) ack 209866360 win 65179
15: 14:56:01.299484 192.168.1.221.2752 > 192.168.2.42.3389: P 588115685:588115697(12) ack 209866371 win 65168
16: 14:56:01.299880 192.168.1.221.2752 > 192.168.2.42.3389: P 588115697:588115709(12) ack 209866386 win 65153
17: 14:56:01.300323 192.168.1.221.2752 > 192.168.2.42.3389: P 588115709:588115721(12) ack 209866401 win 65138
18: 14:56:01.300750 192.168.1.221.2752 > 192.168.2.42.3389: P 588115721:588115733(12) ack 209866416 win 65123
19: 14:56:01.301131 192.168.1.221.2752 > 192.168.2.42.3389: P 588115733:588115745(12) ack 209866431 win 65108
20: 14:56:01.301543 192.168.1.221.2752 > 192.168.2.42.3389: P 588115745:588115757(12) ack 209866446 win 65093
21: 14:56:01.402506 192.168.1.221.2752 > 192.168.2.42.3389: P 588115757:588115851(94) ack 209866461 win 65078
22: 14:56:01.412210 192.168.1.221.2752 > 192.168.2.42.3389: P 588115851:588116236(385) ack 209866461 win 65078
23: 14:56:01.511844 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209866889 win 64650
24: 14:56:01.585190 192.168.1.221.2752 > 192.168.2.42.3389: P 588116236:588116774(538) ack 209866889 win 64650
25: 14:56:01.585281 192.168.1.221.2752 > 192.168.2.42.3389: P 588116774:588116822(48) ack 209866889 win 64650
26: 14:56:01.585403 192.168.1.221.2752 > 192.168.2.42.3389: P 588116822:588116874(52) ack 209866889 win 64650
27: 14:56:01.585449 192.168.1.221.2752 > 192.168.2.42.3389: P 588116874:588116926(52) ack 209866889 win 64650
28: 14:56:01.586288 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209867041 win 64498
29: 14:56:01.654705 192.168.1.221.2752 > 192.168.2.42.3389: P 588116926:588116974(48) ack 209867041 win 64498
30: 14:56:02.985758 192.168.1.221.2752 > 192.168.2.42.3389: . 588116974:588118354(1380) ack 209867041 win 64498
31: 14:56:02.985819 192.168.1.221.2752 > 192.168.2.42.3389: P 588118354:588118395(41) ack 209867041 win 64498
32: 14:56:02.985895 192.168.1.221.2752 > 192.168.2.42.3389: . 588118395:588119775(1380) ack 209867041 win 64498
33: 14:56:02.985941 192.168.1.221.2752 > 192.168.2.42.3389: P 588119775:588119816(41) ack 209867041 win 64498
34: 14:56:02.985987 192.168.1.221.2752 > 192.168.2.42.3389: . 588119816:588121196(1380) ack 209867041 win 64498
35: 14:56:02.986032 192.168.1.221.2752 > 192.168.2.42.3389: P 588121196:588121237(41) ack 209867041 win 64498
36: 14:56:02.986109 192.168.1.221.2752 > 192.168.2.42.3389: . 588121237:588122617(1380) ack 209867041 win 64498
37: 14:56:02.986170 192.168.1.221.2752 > 192.168.2.42.3389: P 588122617:588122658(41) ack 209867041 win 64498
38: 14:56:02.986231 192.168.1.221.2752 > 192.168.2.42.3389: . 588122658:588124038(1380) ack 209867041 win 64498
39: 14:56:02.986307 192.168.1.221.2752 > 192.168.2.42.3389: P 588124038:588124079(41) ack 209867041 win 64498
40: 14:56:02.986490 192.168.1.221.2752 > 192.168.2.42.3389: . 588124079:588125459(1380) ack 209867041 win 64498
41: 14:56:02.986536 192.168.1.221.2752 > 192.168.2.42.3389: P 588125459:588125500(41) ack 209867041 win 64498
42: 14:56:02.986628 192.168.1.221.2752 > 192.168.2.42.3389: . 588125500:588126880(1380) ack 209867041 win 64498
43: 14:56:02.986673 192.168.1.221.2752 > 192.168.2.42.3389: P 588126880:588126921(41) ack 209867041 win 64498
44: 14:56:02.986780 192.168.1.221.2752 > 192.168.2.42.3389: . 588126921:588128301(1380) ack 209867041 win 64498
45: 14:56:02.986826 192.168.1.221.2752 > 192.168.2.42.3389: P 588128301:588128342(41) ack 209867041 win 64498
46: 14:56:02.986856 192.168.1.221.2752 > 192.168.2.42.3389: . 588128342:588129722(1380) ack 209867041 win 64498
47: 14:56:02.986963 192.168.1.221.2752 > 192.168.2.42.3389: P 588129722:588129763(41) ack 209867041 win 64498
48: 14:56:02.986994 192.168.1.221.2752 > 192.168.2.42.3389: P 588129763:588130392(629) ack 209867041 win 64498
MatrixFW1(config)# show capture dmzcap
1257 packets captured
1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
2: 14:16:30.897887 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
3: 14:16:36.932919 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
4: 14:16:49.003707 192.168.2.42.1026 > 64.105.199.74.53: udp 35
5: 14:16:49.027616 192.168.2.42.137 > 192.168.2.255.137: udp 50
6: 14:16:49.777440 192.168.2.42.137 > 192.168.2.255.137: udp 50
7: 14:16:50.527453 192.168.2.42.137 > 192.168.2.255.137: udp 50
8: 14:16:51.278107 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
9: 14:16:54.233401 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
10: 14:17:00.167868 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
11: 14:17:12.241412 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
12: 14:17:15.240847 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
13: 14:17:18.240771 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
14: 14:17:23.397516 192.168.2.42 > 192.168.1.221: icmp: echo reply
15: 14:17:25.893020 192.168.2.42.138 > 192.168.2.255.138: udp 201
16: 14:17:28.678752 192.168.2.42 > 192.168.1.221: icmp: echo reply
17: 14:17:34.178869 192.168.2.42 > 192.168.1.221: icmp: echo reply
18: 14:17:34.344388 192.168.2.42.138 > 192.168.2.255.138: udp 209
19: 14:17:39.678981 192.168.2.42 > 192.168.1.221: icmp: echo reply
20: 14:20:10.939740 192.168.2.42.80 > 64.135.56.101.37637: S 3309904106:3309904106(0) ack 3221270711 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
21: 14:20:11.377025 192.168.2.42.80 > 64.135.56.101.37637: . ack 3221270961 win 65285 <nop,nop,timestamp 28693992 334429472>
22: 14:20:12.577133 192.168.2.42.80 > 64.135.56.101.37637: P 3309904107:3309904268(161)
23: 14:20:12.577225 192.168.2.42.80 > 64.135.56.101.37637: P 3309904268:3309904293(25) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
24: 14:20:12.577530 192.168.2.42.80 > 64.135.56.101.37637: F 3309904293:3309904293(0) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
25: 14:20:12.826815 192.168.2.42.80 > 64.135.56.101.37790: S 404173844:404173844(0) ack 1614232141 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
26: 14:20:13.111520 192.168.2.42.80 > 64.135.56.101.37790: P 404173845:404174006(161) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
27: 14:20:13.111551 192.168.2.42.80 > 64.135.56.101.37790: P 404174006:404174031(25) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
28: 14:20:13.111734 192.168.2.42.80 > 64.135.56.101.37790: F 404174031:404174031(0) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
29: 14:20:13.300841 192.168.2.42.80 > 64.135.56.101.37827: S 4257023276:4257023276(0) ack 2155109319 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
30: 14:20:13.487279 192.168.2.42.80 > 64.135.56.101.37827: P 4257023277:4257023438(161)
31: 14:20:13.487325 192.168.2.42.80 > 64.135.56.101.37827: P 4257023438:4257023463(25) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
32: 14:20:13.487493 192.168.2.42.80 > 64.135.56.101.37827: F 4257023463:4257023463(0) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
33: 14:20:13.688608 192.168.2.42.80 > 64.135.56.101.37857: S 3709013395:3709013395(0) ack 4263653822 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
34: 14:20:13.884964 192.168.2.42.80 > 64.135.56.101.37857: P 3709013396:3709013557(161)
35: 14:20:13.884994 192.168.2.42.80 > 64.135.56.101.37857: P 3709013557:3709013582(25) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
36: 14:20:13.885162 192.168.2.42.80 > 64.135.56.101.37857: F 3709013582:3709013582(0) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
37: 14:20:14.066219 192.168.2.42.80 > 64.135.56.101.37891: S 2712132017:2712132017(0) ack 2042100800 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
38: 14:20:14.183919 192.168.2.42.80 > 64.135.56.101.37891: P 2712132018:2712132179(161)
39: 14:20:14.183950 192.168.2.42.80 > 64.135.56.101.37891: P 2712132179:2712132204(25) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
40: 14:20:14.184133 192.168.2.42.80 > 64.135.56.101.37891: F 2712132204:2712132204(0) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
41: 14:20:14.373805 192.168.2.42.80 > 64.135.56.101.37923: S 2150807489:2150807489(0) ack 2716383992 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
42: 14:20:14.562821 192.168.2.42.80 > 64.135.56.101.37923: P 2150807490:2150807651(161)
43: 14:20:14.562882 192.168.2.42.80 > 64.135.56.101.37923: P 2150807651:2150807676(25) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
44: 14:20:14.563035 192.168.2.42.80 > 64.135.56.101.37923: F 2150807676:2150807676(0) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
45: 14:20:14.712197 192.168.2.42.80 > 64.135.56.101.37955: S 1445811166:1445811166(0) ack 2994243033 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
46: 14:20:14.836199 192.168.2.42.80 > 64.135.56.101.37955: P 1445811167:1445811328(161)
47: 14:20:14.836245 192.168.2.42.80 > 64.135.56.101.37955: P 1445811328:1445811353(25) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
48: 14:20:14.836413 192.168.2.42.80 > 64.135.56.101.37955: F 1445811353:1445811353(0) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
What do you think?
MatrixFW1(config)# show capture insidecap
442 packets captured
1: 14:17:23.397104 192.168.1.221 > 192.168.2.42: icmp: echo request
2: 14:17:28.678324 192.168.1.221 > 192.168.2.42: icmp: echo request
3: 14:17:34.178472 192.168.1.221 > 192.168.2.42: icmp: echo request
4: 14:17:39.678553 192.168.1.221 > 192.168.2.42: icmp: echo request
5: 14:55:59.007644 192.168.1.221.2751 > 192.168.2.42.3389: S 2224449108:2224449108(0) win 65535 <mss 1460,nop,nop,sackOK>
6: 14:55:59.008269 192.168.1.221.2751 > 192.168.2.42.3389: . ack 1690145402 win 65535
7: 14:55:59.008788 192.168.1.221.2751 > 192.168.2.42.3389: P 2224449109:2224449156(47) ack 1690145402 win 65535
8: 14:55:59.010619 192.168.1.221.2751 > 192.168.2.42.3389: F 2224449156:2224449156(0) ack 1690145421 win 65516
9: 14:56:01.295013 192.168.1.221.2752 > 192.168.2.42.3389: S 588115189:588115189(0) win 65535 <mss 1460,nop,nop,sackOK>
10: 14:56:01.295669 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209866004 win 65535
11: 14:56:01.296081 192.168.1.221.2752 > 192.168.2.42.3389: P 588115190:588115237(47) ack 209866004 win 65535
12: 14:56:01.297912 192.168.1.221.2752 > 192.168.2.42.3389: P 588115237:588115665(428) ack 209866023 win 65516
13: 14:56:01.298858 192.168.1.221.2752 > 192.168.2.42.3389: P 588115665:588115677(12) ack 209866360 win 65179
14: 14:56:01.298888 192.168.1.221.2752 > 192.168.2.42.3389: P 588115677:588115685(8) ack 209866360 win 65179
15: 14:56:01.299484 192.168.1.221.2752 > 192.168.2.42.3389: P 588115685:588115697(12) ack 209866371 win 65168
16: 14:56:01.299880 192.168.1.221.2752 > 192.168.2.42.3389: P 588115697:588115709(12) ack 209866386 win 65153
17: 14:56:01.300323 192.168.1.221.2752 > 192.168.2.42.3389: P 588115709:588115721(12) ack 209866401 win 65138
18: 14:56:01.300750 192.168.1.221.2752 > 192.168.2.42.3389: P 588115721:588115733(12) ack 209866416 win 65123
19: 14:56:01.301131 192.168.1.221.2752 > 192.168.2.42.3389: P 588115733:588115745(12) ack 209866431 win 65108
20: 14:56:01.301543 192.168.1.221.2752 > 192.168.2.42.3389: P 588115745:588115757(12) ack 209866446 win 65093
21: 14:56:01.402506 192.168.1.221.2752 > 192.168.2.42.3389: P 588115757:588115851(94) ack 209866461 win 65078
22: 14:56:01.412210 192.168.1.221.2752 > 192.168.2.42.3389: P 588115851:588116236(385) ack 209866461 win 65078
23: 14:56:01.511844 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209866889 win 64650
24: 14:56:01.585190 192.168.1.221.2752 > 192.168.2.42.3389: P 588116236:588116774(538) ack 209866889 win 64650
25: 14:56:01.585281 192.168.1.221.2752 > 192.168.2.42.3389: P 588116774:588116822(48) ack 209866889 win 64650
26: 14:56:01.585403 192.168.1.221.2752 > 192.168.2.42.3389: P 588116822:588116874(52) ack 209866889 win 64650
27: 14:56:01.585449 192.168.1.221.2752 > 192.168.2.42.3389: P 588116874:588116926(52) ack 209866889 win 64650
28: 14:56:01.586288 192.168.1.221.2752 > 192.168.2.42.3389: . ack 209867041 win 64498
29: 14:56:01.654705 192.168.1.221.2752 > 192.168.2.42.3389: P 588116926:588116974(48) ack 209867041 win 64498
30: 14:56:02.985758 192.168.1.221.2752 > 192.168.2.42.3389: . 588116974:588118354(1380) ack 209867041 win 64498
31: 14:56:02.985819 192.168.1.221.2752 > 192.168.2.42.3389: P 588118354:588118395(41) ack 209867041 win 64498
32: 14:56:02.985895 192.168.1.221.2752 > 192.168.2.42.3389: . 588118395:588119775(1380) ack 209867041 win 64498
33: 14:56:02.985941 192.168.1.221.2752 > 192.168.2.42.3389: P 588119775:588119816(41) ack 209867041 win 64498
34: 14:56:02.985987 192.168.1.221.2752 > 192.168.2.42.3389: . 588119816:588121196(1380) ack 209867041 win 64498
35: 14:56:02.986032 192.168.1.221.2752 > 192.168.2.42.3389: P 588121196:588121237(41) ack 209867041 win 64498
36: 14:56:02.986109 192.168.1.221.2752 > 192.168.2.42.3389: . 588121237:588122617(1380) ack 209867041 win 64498
37: 14:56:02.986170 192.168.1.221.2752 > 192.168.2.42.3389: P 588122617:588122658(41) ack 209867041 win 64498
38: 14:56:02.986231 192.168.1.221.2752 > 192.168.2.42.3389: . 588122658:588124038(1380) ack 209867041 win 64498
39: 14:56:02.986307 192.168.1.221.2752 > 192.168.2.42.3389: P 588124038:588124079(41) ack 209867041 win 64498
40: 14:56:02.986490 192.168.1.221.2752 > 192.168.2.42.3389: . 588124079:588125459(1380) ack 209867041 win 64498
41: 14:56:02.986536 192.168.1.221.2752 > 192.168.2.42.3389: P 588125459:588125500(41) ack 209867041 win 64498
42: 14:56:02.986628 192.168.1.221.2752 > 192.168.2.42.3389: . 588125500:588126880(1380) ack 209867041 win 64498
43: 14:56:02.986673 192.168.1.221.2752 > 192.168.2.42.3389: P 588126880:588126921(41) ack 209867041 win 64498
44: 14:56:02.986780 192.168.1.221.2752 > 192.168.2.42.3389: . 588126921:588128301(1380) ack 209867041 win 64498
45: 14:56:02.986826 192.168.1.221.2752 > 192.168.2.42.3389: P 588128301:588128342(41) ack 209867041 win 64498
46: 14:56:02.986856 192.168.1.221.2752 > 192.168.2.42.3389: . 588128342:588129722(1380) ack 209867041 win 64498
47: 14:56:02.986963 192.168.1.221.2752 > 192.168.2.42.3389: P 588129722:588129763(41) ack 209867041 win 64498
48: 14:56:02.986994 192.168.1.221.2752 > 192.168.2.42.3389: P 588129763:588130392(629) ack 209867041 win 64498
MatrixFW1(config)# show capture dmzcap
1257 packets captured
1: 14:16:27.919675 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
2: 14:16:30.897887 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
3: 14:16:36.932919 192.168.2.42.2601 > 192.168.1.101.16111: S 4000464289:4000464289(0) win 65535 <mss 1460,nop,nop,sackOK>
4: 14:16:49.003707 192.168.2.42.1026 > 64.105.199.74.53: udp 35
5: 14:16:49.027616 192.168.2.42.137 > 192.168.2.255.137: udp 50
6: 14:16:49.777440 192.168.2.42.137 > 192.168.2.255.137: udp 50
7: 14:16:50.527453 192.168.2.42.137 > 192.168.2.255.137: udp 50
8: 14:16:51.278107 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
9: 14:16:54.233401 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
10: 14:17:00.167868 192.168.2.42.2601 > 192.168.1.101.16111: S 4006896385:4006896385(0) win 65535 <mss 1460,nop,nop,sackOK>
11: 14:17:12.241412 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
12: 14:17:15.240847 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
13: 14:17:18.240771 192.168.2.42.6001 > 255.255.255.255.6000: udp 60
14: 14:17:23.397516 192.168.2.42 > 192.168.1.221: icmp: echo reply
15: 14:17:25.893020 192.168.2.42.138 > 192.168.2.255.138: udp 201
16: 14:17:28.678752 192.168.2.42 > 192.168.1.221: icmp: echo reply
17: 14:17:34.178869 192.168.2.42 > 192.168.1.221: icmp: echo reply
18: 14:17:34.344388 192.168.2.42.138 > 192.168.2.255.138: udp 209
19: 14:17:39.678981 192.168.2.42 > 192.168.1.221: icmp: echo reply
20: 14:20:10.939740 192.168.2.42.80 > 64.135.56.101.37637: S 3309904106:3309904106(0) ack 3221270711 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
21: 14:20:11.377025 192.168.2.42.80 > 64.135.56.101.37637: . ack 3221270961 win 65285 <nop,nop,timestamp 28693992 334429472>
22: 14:20:12.577133 192.168.2.42.80 > 64.135.56.101.37637: P 3309904107:3309904268(161)
23: 14:20:12.577225 192.168.2.42.80 > 64.135.56.101.37637: P 3309904268:3309904293(25) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
24: 14:20:12.577530 192.168.2.42.80 > 64.135.56.101.37637: F 3309904293:3309904293(0) ack 3221270961 win 65285 <nop,nop,timestamp 28694003 334429472>
25: 14:20:12.826815 192.168.2.42.80 > 64.135.56.101.37790: S 404173844:404173844(0) ack 1614232141 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
26: 14:20:13.111520 192.168.2.42.80 > 64.135.56.101.37790: P 404173845:404174006(161) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
27: 14:20:13.111551 192.168.2.42.80 > 64.135.56.101.37790: P 404174006:404174031(25) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
28: 14:20:13.111734 192.168.2.42.80 > 64.135.56.101.37790: F 404174031:404174031(0) ack 1614232402 win 65274 <nop,nop,timestamp 28694009 334429636>
29: 14:20:13.300841 192.168.2.42.80 > 64.135.56.101.37827: S 4257023276:4257023276(0) ack 2155109319 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
30: 14:20:13.487279 192.168.2.42.80 > 64.135.56.101.37827: P 4257023277:4257023438(161)
31: 14:20:13.487325 192.168.2.42.80 > 64.135.56.101.37827: P 4257023438:4257023463(25) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
32: 14:20:13.487493 192.168.2.42.80 > 64.135.56.101.37827: F 4257023463:4257023463(0) ack 2155109583 win 65271 <nop,nop,timestamp 28694012 334429708>
33: 14:20:13.688608 192.168.2.42.80 > 64.135.56.101.37857: S 3709013395:3709013395(0) ack 4263653822 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
34: 14:20:13.884964 192.168.2.42.80 > 64.135.56.101.37857: P 3709013396:3709013557(161)
35: 14:20:13.884994 192.168.2.42.80 > 64.135.56.101.37857: P 3709013557:3709013582(25) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
36: 14:20:13.885162 192.168.2.42.80 > 64.135.56.101.37857: F 3709013582:3709013582(0) ack 4263654090 win 65267 <nop,nop,timestamp 28694016 334429747>
37: 14:20:14.066219 192.168.2.42.80 > 64.135.56.101.37891: S 2712132017:2712132017(0) ack 2042100800 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
38: 14:20:14.183919 192.168.2.42.80 > 64.135.56.101.37891: P 2712132018:2712132179(161)
39: 14:20:14.183950 192.168.2.42.80 > 64.135.56.101.37891: P 2712132179:2712132204(25) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
40: 14:20:14.184133 192.168.2.42.80 > 64.135.56.101.37891: F 2712132204:2712132204(0) ack 2042101067 win 65268 <nop,nop,timestamp 28694019 334429767>
41: 14:20:14.373805 192.168.2.42.80 > 64.135.56.101.37923: S 2150807489:2150807489(0) ack 2716383992 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
42: 14:20:14.562821 192.168.2.42.80 > 64.135.56.101.37923: P 2150807490:2150807651(161)
43: 14:20:14.562882 192.168.2.42.80 > 64.135.56.101.37923: P 2150807651:2150807676(25) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
44: 14:20:14.563035 192.168.2.42.80 > 64.135.56.101.37923: F 2150807676:2150807676(0) ack 2716384257 win 65270 <nop,nop,timestamp 28694023 334429815>
45: 14:20:14.712197 192.168.2.42.80 > 64.135.56.101.37955: S 1445811166:1445811166(0) ack 2994243033 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
46: 14:20:14.836199 192.168.2.42.80 > 64.135.56.101.37955: P 1445811167:1445811328(161)
47: 14:20:14.836245 192.168.2.42.80 > 64.135.56.101.37955: P 1445811328:1445811353(25) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
48: 14:20:14.836413 192.168.2.42.80 > 64.135.56.101.37955: F 1445811353:1445811353(0) ack 2994243314 win 65254 <nop,nop,timestamp 28694026 334429849>
What do you think?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I did http://192.168.2.42 but no luck. I RDP'ed to the server and tried to access the site there and it didn't work which is strange as well. Sorry to say I am on a wild goose chase and I have you right along with me. If you can't get to the site on the host, I suppose getting to it from another host would not work either.
Try going to http://demo.dmsva.com and let me know if you can get to it. I think the issue is not with the DMZ but with DNS. You can't get to it locally without using localhost. That works when on the server. That is all we need in my opinion.
Thanks for all you help man.
Try going to http://demo.dmsva.com and let me know if you can get to it. I think the issue is not with the DMZ but with DNS. You can't get to it locally without using localhost. That works when on the server. That is all we need in my opinion.
Thanks for all you help man.
NAT policies on Interface inside:
match ip inside 192.168.1.0 255.255.255.0 DMZ any
dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
translate_hits = 1758, untranslate_hits = 11
You probably have a line in your PIX config that looks similar to the following:
global (DMZ) 1 interface
and either
nat (inside) 1 0.0.0.0 0.0.0.0
or
nat (inside) 1 192.168.1.0 255.255.255.0
What access list, if any, do you have applied to your DMZ interface? There will be an "access-group" command that specifies the DMZ interface, similar to the following:
access-group <acl_name> in interface DMZ
If you have one applied, look at the ACL and see if it is explicitly blocking any traffic back to the inside. If you're unsure, post the ACL and any access-group statements and we can take a look...you may wind up having to post the complete sanitized PIX config...