cnetwiz
asked on
Changes Caused Necessity to Restart Firewall
Hello Experts,
Have a WHY question... ASA Firewall with IDS. Connections to External Internet, Internal DMZ Zone, Internal Router.
The DMZ Zone has 3 servers. 2 dns and 1 web. Over the weekend, Virtualized these 3 servers to one new server and disabled the switch ports of the 3 servers.
Accessing a Test computer in the DMZ Zone, tested accessibility to the new VS, DNS VS and Web VS Everything worked Perfectly. Access all websites from DMZ Web Server, and Outside Internet sites.
HOWEVER, No Accessibility to Webserver from Outside World. DNS Traffic Gets Thru. Can Remote Desktop to all DMZ Servers from Management Network. Everything execpt http traffic is not working. "Server Not Available" is the Internet Explorer Error.
After Hours of Troubleshooting finally shook my head and restarted ASA. Now Everything works Perfectly and Everythign is Accessible. MY Question . What would cause the ASA to deny http traffic when I switch the 3 Servers to VS and upon restart allow traffic ????
Hope I explained my case well. Any Thoughts would be appreciated.
Have a WHY question... ASA Firewall with IDS. Connections to External Internet, Internal DMZ Zone, Internal Router.
The DMZ Zone has 3 servers. 2 dns and 1 web. Over the weekend, Virtualized these 3 servers to one new server and disabled the switch ports of the 3 servers.
Accessing a Test computer in the DMZ Zone, tested accessibility to the new VS, DNS VS and Web VS Everything worked Perfectly. Access all websites from DMZ Web Server, and Outside Internet sites.
HOWEVER, No Accessibility to Webserver from Outside World. DNS Traffic Gets Thru. Can Remote Desktop to all DMZ Servers from Management Network. Everything execpt http traffic is not working. "Server Not Available" is the Internet Explorer Error.
After Hours of Troubleshooting finally shook my head and restarted ASA. Now Everything works Perfectly and Everythign is Accessible. MY Question . What would cause the ASA to deny http traffic when I switch the 3 Servers to VS and upon restart allow traffic ????
Hope I explained my case well. Any Thoughts would be appreciated.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Thinking the process thru, there could really be no reason why packets would be denied unless the ASA is receiving an ARP packet and the MAC address is different than the ARP Cache entry.
The packet is legitimate, however, the Firewall could interpret it as an ARP attack.
Thank you for allowing me to bounce the idea off you guys. It makes sense..