Address Transforms not working properly


slider5

MIS
Feb 5, 2001
31
US
Hi,
We have a Win 2000 IIS 5.0 box running SSL on the entire site. We had service redirection for http and https through Raptor 6.5 to the 2000 box. I configured address transforms and NAT per the Raptor documentation.

Users were complaining about receiving "Page cannot be displayed" errors (intermittently) when trying to reach the home page. The firewall logs would show "cannot connect to server" errors in the log files for the dropped connections. I moved the 2000 box in front of the firewall (hanging it off the Internet router, only temporarily) and all of the user problems were eliminated.

While the server was in the service zone, on the firewall I had a NAT pool for the 2000 box. I created an address transform using this NAT pool for outgoing connections. I also had an address transform for incoming connections to "use the client's original address". I think the firewall is not handling these address transforms properly.
I appreciate any opinions or advice.

Thanks,
Steve
 
You may have a conflict between outgoing and incoming address transforms. What do you need the outgoing one for? As far as users connecting to you from the Internet go, "maintain client original" is enough. It also allows tracking if necessary for post-mortem analysis. What is this NAT pool for outgoing for? You may want to remove it unless you have a specific reason to use it. Intermittent problems are kind of strange. What does the log file on the FW say?
 
Thanks for the reply billhome,

The logfile would display an informational log, showing a normal SSL connection message. However at the very end of the log message would be "(unknown error)" for each failed connection attempt to the SSL server behind the firewall.

I set up another SSL NT server in the service zone and did not add the address transforms and it had no connection issues, so I believe you are correct.

I added the "maintain client original" transform, and still didn't have problems. However, I received this error in the log: "343 - NAT warning: NAT Rule MACHINE NAME was chosen, but client transparancy is not possible as both the source (192.168.x.A -> if=192.168.x.B) and destination interfaces (if=192.168.x.B -> 192.168.x.A) are the same. Please update your address mapping entry", where address A is the NIC of the SSL server and address B is the address of the service zone NIC on the firewall. Not sure what the error means, but it doesn't seem to have an effect on the SSL session.

Thanks,

Steve
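The two log symptoms in this thread (SSL connection records that end in "(unknown error)" and the "343 - NAT warning" about client transparency when source and destination interfaces match) are the sort of thing worth pulling out of a firewall log automatically before changing transforms. The script below is an added example, not code from the original posts or from Raptor. The log layout (date, time, host, message) and the sample lines are constructed for the example; the real Raptor 6.5 format is not reproduced here, and only the quoted message texts come from the thread. The rule name WEBSRV and all addresses are made up.

```python
"""Triage firewall log lines for the two symptoms discussed in the thread.

Assumed log layout (constructed for this example): "<date> <time> <host> <message>".
Only the message texts "(unknown error)" and the "343 - NAT warning" wording are
taken from the thread; everything else is an assumption.
"""
import re
from collections import Counter

# Constructed sample log. 192.168.1.10 stands for the SSL server's NIC (the
# thread's "A") and 192.168.1.1 for the firewall's service-zone NIC ("B").
SAMPLE_LOG = """\
2001-02-05 09:12:01 fw1 Informational: SSL connection from 203.0.113.7 to 192.168.1.10 port 443
2001-02-05 09:12:04 fw1 Informational: SSL connection from 203.0.113.8 to 192.168.1.10 port 443 (unknown error)
2001-02-05 09:12:09 fw1 343 - NAT warning: NAT Rule WEBSRV was chosen, but client transparancy is not possible as both the source (192.168.1.10 -> if=192.168.1.1) and destination interfaces (if=192.168.1.1 -> 192.168.1.10) are the same. Please update your address mapping entry
2001-02-05 09:12:15 fw1 Informational: SSL connection from 203.0.113.9 to 192.168.1.10 port 443 (unknown error)
2001-02-05 09:12:20 fw1 Informational: SSL connection from 203.0.113.10 to 192.168.1.10 port 443
"""

# A normal SSL connection record; anything after the port is kept as "tail"
# so we can see whether the record ended in "(unknown error)".
SSL_RE = re.compile(
    r"SSL connection from (?P<client>\S+) to (?P<server>\S+) port (?P<port>\d+)(?P<tail>.*)$"
)

# The 343 warning as quoted in the thread. The log misspells "transparency",
# so accept either spelling.
NAT343_RE = re.compile(
    r"343 - NAT warning: NAT Rule (?P<rule>.+?) was chosen, but client transpar[ae]ncy "
    r"is not possible as both the source \((?P<src>\S+) -> if=(?P<src_if>\S+)\) "
    r"and destination interfaces \(if=(?P<dst_if>\S+) -> (?P<dst>\S+)\) are the same"
)


def parse_ssl_connections(log: str) -> list:
    """Return one dict per SSL connection record, flagging the failed ones."""
    records = []
    for line in log.splitlines():
        m = SSL_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["failed"] = "(unknown error)" in rec["tail"]
            records.append(rec)
    return records


def ssl_failure_rate(log: str) -> tuple:
    """(failed, total) SSL connection records, the ratio users actually feel."""
    conns = parse_ssl_connections(log)
    failed = sum(1 for c in conns if c["failed"])
    return failed, len(conns)


def parse_nat_warnings(log: str) -> list:
    """Extract 343 warnings and confirm the interface clash the message claims.

    "hairpin" is True when the flow enters and leaves the firewall on the same
    interface, which is exactly the case the warning describes: the server's
    own address is the source and the service-zone NIC is both interfaces.
    """
    warnings = []
    for line in log.splitlines():
        m = NAT343_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["hairpin"] = rec["src_if"] == rec["dst_if"]
            warnings.append(rec)
    return warnings


def summarize(log: str) -> dict:
    """Counts to look at before touching the address transforms."""
    failed, total = ssl_failure_rate(log)
    rules = Counter(w["rule"] for w in parse_nat_warnings(log) if w["hairpin"])
    return {"ssl_total": total, "ssl_failed": failed, "hairpin_rules": dict(rules)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the regular expressions will need adjusting to the actual Raptor record layout, which this example only assumes. A non-zero `ssl_failed` count alongside `hairpin_rules` naming the rule that maps the server points at the transform to review first.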
 