
Internal Server not working to the outside world


cmal00 (IS-IT--Management), Jul 31, 2006
I have a PIX 525 and we have an internal web server that external users cannot get to. From the inside everything works fine. If we do a clear xlate, it starts to work again from the outside, but it doesn't last for long. We have to do another clear xlate. Is there a problem with the PIX or maybe the server? I have done a test using debug icmp trace; I can see an external IP coming in but I don't see a reply from the server. It stops at the inside interface of the PIX.
 
Post a scrubbed config. Also post the output of a show log when this happens. If you don't have logging to the buffer enabled, enable it with the following:

logging on
logging buffered 6


 
Here is the config

: Saved
: Written by enable_15 at 09:05:10.437 UTC Thu Oct 2 2008
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Vlan5 security50
nameif ethernet3 intf3 security20
nameif ethernet4 VPN security60
nameif ethernet5 state security80
enable password /Quw/r3ABLab.7h7 encrypted
passwd 1qe3EmIswfJyCWQr encrypted
hostname pix
domain-name oru.edu
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
no name
access-list acl_outside permit tcp any host 205.143.139.34 eq domain
access-list acl_outside permit udp any host 205.143.139.34 eq domain
access-list acl_outside permit tcp any host 205.143.139.34 eq https
access-list acl_outside permit tcp any host 205.143.139.33 eq domain
access-list acl_outside permit udp any host 205.143.139.33 eq domain
access-list acl_outside permit udp any host 205.143.139.34 eq ntp
access-list acl_outside permit udp any host 205.143.139.33 eq ntp

pager lines 24
logging on
logging timestamp
logging console critical
logging monitor errors
logging buffered critical
logging trap critical
logging history critical
mtu outside 1500
mtu inside 1500
mtu Vlan5 1500
mtu intf3 1500
mtu VPN 1500
mtu state 1500
ip address outside 205.143.139.193 255.255.255.192
ip address inside 205.143.139.133 255.255.255.248
ip address Vlan5 205.143.139.62 255.255.255.192
no ip address intf3
ip address VPN 127.0.0.4 255.255.255.255
ip address state 172.16.1.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 205.143.139.194
failover ip address inside 205.143.139.132
failover ip address Vlan5 205.143.139.59
no failover ip address intf3
no failover ip address VPN
failover ip address state 172.16.1.2
failover link state
pdm history enable
arp timeout 7200


access-group acl_outside in interface outside
access-group Inside in interface inside
access-group Vlan5_acl in interface Vlan5
route outside 0.0.0.0 0.0.0.0 205.143.139.195 1
route inside 10.0.0.0 255.0.0.0 205.143.139.134 1
route Vlan5 10.80.0.0 255.255.0.0 205.143.139.8 1
route inside 205.143.136.0 255.255.248.0 205.143.139.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 10.100.1.23
snmp-server host inside 10.200.1.54
snmp-server location CNC

snmp-server community Up2NoGood
snmp-server enable traps

floodguard enable
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1800


: end


Here is the log:

pix# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: level critical, 55965 messages logged
Monitor logging: disabled
Buffer logging: level informational, 36108269 messages logged
Trap logging: level critical, 55965 messages logged
History logging: level critical, 55965 messages logged
Device ID: disabled
69.105.58.152/18551 (69.105.58.152/18551) to inside:10.24.3.166/62903 (205.143.139.215/40308)
106023: Deny tcp src outside:81.183.12.82/53133 dst Vlan5:205.143.139.32/25 by access-group "acl_outside"
302014: Teardown TCP connection -1805990420 for outside:204.9.177.17/80 to Vlan5:205.143.139.37/56459 duration 0:00:36 bytes 2224 TCP FINs
302014: Teardown TCP connection -1805990121 for outside:204.9.177.17/80 to Vlan5:205.143.139.37/59723 duration 0:00:34 bytes 1112 TCP FINs
302014: Teardown TCP connection -1805990115 for outside:204.9.177.17/80 to Vlan5:205.143.139.37/43430 duration 0:00:34 bytes 1112 TCP FINs
302013: Built outbound TCP connection -1805982793 for outside:205.128.93.123/80 (205.128.93.123/80) to Vlan5:205.143.139.37/47956 (205.143.139.37/47956)
302013: Built outbound TCP connection -1805982792 for outside:65.54.171.24/80 (65.54.171.24/80) to Vlan5:205.143.139.37/34777 (205.143.139.37/34777)
302013: Built outbound TCP connection -1805982791 for outside:87.106.132.222/80 (87.106.132.222/80) to Vlan5:205.143.139.37/48243 (205.143.139.37/48243)
302015: Built outbound UDP connection -1805982790 for outside:76.93.53.140/32360 (76.93.53.140/32360) to inside:10.23.2.171/63020 (205.143.139.211/63853)
302013: Built outbound TCP connection -1805982789 for outside:199.93.62.124/80 (199.93.62.124/80) to Vlan5:205.143.139.37/37676 (205.143.139.37/37676)
302016: Teardown UDP connection -1805982818 for outside:12.183.125.5/53 to Vlan5:205.143.139.5/31321 duration 0:00:01 bytes 140
302014: Teardown TCP connection -1805993973 for outside:69.63.176.161/80 to Vlan5:205.143.139.37/46494 duration 0:00:55 bytes 2079 TCP FINs
302015: Built outbound UDP connection -1805982788 for outside:71.103.181.69/57002 (71.103.181.69/57002) to inside:10.23.3.37/18950 (205.143.139.211/9535)
302015: Built outbound UDP connection -1805982787 for outside:64.230.105.239/28546 (64.230.105.239/28546) to inside:10.23.2.171/63020 (205.143.139.211/63853)
3176.206/80 by access-group "Inside"
110.26.0.174/1760 dst outside:216.143.70.105/80 by access-group "Inside"
3 inside:10.23.3.253/1457 to outside:205.143.139.211/43078
3o outside:205.143.139.211/43084
3outside:68.142.255.16/53 to Vlan5:205.143.139.5/8520 duration 0:00:01 bytes 360
3 to Vlan5:205.143.139.37/50286 (205.143.139.37/50286)
32257 for outside:199.93.62.126/80 to Vlan5:205.143.139.37/48638 duration 0:00:03 bytes 344226 TCP Reset-I
3-1805981742 for outside:88.112.243.132/64849 (88.112.243.132/64849) to inside:10.28.2.99/63468 (205.143.139.219/59134)
3ide:80.203.137.80/40455 (80.203.137.80/40455) to inside:10.25.2.40/52099 (205.143.139.215/40375)
3tbound UDP connection -1805981411 for Vlan5:205.143.139.34/53 (205.143.139.34/53) to inside:10.20.3.24/56834 (205.143.139.60/25337)
3143 to inside:10.23.1.154/32837 duration 0:00:38 bytes 68 TCP Reset-O
3 to outside:205.143.139.211/43125
3.216/1029 to outside:205.143.139.211/43149
302013: Built outbound TCP connection -1805981087 for outside:195.136.143.68/21679 (195.136.143.68/21679) to inside:10.23.3.216/1029 (205.143.139.211/43149)
106023: Deny tcp src outside:68.188.251.162/56082 dst Vlan5:205.143.139.37/39277 by access-group "acl_outside"
305011: Built dynamic TCP translation from inside:10.30.2.29/1391 to outside:205.143.139.221/3675
302013: Built outbound TCP connection -1805981086 for outside:208.111.128.7/80 (208.111.128.7/80) to inside:10.30.2.29/1391 (205.143.139.221/3675)
302014: Teardown TCP connection -1805981121 for outside:190.21.135.193/26172 to inside:10.25.2.142/3372 duration 0:00:00 bytes 0 TCP Reset-O
302014: Teardown TCP connection -1805981722 for outside:63.135.80.55/80 to Vlan5:205.143.139.37/49344 duration 0:00:03 bytes 1458 TCP FINs
302016: Teardown UDP connection -1805981088 for outside:204.2.208.53/53 to Vlan5:205.143.139.5/65142 duration 0:00:01 bytes 118
106023: Deny udp src outside:72.59.226.7/45683 dst Vlan5:205.143.139.37/39277 by access-group "acl_outside"
302013: Built outbound TCP connection -1805981085 for outside:164.58.176.199/80 (164.58.176.199/80) to Vlan5:205.143.139.37/48663 (205.143.139.37/48663)
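A long show log dump like the one above is hard to read by eye, so here is an added Python example (not part of this thread) that parses the 106023 deny messages and the 302013/302014/302015/302016 connection built/teardown messages, tallies denies per access-group and destination, and pulls out every event that mentions one host. The sample lines are copied from the log posted above; the regexes match only the message shapes seen in those lines, so any other PIX message ID is skipped rather than misparsed.

```python
import re
from collections import Counter

# Sample input: lines copied from the "sh log" output posted in this thread
# (no constructed lines), so the counts below can be checked by eye.
SAMPLE_LOG = """\
106023: Deny tcp src outside:81.183.12.82/53133 dst Vlan5:205.143.139.32/25 by access-group "acl_outside"
302014: Teardown TCP connection -1805990420 for outside:204.9.177.17/80 to Vlan5:205.143.139.37/56459 duration 0:00:36 bytes 2224 TCP FINs
302013: Built outbound TCP connection -1805982793 for outside:205.128.93.123/80 (205.128.93.123/80) to Vlan5:205.143.139.37/47956 (205.143.139.37/47956)
302015: Built outbound UDP connection -1805982790 for outside:76.93.53.140/32360 (76.93.53.140/32360) to inside:10.23.2.171/63020 (205.143.139.211/63853)
302016: Teardown UDP connection -1805982818 for outside:12.183.125.5/53 to Vlan5:205.143.139.5/31321 duration 0:00:01 bytes 140
106023: Deny tcp src outside:68.188.251.162/56082 dst Vlan5:205.143.139.37/39277 by access-group "acl_outside"
106023: Deny udp src outside:72.59.226.7/45683 dst Vlan5:205.143.139.37/39277 by access-group "acl_outside"
"""

# 106023: packet denied by the access-list bound to an interface.
DENY_RE = re.compile(
    r'^106023: Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# 302013/302014 (TCP) and 302015/302016 (UDP): connection built / torn down.
# The "(mapped/port)" part after each endpoint is optional because the
# teardown messages in the posted log do not carry it.
CONN_RE = re.compile(
    r'^(?P<id>30201[3-6]): (?P<action>Built|Teardown) (?:outbound |inbound )?(?P<proto>TCP|UDP) '
    r'connection (?P<conn>-?\d+) for (?P<a_if>[^:]+):(?P<a>[\d.]+)/(?P<aport>\d+)(?: \([\d.]+/\d+\))? '
    r'to (?P<b_if>[^:]+):(?P<b>[\d.]+)/(?P<bport>\d+)'
)


def parse_pix_log(text):
    """Return one dict per recognised line; lines with other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        if m := DENY_RE.match(line):
            events.append({
                "id": "106023", "action": "Deny", "proto": m["proto"].upper(),
                "acl": m["acl"],
                # peers[0] is the source, peers[1] the denied destination
                "peers": [(m["src_if"], m["src"], int(m["sport"])),
                          (m["dst_if"], m["dst"], int(m["dport"]))],
            })
        elif m := CONN_RE.match(line):
            events.append({
                "id": m["id"], "action": m["action"], "proto": m["proto"],
                "acl": None,
                # peers are the two endpoints in the order the PIX printed them
                "peers": [(m["a_if"], m["a"], int(m["aport"])),
                          (m["b_if"], m["b"], int(m["bport"]))],
            })
    return events


def deny_summary(events):
    """Count 106023 denies by (access-group, destination IP, destination port)."""
    return Counter(
        (e["acl"], e["peers"][1][1], e["peers"][1][2])
        for e in events if e["id"] == "106023"
    )


def events_for_host(events, host):
    """Every recognised event in which `host` appears as either endpoint."""
    return [e for e in events if any(ip == host for _, ip, _ in e["peers"])]


if __name__ == "__main__":
    evts = parse_pix_log(SAMPLE_LOG)
    for key, n in deny_summary(evts).most_common():
        print(f"{n:3d} denies  acl={key[0]} dst={key[1]}/{key[2]}")
    for e in events_for_host(evts, "205.143.139.37"):
        print(e["id"], e["action"], e["proto"], e["peers"])
```

Run it against a full buffer dump and filter with `events_for_host(evts, "205.143.139.34")` to see only what the PIX recorded for the DMZ server in question; a stretch with inbound requests but no Built messages for that host is exactly the window worth comparing against the last clear xlate.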
 
A few problems here. Let me know if I overlooked anything.

These are the hosts you want the outside world to access right?
Code:
access-list acl_outside permit tcp any host 205.143.139.34 eq domain
access-list acl_outside permit udp any host 205.143.139.34 eq domain
access-list acl_outside permit tcp any host 205.143.139.34 eq https
access-list acl_outside permit tcp any host 205.143.139.33 eq domain
access-list acl_outside permit udp any host 205.143.139.33 eq domain
access-list acl_outside permit udp any host 205.143.139.34 eq ntp
access-list acl_outside permit udp any host 205.143.139.33 eq ntp

I don't see any static statements for these IPs. You will need them if you want traffic to flow from a lower security level to a higher security level.

static (inside,outside) 205.143.139.33 205.143.139.33
static (inside,outside) 205.143.139.34 205.143.139.34

This is assuming that those IPs are the ones that get resolved when an outside user performs DNS resolution on the URL.


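As an added illustration of the reply's point (this is not from the thread), here is a small Python check that reads a PIX 6.3 configuration and lists every host permitted by an interface's inbound access-list for which no static translation is defined on that interface. The sample configs are built from the access-list lines quoted above, first without any static (the situation the reply describes) and then with the (Vlan5,outside) static the poster supplied later; the regexes cover only the ACL and static shapes seen in this thread and are an assumption for anything else.

```python
import ipaddress
import re

# Constructed sample: the acl_outside lines quoted above plus the access-group
# that binds them to the outside interface. No static is present here.
CONFIG_WITHOUT_STATIC = """\
access-list acl_outside permit tcp any host 205.143.139.34 eq domain
access-list acl_outside permit udp any host 205.143.139.34 eq domain
access-list acl_outside permit tcp any host 205.143.139.34 eq https
access-list acl_outside permit tcp any host 205.143.139.33 eq domain
access-list acl_outside permit udp any host 205.143.139.33 eq domain
access-group acl_outside in interface outside
"""

# Same config with the network static the poster later said was in place.
CONFIG_WITH_STATIC = CONFIG_WITHOUT_STATIC + \
    "static (Vlan5,outside) 205.143.139.0 205.143.139.0 netmask 255.255.255.192 0 0\n"

# Only the ACL shape used in this thread is parsed: "permit <proto> any host <ip> ...".
ACL_HOST_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\S+) any host (?P<host>[\d.]+)")
ACCESS_GROUP_RE = re.compile(
    r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")
# static (real_if,mapped_if) mapped_ip real_ip [netmask mask] ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+)(?: netmask (?P<mask>[\d.]+))?")


def parse_config(text):
    acl_hosts = {}   # acl name -> set of host IPs it permits traffic to
    bindings = {}    # interface -> acl name applied inbound on it
    statics = []     # (real_if, mapped_if, mapped network)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_HOST_RE.match(line):
            acl_hosts.setdefault(m["name"], set()).add(m["host"])
        elif m := ACCESS_GROUP_RE.match(line):
            bindings[m["iface"]] = m["name"]
        elif m := STATIC_RE.match(line):
            # a static without a netmask maps a single host
            mask = m["mask"] or "255.255.255.255"
            net = ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False)
            statics.append((m["real_if"], m["mapped_if"], net))
    return acl_hosts, bindings, statics


def hosts_without_static(text):
    """Hosts permitted by an interface's inbound ACL that no static maps on that interface."""
    acl_hosts, bindings, statics = parse_config(text)
    missing = []
    for iface, acl in bindings.items():
        for host in acl_hosts.get(acl, ()):
            addr = ipaddress.ip_address(host)
            covered = any(mapped_if == iface and addr in net
                          for _, mapped_if, net in statics)
            if not covered:
                missing.append((iface, host))
    return sorted(missing)


if __name__ == "__main__":
    for label, cfg in (("without static", CONFIG_WITHOUT_STATIC),
                       ("with static", CONFIG_WITH_STATIC)):
        print(label, "->", hosts_without_static(cfg) or "all permitted hosts have a static")
```

The check deliberately reports per interface, because a static written as (inside,outside) does nothing for a host that actually sits behind Vlan5; feeding it the real config rather than a scrubbed excerpt is what makes the answer meaningful.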
 
I'm sorry, I must not have copied over the static rules. I have the following static:

static (Vlan5,outside) 205.143.139.0 205.143.139.0 netmask 255.255.255.192 0 0

Vlan5 is our DMZ. These servers are in the DMZ. Also, 205.143.139.34 is our secondary DNS and is also being used as a student web site.
 
Did you leave out the nat rules also? Please post whatever you left out. You also said that the ICMP traffic stops at the inside interface of the PIX:

"It stops at the inside interface of the PIX. "

If this traffic is destined for Vlan5, then you shouldn't see traffic hitting the DMZ, right?

 
The reason why I say that is that inside the PIX, I can ping 205.143.139.34. From the outside (from my home, for example), I can't ping it. I did a debug icmp trace and I see the ICMP request from my house coming in through the PIX. I don't see any reply from the server. If I clear xlate, everything starts to work again. What I'm trying to see is if the server has an issue or the PIX. I can't see something missing in the PIX, because every other server would have issues too. Something gets cleared and things start to work again to that particular IP.

205.143.139.34 is a public IP address; there is no NATing on it.

nat (Vlan5) 0 205.143.139.0 255.255.255.192 0 0

For security reasons, I'm not allowed to post everything; hope you understand.
 