port translation happens after packet is rejected ???

Hi all, I have a PIX 515E here at work. It has recently been upgraded from 6.3 to 7.21.

It seems to me that since this upgrade I have been encountering some strange problems.

The PIX has three interfaces: one for the Web (level 100), one for our intranet (level 0), IPs 192.168.0.0, and one for a DMZ (level 4), IPs 10.10.10.0.

In the DMZ is a Web server (it's the only server in the DMZ).

Last night, at home, I received a newsletter from this web server (our web site) and, just to test, I clicked the "unregister from the newsletter" link. I was using Firefox... the page never showed. Instead there was a blank page: no message... I tested the same link under IE6 and it did the same. I tested the site's index page but nothing showed. Nslookup found the site's IP without problem. I could surf every web site I could think of, but not this one...

After rebooting my PC, I could surf the site's index and other pages without a problem. So I thought it was a local problem. Never mind, I noted my IP so that I could check the PIX's log the next day.

I found many lines about rejecting my connection, and here we are, I don't understand what's happening. The fact is that, searching through the log, there are many people encountering the same problems, but also many people surfing the site without problems at the same time.

So here are some of the log lines I found:

Nov 27 10:56:44 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:81.51.10.184/1910 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

Nov 27 11:55:42 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3549 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

Nov 27 11:56:55 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3568 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

Nov 27 11:56:58 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3569 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

Nov 27 11:57:53 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3593 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

Nov 27 11:58:05 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3594 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

Nov 27 11:58:12 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3595 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

Nov 27 11:58:29 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3596 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

Nov 27 11:59:28 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3620 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]

What I don't understand is the outside port number (3620 for the last line here), because there is a translation rule that should translate every DMZ-Outside 10.10.10.220/80 to my_public_ip/80. Here's the rule:

static (dmz,outside) tcp my_public_ip www 10.10.10.220 www netmask 255.255.255.255

As I understand it, it looks as if the rejection happened before the port translation, but I'm certainly wrong ;-)

Any help/comment is greatly appreciated.

Thanks for reading.

Bye. Fred
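Added example (not from the original post or from Cisco): a small parser for the %PIX-4-106023 deny lines quoted above that counts, per outside client, how many packets sourced from the DMZ web server's port 80 were dropped by the "dmz_access_in" access-group. Packets whose source is the server's port 80 and whose destination is an outside ephemeral port are server-to-client reply traffic, so grouping them by client shows which visitors were affected and how often; the "192.0.2.25" control line is constructed.

```python
import re
from collections import Counter

# Regex for the %PIX-4-106023 "Deny" message format quoted in the post
LOG_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)
WEB_SERVER = "10.10.10.220"  # DMZ web server named in the post
DMZ_ACL = "dmz_access_in"    # inbound DMZ access-group named in the post

def parse_106023(line):
    """Fields of a 106023 deny line as a dict (ports as int), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src_port"], ev["dst_port"] = int(ev["src_port"]), int(ev["dst_port"])
    return ev

def is_denied_reply(ev):
    """Server-to-client traffic dropped by the DMZ ACL: source is the web
    server's port 80, destination an outside ephemeral (>=1024) port."""
    return (ev["acl"] == DMZ_ACL
            and ev["src_if"] == "dmz" and ev["src_ip"] == WEB_SERVER
            and ev["src_port"] == 80
            and ev["dst_if"] == "outside" and ev["dst_port"] >= 1024)

def denied_replies_per_client(lines):
    """Map each outside client IP to its count of denied reply packets."""
    counts = Counter()
    for line in lines:
        ev = parse_106023(line)
        if ev and is_denied_reply(ev):
            counts[ev["dst_ip"]] += 1
    return dict(counts)

# First three lines are copied from the post; the last is a constructed control
# line (DMZ server initiating SMTP outbound) that must not count as a reply.
SAMPLE_LOG = [
    'Nov 27 10:56:44 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:81.51.10.184/1910 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]',
    'Nov 27 11:55:42 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3549 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]',
    'Nov 27 11:56:55 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/80 dst outside:86.204.128.134/3568 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]',
    'Nov 27 12:03:10 192.168.1.254 %PIX-4-106023: Deny tcp src dmz:10.10.10.220/40211 dst outside:192.0.2.25/25 by access-group "dmz_access_in" [0x3e19d1ab, 0x0]',
]

if __name__ == "__main__":
    for client, n in sorted(denied_replies_per_client(SAMPLE_LOG).items()):
        print(f"{client}: {n} reply packet(s) denied by {DMZ_ACL}")
```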
