Screen OS

  • 1.  Port forwarding assistance

    Posted 02-08-2009 11:18

    Hello,

    I am in need of some port forwarding assistance.  I am trying to set up port forwarding to a web server that's on our backoffice zone.  I understand that port 80 is used as the management interface so I have set up a custom service on port 90 that is supposed to be redirected to port 80 of the internal webserver.  Unfortunately I am not successful.  I notice the packets being forwarded to the correct internal server but the page does not open on the client trying to access the server from outside the firewall.

     

    I hope someone can please provide some insight where I am wrong.

     

    Here are the relevant lines of configuration.

    set service "HTTP-90" protocol tcp src-port 0-65535 dst-port 90-90
    set interface ethernet1/0:3 vip interface-ip 90 "HTTP" 172.16.6.26
    set policy id 45 from "Untrust" to "Back Office Servers"  "Any" "VIP(ethernet1/0:3)" "HTTP-90" permit

    Please see debug flow basic below using the following filter.

    SSG-cluster1:Grenada-SSG-1(M)-> get ff
    Flow filter based on:
    id:0 src ip 63.245.XXX.96 dst ip 208.72.XXX.1 dst port 90
    id:1 src ip 172.16.6.26 dst ip 63.245.XXX.96 src port 80

    SSG-cluster1:Grenada-SSG-1(M)-> get db str | exclude NHTB
    ****** 7012013.0: <Untrust/ethernet1/0:3> packet received [52]******
      ipid = 27496(6b68), @2e588110
      packet passed sanity check.
      ethernet1/0:3:63.245.XXX.96/61147->208.72.XXX.1/90,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet1/0:3>, out <N/A>
      self check, not for us
      self check, not for us
      chose interface ethernet1/0:3 as incoming nat if.
      flow_first_routing: in <ethernet1/0:3>, out <N/A>
      search route to (ethernet1/0:3, 63.245.XXX.96->172.16.6.26) in vr trust-vr for vsd-3/flag-0/ifp-null
      [ Dest] 3.route 172.16.6.26->172.16.6.26, to ethernet1/3.6:3
      routed (x_dst_ip 172.16.6.26) from ethernet1/0:3 (ethernet1/0:3 in 3) to ethernet1/3.6:3
      policy search from zone 1-> zone 102
     policy_flow_search  policy search nat_crt from zone 1-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 208.72.XXX.1, port 90, proto 6)
      No SW RPC rule match, search HW rule
      Permitted by policy 45
      No src xlate   choose interface ethernet1/3.6:3 as outgoing phy if
      check nsrp pak fwd: in_tun=0xffffffff, VSD 3 for out ifp ethernet1/3.6:3
      no loop on ifp ethernet1/3.6.
      no loop on ifp ethernet1/3.6:3.
      no loop on ifp ethernet1/3.6:4.
      session application type 6, name HTTP, nas_id 0, timeout 1800sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet1/0:3>, out <ethernet1/3.6:3>
      existing vector list 133-9babdd4.
      Session (id:255984) created for first pak 133
      flow_first_install_session======>
      route to 172.16.6.26
      arp entry found for 172.16.6.26
      ifp2 ethernet1/3.6:3, out_ifp ethernet1/3.6:3, flag 00800804, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet1/3.6:3, 172.16.6.26->63.245.XXX.96) in vr untrust-vr for vsd-3/flag-3000/ifp-ethernet1/0:3
      [ Dest] 1103.route 63.245.XXX.96->208.72.XXX.4, to ethernet1/0:3
      route to 208.72.XXX.4
      arp entry found for 208.72.XXX.4
      ifp2 ethernet1/0:3, out_ifp ethernet1/0:3, flag 00800801, tunnel ffffffff, rc 1
      nsrp msg sent.
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      flow get wsf 0 2
      Got syn, 63.245.XXX.96(61147)->208.72.XXX.1(90), nspflag 0x801801, 0x800804
      post addr xlation: 63.245.XXX.96->172.16.6.26.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012013.0: <Back Office Servers/ethernet1/3.6:3> packet received [52]******
      ipid = 0(0000), @2e575914
      packet passed sanity check.
      ethernet1/3.6:3:172.16.6.26/80->63.245.XXX.96/61147,6<Root>
      existing session found. sess token 34
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      flow get wsf 2 5
      Got syn_ack, 172.16.6.26(80)->63.245.XXX.96(61147), nspflag 0x801804, 0x801801
      post addr xlation: 208.72.XXX.1->63.245.XXX.96.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012013.0: <Untrust/ethernet1/0:3> packet received [40]******
      ipid = 27497(6b69), @2e7a0910
      packet passed sanity check.
      ethernet1/0:3:63.245.XXX.96/61147->208.72.XXX.1/90,6<Root>
      existing session found. sess token 30
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      Got ack, 63.245.XXX.96(61147)->208.72.XXX.1(90), natpflag 0xc000000, nspflag 0x801801, 0x801804, timeout=900
      post addr xlation: 63.245.XXX.96->172.16.6.26.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012013.0: <Untrust/ethernet1/0:3> packet received [432]******
      ipid = 27498(6b6a), @2e51f110
      packet passed sanity check.
      ethernet1/0:3:63.245.XXX.96/61147->208.72.XXX.1/90,6<Root>
      existing session found. sess token 30
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      post addr xlation: 63.245.XXX.96->172.16.6.26.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012013.0: <Back Office Servers/ethernet1/3.6:3> packet received [40]******
      ipid = 1458(05b2), @2e660114
      packet passed sanity check.
      ethernet1/3.6:3:172.16.6.26/80->63.245.XXX.96/61147,6<Root>
      existing session found. sess token 34
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      post addr xlation: 208.72.XXX.1->63.245.XXX.96.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012015.0: <Back Office Servers/ethernet1/3.6:3> packet received [465]******
      ipid = 1459(05b3), @2e6a8914
      packet passed sanity check.
      ethernet1/3.6:3:172.16.6.26/80->63.245.XXX.96/61147,6<Root>
      existing session found. sess token 34
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      post addr xlation: 208.72.XXX.1->63.245.XXX.96.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012015.0: <Untrust/ethernet1/0:3> packet received [40]******
      ipid = 27500(6b6c), @2e65b110
      packet passed sanity check.
      ethernet1/0:3:63.245.XXX.96/61147->208.72.XXX.1/90,6<Root>
      existing session found. sess token 30
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      post addr xlation: 63.245.XXX.96->172.16.6.26.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012031.0: <Untrust/ethernet1/0:3> packet received [40]******
      ipid = 27504(6b70), @2e6b5110
      packet passed sanity check.
      ethernet1/0:3:63.245.XXX.96/61147->208.72.XXX.1/90,6, 5011(fin)<Root>
      existing session found. sess token 30
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      flow_tcp_fin_vector()
      existing vector list 133-9babdd4.
      post addr xlation: 63.245.XXX.96->172.16.6.26.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012031.0: <Back Office Servers/ethernet1/3.6:3> packet received [40]******
      ipid = 1460(05b4), @2e734114
      packet passed sanity check.
      ethernet1/3.6:3:172.16.6.26/80->63.245.XXX.96/61147,6, 5011(fin)<Root>
      existing session found. sess token 34
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      flow_tcp_fin_vector()
      existing vector list 133-9babdd4.
      post addr xlation: 208.72.XXX.1->63.245.XXX.96.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 7012031.0: <Untrust/ethernet1/0:3> packet received [40]******
      ipid = 27505(6b71), @2e730110
      packet passed sanity check.
      ethernet1/0:3:63.245.XXX.96/61147->208.72.XXX.1/90,6<Root>
      existing session found. sess token 30
      flow got session.
      flow session id 255984
      vsd 3 is active
      tcp seq check.
      flow_tcp_fin_vector()
      existing vector list 133-9babdd4.
      post addr xlation: 63.245.XXX.96->172.16.6.26.
     flow_send_vector_, vid = 0, is_layer2_if=0

    Message Edited by maclan13 on 02-08-2009 11:20 AM
    Message Edited by maclan13 on 02-08-2009 11:54 AM


  • 2.  RE: Port forwarding assistance

    Posted 02-08-2009 12:03

    Hi

     

    Looks like there was something wrong with the connection and your client sent a FIN to the FW to terminate the connection.

     

    Not sure if you have tried this but:

    - run a sniffer on your PC

    - Run snoop and debug flow together

    snoop info (to check on the filters for snoop)

    snoop filter delete (to remove ALL filters)

    snoop filter ip src-ip X.X.X.X dst-ip Y.Y.Y.Y dst-port 80

    etc..

    - check access to the web server on the internal lan (just for the heck of it to make sure it works)

     

    We should be able to tell from the sniffer at least why the page is not loading. But otherwise, from the debugs alone, it looks like your client is sending FIN to the server to terminate connection.

     



  • 3.  RE: Port forwarding assistance

    Posted 02-08-2009 12:58

    Checked the server internally and it works, so I can rule that problem out.  From the sniffer, it looks like the firewall (208.72.XXX.1) is sending the FIN, ACK first and the client is responding.

     

    I changed the virtual port on the VIP config to port 80 and moved the web UI port to another.  When I did this, I was able to access the internal web server from outside using port 80.  I changed back the virtual port to 90 and ran the snoop commands.

     

    Still no success accessing the webserver using port 90.  Below are the results of a snoop session.

     

    SSG-cluster1:Grenada-SSG-1(M)-> get db str
    7017884.0: ethernet1/0(i) len=66:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8744, frag=4000, ttl=125 tlen=52
                  tcp:ports 61892->90, seq=2073735551, ack=0, flag=8002/SYN

    7017884.0: ethernet1/3(i) len=70:00105a1461fc->0010dbff20b3/8100/0800, tag 6
                  172.16.6.26 -> 63.245.XXX.96/6
                  vhl=45, tos=00, id=0, frag=4000, ttl=64 tlen=52
                  tcp:ports 80->61892, seq=2186208781, ack=2073735552, flag=8012/SYN/ACK

    7017884.0: ethernet1/0(i) len=60:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8745, frag=4000, ttl=125 tlen=40
                  tcp:ports 61892->90, seq=2073735552, ack=2186208782, flag=5010/ACK

    7017884.0: ethernet1/0(i) len=446:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8746, frag=4000, ttl=125 tlen=432
                  tcp:ports 61892->90, seq=2073735552, ack=2186208782, flag=5018/ACK

    7017884.0: ethernet1/3(i) len=64:00105a1461fc->0010dbff20b3/8100/0800, tag 6
                  172.16.6.26 -> 63.245.XXX.96/6
                  vhl=45, tos=00, id=44393, frag=4000, ttl=64 tlen=40
                  tcp:ports 80->61892, seq=2186208782, ack=2073735944, flag=5010/ACK

    7017885.0: ethernet1/3(i) len=483:00105a1461fc->0010dbff20b3/8100/0800, tag 6
                  172.16.6.26 -> 63.245.XXX.96/6
                  vhl=45, tos=00, id=44394, frag=4000, ttl=64 tlen=465
                  tcp:ports 80->61892, seq=2186208782, ack=2073735944, flag=5018/ACK

    7017885.0: ethernet1/0(i) len=66:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8747, frag=4000, ttl=125 tlen=52
                  tcp:ports 61893->80, seq=2602272337, ack=0, flag=8002/SYN

    7017886.0: ethernet1/0(i) len=60:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8748, frag=4000, ttl=125 tlen=40
                  tcp:ports 61892->90, seq=2073735944, ack=2186209207, flag=5010/ACK

    7017888.0: ethernet1/0(i) len=66:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8749, frag=4000, ttl=125 tlen=52
                  tcp:ports 61893->80, seq=2602272337, ack=0, flag=8002/SYN

    7017894.0: ethernet1/0(i) len=62:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8750, frag=4000, ttl=125 tlen=48
                  tcp:ports 61893->80, seq=2602272337, ack=0, flag=7002/SYN

    7017900.0: ethernet1/3(i) len=64:00105a1461fc->0010dbff20b3/8100/0800, tag 6
                  172.16.6.26 -> 63.245.XXX.96/6
                  vhl=45, tos=00, id=44395, frag=4000, ttl=64 tlen=40
                  tcp:ports 80->61892, seq=2186209207, ack=2073735944, flag=5011/FIN/ACK

    7017900.0: ethernet1/0(i) len=60:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8751, frag=4000, ttl=125 tlen=40
                  tcp:ports 61892->90, seq=2073735944, ack=2186209208, flag=5010/ACK

    7017902.0: ethernet1/0(i) len=60:001db5a7c3f0->0010dbff2083/0800
                  63.245.XXX.96 -> 208.72.XXX.1/6
                  vhl=45, tos=00, id=8752, frag=4000, ttl=125 tlen=40
                  tcp:ports 61892->90, seq=2073735944, ack=2186209208, flag=5011/FIN/ACK

    7017902.0: ethernet1/3(i) len=64:00105a1461fc->0010dbff20b3/8100/0800, tag 6
                  172.16.6.26 -> 63.245.XXX.96/6
                  vhl=45, tos=00, id=44396, frag=4000, ttl=64 tlen=40
                  tcp:ports 80->61892, seq=2186209208, ack=2073735945, flag=5010/ACK

     

    Message Edited by maclan13 on 02-08-2009 01:22 PM


  • 4.  RE: Port forwarding assistance

    Posted 02-08-2009 13:52

    Hmm.. FW can not generate the FIN/ACK by itself. It should be from the Server if you are seeing the FW IP. The only time FW sends a packet to signal that session is not available is by RST.

     

    From the snoop below, it looks like packet id 44393,44394 were not responded to from the client side.

     

    Can you attach the sniffer? It's easier to look from there.



  • 5.  RE: Port forwarding assistance

    Posted 02-08-2009 14:10

    FROM 208.72.XXX.1 FW

     

    No.     Time        Source                Destination           Protocol Info
          6 3.304039    208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=5

    Frame 6 (66 bytes on wire, 66 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 0, Ack: 1, Len: 0
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 0    (relative sequence number)
        Acknowledgement number: 1    (relative ack number)
        Header length: 32 bytes
        Flags: 0x12 (SYN, ACK)
        Window size: 5840
        Checksum: 0x6a67 [correct]
        Options: (12 bytes)
        [SEQ/ACK analysis]

    No.     Time        Source                Destination           Protocol Info
          9 3.321702    208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [ACK] Seq=1 Ack=393 Win=6912 Len=0

    Frame 9 (54 bytes on wire, 54 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 1, Ack: 393, Len: 0
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 1    (relative sequence number)
        Acknowledgement number: 393    (relative ack number)
        Header length: 20 bytes
        Flags: 0x10 (ACK)
        Window size: 6912 (scaled)
        Checksum: 0xbfa7 [correct]
        [SEQ/ACK analysis]

    No.     Time        Source                Destination           Protocol Info
         10 5.232718    208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [PSH, ACK] Seq=1 Ack=393 Win=6912 Len=425

    Frame 10 (479 bytes on wire, 479 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 1, Ack: 393, Len: 425
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 1    (relative sequence number)
        [Next sequence number: 426    (relative sequence number)]
        Acknowledgement number: 393    (relative ack number)
        Header length: 20 bytes
        Flags: 0x18 (PSH, ACK)
        Window size: 6912 (scaled)
        Checksum: 0x7054 [correct]
    Data (425 bytes)

    0000  48 54 54 50 2f 31 2e 31 20 33 30 31 20 4d 6f 76   HTTP/1.1 301 Mov
    0010  65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a   ed Permanently..
    0020  44 61 74 65 3a 20 53 75 6e 2c 20 30 38 20 46 65   Date: Sun, 08 Fe
    0030  62 20 32 30 30 39 20 32 31 3a 35 38 3a 32 39 20   b 2009 21:58:29
    0040  47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61   GMT..Server: Apa
    0050  63 68 65 2f 32 2e 32 2e 38 20 28 55 62 75 6e 74   che/2.2.8 (Ubunt
    0060  75 29 20 50 48 50 2f 35 2e 32 2e 34 2d 32 75 62   u) PHP/5.2.4-2ub
    0070  75 6e 74 75 35 2e 33 20 77 69 74 68 20 53 75 68   untu5.3 with Suh
    0080  6f 73 69 6e 2d 50 61 74 63 68 20 6d 6f 64 5f 73   osin-Patch mod_s
    0090  73 6c 2f 32 2e 32 2e 38 20 4f 70 65 6e 53 53 4c   sl/2.2.8 OpenSSL
    00a0  2f 30 2e 39 2e 38 67 20 6d 6f 64 5f 70 65 72 6c   /0.9.8g mod_perl
    00b0  2f 32 2e 30 2e 33 20 50 65 72 6c 2f 76 35 2e 38   /2.0.3 Perl/v5.8
    00c0  2e 38 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 42 79   .8..X-Powered-By
    00d0  3a 20 50 48 50 2f 35 2e 32 2e 34 2d 32 75 62 75   : PHP/5.2.4-2ubu
    00e0  6e 74 75 35 2e 33 0d 0a 58 2d 50 69 6e 67 62 61   ntu5.3..X-Pingba
    00f0  63 6b 3a 20 68 74 74 70 3a 2f 2f 31 37 32 2e 31   ck: http://172.1
    0100  36 2e 36 2e 32 36 2f 78 6d 6c 72 70 63 2e 70 68   6.6.26/xmlrpc.ph
    0110  70 0d 0a 4c 6f 63 61 74 69 6f 6e 3a 20 68 74 74   p..Location: htt
    0120  70 3a 2f 2f 32 30 38 2e 37 32 2e 32 33 31 2e 31   p://208.72.XXX.1
    0130  2f 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74   /..Content-Lengt
    0140  68 3a 20 30 0d 0a 4b 65 65 70 2d 41 6c 69 76 65   h: 0..Keep-Alive
    0150  3a 20 74 69 6d 65 6f 75 74 3d 31 35 2c 20 6d 61   : timeout=15, ma
    0160  78 3d 31 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f   x=100..Connectio
    0170  6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43   n: Keep-Alive..C
    0180  6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78   ontent-Type: tex
    0190  74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d   t/html; charset=
    01a0  55 54 46 2d 38 0d 0a 0d 0a                        UTF-8....

    No.     Time        Source                Destination           Protocol Info
         28 20.183271   208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [FIN, ACK] Seq=426 Ack=393 Win=6912 Len=0

    Frame 28 (54 bytes on wire, 54 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 426, Ack: 393, Len: 0
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 426    (relative sequence number)
        Acknowledgement number: 393    (relative ack number)
        Header length: 20 bytes
        Flags: 0x11 (FIN, ACK)
        Window size: 6912 (scaled)
        Checksum: 0xbdfd [correct]
        [SEQ/ACK analysis]

    No.     Time        Source                Destination           Protocol Info
         43 30.417083   208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [ACK] Seq=427 Ack=394 Win=6912 Len=0

    Frame 43 (54 bytes on wire, 54 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 427, Ack: 394, Len: 0
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 427    (relative sequence number)
        Acknowledgement number: 394    (relative ack number)
        Header length: 20 bytes
        Flags: 0x10 (ACK)
        Window size: 6912 (scaled)
        Checksum: 0xbdfc [correct]
        [SEQ/ACK analysis]

    Message Edited by maclan13 on 02-08-2009 02:11 PM


  • 6.  RE: Port forwarding assistance

    Posted 02-08-2009 14:11
    To 208.72.XXX.1 FW.

     
    No.     Time        Source                Destination           Protocol Info
          6 3.304039    208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 WS=5

    Frame 6 (66 bytes on wire, 66 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 0, Ack: 1, Len: 0
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 0    (relative sequence number)
        Acknowledgement number: 1    (relative ack number)
        Header length: 32 bytes
        Flags: 0x12 (SYN, ACK)
        Window size: 5840
        Checksum: 0x6a67 [correct]
        Options: (12 bytes)
        [SEQ/ACK analysis]

    No.     Time        Source                Destination           Protocol Info
          9 3.321702    208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [ACK] Seq=1 Ack=393 Win=6912 Len=0

    Frame 9 (54 bytes on wire, 54 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 1, Ack: 393, Len: 0
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 1    (relative sequence number)
        Acknowledgement number: 393    (relative ack number)
        Header length: 20 bytes
        Flags: 0x10 (ACK)
        Window size: 6912 (scaled)
        Checksum: 0xbfa7 [correct]
        [SEQ/ACK analysis]

    No.     Time        Source                Destination           Protocol Info
         10 5.232718    208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [PSH, ACK] Seq=1 Ack=393 Win=6912 Len=425

    Frame 10 (479 bytes on wire, 479 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 1, Ack: 393, Len: 425
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 1    (relative sequence number)
        [Next sequence number: 426    (relative sequence number)]
        Acknowledgement number: 393    (relative ack number)
        Header length: 20 bytes
        Flags: 0x18 (PSH, ACK)
        Window size: 6912 (scaled)
        Checksum: 0x7054 [correct]
    Data (425 bytes)


    No.     Time        Source                Destination           Protocol Info
         28 20.183271   208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [FIN, ACK] Seq=426 Ack=393 Win=6912 Len=0

    Frame 28 (54 bytes on wire, 54 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 426, Ack: 393, Len: 0
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 426    (relative sequence number)
        Acknowledgement number: 393    (relative ack number)
        Header length: 20 bytes
        Flags: 0x11 (FIN, ACK)
        Window size: 6912 (scaled)
        Checksum: 0xbdfd [correct]
        [SEQ/ACK analysis]

    No.     Time        Source                Destination           Protocol Info
         43 30.417083   208.72.XXX.1          192.168.1.127         TCP      dnsix > 62179 [ACK] Seq=427 Ack=394 Win=6912 Len=0

    Frame 43 (54 bytes on wire, 54 bytes captured)
    Ethernet II, Src: Cisco-Li_96:97:09 (00:13:10:96:97:09), Dst: IntelCor_7d:ce:21 (00:21:5c:7d:ce:21)
    Internet Protocol, Src: 208.72.XXX.1 (208.72.XXX.1), Dst: 192.168.1.127 (192.168.1.127)
    Transmission Control Protocol, Src Port: dnsix (90), Dst Port: 62179 (62179), Seq: 427, Ack: 394, Len: 0
        Source port: dnsix (90)
        Destination port: 62179 (62179)
        Sequence number: 427    (relative sequence number)
        Acknowledgement number: 394    (relative ack number)
        Header length: 20 bytes
        Flags: 0x10 (ACK)
        Window size: 6912 (scaled)
        Checksum: 0xbdfc [correct]
        [SEQ/ACK analysis]
    Message Edited by maclan13 on 02-08-2009 02:11 PM


  • 7.  RE: Port forwarding assistance
    Best Answer

    Posted 02-08-2009 14:23
    Correct me if I am wrong.  From the trace it looks like the server is responding to the client but with a "HTTP/1.1 Permanently moved" message with a FIN tag.  So it's most likely not a firewall issue but an issue with the configuration of the server.  Guess Apache doesn't like to be called from a different port, because it works when I use port 80 as the forwarded port.
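
An added example, not part of the original thread: a check of the 301 response from the capture above against the port the client actually used (VIP port 90), which also flags response headers that carry an RFC 1918 address. The function names are hypothetical, and the sample headers are copied from the posted capture with the Server banner shortened.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = {301, 302, 303, 307, 308}
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample: headers taken from the packet capture in this thread
# (Server banner shortened, masked octet left as "XXX" exactly as posted).
SAMPLE_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Date: Sun, 08 Feb 2009 21:58:29 GMT\r\n"
    b"Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.3\r\n"
    b"X-Pingback: http://172.16.6.26/xmlrpc.php\r\n"
    b"Location: http://208.72.XXX.1/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) for a response head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(parts[1]), headers


def audit_response(raw, public_host, public_port, scheme="http"):
    """List (kind, detail) findings for a response seen through a port forward."""
    status, headers = parse_head(raw)
    findings = []
    location = headers.get("location", "")
    target = urlsplit(location)
    # A relative Location is resolved by the client against the URL it
    # requested, so the forwarded port survives; only absolute ones can drop it.
    if status in REDIRECTS and target.netloc:
        port = target.port or DEFAULT_PORTS.get(target.scheme or scheme)
        same_host = (target.hostname or "").lower() == public_host.lower()
        if same_host and port != public_port:
            findings.append(("redirect-port-mismatch",
                             f"{location} implies port {port}, client used {public_port}"))
    # Any header value that exposes a private address of the back-end server.
    for name, value in headers.items():
        for text in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue
            if addr.is_private:
                findings.append(("internal-address-leak", f"{name}: {addr}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_response(SAMPLE_301, "208.72.XXX.1", 90):
        print(kind, "|", detail)
```
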


  • 8.  RE: Port forwarding assistance

    Posted 02-08-2009 15:14
    Yup, that's right. From the snoop (unless you turned on snoop detail and set the length) we couldn't really tell.
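
An added example, not part of the original thread: a parser for the header-only snoop records posted earlier that groups packets per client connection and reports handshake completion, bytes sent by the server, and which side sent the first FIN. It assumes the four-hex-digit `flag=` value is the TCP data-offset/flags word (top nibble = header length in 32-bit words, low bits = flags); the sample is an excerpt of the posted snoop output and the function names are hypothetical.

```python
import re

# Constructed sample: seven records excerpted from the snoop output in this thread.
SAMPLE_SNOOP = """\
7017884.0: ethernet1/0(i) len=66:001db5a7c3f0->0010dbff2083/0800
              63.245.XXX.96 -> 208.72.XXX.1/6
              vhl=45, tos=00, id=8744, frag=4000, ttl=125 tlen=52
              tcp:ports 61892->90, seq=2073735551, ack=0, flag=8002/SYN
7017884.0: ethernet1/3(i) len=70:00105a1461fc->0010dbff20b3/8100/0800, tag 6
              172.16.6.26 -> 63.245.XXX.96/6
              vhl=45, tos=00, id=0, frag=4000, ttl=64 tlen=52
              tcp:ports 80->61892, seq=2186208781, ack=2073735552, flag=8012/SYN/ACK
7017885.0: ethernet1/3(i) len=483:00105a1461fc->0010dbff20b3/8100/0800, tag 6
              172.16.6.26 -> 63.245.XXX.96/6
              vhl=45, tos=00, id=44394, frag=4000, ttl=64 tlen=465
              tcp:ports 80->61892, seq=2186208782, ack=2073735944, flag=5018/ACK
7017885.0: ethernet1/0(i) len=66:001db5a7c3f0->0010dbff2083/0800
              63.245.XXX.96 -> 208.72.XXX.1/6
              vhl=45, tos=00, id=8747, frag=4000, ttl=125 tlen=52
              tcp:ports 61893->80, seq=2602272337, ack=0, flag=8002/SYN
7017888.0: ethernet1/0(i) len=66:001db5a7c3f0->0010dbff2083/0800
              63.245.XXX.96 -> 208.72.XXX.1/6
              vhl=45, tos=00, id=8749, frag=4000, ttl=125 tlen=52
              tcp:ports 61893->80, seq=2602272337, ack=0, flag=8002/SYN
7017900.0: ethernet1/3(i) len=64:00105a1461fc->0010dbff20b3/8100/0800, tag 6
              172.16.6.26 -> 63.245.XXX.96/6
              vhl=45, tos=00, id=44395, frag=4000, ttl=64 tlen=40
              tcp:ports 80->61892, seq=2186209207, ack=2073735944, flag=5011/FIN/ACK
7017902.0: ethernet1/0(i) len=60:001db5a7c3f0->0010dbff2083/0800
              63.245.XXX.96 -> 208.72.XXX.1/6
              vhl=45, tos=00, id=8752, frag=4000, ttl=125 tlen=40
              tcp:ports 61892->90, seq=2073735944, ack=2186209208, flag=5011/FIN/ACK
"""

# One snoop record spans four lines: link header, IP pair, IP fields, TCP fields.
REC = re.compile(
    r"^(?P<ts>\d+\.\d+): (?P<ifc>\S+)\(i\) len=\d+:.*\n"
    r"\s+(?P<src>\S+) -> (?P<dst>\S+)/6\n"
    r"\s+vhl=(?P<vhl>[0-9a-f]{2}),.*tlen=(?P<tlen>\d+)\n"
    r"\s+tcp:ports (?P<sp>\d+)->(?P<dp>\d+), seq=\d+, ack=\d+, flag=(?P<flag>[0-9a-f]{4})",
    re.M,
)
FIN, SYN, ACK = 0x01, 0x02, 0x10


def parse_snoop(text):
    """Turn snoop text into a list of per-packet dicts (TCP records only)."""
    pkts = []
    for m in REC.finditer(text):
        word = int(m["flag"], 16)
        ip_hdr = int(m["vhl"][1], 16) * 4      # IHL nibble, in bytes
        tcp_hdr = (word >> 12) * 4             # assumed: top nibble is data offset
        pkts.append({
            "ifc": m["ifc"], "src": m["src"], "dst": m["dst"],
            "sport": int(m["sp"]), "dport": int(m["dp"]),
            "flags": word & 0x3F,
            "payload": int(m["tlen"]) - ip_hdr - tcp_hdr,
        })
    return pkts


def summarize(pkts, server_ip):
    """Group packets by client (ip, port) and record what each connection did."""
    conns = {}
    for p in pkts:
        from_server = p["src"] == server_ip
        key = (p["dst"], p["dport"]) if from_server else (p["src"], p["sport"])
        c = conns.setdefault(key, {"dport": None, "syns": 0, "synack": False,
                                   "server_bytes": 0, "first_fin": None})
        if from_server:
            c["server_bytes"] += p["payload"]
            if p["flags"] & SYN and p["flags"] & ACK:
                c["synack"] = True
        elif p["flags"] & SYN:
            c["syns"] += 1
            c["dport"] = p["dport"]
        if p["flags"] & FIN and c["first_fin"] is None:
            c["first_fin"] = f'{p["src"]} via {p["ifc"]}'
    return conns


if __name__ == "__main__":
    for key, info in summarize(parse_snoop(SAMPLE_SNOOP), "172.16.6.26").items():
        print(key, info)
```
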