ScreenOS Firewalls (NOT SRX)

Why can't I forward to my DMZ Web Server?

03-21-2013 05:01 PM

I have a simple network on SSG20 running 6.3.0r13.0

4 zones

Trust (2 interfaces: 10.1.1.0 and 10.66.0.0)

1 Untrust (1 Public interface - public ISP)

DMZ (1 interface 10.1.2.0)

Untrust is connected to static IP from ISP.

Untrust has VIP pointing to web server in DMZ (port 81) and a server in Trust (port 80)

The VIP to Trust works fine.

From DMZ I can access Trust and Untrust services (have Any-Any policies for now)

I have src-NATed DMZ-to-Untrust Policy

I have Internet access from Trust (and DMZ also) via route configuration. See attached cfg.

For the life of me, I cannot figure out why traffic is not getting forwarded from the Internet to the DMZ server! When I do a debug trace, I see traffic being forwarded to the DMZ server (10.1.2.4), but nothing comes back. How can that be when the server 10.1.2.4 has full access to the outside?

Much appreciated.

Solution (accepted by topic author acclaim, 08-26-2015 01:27 AM)

Re: Why can't I forward to my DMZ Web Server?

03-21-2013 07:18 PM

Hi,

1. Do a 'get vip' and check the status of the VIP on the DMZ.
2. Do src-nat on policy id 15.
3. get log traffic policy 15

If after the above 3 steps you don't see a response from the server, then I suggest doing a packet capture on the server.

Hope this helps.

Regards.
Hardeep


Re: Why can't I forward to my DMZ Web Server?

03-22-2013 07:28 AM

You are correct!

The issue was on the server. After doing a tcpdump trace, I realized the Linux firewall was blocking port 80.

thanks
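
The check both replies converge on is a packet capture on the server itself: SYNs that arrive at 10.1.2.4 but never get a SYN-ACK back point at the host (host firewall or nothing listening), not at the ScreenOS VIP or policy. The following is an added example, not code from the thread; it parses constructed tcpdump-style lines (the client addresses, ports and timestamps are made up) and reports connection attempts the server never answered.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style output as captured on the DMZ web
# server (10.1.2.4). Client addresses and timestamps are invented for this
# example; 203.0.113.10 retries its SYN to port 80 three times and never gets
# a SYN-ACK, while an SSH connection from 10.1.1.50 is answered normally.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 10.1.2.4.80: Flags [S], seq 1000, win 65535, length 0
12:00:04.000002 IP 203.0.113.10.51234 > 10.1.2.4.80: Flags [S], seq 1000, win 65535, length 0
12:00:10.000003 IP 203.0.113.10.51234 > 10.1.2.4.80: Flags [S], seq 1000, win 65535, length 0
12:00:12.000004 IP 10.1.1.50.40000 > 10.1.2.4.22: Flags [S], seq 2000, win 65535, length 0
12:00:12.000005 IP 10.1.2.4.22 > 10.1.1.50.40000: Flags [S.], seq 3000, ack 2001, win 65535, length 0
"""

# Matches the "timestamp IP src.sport > dst.dport: Flags [..]" prefix tcpdump
# prints for TCP packets.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def find_unanswered_syns(capture: str, server_ip: str) -> dict:
    """Return {(client_ip, client_port, server_port): syn_count} for TCP
    connection attempts to server_ip that never received a SYN-ACK.

    Inbound SYNs with no SYN-ACK mean the packets reached the host's NIC,
    so the firewall/VIP in front of it is not the problem; look at the host
    firewall or at whether anything listens on that port."""
    syns = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if dst == server_ip and flags == "S":
            syns[(src, int(sport), int(dport))] += 1
        elif src == server_ip and flags == "S.":
            # SYN-ACK: key it by the client side so it matches the SYN entry.
            answered.add((dst, int(dport), int(sport)))
    return {key: count for key, count in syns.items() if key not in answered}


if __name__ == "__main__":
    for (client, cport, sport), count in find_unanswered_syns(SAMPLE_CAPTURE, "10.1.2.4").items():
        print(f"{client}:{cport} -> port {sport}: {count} SYN(s), no SYN-ACK from server")
```

Run against a real capture taken on the server (for example `tcpdump -nn tcp port 80`), a non-empty result for the VIP's target port is the signature the original poster saw: the firewall forwarded the traffic, the host dropped it.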