Who Me Too'd this topic

Inbound traffic to DMZ issue

L1 Bithead

We have reports of certain users not being able to access our public website, but the majority of users are able to. The traffic log shows that the application is incomplete. Packet capture reveals the 3-way handshake does not complete and the session times out. The same person who is NOT able to access the public website is able to access another website of ours that is hosted on another IP address but on the same firewall. The differences between the two sites are as follows:

Different external IPs but same subnet

Different internal Zones (1 server is on DMZ; not working and 1 server is on the Trust zone; working)

Different gateways, different switches

The DMZ's gateway is the firewall while the server on the trust side's gateway is a core switch

Has anyone seen something like this before? Again, it works for 99% of the users, but there are a number of users that are not able to get to the website for some reason. We initially thought it could be a routing issue with the ISP that we use, since the majority of the users who reported the issue belong to the same ISP that we use. HOWEVER, we did find a user who uses the same ISP and IS ABLE to browse.

NAT is a regular destination NAT

Untrust to Untrust

Src IP: Any

Dst IP: Public IP of server

Destination translation IP: DMZ IP of the server

Policy is a regular allow inbound policy

allow access to website

Zone: Untrust to DMZ

Src IP: Any

Dst IP: External IP of DMZ server

Some other info that might help.

There are two ISPs but only one is used and the other is a backup in case the other one is down. I'm using PBF to achieve this as per the PBF doc/KB.

There is a zone protection profile with all of the protections enabled. I removed it temporarily, but it didn't help.

I tried a static bi-directional NAT as a test, but it didn't seem to help.

Any help would be appreciated!
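The post's evidence is a traffic log full of "incomplete" sessions (PAN-OS's label for a TCP session whose handshake never finished or that carried no data) from some sources but not others, against one NAT'd DMZ address while a second site on the same firewall works. The script below is an added example, not code from the post or from Palo Alto Networks: it reads a constructed, simplified CSV export (the real PAN-OS field order has many more columns), counts handshake failures versus completed sessions per source IP for the failing destination, isolates the sources that fail to the DMZ site yet succeed against the working site, and buckets them by /24 so a shared-ISP pattern is visible. All addresses are documentation ranges and the column names are assumptions.

```python
"""Triage PAN-OS-style traffic log rows for a NAT'd DMZ service (added example)."""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample export with a simplified column layout (assumption, not the
# real PAN-OS field order). app == "incomplete" means the TCP handshake never
# completed or no application data followed it; "web-browsing"/"ssl" mean the
# session carried data. 198.51.100.5 is the DMZ site that fails for some clients,
# 198.51.100.6 is the Trust-zone site that works for everyone.
SAMPLE_LOG = """\
src_ip,dst_ip,nat_dst_ip,app,bytes_received,session_end_reason
203.0.113.10,198.51.100.5,10.10.10.5,incomplete,0,aged-out
203.0.113.10,198.51.100.5,10.10.10.5,incomplete,0,aged-out
203.0.113.10,198.51.100.6,10.20.20.6,ssl,9120,tcp-fin
203.0.113.44,198.51.100.5,10.10.10.5,incomplete,0,aged-out
203.0.113.77,198.51.100.5,10.10.10.5,web-browsing,4210,tcp-fin
198.18.0.4,198.51.100.5,10.10.10.5,incomplete,0,aged-out
198.18.0.4,198.51.100.5,10.10.10.5,web-browsing,2200,tcp-fin
192.0.2.9,198.51.100.6,10.20.20.6,web-browsing,1802,tcp-fin
"""


def parse_rows(text):
    """Parse the CSV export into a list of dicts, converting the byte count to int."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["bytes_received"] = int(row["bytes_received"])
    return rows


def session_outcomes(rows, dst_ip):
    """Per source IP, count handshake failures vs. completed sessions to dst_ip."""
    stats = defaultdict(lambda: {"incomplete": 0, "complete": 0})
    for row in rows:
        if row["dst_ip"] != dst_ip:
            continue
        key = "incomplete" if row["app"] == "incomplete" else "complete"
        stats[row["src_ip"]][key] += 1
    return dict(stats)


def affected_sources(rows, dst_ip):
    """Sources that never completed a session to dst_ip, sorted numerically.

    A source with at least one completed session (e.g. a successful retry) is
    treated as working, so only consistently failing clients are returned.
    """
    stats = session_outcomes(rows, dst_ip)
    failing = [src for src, c in stats.items() if c["incomplete"] and not c["complete"]]
    return sorted(failing, key=ipaddress.ip_address)


def fail_here_work_there(rows, dst_ip, control_ip):
    """Sources that fail to dst_ip but complete sessions to control_ip.

    This is the pattern in the post: the same client cannot reach the DMZ site
    but can reach the other site behind the same firewall, which rules out the
    client and the upstream path as the whole explanation.
    """
    failing = set(affected_sources(rows, dst_ip))
    ok_control = {src for src, c in session_outcomes(rows, control_ip).items()
                  if c["complete"]}
    return sorted(failing & ok_control, key=ipaddress.ip_address)


def group_by_prefix(sources, prefixlen=24):
    """Bucket source IPs by /prefixlen so a cluster from one ISP stands out."""
    buckets = defaultdict(list)
    for src in sources:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        buckets[str(net)].append(src)
    return dict(buckets)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LOG)
    dmz_site, trust_site = "198.51.100.5", "198.51.100.6"
    failing = affected_sources(rows, dmz_site)
    print("consistently failing to DMZ site:", failing)
    print("fail DMZ site but reach Trust site:",
          fail_here_work_there(rows, dmz_site, trust_site))
    print("failing sources by /24:", group_by_prefix(failing))
```

Run it against a real export by replacing SAMPLE_LOG with the contents of a traffic-log CSV filtered to the NAT'd public address and mapping the column names to the exporter's own. Because a client that eventually completes a session is excluded from affected_sources, the output separates clients that never get past the handshake from ones that merely retried, which is the distinction the packet capture in the post is pointing at.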