
Strange problem w/ NetScreen firewall - GURUs needed

multiband8303

Senior member
I have a website - itiwnet.com - and can't access it on one leg of my network.

One leg uses a PIX
The other uses a netscreen

My leg via the PIX firewall accesses the site fine - I can telnet into it through port 80 (216.170.53.5) - however on my leg with the NetScreen I cannot. Makes me think that in one of my firewalls there's a rule that disables access to this specific address, well....there isn't - basically the same rules as the other leg.

Help.
 
So users can access ALL websites except for yours? Strange. Here are a few things you can do:

1. TEST1: From one of the workstations on the NETSCREEN side, try to PING your website and verify the IP it resolves to.
2. TEST2: Trace-route (again NETSCREEN side) - tracert on a Windows-based machine; for example, run 'tracert www.yourdomain.com' and check where it's getting stuck.
3. DNS: Are you hosting your own internal DNS server? If so, check for any records which might affect your site, i.e. an [A] record pointing to the wrong IP.
4. RULES: Triple-check your firewall rules; since users can access other websites it's VERY possible you might have overlooked something... This has happened to the best of us!

Let me know.
 
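The checklist above (resolve the name, trace the path, telnet to port 80, then 25/110) can be run as one script from a workstation on either leg. This is an added example written for this thread, not code from the original posts: only the hostname itiwnet.com and the address 216.170.53.5 come from the thread; the port list, timeouts and result labels are assumptions. The point it adds is the distinction between a connection that is refused (the host answered with an RST, so the path is fine) and one that times out (nothing came back, which is what a firewall that silently drops looks like).

```python
"""TCP reachability checks for the TEST1/TEST2/port steps above.

Added example for this thread, not code from the original posts. Only the
hostname itiwnet.com and the address 216.170.53.5 come from the thread; the
port list, timeouts and result labels are assumptions for illustration.
"""
import socket

EXPECTED_IP = "216.170.53.5"   # the server IP quoted in the thread


def resolve(host):
    """Return the IPv4 address a name resolves to, or None if resolution fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def classify_tcp(ip, port, timeout=3.0):
    """Attempt a TCP connect and classify what the network did with the SYN.

    open     -> handshake completed (the 'telnet to port 80' test succeeds)
    refused  -> RST came back: host reachable, nothing listening or a reject rule
    timeout  -> no answer at all: what a firewall that silently drops looks like
    error    -> other OS error, e.g. no route to host
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def probe(host, ports=(80, 443, 25, 110), expected_ip=None, timeout=3.0):
    """Resolve the name (TEST1/DNS) and classify each port from this leg."""
    ip = resolve(host)
    result = {"host": host, "resolved": ip, "dns_ok": ip is not None, "ports": {}}
    if expected_ip is not None:
        result["dns_ok"] = ip == expected_ip   # a wrong internal A record shows up here
    if ip is None:
        return result
    for port in ports:
        result["ports"][port] = classify_tcp(ip, port, timeout)
    return result


def diagnosis(result, port=80):
    """Reduce a probe result to the branch of the checklist to follow next."""
    if not result["dns_ok"]:
        return "dns"            # wrong or missing record on this leg: DNS / hosts file
    state = result["ports"].get(port)
    if state == "open":
        return "reachable"
    if state == "refused":
        return "closed"         # path is fine, service is not listening
    others = [s for p, s in result["ports"].items() if p != port]
    if state == "timeout" and any(s in ("open", "refused") for s in others):
        return "filtered"       # host answers on other ports but this one is dropped: rules
    return "unreachable"        # nothing answers: path, route, or a rule dropping everything


def loopback_demo():
    """Offline check of classify_tcp against a listener on 127.0.0.1 (no DNS needed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = classify_tcp("127.0.0.1", port)
    srv.close()
    closed = classify_tcp("127.0.0.1", port)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    r = probe("itiwnet.com", expected_ip=EXPECTED_IP)
    print(r)
    print("diagnosis:", diagnosis(r))
```

Run it once behind the PIX and once behind the NetScreen and compare the two result dicts. A leg where ping works (as reported later in the thread) but every TCP port times out still points at a filter in front of the server, since ICMP is answered and TCP is not; the script only sees the TCP side, so read "unreachable" together with your ping result.
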
1) Ping is fine - resolves to the identical IP; like I said though, I cannot telnet into it through port 80 on the NetScreen side.
2) Hops on BOTH sides drop at the same place.
3) I will have to examine that - I do network admin for multiple companies.....hard for me to remember who we do and who we don't - but that is something I forgot to overlook. I imagine the DNS on both sides point to the same side - since they join at the same DC.
4) Dear God, I do not want to review those rules again....but I will - please keep in touch on this thread. I'm going to lunch now - I will try these out within the next 2 hours and post any new results.
 
Quick thought, are there ANY rules in the firewall for your web server IP?

Since you can ping its IP there is something blocking port 80 traffic (but you knew that already 🙂). Is there a mail server running on it? Maybe you can try to telnet to port 25 or 110.

Let me know.
 
If you want to post the NetScreen rules - go to the config and support page, you can copy and paste it here ... and you can remove all the IPs or replace them with a.b.c.d.

 
Originally posted by: GrammatonJP
If you want to post the NetScreen rules - go to the config and support page, you can copy and paste it here ... and you can remove all the IPs or replace them with a.b.c.d.


Great idea!
 
set address Trust "192.168.123.0_3" 192.168.123.0 255.255.255.0 "Created by vpn wizard"
set address Trust "Walker All Subnets" 192.168.0.0 255.255.0.0
set address Trust "Walker Lan" 192.168.0.0 255.255.255.0
set address Trust "Walker Lan (123)" 192.168.123.0 255.255.255.0
set address Untrust "10.0.0.0" 10.0.0.0 255.255.255.0 "Created by vpn wizard"
set address Untrust "10.0.0.0_0" 10.0.0.0 255.255.255.0 "Created by vpn wizard"
set address Untrust "10.0.0.0_1" 10.0.0.0 255.255.255.0 "Created by vpn wizard"
set address Untrust "192.168.1.0" 192.168.1.0 255.255.255.0 "Created by vpn wizard"
set address Untrust "Network Center Firewall" 6xxxxxxx 255.255.255.192
set snmp name "ns5xp"
set user "vpnuser@insfnbwalker.com" uid 1
set user "vpnuser@insfnbwalker.com" ike-id u-fqdn "vpnuser@insfnbwalker.com" share-limit 1
set user "vpnuser@insfnbwalker.com" type ike
set user "vpnuser@insfnbwalker.com" "enable"
set user "fnbins" uid 2
set user "fnbins" ike-id u-fqdn "fnbins" share-limit 1
set user "fnbins" type ike
set user "fnbins" "enable"
set ike gateway "Gateway for fnbins" dialup "fnbins" Aggr outgoing-interface "untrust" preshare "!fnbins!" sec-level compatible
set ike gateway "Gateway for fnbins" nat-traversal udp-checksum
set ike gateway "Gateway for fnbins" nat-traversal keepalive-frequency 5
set ike gateway "255.255.255.255" ip 255.255.255.255 Main outgoing-interface "untrust" preshare "frog" sec-level standard
set ike gateway "Gateway for 192.168.1.0" ip 209.81.118.137 Main outgoing-interface "untrust" preshare "!walker!" sec-level standard
set ike gateway "Gateway for 192.168.1.0" nat-traversal
set ike gateway "Gateway for 192.168.1.0" nat-traversal udp-checksum
set ike gateway "Gateway for 192.168.1.0" nat-traversal keepalive-frequency 5
set ike policy-checking
set ike respond-bad-spi 1
set vpn "Tunnel for fnbins" id 9 gateway "Gateway for fnbins" no-replay tunnel idletime 0 sec-level compatible
set vpn "Tunnel for 192.168.1.0" id 11 gateway "Gateway for 192.168.1.0" no-replay tunnel idletime 0 sec-level standard
set vpn "Tunnel for 192.168.1.0" monitor
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set policy id 11 from "Trust" to "Untrust" "192.168.123.0_3" "192.168.1.0" "ANY" Tunnel vpn "Tunnel for 192.168.1.0" id 12 pair-policy 10
set policy id 10 from "Untrust" to "Trust" "192.168.1.0" "192.168.123.0_3" "ANY" Tunnel vpn "Tunnel for 192.168.1.0" id 12 pair-policy 11
set policy id 9 from "Untrust" to "Trust" "Dial-Up VPN" "Walker Lan (123)" "ANY" Tunnel vpn "Tunnel for fnbins" id 10
set policy id 5 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "POP3" Permit
set policy id 4 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "MAIL" Permit
set policy id 3 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "HTTPS" Permit
set policy id 2 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "HTTP" Permit
set policy id 0 from "Trust" to "Untrust" "Any" "Any" "ANY" Permit log
set policy id 6 from "Untrust" to "Global" "Any" "VIP::1" "PC-Anywhere" Permit
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set dns host dns1 209.81.96.49
set dns host dns2 209.81.96.130
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface untrust gateway 209.81.118.129
exit
set vrouter "trust-vr"
unset add-default-route
set route 192.168.0.0/24 interface trust gateway 192.168.123.50
 
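The "triple check your rules" step is easier against a dump like the one above when the policy lookup is done mechanically rather than by eye. The following is an added example written for this thread, not code from the original posts or from the NetScreen product: it parses the `set address` and `set policy` lines from the posted config (kept in the posted order, since ScreenOS searches the policies for a zone pair top to bottom and the first match wins) and answers "which policy does a flow from X to Y on port P hit?". The port numbers for the predefined service names (HTTP, HTTPS, MAIL, POP3) are assumptions; VIP::1 and Dial-Up VPN are not plain address objects and are treated as non-matching here. Two things the dump itself shows are worth noting while you are in it: the IPs were redacted (6xxxxxxx) but the IKE `preshare` values were left in, and outbound policy 0 is a Trust-to-Untrust Any/Any/ANY Permit, so a 192.168.123.x host going to 216.170.53.5:80 should be permitted by this box.

```python
"""ScreenOS policy lookup over the config posted above.

Added example for this thread, not code from the original posts or from
NetScreen. Service port numbers below are assumptions for illustration.
"""
import ipaddress
import re

# Excerpt of the posted config (addresses and policies only), in the posted order.
# ScreenOS walks the policies for a zone pair top to bottom; the first match wins.
CONFIG = r'''
set address Trust "192.168.123.0_3" 192.168.123.0 255.255.255.0 "Created by vpn wizard"
set address Trust "Walker All Subnets" 192.168.0.0 255.255.0.0
set address Trust "Walker Lan" 192.168.0.0 255.255.255.0
set address Trust "Walker Lan (123)" 192.168.123.0 255.255.255.0
set address Untrust "192.168.1.0" 192.168.1.0 255.255.255.0 "Created by vpn wizard"
set address Untrust "Network Center Firewall" 6xxxxxxx 255.255.255.192
set policy id 11 from "Trust" to "Untrust" "192.168.123.0_3" "192.168.1.0" "ANY" Tunnel vpn "Tunnel for 192.168.1.0" id 12 pair-policy 10
set policy id 10 from "Untrust" to "Trust" "192.168.1.0" "192.168.123.0_3" "ANY" Tunnel vpn "Tunnel for 192.168.1.0" id 12 pair-policy 11
set policy id 9 from "Untrust" to "Trust" "Dial-Up VPN" "Walker Lan (123)" "ANY" Tunnel vpn "Tunnel for fnbins" id 10
set policy id 2 name "Created by policy wizard" from "Untrust" to "Global" "Any" "VIP::1" "HTTP" Permit
set policy id 0 from "Trust" to "Untrust" "Any" "Any" "ANY" Permit log
set policy id 6 from "Untrust" to "Global" "Any" "VIP::1" "PC-Anywhere" Permit
'''

# Assumed (proto, port) for the predefined service names used in the excerpt.
# "ANY" matches every service and is handled separately.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443),
            "MAIL": ("tcp", 25), "POP3": ("tcp", 110)}

ADDR_RE = re.compile(r'^set address (\S+) "([^"]+)" (\S+) (\S+)')
POLICY_RE = re.compile(
    r'^set policy id (\d+) (?:name "[^"]*" )?from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (Tunnel|Permit|Deny|Reject)')


def parse(config):
    """Return ({(zone, name): network_or_None}, [policy dicts in lookup order])."""
    addresses, policies = {}, []
    for line in config.splitlines():
        m = ADDR_RE.match(line)
        if m:
            zone, name, ip, mask = m.groups()
            try:
                addresses[(zone, name)] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            except ValueError:
                addresses[(zone, name)] = None   # redacted in the post (6xxxxxxx): never matches
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, from_zone, to_zone, src, dst, svc, action = m.groups()
            policies.append({"id": int(pid), "from": from_zone, "to": to_zone,
                             "src": src, "dst": dst, "service": svc, "action": action})
    return addresses, policies


def addr_matches(addresses, zone, name, ip):
    """"Any" matches everything; unknown objects (VIP::1, Dial-Up VPN) match nothing here."""
    if name == "Any":
        return True
    net = addresses.get((zone, name))
    return net is not None and ip in net


def service_matches(name, proto, port):
    return name == "ANY" or SERVICES.get(name) == (proto, port)


def lookup(addresses, policies, from_zone, to_zone, src, dst, proto="tcp", port=80):
    """First policy for the zone pair that matches src, dst and service, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["from"], p["to"]) != (from_zone, to_zone):
            continue
        if (addr_matches(addresses, p["from"], p["src"], src)
                and addr_matches(addresses, p["to"], p["dst"], dst)
                and service_matches(p["service"], proto, port)):
            return p
    return None   # no policy for this pair: ScreenOS drops the traffic by default


if __name__ == "__main__":
    addresses, policies = parse(CONFIG)
    for dst in ("216.170.53.5", "192.168.1.20"):
        p = lookup(addresses, policies, "Trust", "Untrust", "192.168.123.10", dst)
        print(dst, "->", p and (p["id"], p["action"]))
```

For the flow in question (192.168.123.x to 216.170.53.5, tcp/80) the lookup lands on policy 0, Permit, so the posted policies do not explain the block on their own; that is consistent with the later advice in the thread to look at the gateway behind the NetScreen as well. The same lookup also shows that only 192.168.123.0/24 is steered into the 192.168.1.0 tunnel by policy 11, and a source outside that subnet falls through to policy 0.
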
So both port 443 (HTTPS) and 80 (HTTP) don't work. You mentioned 'as a secured site'; are you testing on a Windows 2003 Server box?
Also, on the machine you're testing with, set its DNS to an external source and check the hosts file.

It REALLY sounds like a firewall issue... Check your rules in the NetScreen and in its GATEWAY (where users are sent after they pass through the NetScreen).

Also, post ANY additional info you might have access to.


 