Solved

PIX - port 8080

Posted on 2004-03-22
Last Modified: 2011-10-03
Hi :),

I tried my level best to solve this problem, but could not. So I am here to ask help from the experts.


                       -----Webserver(IIS+Apache Tomcat)
Internet----PIX515E---|
                       -----Inside

This is my network. Everything is working fine. The webserver is serving two websites and has two IPs. I am able to access the websites both from outside and inside.

Now there is a website which runs on port 8080 using Tomcat, which supports JSP. I want to access this webpage both from outside and inside. Internally I have no problems doing so. Externally I am unable to connect to this website.

Since I am using the same server I should be able to access this website by adding the port 8080 at the end of the URL. Internally I can access the website by using the URLs:
www.website1.my:8080
www.website2.my:8080

When I am trying to access it from outside I cannot get through.

I have the port 8080 enabled both on the outside and the dmz.
The commands that I am using to permit access to this port are:
Interface Outside : access-list acl_out permit tcp any host 161.x.x.x eq 8080
Interface Inside: access-list acl_dmz permit tcp any any eq 8080

I have read an article which says that Tomcat has to be integrated with the IIS. Since I can already access the website from inside I assume that this configuration is not needed. I have also checked the firewall and it shows that there are hits for port 8080. I am not sure why this is not working.

Please let me know what has to be done. In the meantime I will try to integrate Tomcat with IIS and see whether anything changes.

Regards,
Prem Kumar.
Question by:mgpremkumar

Expert Comment

by:hawgpig
ID: 10653812
So you have a static in place for the web server???
Are you using the same address as the port 80.....web site???
Have you tried to connect using telnet to port 8080...does that work...
Have you run a syslog at debugging mode while trying to connect from the outside to see what it says???
A config would help a lot here...


Author Comment

by:mgpremkumar
ID: 10656254
Yes I have a static in place for the webserver. I am also using the same IP address for port 80 and 8080. Is that a problem?

I asked one of my friends to connect to the website using port 8080. Instead of getting the site on port 8080 he got the one on port 80. So I believe that I have to change the port to something other than 8080.

I tried to telnet to port 8080, was unable to connect. Connection timed out.

I am a beginner to PIX and have done all the configuration gathering information from the internet. So I am not much confident with the configuration. Anyways this is the configuration. If I am doing something wrong, please correct me.

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name a.a.a.a home
name b.b.b.b tes
access-list acl_out permit tcp any host 161.x.x.a eq www
access-list acl_out permit tcp any host 161.x.x.a eq ftp
access-list acl_out permit tcp any host 161.x.x.b eq www
access-list acl_out permit tcp any host 161.x.x.b eq ftp
access-list acl_out permit tcp any host 161.x.x.b eq 8080
access-list acl_out permit tcp any host 161.x.x.a eq 8080
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq 443
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 554
access-list acl_in permit tcp any any eq 8090
access-list acl_in permit tcp any any eq 3306
access-list acl_in permit tcp any any eq 5100
access-list acl_dmz permit tcp any any eq www
access-list acl_dmz permit tcp any any eq ftp
access-list acl_dmz permit tcp any any eq 443
access-list acl_dmz permit tcp any any eq smtp
access-list acl_dmz permit tcp any any eq pop3
access-list acl_dmz permit udp any any eq domain
access-list acl_dmz permit tcp any any eq 8080
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 161.x.x.x 255.255.255.192
ip address inside 192.x.a.1 255.255.255.0
ip address dmz 192.x.b.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 161.x.x.x
global (dmz) 1 192.x.x.10-192.x.x.20
global (dmz) 1 192.x.x.9
nat (inside) 1 192.x.x.0 255.255.255.0 0 0
nat (dmz) 1 192.x.x.0 255.255.255.0 0 0
static (dmz,outside) 161.x.x.a home netmask 255.255.255.255 0 0
static (dmz,outside) 161.x.x.b tes netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 161.139.184.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.x.x.100 255.255.255.255 inside
telnet 192.x.x.1.100 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
terminal width 80

I believe that this will help you to find the root of the problem.
Regards,
Prem Kumar.

Accepted Solution

by:hawgpig (earned 50 total points)
ID: 10657743
Your config looks fine.....
I have a suspicion that your ISP is blocking port 8080...
This is very common since 8080 is a management port for a lot of routers/firewalls
The only real way to see what is happening is to run a syslog at debugging mode
and look at the interesting traffic....
Here is the set up for the syslog
These links might help.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/syslog/pixemint.htm

This is a freeware syslog server software....It is the second link down (3dv2r10.exe) at the first link;
http://www.ncat.co.uk/Download/
http://www.kiwisyslog.com

Syslog Error messages.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm


Here is the setup in a nutshell
Install the syslog server software on an internal host.
Type the following at the console
logging host inside 192.168.1.5 <(internal static IP address where you installed the Syslog server software)
logging trap 7
logging on
write mem

Make sure you do a
no logging on (turns off logging)
after testing
or do a
logging trap warnings (lowers the logging level to 4)
or
logging trap notifications (lowers the logging level to 5)
OR
Turn off logging altogether
no logging on
Don't forget a
write mem

start the syslog by typing
logging on
Then have a friend from the outside try to connect via browser and via telnet on port 8080
stop the syslog by typing
no logging on
go to the syslog file and open it...
do a search for your friend's address....
when you find the build up in the syslog from your friend's source IP address then look to make sure it was trying to connect on port 8080 on your destination address.....
find the connection number in that line and do another find for that connection number
you should find a teardown with the same connection number....
at the end of this line it will give the reason for the teardown.....
RESET-I, RESET-O, SYN TIMEOUT, Etc....

If you can get me that I can tell you why it is not connecting...
Also look for any DENY statements with your friend's IP address.....
This can also tell you there is a problem in your access-lists....

If your syslog shows no information from your friend's address....it is being blocked or rerouted....
You may also have a misconfiguration on your server......
i.e. it is not listening for traffic on the right port...

Do the syslog it will tell you all you need to know...

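The build-up/teardown search hawgpig describes above can be scripted. As an added example (not from the thread or from Cisco), this Python keeps only lines mentioning the friend's source address, pairs Built and Teardown messages by connection number for the destination port under test, reports each teardown reason, and lists any denies against that address. The log lines are constructed in the style of PIX 6.x syslog output; the addresses are placeholders, not the poster's.

```python
import re

# Constructed sample lines in the style of PIX 6.x syslog output (not captured from the poster's
# firewall). 203.0.113.5 stands in for the friend's outside address, 192.0.2.10 is a placeholder
# for the static's global address (161.x.x.a) and 192.168.2.10 for the DMZ web server.
SAMPLE_LOG = """\
%PIX-6-302001: Built inbound TCP connection 4101 for faddr 203.0.113.5/51234 gaddr 192.0.2.10/80 laddr 192.168.2.10/80
%PIX-6-302002: Teardown TCP connection 4101 faddr 203.0.113.5/51234 gaddr 192.0.2.10/80 laddr 192.168.2.10/80 duration 0:00:03 bytes 5120 (TCP FINs)
%PIX-6-302001: Built inbound TCP connection 4102 for faddr 203.0.113.5/51240 gaddr 192.0.2.10/8080 laddr 192.168.2.10/8080
%PIX-6-302002: Teardown TCP connection 4102 faddr 203.0.113.5/51240 gaddr 192.0.2.10/8080 laddr 192.168.2.10/8080 duration 0:00:30 bytes 0 (SYN Timeout)
%PIX-4-106001: Inbound TCP connection denied from 203.0.113.5/51250 to 192.0.2.10/8090 flags SYN on interface outside
%PIX-6-302001: Built inbound TCP connection 4103 for faddr 198.51.100.7/40000 gaddr 192.0.2.10/8080 laddr 192.168.2.10/8080
"""

# Build-up/teardown lines: the direction word ("inbound") is present on Built, absent on Teardown.
CONN_RE = re.compile(r"(Built|Teardown) (?:\w+ )?TCP connection (\d+) .*?gaddr (\S+)/(\d+)")
# The teardown reason trails the byte count, e.g. "bytes 0 (SYN Timeout)".
REASON_RE = re.compile(r"bytes \d+ \(?([^)]*?)\)?\s*$")

def analyze(log_text, friend_ip, dst_port):
    """Pair Built/Teardown by connection number for friend_ip -> dst_port and collect denies."""
    built = {}  # connection number -> Built line
    result = {"seen": False, "built": 0, "teardowns": {}, "denies": []}
    for line in log_text.splitlines():
        if friend_ip not in line:
            continue  # only the friend's address matters, as in the manual search
        result["seen"] = True
        if "denied" in line.lower():
            result["denies"].append(line)  # points at an access-list problem
            continue
        m = CONN_RE.search(line)
        if not m or int(m.group(4)) != dst_port:
            continue
        kind, conn_id = m.group(1), m.group(2)
        if kind == "Built":
            built[conn_id] = line
            result["built"] += 1
        elif conn_id in built:
            r = REASON_RE.search(line)
            result["teardowns"][conn_id] = r.group(1).strip() if r else "unknown"
    return result

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "203.0.113.5", 8080)
    if not report["seen"]:
        print("nothing from that address reached the PIX: blocked or rerouted upstream")
    for conn_id, reason in report["teardowns"].items():
        print(f"connection {conn_id} torn down: {reason}")  # SYN Timeout: server never answered
    for line in report["denies"]:
        print("denied:", line)
```

A SYN Timeout teardown with zero bytes means the PIX built the connection but the server behind the static never answered on that port, which matches the "server not listening on the right port" case rather than an ISP block.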

Author Comment

by:mgpremkumar
ID: 10720864
Hi,

Thank you very much for the help. I have fixed the problem. I configured Tomcat to use a different port and it solved the problem. I think that by default Tomcat uses port 8080 and I have a website running on port 80 as well. I believe that IIS was unable to resolve the query and that resulted in the error. Now that I have configured Tomcat to use a different port it works fine.

Thank you for your help once again.

Regards,
Prem Kumar.