PIX - port 8080
Hi :),
I tried my level best to solve this problem, but could not. So I am here to ask help from the experts.
-----Webserver(IIS+Apache Tomcat)
Internet----PIX515E---|
-----Inside
This is my network. Everything is working fine. The webserver is serving two website and has two IPs. I am able to access the websites both from outside and inside.
Now there is a website which runs using port 8080 using Tomcat is support JSP. This is using port 8080. I want to access this webpage both from outside and inside. Internally I have no problems doing so. Externally I am unable to connect to this website.
Since I am using the same server I should be able to access this website by adding the port 8080 at the end of the URL. Internally I can access the website by using the URLs:
www.website1.my:8080
www.website2.my:8080
When I am trying to access it from outside I cannot get through.
I have the port 8080 enabled both on the outside and the dmz.
The commands that I am using to permit access to this port are:
Interface Outside : access-list acl_out permit tcp any host 161.x.x.x eq 8080
Interface Inside: access-list acl_dmz permit tcp any any eq 8080
I have read an article which says that Tomcat has to be integrated with the IIS. Since I can already access the website from inside I assume that this configuration is not needed. I have also checked the firewall and it shows that there are hits for port 8080. I am not sure why this is not working.
Please let me know what has to be done. In the meantime I will try to integrated Tomcat with IIS and see whether anything changes.
Regards,
Prem Kumar.
I tried my level best to solve this problem, but could not. So I am here to ask help from the experts.
-----Webserver(IIS+Apache Tomcat)
Internet----PIX515E---|
-----Inside
This is my network. Everything is working fine. The webserver is serving two website and has two IPs. I am able to access the websites both from outside and inside.
Now there is a website which runs using port 8080 using Tomcat is support JSP. This is using port 8080. I want to access this webpage both from outside and inside. Internally I have no problems doing so. Externally I am unable to connect to this website.
Since I am using the same server I should be able to access this website by adding the port 8080 at the end of the URL. Internally I can access the website by using the URLs:
www.website1.my:8080
www.website2.my:8080
When I am trying to access it from outside I cannot get through.
I have the port 8080 enabled both on the outside and the dmz.
The commands that I am using to permit access to this port are:
Interface Outside : access-list acl_out permit tcp any host 161.x.x.x eq 8080
Interface Inside: access-list acl_dmz permit tcp any any eq 8080
I have read an article which says that Tomcat has to be integrated with the IIS. Since I can already access the website from inside I assume that this configuration is not needed. I have also checked the firewall and it shows that there are hits for port 8080. I am not sure why this is not working.
Please let me know what has to be done. In the meantime I will try to integrated Tomcat with IIS and see whether anything changes.
Regards,
Prem Kumar.
Last Comment
ASKER
Yes I have a static in place for the webserver. I am also using the same ip address for port 80 and 8080. Is that a problem?
I asked one of my friends to connect to the website using port 8080. Insted of getting the site on port 8080 he got the one on port 80.So I belive that I have to change the port to something other than 8080.
I tried to telnet to port 8080, was unable to connect. Connection timed out.
I am a beginner to PIX and have done all the configuration gathering information from the internet. So I am not much confident with the configuration. Anyways this is the configuration. If I am doing soemthing wrong, please correct me.
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name a.a.a.a home
name b.b.b.b tes
access-list acl_out permit tcp any host 161.x.x.a eq www
access-list acl_out permit tcp any host 161.x.x.a eq ftp
access-list acl_out permit tcp any host 161.x.x.b eq www
access-list acl_out permit tcp any host 161.x.x.b eq ftp
access-list acl_out permit tcp any host 161.x.x.b eq 8080
access-list acl_out permit tcp any host 161.x.x.a eq 8080
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq 443
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 554
access-list acl_in permit tcp any any eq 8090
access-list acl_in permit tcp any any eq 3306
access-list acl_in permit tcp any any eq 5100
access-list acl_dmz permit tcp any any eq www
access-list acl_dmz permit tcp any any eq ftp
access-list acl_dmz permit tcp any any eq 443
access-list acl_dmz permit tcp any any eq smtp
access-list acl_dmz permit tcp any any eq pop3
access-list acl_dmz permit udp any any eq domain
access-list acl_dmz permit tcp any any eq 8080
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 161.x.x.x 255.255.255.192
ip address inside 192.x.a.1 255.255.255.0
ip address dmz 192.x.b.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 161.x.x.x
global (dmz) 1 192.x.x.10-192.x.x.20
global (dmz) 1 192.x.x.9
nat (inside) 1 192.x.x.0 255.255.255.0 0 0
nat (dmz) 1 192.x.x.0 255.255.255.0 0 0
static (dmz,outside) 161.x.x.a home netmask 255.255.255.255 0 0
static (dmz,outside) 161.x.x.b tes netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 161.139.184.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.x.x.100 255.255.255.255 inside
telnet 192.x.x.1.100 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
terminal width 80
I belive that this will help you to find the root of the problem
Regards,
Prem Kumar.
I asked one of my friends to connect to the website using port 8080. Insted of getting the site on port 8080 he got the one on port 80.So I belive that I have to change the port to something other than 8080.
I tried to telnet to port 8080, was unable to connect. Connection timed out.
I am a beginner to PIX and have done all the configuration gathering information from the internet. So I am not much confident with the configuration. Anyways this is the configuration. If I am doing soemthing wrong, please correct me.
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name a.a.a.a home
name b.b.b.b tes
access-list acl_out permit tcp any host 161.x.x.a eq www
access-list acl_out permit tcp any host 161.x.x.a eq ftp
access-list acl_out permit tcp any host 161.x.x.b eq www
access-list acl_out permit tcp any host 161.x.x.b eq ftp
access-list acl_out permit tcp any host 161.x.x.b eq 8080
access-list acl_out permit tcp any host 161.x.x.a eq 8080
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq 443
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 554
access-list acl_in permit tcp any any eq 8090
access-list acl_in permit tcp any any eq 3306
access-list acl_in permit tcp any any eq 5100
access-list acl_dmz permit tcp any any eq www
access-list acl_dmz permit tcp any any eq ftp
access-list acl_dmz permit tcp any any eq 443
access-list acl_dmz permit tcp any any eq smtp
access-list acl_dmz permit tcp any any eq pop3
access-list acl_dmz permit udp any any eq domain
access-list acl_dmz permit tcp any any eq 8080
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 161.x.x.x 255.255.255.192
ip address inside 192.x.a.1 255.255.255.0
ip address dmz 192.x.b.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 161.x.x.x
global (dmz) 1 192.x.x.10-192.x.x.20
global (dmz) 1 192.x.x.9
nat (inside) 1 192.x.x.0 255.255.255.0 0 0
nat (dmz) 1 192.x.x.0 255.255.255.0 0 0
static (dmz,outside) 161.x.x.a home netmask 255.255.255.255 0 0
static (dmz,outside) 161.x.x.b tes netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 161.139.184.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.x.x.100 255.255.255.255 inside
telnet 192.x.x.1.100 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
terminal width 80
I belive that this will help you to find the root of the problem
Regards,
Prem Kumar.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Hi,
thank you for very much for the help. I have fixed the problem. I configured tomcat to use a different port and it solved the problem. I think that by default Tomcat uses port 8080 and I have a website running on port 80 as well. I belive that IIS was unable to resolve the query and that resulted in the error. No that I have configured Tomcat to use a different port it works fine.
Thank you for ur help once again.
Regards,
Prem Kumar.
thank you for very much for the help. I have fixed the problem. I configured tomcat to use a different port and it solved the problem. I think that by default Tomcat uses port 8080 and I have a website running on port 80 as well. I belive that IIS was unable to resolve the query and that resulted in the error. No that I have configured Tomcat to use a different port it works fine.
Thank you for ur help once again.
Regards,
Prem Kumar.
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
Are you using the same address as the port 80.....web site???
have you tried to connect using telnet to port 8080...does that work...
have you run a syslog at debugging mode while trying to connect from the outside to see what it sayes???
a config would help alot here...