Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 844
  • Last Modified:

Can't access webserver through PIX 506E

I'm not sure what i did, but now i can't access my webserver.  Below is my config of my firewall.  Can you see what i did wrong?

X.X.X.X = PUBLIC IP
192.168.0.1 = IP address of webserver i'm trying to get to.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside_in permit tcp any host 192.168.0.1 eq www
access-list inside_outbound_nat0_acl permit ip host 192.168.0.122 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host 192.168.0.1 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list lanextention permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_access_in permit tcp any interface outside eq www
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.0.150-192.168.0.160
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.122 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.119 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.192 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.0.1 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.1 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.1 c:/TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 match address lanextention
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
terminal width 80
0
sbock
Asked:
sbock
  • 6
  • 5
1 Solution
 
grbladesCommented:
Hi sbock,
> access-list acl_outside_in permit tcp any host 192.168.0.1 eq www
You have the internal IP address listed in your access list. Enter the following to fix the problem :-

no access-list outside_in
access-list acl_outside_in permit tcp any any eq www
access-group outside_access_in in interface outside
0
 
sbockAuthor Commented:
The following gave me an error....

"no access-list outside_in
access-group outside_access_in in interface outside"

Said that it does not exist.

0
 
grbladesCommented:
Sorry those commands should have been :-

no access-list acl_outside_in
access-list acl_outside_in permit tcp any any eq www
access-group acl_outside_in in interface outside
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
sbockAuthor Commented:
nope, it still doesn't work.  anything else i can try?
0
 
sbockAuthor Commented:
here is my latest and greatest config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside_in permit tcp any any eq www
access-list inside_outbound_nat0_acl permit ip host 192.168.0.122 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host 192.168.0.1 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list lanextention permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.0.150-192.168.0.160
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.122 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.119 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.192 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.0.1 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.1 www netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.1 c:/TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 match address lanextention
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
0
 
grbladesCommented:
I can't see anything wrong.
Are you testing the connection to the webserver from somewhere else on the internet?
Are you trying to use just a normal http: connection?
0
 
sbockAuthor Commented:
i can test the webserver through the intranet and it works fine.  I was trying to set it up so that when somebody goes to my public IP address it allows  the connection through port 80 and brings up my website.
0
 
grbladesCommented:
How are you testing to see if it can be reached via the internet?
You cannot access the public IP address of your PIX from another machine on the inside of the same PIX. In order to test your configuration you have to use a different machine with its own internet connection or configure your browser to use a proxy server.

If you want to post your current IP address I can test it for you. I am only going to be round for another 15 minutes or so though.
0
 
sbockAuthor Commented:
i have a friend testing it from his house.  
0
 
grbladesCommented:
What about if you configure the webserver to also listen on port 81 and add the following configuration:-
access-list acl_outside_in permit tcp any any eq www
static (inside,outside) tcp interface 81 192.168.0.1 81 netmask 255.255.255.255 0 0
Can you now access it via http://your.ip.address:81 ?

If you can then maybe it is the http server in the PIX causing problems. You have a 255.255.255.248 netmask so you have additional IP addresses assigned to you?

Some ISP's may block access to port 80 on your machine because of the worm/virus problems. Do you know that your ISP does not do this?
0
 
sbockAuthor Commented:
i hooked up my linux server and setup the static entry in the pix and it worked.  So, its my other IIS webserver.  Thanks for the help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now