Solved

Can't access webserver through PIX 506E

Posted on 2004-08-13
11
804 Views
Last Modified: 2010-04-11
I'm not sure what i did, but now i can't access my webserver.  Below is my config of my firewall.  Can you see what i did wrong?

X.X.X.X = PUBLIC IP
192.168.0.1 = IP address of webserver i'm trying to get to.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside_in permit tcp any host 192.168.0.1 eq www
access-list inside_outbound_nat0_acl permit ip host 192.168.0.122 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host 192.168.0.1 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list lanextention permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_access_in permit tcp any interface outside eq www
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.0.150-192.168.0.160
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.122 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.119 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.192 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.0.1 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.1 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.1 c:/TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 match address lanextention
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
terminal width 80
0
Comment
Question by:sbock
  • 6
  • 5
11 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11796006
Hi sbock,
> access-list acl_outside_in permit tcp any host 192.168.0.1 eq www
You have the internal IP address listed in your access list. Enter the following to fix the problem :-

no access-list outside_in
access-list acl_outside_in permit tcp any any eq www
access-group outside_access_in in interface outside
0
 

Author Comment

by:sbock
ID: 11796146
The following gave me an error....

"no access-list outside_in
access-group outside_access_in in interface outside"

Said that it does not exist.

0
 
LVL 36

Expert Comment

by:grblades
ID: 11796180
Sorry those commands should have been :-

no access-list acl_outside_in
access-list acl_outside_in permit tcp any any eq www
access-group acl_outside_in in interface outside
0
 

Author Comment

by:sbock
ID: 11796293
nope, it still doesn't work.  anything else i can try?
0
 

Author Comment

by:sbock
ID: 11796334
here is my latest and greatest config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside_in permit tcp any any eq www
access-list inside_outbound_nat0_acl permit ip host 192.168.0.122 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host 192.168.0.1 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list lanextention permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.0.150-192.168.0.160
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.122 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.119 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.192 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.0.1 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.1 www netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.1 c:/TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 match address lanextention
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 36

Expert Comment

by:grblades
ID: 11796359
I can't see anything wrong.
Are you testing the connection to the webserver from somewhere else on the internet?
Are you trying to use just a normal http: connection?
0
 

Author Comment

by:sbock
ID: 11796389
i can test the webserver through the intranet and it works fine.  I was trying to set it up so that when somebody goes to my public IP address it allows  the connection through port 80 and brings up my website.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11796458
How are you testing to see if it can be reached via the internet?
You cannot access the public IP address of your PIX from another machine on the inside of the same PIX. In order to test your configuration you have to use a different machine with its own internet connection or configure your browser to use a proxy server.

If you want to post your current IP address I can test it for you. I am only going to be round for another 15 minutes or so though.
0
 

Author Comment

by:sbock
ID: 11796590
i have a friend testing it from his house.  
0
 
LVL 36

Accepted Solution

by:
grblades earned 200 total points
ID: 11796664
What about if you configure the webserver to also listen on port 81 and add the following configuration:-
access-list acl_outside_in permit tcp any any eq www
static (inside,outside) tcp interface 81 192.168.0.1 81 netmask 255.255.255.255 0 0
Can you now access it via http://your.ip.address:81 ?

If you can then maybe it is the http server in the PIX causing problems. You have a 255.255.255.248 netmask so you have additional IP addresses assigned to you?

Some ISP's may block access to port 80 on your machine because of the worm/virus problems. Do you know that your ISP does not do this?
0
 

Author Comment

by:sbock
ID: 11796948
i hooked up my linux server and setup the static entry in the pix and it worked.  So, its my other IIS webserver.  Thanks for the help.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Let’s list some of the technologies that enable smooth teleworking. 
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now