Link to home
Start Free TrialLog in
Avatar of sbock
sbock

asked on

Can't access webserver through PIX 506E

I'm not sure what i did, but now i can't access my webserver.  Below is my config of my firewall.  Can you see what i did wrong?

X.X.X.X = PUBLIC IP
192.168.0.1 = IP address of webserver i'm trying to get to.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside_in permit tcp any host 192.168.0.1 eq www
access-list inside_outbound_nat0_acl permit ip host 192.168.0.122 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host 192.168.0.1 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list lanextention permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_access_in permit tcp any interface outside eq www
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.0.150-192.168.0.160
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.122 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.119 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.192 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.0.1 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.1 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.1 c:/TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 match address lanextention
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
terminal width 80
Avatar of grblades
grblades
Flag of United Kingdom of Great Britain and Northern Ireland image

Hi sbock,
> access-list acl_outside_in permit tcp any host 192.168.0.1 eq www
You have the internal IP address listed in your access list. Enter the following to fix the problem :-

no access-list outside_in
access-list acl_outside_in permit tcp any any eq www
access-group outside_access_in in interface outside
Avatar of sbock
sbock

ASKER

The following gave me an error....

"no access-list outside_in
access-group outside_access_in in interface outside"

Said that it does not exist.

Sorry those commands should have been :-

no access-list acl_outside_in
access-list acl_outside_in permit tcp any any eq www
access-group acl_outside_in in interface outside
Avatar of sbock

ASKER

nope, it still doesn't work.  anything else i can try?
Avatar of sbock

ASKER

here is my latest and greatest config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside_in permit tcp any any eq www
access-list inside_outbound_nat0_acl permit ip host 192.168.0.122 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host 192.168.0.1 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list lanextention permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.0.150-192.168.0.160
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.122 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.119 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.192 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.0.1 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.1 www netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.1 c:/TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 match address lanextention
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
I can't see anything wrong.
Are you testing the connection to the webserver from somewhere else on the internet?
Are you trying to use just a normal http: connection?
Avatar of sbock

ASKER

i can test the webserver through the intranet and it works fine.  I was trying to set it up so that when somebody goes to my public IP address it allows  the connection through port 80 and brings up my website.
How are you testing to see if it can be reached via the internet?
You cannot access the public IP address of your PIX from another machine on the inside of the same PIX. In order to test your configuration you have to use a different machine with its own internet connection or configure your browser to use a proxy server.

If you want to post your current IP address I can test it for you. I am only going to be round for another 15 minutes or so though.
Avatar of sbock

ASKER

i have a friend testing it from his house.  
ASKER CERTIFIED SOLUTION
Avatar of grblades
grblades
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of sbock

ASKER

i hooked up my linux server and setup the static entry in the pix and it worked.  So, its my other IIS webserver.  Thanks for the help.