Solved

Opening port 80 on pix501

Posted on 2004-09-18
337 Views
Last Modified: 2013-11-29
Hello everyone,

I have been trying to open the www and ftp ports on this new PIX.  After SEVERAL attempts (roughly 2 months) of failures I'm ready to give up.

Here is my config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname Pixie
domain-name XXXXXXXXXX.COM
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_access_in permit tcp any eq www host 192.168.1.107 eq www
pager lines 24
logging timestamp
logging trap warnings
logging host inside 192.168.1.100
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.110 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.100 255.255.255.255 outside
pdm location 204.60.138.6 255.255.255.255 outside
pdm location 64.251.48.200 255.255.255.255 outside
pdm location 192.168.2.111 255.255.255.255 inside
pdm location 192.168.1.107 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.1.107 192.168.1.107 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 64.251.48.200 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 64.251.48.200 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
vpdn group pppoe_group ppp authentication pap
vpdn username XXXXXXXXXXXXXXXXXXXXXXXXXX password *********
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end


Thank you all
Question by:Victor_A
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12093502
Don't give up so easily. Am I to assume that your www client is outside the PIX, but inside the private network, trying to access the private IP?

Try this. Remove the access-list that you have:
  no access-list outside_access_in permit tcp any eq www host 192.168.1.107 eq www

Replace it with this one:
   access-list outside_access_in permit tcp any host 192.168.1.107 eq www
and re-apply it to the interface
   access-group outside_access_in in interface outside

You see, the source port will not be www, only the destination.

If you need to use the public IP of the interface for your web server, remove this static:
PIX(config)# no static (inside,outside) 192.168.1.107 192.168.1.107 netmask 255.255.255.255 0 0
PIX(config)# clear xlate

Replace it with this:
   static (inside,outside) tcp interface 80 192.168.1.107 80 netmask 255.255.255.255

Change the access_list to:
    access-list outside_access_in permit tcp any interface outside eq www

To add FTP server, add these lines:
     static (inside,outside) tcp interface ftp 192.168.1.107 ftp netmask 255.255.255.255
     static (inside,outside) tcp interface ftp-data 192.168.1.107 ftp-data netmask 255.255.255.255
     access-list outside_access_in permit tcp any interface outside eq ftp
     access-list outside_access_in permit tcp any interface outside eq ftp-data

and, of course, re-apply the access-list to the outside interface after any changes:
    access-group outside_access_in in interface outside



 

Author Comment

by:Victor_A
ID: 12095497
Thanks for your quick response.  I entered the commands that you gave me but no go.  I entered one at a time and both at once and it would not work.  I deleted the Access-list that I had and the new config is below:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
hostname Pixie
domain-name ITBLUEPRINT.COM
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging timestamp
logging trap warnings
logging host inside 192.168.1.100
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.110 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.100 255.255.255.255 outside
pdm location 204.60.138.6 255.255.255.255 outside
pdm location 64.251.48.200 255.255.255.255 outside
pdm location 192.168.2.111 255.255.255.255 inside
pdm location 192.168.1.107 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 64.251.48.200 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 64.251.48.200 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname XXXXXXXXXXXXXXXXXXXX
vpdn group pppoe_group ppp authentication pap
vpdn username XXXXXXXXXXXXXXXXXXXXXXX password *********
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end

I have tried many similar configs that I have seen posted here but none seem to work.  Once I enter all the commands I have no net access and I have to delete all entries (which is what happened to the commands that you gave me, lrmoore).


Thanks lrmoore

 

Author Comment

by:Victor_A
ID: 12353830
lrmoore,

My network setting is as follows

Internet
|
Server (192.168.1.107)

I would like anyone from the internet to be able to access this server.  I'm on a dsl line with a dynamic IP.  I'm pretty sure that I need the port forwarding method.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12353916
Let's try one line at a time...

pix(config)#access-list outside_in permit tcp any interface outside eq http
pix(config)#static (inside,outside) tcp interface 80 192.168.1.107 80 netmask 255.255.255.255
pix(config)#access-group outside_in in interface outside
pix(config)#exit
pix#

That should be all you need to do to access this web server from outside the network. You can't use the public ip from inside on the lan...you must test from an external client.
 
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 12353943
That was for a web server on 192.168.1.107

Do you have an ftp server that you also need to access?

 

Author Comment

by:Victor_A
ID: 12363349
THANKS!!!!


IT WORKED!


I don't have to open FTP but I do have to open port 6588. Going by your instructions all I should have to put in is:

access-list outside_in permit tcp any interface outside eq 6588
static (inside,outside) tcp interface 6588 192.168.1.107 6588 netmask 255.255.255.255
access-group outside_in in interface outside


Right?

Thanks!
-A very happy camper-

 
LVL 79

Expert Comment

by:lrmoore
ID: 12363436
You got it.... that's exactly how you do it..
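A toy model of the inbound path that lrmoore's three commands configure, added here as an illustration (it is not code from the thread or from Cisco). It parses the thread's own access-list and static lines and walks an outside client's TCP SYN through them, showing why the original ACE with source `eq www` can never match a real browser, why the corrected ACE plus a `static ... tcp interface` PAT does, and that the same recipe generalises to the port 6588 case asked about at the end. The outside interface address 198.51.100.10 and the client source port 51234 are constructed values; the model assumes PIX 6.x behaviour of matching the outside ACL against the untranslated (global) destination before applying the static.

```python
import re
from collections import namedtuple

PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ftp-data": 20}
OUTSIDE_IP = "198.51.100.10"  # constructed stand-in for the PPPoE-assigned outside address
Ace = namedtuple("Ace", "name src_port dst dst_port")  # None port means "any port"

def port(tok: str) -> int:
    """Resolve a PIX port keyword or number to an integer."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit tcp <src> [eq P] <dst> [eq P]' as typed on the PIX 6.x CLI."""
    m = re.match(r"access-list (\S+) permit tcp (any|host \S+)(?: eq (\S+))? "
                 r"(any|host \S+|interface outside)(?: eq (\S+))?$", line.strip())
    if not m: raise ValueError("unsupported ACE: " + line)
    name, _src, sp, dst, dp = m.groups()
    dst_ip = {"any": "any", "interface outside": OUTSIDE_IP}.get(dst, dst.split()[-1])
    return Ace(name, port(sp) if sp else None, dst_ip, port(dp) if dp else None)

def parse_static(line: str) -> dict:
    """Parse 'static (inside,outside) tcp interface GPORT REAL_IP RPORT ...' into {global port: (real ip, real port)}."""
    m = re.match(r"static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)", line.strip())
    if not m: raise ValueError("unsupported static: " + line)
    gp, ip, rp = m.groups()
    return {port(gp): (ip, port(rp))}

def inbound(aces, statics, src_port, dst_port):
    """Walk an outside client's SYN (to the outside interface address) through the model.
    PIX 6.x matches the outside ACL against the untranslated global destination, then applies
    the static PAT; a permitted port with no static is dropped, and no ACE match is the implicit deny."""
    for a in aces:
        if (a.src_port not in (None, src_port) or a.dst not in ("any", OUTSIDE_IP)
                or a.dst_port not in (None, dst_port)):
            continue
        real = statics.get(dst_port)
        return ("forwarded", real) if real else ("no-xlate", None)
    return ("denied", None)

WRONG = "access-list outside_access_in permit tcp any eq www host 192.168.1.107 eq www"
RIGHT = "access-list outside_in permit tcp any interface outside eq http"
STATIC = "static (inside,outside) tcp interface 80 192.168.1.107 80 netmask 255.255.255.255"

def demo():
    """Browsers use an ephemeral source port (51234 here, constructed), never 80, so the original
    ACE's source 'eq www' never matches a real client; the corrected ACE reaches the static."""
    st = parse_static(STATIC)
    return inbound([parse_ace(WRONG)], st, 51234, 80), inbound([parse_ace(RIGHT)], st, 51234, 80)
```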
