RE: Unable to access the website thru Cisco PIX 515

Hi, recently I have configured the Cisco firewall (PIX ver 4.4.1). I was able to surf the Internet thru the PIX firewall, but the outside users are unable to access the web server that I have set up. This is part of my config.

nameif ethernet0 Internet security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
interface ethernet0 auto
interface ethernet1 auto
mtu Internet 1500
mtu inside 1500
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
arp timeout 14400
global (Internet) 1 203.125.141.204 netmask 255.255.255.240
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit tcp host 203.125.141.203 eq www any
route Internet 0.0.0.0 0.0.0.0 203.125.141.193 1
lrmoore commented:
Have you checked the subnet mask/ default gateway setting on the server? Is it set for 172.16.1.1?
Are you trying to access the web server public ip from outside the firewall, NOT from a client PC inside?
netspec01 commented:
As lrmoore says, you cannot connect to your public hosts from inside your firewall.
StevenSou (Author) commented:
Yes, I am trying to access the web server from outside the firewall.
lrmoore commented:
Your syntax is correct:
  >static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
  >conduit permit tcp host 203.125.141.203 eq www any

These should allow anyone to access the web page of 203.125.141.203

Can you post the result of "show conduit"?

What are your chances of upgrading the PIX OS? 4.x has been out of date for years...

StevenSou (Author) commented:
The result: conduit permit tcp host 203.125.141.203 eq www any
Financially not able to upgrade at this moment.
lrmoore commented:
You are not getting any hits on your conduit...
Can you post the complete config? There must be something else blocking it, or else your ISP is blocking inbound traffic on port 80, or perhaps a router in front of the PIX?
JEEGO commented:
Based on the configuration statements, you should be able to publish the webserver on 172.16.1.52 successfully.
Leads me to believe that the problem lies elsewhere.

Check these things.

What are your usable IP addresses assigned by the ISP?

Make sure that you are able to pull up the website internally, using the 172.16.1.52 address.

Are you running the website on a non-standard port (e.g. 8081)?
If so, edit the conduit statement or change the port to 80.

Almost forgot, double check your PIX configuration to make sure that no DENY ALL statement exists before the CONDUIT statement.

It would really help if you post your entire configuration. You can change the IP addresses.

Thanks
StevenSou (Author) commented:
For lrmoore: there is no blocking from the ISP or the router.

For JEEGO: I have no problem accessing the web server internally with 172.16.1.52, and the http port is 80. The usable IP addresses are from 200-207.

This is my PIX config:
nameif ethernet0 Internet security0
nameif ethernet1 inside security100
hostname X
fixup protocol http 80
fixup protocol smtp 25
names
pager lines 20
no logging timestamp
no logging console
no logging monitor
no logging buffered debugging
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
mtu Internet 1500
mtu inside 1500
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address Internet 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (Internet) 1 203.125.141.204 netmask 255.255.255.240
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.125.141.203 eq www any
rip Internet passive
no rip Internet default
no rip inside passive
rip inside default
route Internet 0.0.0.0 0.0.0.0 203.125.141.193 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
no snmp-server community public
no snmp-server enable traps
terminal width 80
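The checks the thread has walked through so far (a static for the inside host, a conduit permitting tcp/80 to that public address, no deny conduit ahead of it, and a public address that actually belongs to the outside subnet and does not collide with the interface or global address) can be run mechanically over the posted config. The script below is an added example, not code from the thread or from Cisco; it parses only the static/global/conduit/ip address lines, assumes conduits are matched in order (the premise behind JEEGO's deny-before-conduit warning), and embeds the relevant lines of the config posted above as a constructed sample.

```python
import ipaddress
# Constructed sample: the static/conduit-relevant lines of the PIX 4.4 config posted above.
PIX_CONFIG = """\
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
global (Internet) 1 203.125.141.204 netmask 255.255.255.240
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.125.141.203 eq www any
"""
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "ftp": 21}
def _addr(tok):
    # Consume 'any', 'host A' or 'A MASK' from conduit tokens; return (network, remaining tokens).
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
def check_publish(config, inside_host, port=80):
    # Return the problems that would stop inside_host:port being reachable via static + conduit.
    ifaces, globals_, statics, conduits = {}, [], [], []
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["global"]:
            globals_.append(ipaddress.ip_address(t[3]))
        elif t[:1] == ["static"]:  # (inside,outside) public inside
            statics.append((t[1].strip("()").split(",")[1], ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3])))
        elif t[:1] == ["conduit"]:
            conduits.append(t[1:])
    hit = [s for s in statics if s[2] == ipaddress.ip_address(inside_host)]
    if not hit:
        return [f"no static translation for {inside_host}"]
    out_if, pub, _ = hit[0]
    out_net, problems = ifaces[out_if].network, []
    if pub not in out_net:  # the ISP only routes the outside subnet to this interface
        problems.append(f"public address {pub} is not in the {out_if} subnet {out_net}")
    if pub == ifaces[out_if].ip or pub in globals_:
        problems.append(f"public address {pub} collides with the interface or global (PAT) address")
    # Conduits are evaluated in order: a deny covering the host and port before the permit wins.
    for c in conduits:
        net, rest = _addr(c[2:])
        ports = {PORT_NAMES.get(rest[1]) or int(rest[1])} if rest[:1] == ["eq"] else None
        if c[1] in ("tcp", "ip") and pub in net and (ports is None or port in ports):
            if c[0] == "deny":
                problems.append(f"a deny conduit matching {pub}:{port} precedes any permit")
            break
    else:
        problems.append(f"no conduit permits tcp/{port} to {pub}")
    return problems
```

For the posted config the check returns no problems, which matches the experts' conclusion that the PIX side is fine and the fault must lie on the server or beyond the firewall.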
lrmoore commented:
Have you verified that the server has the correct default gateway pointing to the PIX 172.16.1.1, with the correct subnet mask 255.255.255.0?
JEEGO commented:
StevenSou
Have you verified that the default gateway on the 172.16.1.52 machine is 172.16.1.1? Check the NIC properties to make sure that other Default Gateways have not been assigned. Your PIX configuration is OK to my eyes, thus the notion that problems exist somewhere else.

To double-check, publish another website on another machine and create the appropriate ACL and CONDUITS.
If you are able to successfully do this, then the problem is DEFINITELY on your web server.

Finally, on the 172.16.1.52 machine, make sure that no STATIC Default Gateway Routes exist on the machine. What OS are you using on the web server? Do you have any software-based firewall running on the web server?
StevenSou (Author) commented:
I will check and come back to you, as I am not in the office. Thanks.