Solved

RE: Unable to access the website thru Cisco PIX 515

Posted on 2004-10-11
Last Modified: 2013-11-16
Hi, recently I have configured the Cisco firewall (PIX ver 4.4.1). I was able to surf the Internet thru the PIX firewall, but outside users are unable to access the web server that I have set up. This is part of my config.

nameif ethernet0 Internet security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
interface ethernet0 auto
interface ethernet1 auto
mtu Internet 1500
mtu inside 1500
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
arp timeout 14400
global (Internet) 1 203.125.141.204 netmask 255.255.255.240
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit tcp host 203.125.141.203 eq www any
route Internet 0.0.0.0 0.0.0.0 203.125.141.193 1
Question by: StevenSou

11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12276381
Have you checked the subnet mask/ default gateway setting on the server? Is it set for 172.16.1.1?
Are you trying to access the web server public ip from outside the firewall, NOT from a client PC inside?
 
LVL 5

Expert Comment

by:netspec01
ID: 12276669
As lrmoore says, you cannot connect to your public hosts from inside your firewall.
 

Author Comment

by:StevenSou
ID: 12294696
Yes, I am trying to access the web server from outside the firewall.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12297446
Your syntax is correct:
  >static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
  >conduit permit tcp host 203.125.141.203 eq www any

These should allow anyone to access the web page of 203.125.141.203

Can you post the result of "show conduit"?

What are your chances of upgrading the PIX OS? 4.x has been out of date for years...
 

Author Comment

by:StevenSou
ID: 12304518
The result: conduit permit tcp host 203.125.141.203 eq www any
We are financially not able to upgrade at this moment.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12304912
You are not getting any hits on your conduit...
Can you post the complete config? There must be something else blocking it, or else your ISP is blocking inbound traffic on port 80, or perhaps a router in front of the PIX?
 
LVL 1

Expert Comment

by:JEEGO
ID: 12309585
Based on the configuration statements, you should be able to publish the web server on 172.16.1.52 successfully.
This leads me to believe that the problem lies elsewhere.

Check these things.

What are your usable IP addresses assigned by the ISP?

Make sure that you are able to pull up the website internally, using the 172.16.1.52 address.

Are you running the website on a non-standard port (e.g. 8081)?
If so, edit the conduit statement or change the port to 80.

Almost forgot, double check your PIX configuration to make sure that no DENY ALL statement exists before the CONDUIT statement.

It would really help if you post your entire configuration. You can change the IP addresses.

Thanks
 

Author Comment

by:StevenSou
ID: 12315582
For lrmoore: there is no blocking from the ISP or the router.

For JEEGO: I have no problem accessing the web internally with 172.16.1.52, and the http port is 80. The usable IP addresses are from 200-207.

This is my PIX config:
nameif ethernet0 Internet security0
nameif ethernet1 inside security100
hostname X
fixup protocol http 80
fixup protocol smtp 25
names
pager lines 20
no logging timestamp
no logging console
no logging monitor
no logging buffered debugging
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
mtu Internet 1500
mtu inside 1500
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address Internet 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (Internet) 1 203.125.141.204 netmask 255.255.255.240
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.125.141.203 eq www any
rip Internet passive
no rip Internet default
no rip inside passive
rip inside default
route Internet 0.0.0.0 0.0.0.0 203.125.141.193 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
no snmp-server community public
no snmp-server enable traps
terminal width 80
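The experts above are walking through one checklist: the static and conduit for the server are present, the translated address sits in the outside subnet without colliding with the PIX interface, the default gateway or the PAT pool, no deny conduit covers it, and (the accepted answer) the server's own default gateway and mask match the PIX inside interface. The following script runs those checks over a config dump. It is an added example written for this page, not code from any poster or from Cisco; it parses only the PIX 4.x statement forms that appear in this thread, the port-keyword table and every function name are this example's own, and the sample config is constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed sample: the PIX 4.4(1) statements posted in the thread, reduced to the
# lines the checks below look at (the rest of the dump does not affect publishing).
SAMPLE_CONFIG = """\
nameif ethernet0 Internet security0
nameif ethernet1 inside security100
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
global (Internet) 1 203.125.141.204 netmask 255.255.255.240
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.125.141.203 eq www any
route Internet 0.0.0.0 0.0.0.0 203.125.141.193 1
"""

# Port keywords this checker understands in a conduit statement (assumed subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21}

# Only the "host <ip> eq <port>" conduit form used in the thread is parsed;
# other shapes such as "conduit permit icmp any any" are ignored.
CONDUIT_RE = re.compile(r"conduit (permit|deny) (\w+) host (\S+) eq (\S+) (.+)")


def parse_config(text):
    """Pull interfaces, statics, conduits, global pool and default route out of a PIX dump."""
    cfg = {"interfaces": {}, "statics": [], "conduits": [], "globals": [], "route": None}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        if tok[:2] == ["ip", "address"]:
            # ip address <ifname> <addr> <mask>
            cfg["interfaces"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "static":
            # static (<inside_if>,<outside_if>) <global> <local> netmask <mask> ...
            inside_if, outside_if = tok[1].strip("()").split(",")
            cfg["statics"].append({"inside_if": inside_if, "outside_if": outside_if,
                                   "global": ipaddress.ip_address(tok[2]),
                                   "local": ipaddress.ip_address(tok[3])})
        elif tok[0] == "conduit":
            m = CONDUIT_RE.match(line)
            if m:
                port = PORT_NAMES.get(m.group(4)) or int(m.group(4))
                cfg["conduits"].append({"action": m.group(1), "proto": m.group(2),
                                        "host": ipaddress.ip_address(m.group(3)),
                                        "port": port, "source": m.group(5)})
        elif tok[0] == "global":
            # global (<ifname>) <id> <addr> netmask <mask>
            cfg["globals"].append(ipaddress.ip_address(tok[3]))
        elif tok[0] == "route" and tok[2] == "0.0.0.0":
            # route <ifname> 0.0.0.0 0.0.0.0 <gateway> <metric>
            cfg["route"] = ipaddress.ip_address(tok[4])
    return cfg


def check_publish(cfg, local_ip, port, proto="tcp"):
    """Findings for publishing <local_ip>:<port>; an empty list means the PIX side is consistent."""
    local = ipaddress.ip_address(local_ip)
    statics = [s for s in cfg["statics"] if s["local"] == local]
    if not statics:
        return [f"no static translation for {local_ip}"]
    findings = []
    for s in statics:
        outside = cfg["interfaces"].get(s["outside_if"])
        inside = cfg["interfaces"].get(s["inside_if"])
        g = s["global"]
        if outside is None or g not in outside.network:
            findings.append(f"global {g} is not inside the {s['outside_if']} subnet")
        if inside is None or local not in inside.network:
            findings.append(f"local {local} is not inside the {s['inside_if']} subnet")
        # The translated address must not collide with anything else on the outside wire.
        if outside is not None and g == outside.ip:
            findings.append(f"global {g} is the PIX outside interface address")
        if g == cfg["route"]:
            findings.append(f"global {g} is the default gateway address")
        if g in cfg["globals"]:
            findings.append(f"global {g} is also a nat/global pool address")
        matches = [c for c in cfg["conduits"]
                   if c["host"] == g and c["port"] == port and c["proto"] == proto]
        if not any(c["action"] == "permit" for c in matches):
            findings.append(f"no conduit permits {proto}/{port} to {g}")
        if any(c["action"] == "deny" for c in matches):
            findings.append(f"a deny conduit also matches {proto}/{port} to {g}")
    return findings


def check_server_gateway(cfg, inside_if, server_gateway, server_mask):
    """The accepted answer's check: the server's gateway and mask must match the PIX inside interface."""
    inside = cfg["interfaces"][inside_if]
    findings = []
    if ipaddress.ip_address(server_gateway) != inside.ip:
        findings.append(f"server default gateway {server_gateway} is not the PIX inside address {inside.ip}")
    if ipaddress.ip_network(f"0.0.0.0/{server_mask}").prefixlen != inside.network.prefixlen:
        findings.append(f"server mask {server_mask} differs from PIX inside mask {inside.netmask}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("PIX side:", check_publish(cfg, "172.16.1.52", 80) or "consistent")
    # Constructed server settings with a wrong gateway, the fault the accepted answer suspects.
    print("server side:", check_server_gateway(cfg, "inside", "172.16.1.254", "255.255.255.0"))
```

Run against the posted config, `check_publish` returns no findings, which is the experts' conclusion: the firewall statements are right, so the zero hit count on the conduit points at the path behind it (ISP, upstream router or the server's own routing), and `check_server_gateway` fed with what `ipconfig`/`route print` reports on the web server turns the accepted answer into a yes/no test.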
 
LVL 79

Accepted Solution

by: lrmoore (earned 200 total points)
ID: 12315887
Have you verified that the server has the correct default gateway pointing to the PIX 172.16.1.1, with the correct subnet mask 255.255.255.0 ?
 
LVL 1

Expert Comment

by:JEEGO
ID: 12328918
StevenSou
Have you verified that the default gateway on the 172.16.1.52 machine is 172.16.1.1? Check the NIC properties to make sure that other default gateways have not been assigned. Your PIX configuration is OK to my eyes, thus the notion that problems exist somewhere else.

To double-check: publish another website on another machine, then create the appropriate ACL and CONDUITS.
If you are able to successfully do this, then the problem is DEFINITELY on your web server.

Finally, on the 172.16.1.52 machine, make sure that no STATIC default gateway routes exist on the machine. What OS are you using on the web server? Do you have any software-based firewall running on the web server?
 

Author Comment

by:StevenSou
ID: 12335535
I will check and come back to you, as I am not in the office. Thanks.