Solved

RE: Unable to access the website thru Cisco PIX 515

Posted on 2004-10-11
Last Modified: 2013-11-16
Hi, recently I configured the Cisco firewall (PIX ver 4.4.1). I was able to surf the Internet through the PIX firewall, but outside users are unable to access the web server that I have set up. This is part of my config.

nameif ethernet0 Internet security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
interface ethernet0 auto
interface ethernet1 auto
mtu Internet 1500
mtu inside 1500
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
arp timeout 14400
global (Internet) 1 203.125.141.204 netmask 255.255.255.240
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit tcp host 203.125.141.203 eq www any
route Internet 0.0.0.0 0.0.0.0 203.125.141.193 1
Question by:StevenSou
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12276381
Have you checked the subnet mask/ default gateway setting on the server? Is it set for 172.16.1.1?
Are you trying to access the web server public ip from outside the firewall, NOT from a client PC inside?
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12276669
As lrmoore says, you cannot connect to your public hosts from inside your firewall.
0
 

Author Comment

by:StevenSou
ID: 12294696
Yes, I am trying to access the web server outside the firewall.
0

 
LVL 79

Expert Comment

by:lrmoore
ID: 12297446
Your syntax is correct:
  >static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
  >conduit permit tcp host 203.125.141.203 eq www any

These should allow anyone to access the web page of 203.125.141.203

Can you post the result of "show conduit"?

What are your chances of upgrading the PIX OS? 4.x has been out of date for years...


0
 

Author Comment

by:StevenSou
ID: 12304518
The result: conduit permit tcp host 203.125.141.203 eq www any
Financially not able to upgrade @ this moment.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12304912
You are not getting any hits on your conduit...
Can you post the complete config? There must be something else blocking it, or else your ISP is blocking inbound traffic on port 80, or perhaps a router in front of the PIX?
0
 
LVL 1

Expert Comment

by:JEEGO
ID: 12309585
Based on the configuration statements, you should be able to publish the webserver on 172.16.1.52 successfully.
Leads me to believe that the problem lies elsewhere.

Check these things.

What are your useable IP addresses assigned by the ISP?

Make sure that you are able to pull up the website internally, using the 172.16.1.52 address.

Are you running the website on a non-standard port (ex 8081, etc)?
If so, edit the conduit statement or change the port to 80.

Almost forgot, double check your PIX configuration to make sure that no DENY ALL statement exists before the CONDUIT statement.

It would really help if you post your entire configuration. You can change the IP addresses.

Thanks
0
 

Author Comment

by:StevenSou
ID: 12315582
For lrmoore: there is no blocking from the ISP or the router.

For JEEGO: I have no problem accessing the web internally with 172.16.1.52 & the http port is 80. The usable IP addresses are from 200-207.

This is my PIX config:
nameif ethernet0 Internet security0
nameif ethernet1 inside security100
hostname X
fixup protocol http 80
fixup protocol smtp 25
names
pager lines 20
no logging timestamp
no logging console
no logging monitor
no logging buffered debugging
no logging trap
logging facility 20
interface ethernet0 auto
interface ethernet1 auto
mtu Internet 1500
mtu inside 1500
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address Internet 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (Internet) 1 203.125.141.204 netmask 255.255.255.240
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.125.141.203 eq www any
rip Internet passive
no rip Internet default
no rip inside passive
rip inside default
route Internet 0.0.0.0 0.0.0.0 203.125.141.193 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
no snmp-server community public
no snmp-server enable traps
terminal width 80
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 12315887
Have you verified that the server has the correct default gateway pointing to the PIX 172.16.1.1, with the correct subnet mask 255.255.255.0 ?
0
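Added example, not part of the original thread: a small Python check that combines the points raised above (a static for the server, a conduit for the right port, and the server's default gateway and mask matching the PIX inside interface). `check_publish` and `interface` are hypothetical helpers; the config lines are the ones posted in the thread, and the server's gateway and mask are supplied as inputs.

```python
import ipaddress
import re

# Lines taken from the config posted in the thread.
PIX_CONFIG = """\
ip address Internet 203.125.141.205 255.255.255.240
ip address inside 172.16.1.1 255.255.255.0
static (inside,Internet) 203.125.141.203 172.16.1.52 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.125.141.203 eq www any
"""
PORT_NAMES = {"www": 80}  # only the port keyword used in the thread

def interface(config, name):
    """Return (address, network) from an 'ip address <name> <ip> <mask>' line."""
    ip, mask = re.search(rf"^ip address {name} (\S+) (\S+)$", config, re.M).groups()
    return ipaddress.ip_address(ip), ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def check_publish(config, server_ip, port, server_gw, server_mask):
    """List the reasons outside users could not reach server_ip:port (hypothetical helper)."""
    problems = []
    _, outside_net = interface(config, "Internet")
    pix_inside, inside_net = interface(config, "inside")
    # 1. A static must map a public address to the server.
    m = re.search(rf"^static \(inside,Internet\) (\S+) {re.escape(server_ip)} ", config, re.M)
    if not m:
        return [f"no static translation for {server_ip}"]
    public = ipaddress.ip_address(m.group(1))
    if public not in outside_net:
        problems.append(f"{public} is not in the outside subnet {outside_net}")
    # 2. A conduit must permit the port to that public address.
    conduits = re.findall(r"^conduit permit tcp host (\S+) eq (\S+) any$", config, re.M)
    if not any(ipaddress.ip_address(h) == public and str(PORT_NAMES.get(p, p)) == str(port)
               for h, p in conduits):
        problems.append(f"no conduit permits tcp/{port} to {public}")
    # 3. The server must send replies back through the PIX inside interface.
    if ipaddress.ip_address(server_gw) != pix_inside:
        problems.append(f"server default gateway {server_gw} is not the PIX ({pix_inside})")
    if ipaddress.ip_address(server_mask) != inside_net.netmask:
        problems.append(f"server subnet mask {server_mask} differs from {inside_net.netmask}")
    return problems

if __name__ == "__main__":
    print(check_publish(PIX_CONFIG, "172.16.1.52", 80, "172.16.1.1", "255.255.255.0"))
```

An empty list means the PIX side and the server's gateway settings are consistent, which points the search at the server itself or at something upstream.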
 
LVL 1

Expert Comment

by:JEEGO
ID: 12328918
StevenSou
Have you verified that the default gateway on the 172.16.1.52 machine is 172.16.1.1? Check the NIC properties to make sure that other Default Gateways have not been assigned. Your PIX configuration is OK to my eyes, thus the notion that problems exist somewhere else.

To double-check... publish another website on another machine,
...create the appropriate ACL and CONDUITS.
If you are able to successfully do this, then the problem is DEFINITELY on your web server.

Finally. On the 172.16.1.52 machine, make sure that no STATIC Default Gateway Routes exist on the machine. What OS are you using on the web server? Do you have any software-based firewall running on the web server?
0
 

Author Comment

by:StevenSou
ID: 12335535
I will check and come back to you as I am not in the office. Thanks.
0
