
Pix515E Question:  No one internally can access our corporate website that resides on the Internet (a dmz on the pix),  Clients can access the site, but the site loads very slowly.

Posted on 2004-11-30
Last Modified: 2010-04-11
We have a corporate Internet website set up, but for some reason internal users (inside the firewall on the internal network) cannot access our www.company.com website from inside our network.  If they are at home (or anyone else from the Internet) there is a 30 second (or so) delay then the site loads up.  I think the problem with the internal users is one problem and the slow site access is another.  The PIX might be designed to prevent users on one interface from accessing another interface on the PIX (or something of that nature) but I don't seem to know how to get around it.  I'm sure there is a way to do it, but I just don't know where to start looking for it.  The slow site issue could possibly be solved either on the PIX or via DNS or a combo of the two... once again I don't really know where to start on that either.  Any help is appreciated.


I have the following setup configured...

                                                                                     
                                                                        Internal client - 192.168.20.14
                                                                       /
                                                                      /
INTERNET ---<> Router - 64.111.240.65 <>---> 64.111.240.66 - PIX515E ---> 192.168.20.109 <--- Internal network 192.168.20.x
                                                                \
                                                                 \~~> PIX DMZ inside: 192.169.30.1
                                                                  \
                                                                   Web Server - 192.169.30.100 (wdmz)


Here is my current config... (some extra stuff might be in there, but that's for future implementation so plz ignore that.)


interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 wdmz security4
nameif ethernet3 Idmz security6
nameif ethernet4 edmz security8
nameif ethernet5 rdmz security10
enable password *********** encrypted
passwd *********** encrypted
hostname domain
domain-name company.net
fixup protocol ctiqbe 2748
fixup protocol dns maximum-length 800
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.169.30.100 Webserver
name 192.167.10.100 DNS
name 192.168.20.107 Email
access-list compiled
access-list 100 remark Xitron http access - required for remote users.
access-list 100 permit tcp any interface outside eq www
access-list 100 remark Xitron smtp access - required for remote users.
access-list 100 permit tcp any interface outside eq smtp
access-list 100 remark Xitron https access - required for remote users.
access-list 100 permit tcp any interface outside eq https
access-list company_splitTunnelAcl permit ip 192.168.20.0 255.255.255.0 any
access-list company_splitTunnelAcl permit ip 192.169.30.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.255.255.224
access-list wdmz_outbound_nat0_acl permit ip host Webserver 10.0.0.0 255.255.255.224
access-list wdmz_outbound_nat0_acl permit ip host Webserver 172.165.20.0 255.255.255.224
pager lines 24
logging on
logging timestamp
logging trap critical
logging host inside 192.168.20.2 format emblem
icmp deny any outside
icmp deny 64.111.240.64 255.255.255.240 outside
icmp permit 192.168.20.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
mtu wdmz 1500
mtu Idmz 1500
mtu edmz 1500
mtu rdmz 1500
ip address outside 64.111.240.66 255.255.255.240
ip address inside 192.168.20.109 255.255.255.0
ip address wdmz 192.169.30.1 255.255.255.0
ip address Idmz 192.170.40.1 255.255.255.0
ip address edmz 192.167.10.1 255.255.255.0
ip address rdmz 192.171.50.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface wdmz
ip verify reverse-path interface edmz
multicast interface inside
ip audit name Attack-IN attack action alarm reset
ip audit name Attack-EXT attack action alarm drop reset
ip audit name Info-IN info action alarm
ip audit name Info-EXT info action alarm reset
ip audit interface outside Info-EXT
ip audit interface outside Attack-EXT
ip audit interface inside Info-IN
ip audit interface inside Attack-IN
ip audit interface wdmz Info-EXT
ip audit interface wdmz Attack-EXT
ip audit interface edmz Info-EXT
ip audit interface edmz Attack-EXT
ip audit info action alarm
ip audit attack action alarm
ip local pool Com_Rem 10.0.0.1-10.0.0.25
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address wdmz
no failover ip address Idmz
no failover ip address edmz
no failover ip address rdmz
pdm location 192.168.20.3 255.255.255.255 inside
pdm location 192.168.20.4 255.255.255.255 inside
pdm location 192.168.20.5 255.255.255.255 inside
pdm location Email 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.20.210 255.255.255.255 inside
pdm location 192.168.20.224 255.255.255.224 outside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 192.167.10.0 255.255.255.0 inside
pdm location 192.169.30.0 255.255.255.0 inside
pdm location DNS 255.255.255.255 inside
pdm location 192.167.10.1 255.255.255.255 inside
pdm location DNS 255.255.255.255 edmz
pdm location Webserver 255.255.255.255 wdmz
pdm location 192.168.20.0 255.255.255.255 inside
pdm location 192.168.20.2 255.255.255.255 inside
pdm location 172.165.20.0 255.255.255.224 outside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (wdmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (wdmz) 0 access-list wdmz_outbound_nat0_acl
static (wdmz,outside) tcp interface www Webserver www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Email https netmask 255.255.255.255 0 0
static (wdmz,inside) tcp interface www Webserver www netmask 255.255.255.255 0 0
static (wdmz,inside) tcp interface 801 Webserver 801 netmask 255.255.255.255 0 0
static (wdmz,inside) tcp interface 802 Webserver 802 netmask 255.255.255.255 0 0
access-group 100 in interface outside
router ospf 1
  network 192.168.20.0 255.255.255.255 area 2
  area 2 nssa
  router-id 64.111.240.65
  log-adj-changes
  redistribute static subnets
route outside 0.0.0.0 0.0.0.0 64.111.240.65 1
route edmz 192.167.10.1 255.255.255.255 64.111.240.65 1
route edmz DNS 255.255.255.255 192.167.10.1 1
route inside 192.168.20.0 255.255.255.255 64.111.240.65 1
route wdmz 192.169.30.1 255.255.255.255 63.110.235.66 1
route wdmz Webserver 255.255.255.255 192.169.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp authenticate
ntp server Email source inside prefer
http server enable
http 192.168.20.3 255.255.255.255 inside
http 192.168.20.4 255.255.255.255 inside
http 192.168.20.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.20.2 /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool Com_Rem
vpngroup company dns-server 192.168.20.115 192.168.20.115
vpngroup company wins-server 192.168.20.115 192.168.20.115
vpngroup company default-domain company.net
vpngroup company split-tunnel company_splitTunnelAcl
vpngroup company idle-time 1800
vpngroup company password ********
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
management-access Idmz
console timeout 50
username **************** privilege 15
username **************** privilege 15
username **************** privilege 5
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80

Any help is appreciated.
0
Question by:Rastal
4 Comments
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12712949
OK, there seem to be some things wrong with your ACLs and statics; look below

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet2 vlan1 physical
interface ethernet2 vlan2 logical
interface ethernet2 vlan3 logical
interface ethernet2 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan2 edi security40
nameif vlan3 cvpn security60
nameif vlan4 dmz_vlan security55

hostname xxxPIX
domain-name wrt
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.xx.xx wffexch

access-list outside_access_in permit esp any host xxx.xxx.30.1
access-list outside_access_in permit tcp any host xxx.xxx.30.1 eq 10000
access-list outside_access_in permit udp any host xxx.xxx.30.1 eq isakmp        
access-list outside_access_in permit udp any host xxx.xxx.30.1 eq 4500
access-list outside_access_in permit tcp any host xxx.xxx.30.1 eq pptp
access-list outside_access_in permit gre any host xxx.xxx.30.1
access-list outside_access_in permit tcp any host xxx.xxx.30.15 eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq https
access-list dmz_vlan_access_out permit tcp host wffexch any eq domain
access-list dmz_vlan_access_out permit udp host wffexch any eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging trap warnings
logging host inside 172.16.xx.xx
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.30.xxx 255.255.255.0
ip address inside 172.16.xx.xx 255.255.254.0
ip address dmz_vlan 172.16.xx.xx 255.255.254.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz_vlan) 10 0.0.0.0 0.0.0.0 0 0

static (inside,dmz_vlan) 172.16.44.0 172.16.44.0 netmask 255.255.254.0 0 0
static (dmz_vlan,outside) xxx.xxx.30.xx wffexch netmask 255.255.255.255 0 0


access-group outside_access_in in interface outside
access-group dmz_vlan_access_out in interface dmz_vlan



route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1


the static inside,DMZ_vlan stops the natting for internal network because it is not needed

and on your ACL you really want to state your destination host, else you will allow all those ACLs to all your statics

access-list outside_access_in permit gre any host xxx.xxx.30.1  something like that; you could replace the IP with a name

try replacing your dmz static with this, it stops the natting

static (inside,wdmz) 192.168.20.0 192.168.20.0 netmask 255.255.254.0


you also have a route for the inside you can remove that

Also not sure what is going on with your natting

global (outside) 10 interface
global (wdmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (wdmz) 0 access-list wdmz_outbound_nat0_acl


I believe it is wrong, or that much is not required anyhow; perhaps someone else can confirm this

I would suggest you make those changes and take a look at my global natting. Can you tell me how many physical interfaces you have plz

0
 

Author Comment

by:Rastal
ID: 12719184
I have 6 total interfaces: 2 built in and an add-in card with four ports.  I will try those settings that you suggested.
0
 
LVL 1

Expert Comment

by:bluedragon99
ID: 12739828
DNS record problem possibly? If your internal domain name is yourcompany.com, you will need to add a host record on your DNS server:

host = www
ip = Public_IP_To_Website


maybe not the problem just thought I'd throw it out there as I've run into this in the past.
0
 
LVL 5

Accepted Solution

by:
pazmanpro earned 1000 total points
ID: 12949481
I agree with bluedragon99, the problem is most likely your DNS setting. If your internal users try to browse to the website using the IP address, does it work?

Now your PAT rules for the webserver are

static (wdmz,outside) tcp interface www Webserver www netmask 255.255.255.255 0 0
static (wdmz,inside) tcp interface www Webserver www netmask 255.255.255.255 0 0
static (wdmz,inside) tcp interface 801 Webserver 801 netmask 255.255.255.255 0 0
static (wdmz,inside) tcp interface 802 Webserver 802 netmask 255.255.255.255 0 0

So what the second line tells me is that you have translated your webserver to the inside interface address, so if you browse to the inside IP address of your PIX (192.168.20.109) the website would come up. The translations are unnecessary going from the WDMZ to the Inside, since the PIX will not translate these addresses by default in that direction; so you should also be able to browse the website at the proper address from inside at 192.169.30.100.

So you should have a forward lookup zone configured in your DNS as company.com and a host in that zone called www pointing to either 192.169.30.100 or 192.168.20.109.

That should do the trick. That is assuming that you have internal DNS servers.
0
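Added example (not part of any of the posts above): a short Python check that reads the `name`, `ip address` and port `static` lines from the question's configuration and lists which addresses a client behind a given interface can use for the web server, so a candidate internal `www` A record can be tested against it. The function names are hypothetical, the sample lines are copied from the question, and treating the server's real address as usable from inside is an assumption taken from the accepted answer.

```python
import re

# Constructed sample: relevant lines copied from the configuration in the question.
CONFIG = """\
name 192.169.30.100 Webserver
ip address outside 64.111.240.66 255.255.255.240
ip address inside 192.168.20.109 255.255.255.0
ip address wdmz 192.169.30.1 255.255.255.0
static (wdmz,outside) tcp interface www Webserver www netmask 255.255.255.255 0 0
static (wdmz,inside) tcp interface www Webserver www netmask 255.255.255.255 0 0
static (wdmz,inside) tcp interface 801 Webserver 801 netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port>
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    """Return (names, interface_ips, port_statics) from PIX 6.x config text."""
    names, if_ips, statics = {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "name":
            names[tok[2]] = tok[1]            # name <ip> <alias>
        elif len(tok) >= 4 and tok[:2] == ["ip", "address"]:
            if_ips[tok[2]] = tok[3]           # ip address <ifname> <ip> <mask>
        else:
            m = STATIC_RE.match(line)
            if m:
                statics.append(m.groups())
    return names, if_ips, statics

def reachable_addresses(config, client_if, server, port, assume_real_reachable=True):
    """Addresses a client behind client_if can use to reach server on port."""
    names, if_ips, statics = parse(config)
    real_ip = names.get(server, server)
    # Assumption from the accepted answer: the untranslated address also works.
    usable = {real_ip} if assume_real_reachable else set()
    for _real_if, mapped_if, mapped, mport, real, _rport in statics:
        if mapped_if != client_if or mport != port:
            continue
        if names.get(real, real) != real_ip:
            continue
        # "interface" means the PIX's own address on the mapped interface.
        usable.add(if_ips[mapped_if] if mapped == "interface" else names.get(mapped, mapped))
    return usable

def check_a_record(config, client_if, server, port, a_record):
    """True if the A record served to clients on client_if is one they can use."""
    return a_record in reachable_addresses(config, client_if, server, port)
```

With the question's configuration, the outside address 64.111.240.66 is mapped only on the outside interface, so an internal `www` record pointing at it fails the check, while 192.169.30.100 and 192.168.20.109 pass.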
