Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

https keeps timing out on PIX506E

Posted on 2005-03-21
6
Medium Priority
?
623 Views
Last Modified: 2010-04-09
I'm trying to access OWA through the internet.  It does work from the internal IP address, but it times out from the outside world.  Can you guys check my PIX config and see if there is anything wrong?

: Saved
: Written by enable_15 at 11:44:35.537 CST Mon Jan 4 1993
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname
domain-name
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside_in permit tcp any interface outside eq www
access-list acl_outside_in permit tcp any interface outside eq https
access-list inside_outbound_nat0_acl permit ip host 192.168.0.122 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host 192.168.0.1 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list lanextention permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.0.150-192.168.0.160
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.122 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.119 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.192 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.0.1 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.119 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.1 https netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server protocol radius
aaa-server  (inside) host 192.168.0.1 timeout 5
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.53 /
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 match address lanextention
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.0.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
terminal width 80
banner login Welcome

One thing i did just notice....The IP address of the lines:

ip address outside XXX.XXX.XXX.XXX 255.255.255.248
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA

Do not match.  Should they match?
0
Comment
Question by:sbock
  • 3
  • 3
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13597467
>static (inside,outside) tcp interface https 192.168.0.1 https netmask 255.255.255.255 0 0
>http server enable

The reason you get timeouts is because you have the http server enabled. This lets the PIX itself "listen" on port 443/https. You can't listen and forward at the same time.
You can disable the http server, then you can't use the PDM GUI
   no http server enable

>ip address outside XXX.XXX.XXX.XXX 255.255.255.248
>route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA

>Do not match.  Should they match?
Nope. The route should point to the next hop, not to your own IP
0
 

Author Comment

by:sbock
ID: 13597790
I've been running the http server and forwarding port 80 and https ever since we bought our pix.  The time out issue just started on friday, but nothing was changed in the pix.  

Are you sure i can't run the http srever and https at the same time?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13600421
If you have another public IP that you can use for https, then you would be fine. If using the "interface" as the static redirecting to another host, it only makes sense that it won't work.
I've never seen it work.
That said - If it has been working and now its not, then something happened or something changed on it or on the server.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 

Author Comment

by:sbock
ID: 13603269
Other than that, does everything look correct?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 13604401
Yes. These are the only lines you need
\\-- access permissions - OK
access-list acl_outside_in permit tcp any interface outside eq www
access-list acl_outside_in permit tcp any interface outside eq https

\\-- static xlates - OK
static (inside,outside) tcp interface www 192.168.0.119 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.1 https netmask 255.255.255.255 0 0

\\-- default route out - OK
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA

\\-- apply the access-list - => D'OH!!! I don't see this  please enter it as below<=
access-group acl_outside_in in interface outside


0
 

Author Comment

by:sbock
ID: 13607869
That was it!  Thanks.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question