?
Solved

https keeps timing out on PIX506E

Posted on 2005-03-21
6
Medium Priority
?
617 Views
Last Modified: 2010-04-09
I'm trying to access OWA through the internet.  It does work from the internal IP address, but it times out from the outside world.  Can you guys check my PIX config and see if there is anything wrong?

: Saved
: Written by enable_15 at 11:44:35.537 CST Mon Jan 4 1993
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname
domain-name
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_outside_in permit tcp any interface outside eq www
access-list acl_outside_in permit tcp any interface outside eq https
access-list inside_outbound_nat0_acl permit ip host 192.168.0.122 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host 192.168.0.1 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.0.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list lanextention permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.0.150-192.168.0.160
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.122 255.255.255.255 inside
pdm location 192.168.0.254 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.119 255.255.255.255 inside
pdm location 192.168.0.128 255.255.255.192 outside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1701 192.168.0.1 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.119 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.1 https netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server protocol radius
aaa-server  (inside) host 192.168.0.1 timeout 5
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.53 /
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt radius ignore-secret
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 match address lanextention
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.0.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
terminal width 80
banner login Welcome

One thing i did just notice....The IP address of the lines:

ip address outside XXX.XXX.XXX.XXX 255.255.255.248
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA

Do not match.  Should they match?
0
Comment
Question by:sbock
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13597467
>static (inside,outside) tcp interface https 192.168.0.1 https netmask 255.255.255.255 0 0
>http server enable

The reason you get timeouts is because you have the http server enabled. This lets the PIX itself "listen" on port 443/https. You can't listen and forward at the same time.
You can disable the http server, then you can't use the PDM GUI
   no http server enable

>ip address outside XXX.XXX.XXX.XXX 255.255.255.248
>route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA

>Do not match.  Should they match?
Nope. The route should point to the next hop, not to your own IP
0
 

Author Comment

by:sbock
ID: 13597790
I've been running the http server and forwarding port 80 and https ever since we bought our pix.  The time out issue just started on friday, but nothing was changed in the pix.  

Are you sure i can't run the http srever and https at the same time?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13600421
If you have another public IP that you can use for https, then you would be fine. If using the "interface" as the static redirecting to another host, it only makes sense that it won't work.
I've never seen it work.
That said - If it has been working and now its not, then something happened or something changed on it or on the server.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 

Author Comment

by:sbock
ID: 13603269
Other than that, does everything look correct?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 13604401
Yes. These are the only lines you need
\\-- access permissions - OK
access-list acl_outside_in permit tcp any interface outside eq www
access-list acl_outside_in permit tcp any interface outside eq https

\\-- static xlates - OK
static (inside,outside) tcp interface www 192.168.0.119 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.1 https netmask 255.255.255.255 0 0

\\-- default route out - OK
route outside 0.0.0.0 0.0.0.0 AAA.AAA.AAA.AAA

\\-- apply the access-list - => D'OH!!! I don't see this  please enter it as below<=
access-group acl_outside_in in interface outside


0
 

Author Comment

by:sbock
ID: 13607869
That was it!  Thanks.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question