PIX 515e - Configuring NAT to allow access to internal OWA server

Here is my config. We can get to the website hosted in the DMZ, but I cannot get OWA to load externally, nor can I telnet to xxx.xxx.xxx.80 on port 80 or 443.

Once I get this working I am going to disable port 80 for this IP.

Please help.

Note: the items I have added are:
access-list 101 permit tcp any host xxx.xxx.xxx.80 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.80 eq https

and

static (inside,outside) xxx.xxx.xxx.80 xxx.xxx.1.50 netmask 255.255.255.255 0 0

Once I added these items I executed the command below and wrote it to memory:

access-group 101 in interface outside


PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password w4IeTMwbm73LWP8B encrypted
passwd w4IeTMwbm73LWP8B encrypted
hostname fire
domain-name dtg-usa.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 444
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit tcp any any eq 6881
access-list 101 permit tcp any any eq 6882
access-list 101 permit tcp any any eq 6883
access-list 101 permit tcp any any eq 6884
access-list 101 permit tcp any any eq 6885
access-list 101 permit tcp any any eq 6886
access-list 101 permit tcp any any eq 6887
access-list 101 permit tcp any any eq 6888
access-list 101 permit tcp any any eq 6889
access-list 101 permit tcp any any eq 6890
access-list 101 permit tcp any any eq 6891
access-list 101 permit tcp any any eq 6892
access-list 101 permit tcp any any eq 6893
access-list 101 permit tcp any any eq 6894
access-list 101 permit tcp any host xxx.xxx.xxx.5 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.5 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.21 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.21 eq pop3
access-list 101 permit udp any host xxx.xxx.xxx.21 eq dnsix
access-list 101 permit tcp any host xxx.xxx.xxx.75 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.75 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.75 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.5 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.6 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.21 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.75 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.79 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.79 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.79 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.79 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.79 eq telnet
access-list 101 permit tcp any host xxx.xxx.xxx.79 eq 3389
access-list 101 permit tcp any host xxx.xxx.xxx.77 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.77 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.77 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.77 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.76 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.76 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.78 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.78 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.78 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.78 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.76 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.76 eq smtp
access-list 101 permit tcp any any eq pptp
access-list 101 permit udp xxx.xxx.xxx.0 255.255.255.0 any eq 5060
access-list 101 permit tcp xxx.xxx.xxx.0 255.255.255.0 any eq 5060
access-list 101 permit tcp host 38.113.24.15 any eq 2546
access-list 101 permit tcp any host xxx.xxx.xxx.80 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.80 eq https
pager lines 24
logging on
logging history informational
icmp permit xxx.xxx.1.0 255.255.255.0 outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.2 255.255.255.0
ip address inside xxx.xxx.1.1 255.255.255.0
ip address dmz xxx.xxx.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.32-xxx.xxx.xxx.63
global (outside) 1 xxx.xxx.xxx.64
global (outside) 3 xxx.xxx.xxx.65
global (dmz) 1 xxx.xxx.2.99
nat (inside) 1 xxx.xxx.1.0 255.255.255.0 0 0
nat (dmz) 3 xxx.xxx.2.0 255.255.255.0 0 0
static (dmz,outside) xxx.xxx.xxx.5 xxx.xxx.2.5 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.11 xxx.xxx.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.6 xxx.xxx.2.6 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.12 xxx.xxx.2.12 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.13 xxx.xxx.2.13 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.20 xxx.xxx.2.20 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.21 xxx.xxx.2.21 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.23 xxx.xxx.2.23 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.22 xxx.xxx.2.22 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.24 xxx.xxx.2.24 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.25 xxx.xxx.2.25 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.26 xxx.xxx.2.26 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.27 xxx.xxx.2.27 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.28 xxx.xxx.2.28 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.29 xxx.xxx.2.29 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.30 xxx.xxx.2.30 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.31 xxx.xxx.2.31 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.32 xxx.xxx.2.32 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.33 xxx.xxx.2.33 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.34 xxx.xxx.2.34 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.75 xxx.xxx.2.75 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.76 xxx.xxx.2.76 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.77 xxx.xxx.2.77 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.78 xxx.xxx.2.78 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.79 xxx.xxx.2.79 netmask 255.255.255.255 0 0
static (inside,dmz) xxx.xxx.2.55 xxx.xxx.1.55 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.80 xxx.xxx.1.50 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.1.100 255.255.255.255 inside
http xxx.xxx.1.106 255.255.255.255 inside
snmp-server host inside xxx.xxx.1.118 poll
snmp-server location Datacom
snmp-server contact Tim Moore
snmp-server community idctim
snmp-server enable traps
floodguard enable
telnet xxx.xxx.1.100 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
management-access inside
console timeout 0
dhcpd address xxx.xxx.1.101-xxx.xxx.1.200 inside
dhcpd address xxx.xxx.2.100-xxx.xxx.2.120 dmz
dhcpd dns xxx.xxx.1.51 xxx.xxx.1.52
dhcpd lease 10800
dhcpd ping_timeout 750
dhcpd enable inside
dhcpd enable dmz
Asked by: anakin827

1 Solution
lrmoore commented:
The only thing I can see in your config is that you have some overlapping statics with your NAT pool:

global (outside) 1 xxx.xxx.xxx.32-xxx.xxx.xxx.63
static (dmz,outside) xxx.xxx.xxx.32 xxx.xxx.2.32 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.33 xxx.xxx.2.33 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.34 xxx.xxx.2.34 netmask 255.255.255.255 0 0

You must exclude these static IPs from the NAT global pool.

Check the default gateway of the OWA server. Does it point to xx.xx.1.1 ?

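As an added illustration of the overlap lrmoore describes (not code from the thread or from Cisco), here is a small Python checker that parses the global pools and static translations out of a PIX 6.x config and flags any static whose mapped address also lies inside a global pool on the same interface. The sample config and its 203.0.113.x / 192.0.2.x / 10.0.1.x addresses are constructed stand-ins for the masked values in the post.

```python
import ipaddress
import re

# Constructed sample mirroring the thread's layout; 203.0.113.x and 192.0.2.x
# are documentation-range stand-ins for the masked xxx.xxx.xxx.x addresses.
SAMPLE_CONFIG = """\
global (outside) 1 203.0.113.32-203.0.113.63
global (outside) 1 203.0.113.64
static (dmz,outside) 203.0.113.5 192.0.2.5 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.32 192.0.2.32 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.33 192.0.2.33 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.34 192.0.2.34 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.80 10.0.1.50 netmask 255.255.255.255 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def parse_global_pools(config):
    """Return [(interface, pool_id, first_ip, last_ip)] per global line;
    a bare address (PAT) becomes a one-address range."""
    pools = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            iface, pool_id, spec = m.groups()
            first, _, last = spec.partition("-")
            pools.append((iface, pool_id, ipaddress.ip_address(first),
                          ipaddress.ip_address(last or first)))
    return pools


def find_static_pool_overlaps(config):
    """Return [(mapped_ip, real_ip, pool_label)] for each static whose mapped
    (outer-interface) address also sits inside a global pool on that interface."""
    pools = parse_global_pools(config)
    overlaps = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        _inner_if, outer_if, mapped, real = m.groups()
        mapped_ip = ipaddress.ip_address(mapped)
        for iface, pool_id, first, last in pools:
            if iface == outer_if and first <= mapped_ip <= last:
                overlaps.append((mapped, real, f"{iface} pool {pool_id} {first}-{last}"))
    return overlaps
```

Run against the sample, it reports the .32, .33 and .34 statics as colliding with pool 1 while the .5 and .80 statics pass, which is exactly the split lrmoore calls out.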
anakin827 (Author) commented:
Yes the default gateway is xx.xx.1.1

Would the firewall need to be rebooted?  I thought I read somewhere that some versions of the CLI had glitches in it?
lrmoore commented:
It can't hurt. I see that you have 6.3(1) and I do believe that particular version has a bug in that static xlates don't always "stick" until you reboot the thing. Highly suggest you update to 6.3(4) and PDM 3.03...
anakin827 (Author) commented:
Looks like it mysteriously started working again.  I manually cleared the xlates and it did the trick.  I will look into upgrading the versions of the CLI and PDM ASAP, thanks.