bleujaegel
Can't access Web server remotely through a PIX 501

I've visited many sites for setup tips, but still can't configure my PIX to allow me to access my Web server through it.  My Web server is a basic Windows XP Professional setup.  I've tested it.  The address is (192.168.1.35).  No Windows firewall enabled to block anything.  I can access the Web page fine from another computer on the LAN.  I can ping the WAN IP remotely.  I also set up a VPN connection, and could ping the 192.168.1.35 address once connected, but couldn't see my Web page.  This definitely is a config file issue.  Anyhow, here is my file.   If you can see anything that would be holding me up, your input would be appreciated.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password o3vBDkYOjWnpuLlc encrypted
passwd o3vBDkYOjWnpuLlc encrypted
hostname firewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name x.x.184.138 NameOfConnection
access-list inside_outbound_nat0_acl permit ip any 192.168.1.4 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.4 255.255.255.252
access-list inbound permit tcp any host NameOfConnection eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside NameOfConnection 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool DynVPNIPs 192.168.1.4-192.168.1.6
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) NameOfconnection 192.168.1.35 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.184.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool DynVPNIPs
vpngroup VPN dns-server x.x.136.4 x.x.136.9
vpngroup VPN default-domain mydomain.com
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password Ij4v7o3l0KOW/JuT encrypted privilege 2
terminal width 80
coderlen

I don't think this is a config file issue. If you can access the Web from another computer on that same LAN, then it could be something on your computer. Like Norton.

Do you have Norton installed, by chance? Norton gave me all sorts of problems connecting to the Internet on a high-speed cable. I had the same problems you are having, could ping the website, but couldn't connect to it through a browser. I couldn't connect to any website through either of the 2 browsers I was using, IE 6.0 and FireFox. So, it wasn't a browser problem.

It turned out that it was just Norton. As soon as I uninstalled Norton, everything was fine. I think Norton just freaks out if it thinks you are getting invaded, and it just shuts down all Internet access.

You will have to COMPLETELY uninstall Norton, not just using Norton's uninstall, not just using Add/Remove Programs from the Control Panel, but you will also have to use the "nonav" utility.

Here is a link for downloading the nonav utility. Click on the "NoNav.zip" link, and download it. It will give you everything you need. This is an unsupported utility developed by Symantec. They found it was necessary to develop such a utility, because they kept getting complaints from users who found that their uninstall didn't completely uninstall Norton. I did this by hand before I knew about nonav, and it took me hours. I literally deleted every reference to "Norton" and "Symantec" in the Registry and in Windows. As soon as I did that, the Internet connection started working again. Fortunately for you, all you need is nonav.

http://home.utm.utoronto.ca/~keith/uninstaller/
This has everything needed for "nonav", including a zip file and a pdf file describing everything about nonav.

ASKER

I don't have antivirus or firewall software installed at all.  I can access the web from both computers, but cannot access the Web server on my LAN from a remote computer.  I can access the Web server fine from another computer on the LAN.  Thanks for the idea, though!
OK, 2 things.

First, I need a better description of your network. What do you mean by "access the Web server on my LAN from a remote computer"? Are you trying to access the web-hosting pages for your website? Also, a physical description of how you are connected to the PIX 501 would help.

Second, you're not getting nearly enough responses to your question. I mean, why would I be the only one posting to your question? You need 2 "pointer questions" posted in other topic areas, so that really qualified experts will respond. Read this link for further information:
https://www.experts-exchange.com/help.jsp#hi262

I would suggest pointer questions posted in the following 2 topic areas:

Networking>WinNT Net
Web Dev>Browser Issues

That should bring in more responses, from people who really know networking issues.
Also, I would increase the points to 500. If you have unlimited points like me, it only makes sense. If you are limited, maybe increase it to at least 250. Experts like points, and you want them to at least look at your question.
Also, regarding the Norton thing, if you've ever had Norton installed on this computer AT ALL, then you need to run nonav. The reason is that Norton never completely uninstalls, and it just hangs around and causes problems, believe me, I know this from hard personal experience on a variety of computers.

If you acquired this computer from someone else, just run nonav to be sure. If you bought it new, you could have had Norton installed by the manufacturer. It seems that all new computers come with Norton installed on a free trial basis for 30 days, when you would need to register to get it renewed. In either case, nonav needs to be run.

No matter what the situation, I would run nonav just to be sure.
To clarify, site A has the PIX 501 firewall, with the Web server behind it.  Site B is a laptop with a dial-up connection.  I am trying to access my home page from site B.  I get the page unavailable error.  Basically, the PIX is blocking it.  I think the reason no one else has responded is because I didn't put it in the 'routers' category, by mistake.
ASKER CERTIFIED SOLUTION
Les Moore

I tried your suggestion, and it still fails to work.  I'm sure we're very close, though.  Anyhow, as I mistakenly stated, I'm having a 'Timeout connection failure', not a 'Page Unavailable error'.  Sorry about that.  I decided to create a bare minimum file and insert your commands and it still won't work.  I can connect to the internet still, but I got rid of the VPN and other unnecessary stuff to try to simplify this.  Here is my new config file with your commands inserted:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name mydom.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name x.x.184.138 MyISP
access-list inbound permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside MyISP 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.35 www netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.184.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

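As an added illustration (not from the thread), a Python checker that walks the exposure chain the two posted configs differ on: the static that publishes the server, the access-list entry that must match its global side, and the access-group bound to the outside interface. The two excerpts are constructed, trimmed copies of the posted configs; the checker also flags a one-to-one static to the outside interface's own address, which the second config replaces with a port static using the `interface` keyword.

```python
import re

# Constructed excerpts modelled on the two configs in the thread (trimmed copies, not the
# poster's full files); x.x.184.138 is the masked outside address exactly as posted.
FIRST_CONFIG = """
name x.x.184.138 NameOfConnection
access-list inbound permit tcp any host NameOfConnection eq www
ip address outside NameOfConnection 255.255.255.248
static (inside,outside) NameOfconnection 192.168.1.35 netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""
SECOND_CONFIG = """
name x.x.184.138 MyISP
access-list inbound permit tcp any interface outside eq www
ip address outside MyISP 255.255.255.248
static (inside,outside) tcp interface www 192.168.1.35 www netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

def check_inbound_web(config, server_ip, port="www"):
    """Return a list of findings; an empty list means static, ACL and access-group agree."""
    names = dict(re.findall(r"^name (\S+) (\S+)", config, re.M))       # ip -> alias
    alias_to_ip = {a.lower(): ip for ip, a in names.items()}            # case-folded so a typo still resolves
    def resolve(tok):  # alias -> ip; plain ips and keywords such as 'interface' pass through
        return alias_to_ip.get(tok.lower(), tok)
    findings = []
    outside_ip = resolve(m.group(1)) if (m := re.search(r"^ip address outside (\S+) ", config, re.M)) else None
    published = None                                                    # global side of the matching static
    for g, gp, loc, lp in re.findall(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)", config, re.M):
        if loc == server_ip and lp == port:
            published = resolve(g)                                      # 'interface' or a global ip
    for g, loc in re.findall(r"^static \(inside,outside\) (\S+) (\S+) netmask", config, re.M):
        if loc != server_ip:
            continue
        if g not in names.values() and g.lower() in alias_to_ip:       # e.g. NameOfconnection vs NameOfConnection
            findings.append(f"static refers to '{g}' but the name entry is spelled differently")
        published = resolve(g)
        if published == outside_ip:
            findings.append("one-to-one static maps the outside interface's own address; "
                            f"use 'static (inside,outside) tcp interface {port} {server_ip} {port}'")
    if published is None:
        return findings + [f"no static publishes {server_ip} {port}"]
    acl = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    if not acl:
        return findings + ["no access-group bound to the outside interface"]
    want = "interface outside" if published == "interface" else f"host {published}"
    permits = re.findall(rf"^access-list {acl.group(1)} permit tcp any (\S+ \S+) eq {port}", config, re.M)
    if want not in {" ".join(resolve(t) for t in d.split()) for d in permits}:
        findings.append(f"ACL {acl.group(1)} has no 'permit tcp any {want} eq {port}' entry")
    return findings
```

Run against the two excerpts, the second config yields no findings while the first reports the mis-cased name and the static to the interface address; it does not tell you whether the server itself answers, which is what the thread ends up finding.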
Please give me the website address so I can see if I can access the site without timing out. If I can get there without any problems, then the problem lies with your laptop. If I can't, then it's a config issue on the server, or the PIX 501, like you have been saying. Thanks.
Two questions:
1) Is the server's default gateway pointing to the PIX, 192.168.1.1? Can you post the result of C:\>route print to confirm?

2) Are you trying to access this public interface from a public location, or from your own machine inside the PIX?
If outside, it "should" be working as is, assuming the answer to #1 is positive.
If inside, it "won't" work; that's just the way it is. From the inside LAN you have no choice but to use the inside private IP of the server. I assume that http://192.168.1.35 gives you access to the web site in question?
1> Yes, it's pointing to 192.168.1.1

Here is my routing table:

Active Routes:
Network Destination          Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.35      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.35    192.168.1.35      20
     192.168.1.35  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255     192.168.1.35    192.168.1.35      20
        224.0.0.0        240.0.0.0     192.168.1.35    192.168.1.35      20
  255.255.255.255  255.255.255.255     192.168.1.35    192.168.1.35       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

2> I am trying to access it from a public location, just as if I'd given you the address.  I'm entering it as usual: http://x.x.184.168.   I would give both of you the URL, but I worry about people trying to hack.  Am I being paranoid?  Is it safe???
If you want the general public to access the URL, then it doesn't matter because the IP address will have to be published in DNS anyway...

Have a look at "sho access-list" and see if the (hitcount=  ) has any hits..
I'm only making it accessible via a numerical URL.  I tried accessing the URL with a different computer via dialup, and same problem.  

Here is the sho access-list results:

pix(config)# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list inbound; 1 elements
access-list inbound line 1 permit tcp any interface outside eq www (hitcnt=9)

I re-ran the command after each failed attempt to connect, and noticed the hitcnt incremented each time.   I've set up Windows web servers many times through regular 'home user' grade routers, and have never had access issues like this before.  Usually it's just a simple port forwarding entry, then it works.  I set this Web server up the same as usual.  Only new variable = CISCO.
Save your config. Shut down the PIX. Wait 2 full minutes then power it back up.
As long as the hitcount is increasing, the packets should be getting to the server.
Anything in the server logs?
I installed IIS on another computer with the same IP address (removing the other Web server), and it works now.  I set up both Web servers exactly the same.  No firewalls installed on either computer to interfere.  I had ZoneAlarm installed at one point, and I noticed a couple of .dll files still loading (msinfo32) even though I had removed it a long time ago.  I had a significant amount of spyware on the computer a while back, which I have removed.  It is possible that it may have damaged the registry or some files that IIS may depend on.  I will have to investigate further.  Anyhow, your answer earlier was correct.  Thank you very much for your help!
Glad you're working!
- Cheers!