Solved

Can't access Web server remotely through a PIX 501

Posted on 2005-05-15
Last Modified: 2013-11-21
I've visited many sites for setup tips, but still can't configure my PIX to allow me to access my Web server through it.  My Web server is a basic Windows XP Professional setup.  I've tested it.  The address is (192.168.1.35).  No Windows firewall enabled to block anything.  I can access the Web page fine from another computer on LAN.  I can ping the WAN ip remotely.  I also set up a VPN connection, and could ping the 192.168.1.35 address once connected, but couldn't see my Web page.  This definitely is a config file issue.  Anyhow, here is my file.   If you can see anything that would be holding me up, your input would be appreciated.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password o3vBDkYOjWnpuLlc encrypted
passwd o3vBDkYOjWnpuLlc encrypted
hostname firewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name x.x.184.138 NameOfConnection
access-list inside_outbound_nat0_acl permit ip any 192.168.1.4 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.4 255.255.255.252
access-list inbound permit tcp any host NameOfConnection eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside NameOfConnection 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool DynVPNIPs 192.168.1.4-192.168.1.6
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) NameOfconnection 192.168.1.35 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.184.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool DynVPNIPs
vpngroup VPN dns-server x.x.136.4 x.x.136.9
vpngroup VPN default-domain mydomain.com
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password Ij4v7o3l0KOW/JuT encrypted privilege 2
terminal width 80
Question by:bleujaegel
16 Comments
 
LVL 4

Expert Comment

by:coderlen
ID: 14008971
I don't think this is a config file issue. If you can access the Web from another computer on that same LAN, then it could be something on your computer. Like Norton.

Do you have Norton installed, by chance? Norton gave me all sorts of problems connecting to the Internet on a high-speed cable. I had the same problems you are having, could ping the website, but couldn't connect to it through a browser. I couldn't connect to any website through either of the 2 browsers I was using, IE 6.0 and FireFox. So, it wasn't a browser problem.

It turned out that it was just Norton. As soon as I uninstalled Norton, everything was fine. I think Norton just freaks out if it thinks you are getting invaded, and it just shuts down all Internet access.

You will have to COMPLETELY uninstall Norton, not just using Norton's uninstall, not just using Add/Remove Programs from the Control Panel, but you will also have to use the "nonav" utility.

Here is a link for downloading the nonav utility. Click on the "NoNav.zip" link, and download it. It will give you everything you need. This is an unsupported utility developed by Symantec. They found it was necessary to develop such a utility, because they kept getting complaints from users who found that their uninstall didn't completely uninstall Norton. I did this by hand before I knew about nonav, and it took me hours. I literally deleted every reference to "Norton" and "Symantec" in the Registry and in Windows. As soon as I did that, the Internet connection starting working again. Fortunately for you, all you need is nonav.

http://home.utm.utoronto.ca/~keith/uninstaller/
This has everything needed for "nonav", including a zip file and a pdf file describing everything about nonav.
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 14010181
I don't have antivirus or firewall software installed at all.  I can access the web from both computers, but cannot access the Web server on my LAN from a remote computer.  I can access the Web server fine from another computer on the LAN.  Thanks for the idea, though!
0
 
LVL 4

Expert Comment

by:coderlen
ID: 14012010
OK, 2 things.

First, I need a better description of your network. What do you mean by "access the Web server on my LAN from a remote computer."? Are you trying to access the web-hosting pages for your website? Also, a physical description of how you are connected to the PIX 501 would help.

Second, you're not getting nearly enough responses to your question. I mean, why would I be the only one posting to your question? You need 2 "pointer questions" posted in other topic areas, so that really qualified experts will respond. Read this link for further information:
http://www.experts-exchange.com/help.jsp#hi262

I would suggest pointer questions posted in the following 2 topic areas:

Networking>WinNT Net
Web Dev>Browser Issues

That should bring in more responses, from people who really know networking issues.
0
 
LVL 4

Expert Comment

by:coderlen
ID: 14012018
Also, I would increase the points to 500. If you have unlimited points like me, it only makes sense. If you are limited, maybe increase it to at least 250. Experts like points, and you want them to at least look at your question.
0
 
LVL 4

Expert Comment

by:coderlen
ID: 14012064
Also, regarding the Norton thing, if you've ever had Norton installed on this computer AT ALL, then you need to run nonav. The reason is that Norton never completely uninstalls, and it just hangs around and causes problems, believe me, I know this from hard personal experience on a variety of computers.

If you acquired this computer from someone else, just run nonav to be sure. If you bought it new, you could have had Norton installed by the manufacturer. It seems that all new computers come with Norton installed on a free trial basis for 30 days, when you would need to register to get it renewed. In either case, nonav needs to be run.

No matter what the situation, I would run nonav just to be sure.
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 14015611
To clarify, site A has the PIX 501 firewall, with the Web server behind it.  Site B is a laptop with a dial-up connection.  I am trying to access my home page from site B.  I get the page unavailable error.  Basically, the PIX is blocking it.  I think the reason no one else has responded is because I didn't put it in the 'routers' category by mistake.  
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 14015681
Let's change some terminology here:

These are the critical lines:

access-list inbound permit tcp any host NameOfConnection eq www
ip address outside NameOfConnection 255.255.255.248
static (inside,outside) NameOfconnection 192.168.1.35 netmask 255.255.255.255 0 0
access-group inbound in interface outside

>ip address outside NameOfConnection 255.255.255.248
Given that information, let's change the rest of it to literal. Use these "exactly" as they are:

no static (inside,outside) NameOfconnection 192.168.1.35 netmask 255.255.255.255 0 0
no access-group inbound in interface outside
no access-list inbound
clear xlate

static (inside,outside) tcp interface http 192.168.1.35 http netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq http
access-group inbound in interface outside


0
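The accepted answer above isolates four lines as the critical ones: the static, the access-list, the access-group binding, and the outside address they all refer to. A reviewer checking such a config wants to confirm that the chain is consistent end to end: the static's global address must resolve, the ACL bound to the outside interface must permit the forwarded port to that same address. The following Python checker is an added example for this thread, not code from the thread or from Cisco; it parses the PIX 6.3 lines shown in the posts and reports any break in that chain. The two embedded configs are constructed from the question's first config and from the accepted answer's rewrite (with the poster's public address kept masked as x.x.184.138). The checker treats object names as exact-match (an assumption noted in the code), which is what makes it flag the `NameOfconnection` / `NameOfConnection` spelling difference in the original static.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the lines that matter from the first config in the question
# (object names and the 192.168.1.35 server are the poster's; the public address
# stays masked as x.x.184.138).
ORIGINAL_CONFIG = """\
names
name x.x.184.138 NameOfConnection
access-list inbound permit tcp any host NameOfConnection eq www
ip address outside NameOfConnection 255.255.255.248
static (inside,outside) NameOfconnection 192.168.1.35 netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

# Constructed sample: the same chain as rewritten by the accepted answer.
FIXED_CONFIG = """\
names
name x.x.184.138 NameOfConnection
ip address outside NameOfConnection 255.255.255.248
static (inside,outside) tcp interface http 192.168.1.35 http netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq http
access-group inbound in interface outside
"""

SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25}  # PIX keywords (subset)
LITERAL_RE = re.compile(r"[\dx]{1,3}(\.[\dx]{1,3}){3}")  # 10.0.0.1 or a masked x.x.1.2


def port_of(token: str) -> Optional[int]:
    return SERVICE_PORTS.get(token, int(token) if token.isdigit() else None)


@dataclass
class PixConfig:
    names: dict = field(default_factory=dict)      # object name -> address literal
    outside_addr: Optional[str] = None             # token after "ip address outside"
    statics: list = field(default_factory=list)    # parsed static translations
    acls: dict = field(default_factory=dict)       # acl name -> list of ACEs
    bindings: dict = field(default_factory=dict)   # interface -> acl name (access-group)


def parse_static(t):
    rest = t[2:]                                   # drop "static" and "(inside,outside)"
    if rest[0] in ("tcp", "udp"):                  # port static: PROTO GLOBAL GPORT LOCAL LPORT
        return {"proto": rest[0], "global": rest[1], "gport": port_of(rest[2]),
                "local": rest[3], "lport": port_of(rest[4])}
    return {"proto": None, "global": rest[0], "gport": None, "local": rest[1], "lport": None}


def parse_ace(t):
    action, proto = t[2], t[3]
    i = 5 if t[4] == "any" else 6                  # skip source: any | host X | NET MASK
    dst_kind, dst = t[i], None
    if dst_kind in ("host", "interface"):
        dst, i = t[i + 1], i + 2
    elif dst_kind == "any":
        i += 1
    else:
        dst_kind, dst, i = "net", t[i], i + 2
    port = port_of(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "dst_kind": dst_kind, "dst": dst, "port": port}


def parse(text: str) -> PixConfig:
    cfg = PixConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name" and len(t) == 3:
            cfg.names[t[2]] = t[1]
        elif t[:3] == ["ip", "address", "outside"]:
            cfg.outside_addr = t[3]
        elif t[0] == "static":
            cfg.statics.append(parse_static(t))
        elif t[0] == "access-list" and len(t) > 3 and t[2] in ("permit", "deny"):
            cfg.acls.setdefault(t[1], []).append(parse_ace(t))
        elif t[0] == "access-group" and len(t) >= 5:
            cfg.bindings[t[4]] = t[1]              # access-group NAME in interface IFACE
    return cfg


def resolve(cfg: PixConfig, token: str) -> Optional[str]:
    """Address literal for a global-address token, or None if undefined.
    Names are matched exactly as typed (assumption: treated as case-sensitive here)."""
    if token == "interface":
        token = cfg.outside_addr
    if token is None:
        return None
    return token if LITERAL_RE.fullmatch(token) else cfg.names.get(token)


def check_forward(cfg: PixConfig, server_ip: str, port: int, outside_if: str = "outside"):
    """Problems in the static -> access-list -> access-group chain that should expose
    server_ip:port on the outside interface. Empty list means the chain is complete."""
    findings = []
    statics = [s for s in cfg.statics if s["local"] == server_ip and s["lport"] in (None, port)]
    if not statics:
        return [f"no static translates {server_ip}:{port}"]
    s = statics[0]
    global_ip = resolve(cfg, s["global"])
    if global_ip is None:
        near = [n for n in cfg.names if n.lower() == s["global"].lower()]
        hint = f" (did you mean {near[0]}?)" if near else ""
        findings.append(f"static uses undefined name '{s['global']}'{hint}")
    acl_name = cfg.bindings.get(outside_if)
    if acl_name is None:
        return findings + [f"no access-group binds an ACL to interface {outside_if}"]
    gport = s["gport"] if s["gport"] is not None else port
    for ace in cfg.acls.get(acl_name, []):
        if ace["action"] != "permit" or ace["proto"] not in ("tcp", "ip"):
            continue
        if ace["port"] not in (None, gport):
            continue
        if ace["dst_kind"] == "any":
            return findings                        # permit found: chain is complete
        dst_tok = cfg.outside_addr if ace["dst_kind"] == "interface" else ace["dst"]
        if global_ip is not None and resolve(cfg, dst_tok) == global_ip:
            return findings
    return findings + [f"access-list {acl_name} has no permit for tcp/{gport} to the static's global address"]


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("accepted answer", FIXED_CONFIG)):
        print(label, "->", check_forward(parse(text), "192.168.1.35", 80) or "chain OK")
```

Run against the first config it reports the undefined name in the static and, because of that, no permit that reaches the static's global address; against the accepted answer's `interface`-based rewrite it reports nothing. A clean result only proves the PIX side is consistent: as the rest of the thread shows, the server's own configuration still has to be checked.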
 
LVL 2

Author Comment

by:bleujaegel
ID: 14027144
I tried your suggestion, and it still fails to work.  I'm sure we're very close, though.  Anyhow, as I mistakenly stated, I'm having a 'Timeout connection failure', not a 'Page Unavailable error'.  Sorry about that.  I decided to create a bare minimum file and insert your commands and it still won't work.  I can connect to the internet still, but I got rid of the VPN and other unnecessary stuff to try to simplify this.  Here is my new config file with your commands inserted:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name mydom.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name x.x.184.138 MyISP
access-list inbound permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside MyISP 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.35 www netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.184.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

0
 
LVL 4

Expert Comment

by:coderlen
ID: 14027378
Please give me the website address so I can see if I can access the site without timing out. If I can get there without any problems, then the problem lies with your laptop. If I can't, then it's a config issue on the server, or the PIX 501, like you have been saying. Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14027399
Two questions:
1) is the server's default gateway pointing to the PIX 192.168.1.1 ?
 Can you post result of C:\>route print   to confirm?

2) Are you trying to access this public interface from a public location, or from your own machine inside the PIX?
If outside - it "should" be working as is, assuming the answer to #1 is positive
If inside - it "won't" work - that's just the way it is. You have no choice from the inside lan to use the inside private ip of the server. I assume that http://192.168.1.35  gives you access to the web site in question?
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 14032134
1> Yes, it's pointing to 192.168.1.1

Here is my routing table:

Active Routes:
Network Destination          Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.35      20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.35   192.168.1.35      20
     192.168.1.35  255.255.255.255        127.0.0.1      127.0.0.1      20
    192.168.1.255  255.255.255.255     192.168.1.35   192.168.1.35      20
        224.0.0.0        240.0.0.0     192.168.1.35   192.168.1.35      20
  255.255.255.255  255.255.255.255     192.168.1.35   192.168.1.35       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

2>I am trying to access it from a public location, just as if I'd given you the address.  I'm entering it as usual http://x.x.184.168.   I would give both of you the url, but I worry about people trying to hack.  Am I being paranoid?  Is it safe???
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14032162
If you want the general public to access the URL, then it doesn't matter because the IP address will have to be published in DNS anyway...

Have a look at "sho access-list" and see if the (hitcount=  ) has any hits..
0
 
LVL 2

Author Comment

by:bleujaegel
ID: 14033546
I'm only making it accessible via a numerical URL.  I tried accessing the URL with a different computer via dialup, and same problem.  

Here is the sho access-list results:

pix(config)# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list inbound; 1 elements
access-list inbound line 1 permit tcp any interface outside eq www (hitcnt=9)

I re-ran the command after each failed attempt to connect, and noticed the hitcnt incremented each time.   I've set up Windows web servers many times through regular 'home user' grade routers, and have never had access issues like this before.  Usually it's just a simple port forwarding entry, then it works.  I set this Web server up the same as usual.  Only new variable = CISCO.    
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14035352
Save your config. Shut down the PIX. Wait 2 full minutes then power it back up.
As long as the hitcount is increasing, the packets should be getting to the server.
Anything in the server logs?
0
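The diagnostic step in the last two posts (take a `sho access-list` snapshot, retry from outside, compare the hitcnt) is worth keeping as a script, because it splits the fault domain cleanly: an increasing count on the permit ACE means the PIX matched and admitted the packets, so the remaining suspects are behind the firewall. The script below is an added example written for this thread, not code from the thread. Its two snapshots are constructed from the output posted above, with a second `deny ip any any` line added purely to show how a deny entry is reported; the classification strings are this example's own.

```python
import re

# Constructed samples modelled on the "sho access-list" output posted in the thread:
# one snapshot before and one after a single further browser attempt from outside.
# Line 2 is added here for illustration; the thread's ACL had only line 1.
BEFORE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list inbound; 2 elements
access-list inbound line 1 permit tcp any interface outside eq www (hitcnt=9)
access-list inbound line 2 deny ip any any (hitcnt=3)
"""
AFTER = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list inbound; 2 elements
access-list inbound line 1 permit tcp any interface outside eq www (hitcnt=10)
access-list inbound line 2 deny ip any any (hitcnt=3)
"""

# One ACE line: "access-list NAME line N permit|deny RULE (hitcnt=H)"
ACE_RE = re.compile(r"access-list (\S+) line (\d+) (permit|deny) (.+?) \(hitcnt=(\d+)\)")


def parse_hitcounts(text):
    """Map (acl, line) -> {action, rule, hits} for every ACE in a sho access-list dump."""
    aces = {}
    for line in text.splitlines():
        m = ACE_RE.fullmatch(line.strip())
        if m:
            acl, num, action, rule, hits = m.groups()
            aces[(acl, int(num))] = {"action": action, "rule": rule, "hits": int(hits)}
    return aces


def hit_deltas(before, after):
    """Per-ACE increase in hitcnt between two snapshots (ACEs present in both)."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    return {k: a[k]["hits"] - b[k]["hits"] for k in a if k in b}


def locate_fault(before, after, acl, line):
    """Apply the thread's reasoning to one ACE: if the permit entry for the service
    gained hits while the client still got no page, the PIX admitted the packets and
    the fault lies behind it (server listener, host firewall, default gateway)."""
    entry = parse_hitcounts(after).get((acl, line))
    if entry is None:
        return "ace-not-found"
    if hit_deltas(before, after).get((acl, line), 0) == 0:
        return "no-match: traffic never reached this ACE (routing, binding, or an earlier ACE)"
    if entry["action"] == "deny":
        return "denied-by-pix: this ACE is dropping the traffic"
    return "permitted-by-pix: check the server (listener, host firewall, default gateway)"


if __name__ == "__main__":
    for key, delta in sorted(hit_deltas(BEFORE, AFTER).items()):
        print(key, "+%d" % delta, "->", locate_fault(BEFORE, AFTER, *key))
```

For the thread's own case the permit ACE gains one hit per attempt, so the script points at the server, which is exactly where the poster found the problem (a damaged IIS host that worked once replaced).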
 
LVL 2

Author Comment

by:bleujaegel
ID: 14036948
I installed IIS on another computer with the same IP address (removing the other Web server), and it works now.  I set up both Web servers exactly the same.  No firewalls installed on either computer to interfere.  I had ZoneAlarm installed at one point, and I noticed a couple .dll files still loading (msinfo32) even though I had removed it a long time ago.  I had a significant amount of spyware on the computer a while back, which I have removed.  It is possible that it may have damaged the registry or some files that IIS may depend on.  I will have to investigate further.  Anyhow, your answer earlier was correct.  Thank you very much for your help!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 14041022
Glad you're working!
- Cheers!
0
