How to configure PIX 506e to reach from outside a WWW server hosted on the inside

Hello,

I just can't get it figured out! So I ask you to help me! Below is my config file. What I want is to configure the PIX 506e so that my customers on the internet can reach my server.

Hope you know what's wrong with my config.

Thanks in advance..

Katwijk
====================================================================
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixtest
domain-name katwijk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.16 Webserver2
name 192.168.0.15 Webserver1
name 192.168.0.200 Webserver1-urenreg
name 192.168.0.201 Webserver2-drupal
object-group service SERV-Webservices-TCP tcp
  description TCP poorten gebruikt door FTP, HTTP, HTTPS
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
object-group network HOST-Inside-Webservers
  description Interne IP adressen van WWW
  network-object Webserver2 255.255.255.255
  network-object Webserver2-drupal 255.255.255.255
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq www log 7
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap notifications
logging host inside Webserver1
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action reset
ip audit signature 1000 disable
pdm location Webserver1 255.255.255.255 inside
pdm location Webserver2 255.255.255.255 inside
pdm location Webserver1-urenreg 255.255.255.255 inside
pdm location Webserver2-drupal 255.255.255.255 inside
pdm group HOST-Inside-Webservers inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0
access-group 100 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public_mkatwi
snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxx
: end
[OK]
=======================================================================
katwijkAsked:
billwhartonCommented:
1) Is your webserver sitting on 192.168.0.201?

2) Do you want Internet users only be able to access port 80 (http) on your server or any other ports too?

From your config, it seems you have everything set up fine. Where exactly do you see the problem? Do a 'show ip' and paste the outside IP address and I'll check the server communications from the outside.
lrmooreCommented:
You already have all the pieces in place:

\\-- allow anyone in to outside interface IP
>access-list 100 permit tcp any interface outside eq www

\\static PAT map for interface to www server:
>static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0

\\ access list applied to the outside interface:
>access-group 100 in interface outside

! DONE!

If it does not work, check the server for correct IP address, subnet mask, and default gateway.
Default gateway *MUST* point to the PIX inside IP...

Post result of C:/>route print
From the WWW server
katwijkAuthor Commented:
Hi,

Reply for billwharton: Yep, my webserver is hosted on IP 192.168.0.201; it also has another IP for the second network card, which is 192.168.0.16.

Second question: For a start I want users to connect to my interface, but when that works I'm going to set up an email server.

Here is the output of my show ip command.

System IP Addresses:
        ip address outside 82.156.241.82 255.255.248.0
        ip address inside 192.168.0.1 255.255.255.0
Current IP Addresses:
        ip address outside 82.156.241.82 255.255.248.0
        ip address inside 192.168.0.1 255.255.255.0


============

Reply for lrmoore: I studied other examples so I'm glad I made the good choices. Too bad it ain't working yet.

webserver2-drupal has IP 192.168.0.201, netmask 255.255.255.0 and gateway 192.168.0.1. I also added three DNS servers, the first two are from my provider and the last one is my PIX inside 192.168.0.1 address.

Below is the route print output which I made from the www server.

===========================================================================
Interfacelijst
0x1 ........................... MS TCP Loopback interface
0x1000005 ...00 e0 81 00 42 06 ...... Intel 8255x-based Integrated Fast Ethernet
0x3000006 ...00 02 44 05 e9 e8 ...... NDIS 5.0 driver                                                                  
===========================================================================
===========================================================================
Active routes:
Networkaddress             Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.16        1
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.201        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0     192.168.0.16    192.168.0.16        1
      192.168.0.0    255.255.255.0    192.168.0.201   192.168.0.201        1
     192.168.0.16  255.255.255.255        127.0.0.1       127.0.0.1        1
    192.168.0.201  255.255.255.255        127.0.0.1       127.0.0.1        1
    192.168.0.255  255.255.255.255     192.168.0.16    192.168.0.16        1
    192.168.0.255  255.255.255.255    192.168.0.201   192.168.0.201        1
        224.0.0.0        224.0.0.0     192.168.0.16    192.168.0.16        1
        224.0.0.0        224.0.0.0    192.168.0.201   192.168.0.201        1
  255.255.255.255  255.255.255.255    192.168.0.201   192.168.0.201        1
Default-gateway:       192.168.0.1
===========================================================================
Permanent routes:
  None
lrmooreCommented:
>I also added three DNS servers, the first two are from my provider and the last one is my PIX inside 192.168.0.1 address.
That won't work. The PIX cannot be a dns proxy for you. Yes, I know any little Linksys or Dlink can, but not the PIX. Keeping the ISP provided IPs for nameservers should be OK.
You may need to add the "dns" keyword to your static xlate:
>static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0

  clear xlate
  no static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface www Webserver2-drupal www dns netmask 255.255.255.255 0 0
                                                                                                  ^^


>Networkaddress             Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.16       1
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.201       1

Part of the problem is that outbound traffic has two same-metric paths out. Try disabling one NIC on the server and see if everything works then.
Load-balancing out dual nic's is difficult to say the least..
katwijkAuthor Commented:
Hi lrmoore,

I disabled one NIC, only the 192.168.0.201 is active now.
I removed all three DNS addresses (I guess that was the direction you gave??)

I copy-pasted the three lines in the telnet shell.

I did a write mem but still no reachable www server. I found these route definitions. Are they correct?

outside 0.0.0.0 0.0.0.0 82.156.240.1 1 DHCP static
outside 82.156.240.0 255.255.248.0 82.156.241.82 1 CONNECT static
inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static

The route print command now gives these data.

===========================================================================
Interfacelijst
0x1 ........................... MS TCP Loopback interface
0x1000005 ...00 e0 81 00 42 06 ...... Intel 8255x-based Integrated Fast Ethernet

===========================================================================
===========================================================================
Actiee routes:
Networkaddress             Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.201       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.201   192.168.0.201       1
    192.168.0.201  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.0.255  255.255.255.255    192.168.0.201   192.168.0.201       1
        224.0.0.0        224.0.0.0    192.168.0.201   192.168.0.201       1
  255.255.255.255  255.255.255.255    192.168.0.201   192.168.0.201       1
Standaard-gateway:       192.168.0.1
===========================================================================
Permanent routes:
  None

Any suggestions left? I hope so...
lrmooreCommented:
>I removed all three DNS addresses (i guess thats was the direction you gave??)
You need to keep the 2 that the ISP gave you.

>I did a write mem but still no reachable www server.
Just to verify - you are trying to access this server from *outside* your network, right?
katwijkAuthor Commented:
Hi,

I'm now thinking perhaps my ISP is blocking port 80 for some reason, how do I redirect www to port (let's say) 81.

I added the two default DNS IPs. Yes, I'm trying to unlock my server for the outside..

Another thought of mine. Is it possible that I can't use my www address from the inside?

Thanks in advance.
lrmooreCommented:
>Is it possible that I can't use my www address from the inside?
No

>how do i redirect www to port (lets say) 81

Change this:
  static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0

To this:
  static (inside,outside) tcp interface 81 Webserver2-drupal 81 netmask 255.255.255.255 0 0

And this:
  access-list 100 permit tcp any interface outside eq www

to this:
 access-list 100 permit tcp any interface outside eq 81

Then use your browser:
 http://<yourwebsite>.com:81
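As an added illustration (not part of the thread or of any Cisco tool), a small Python check that parses the four PIX 6.3 pieces lrmoore names (name, static PAT, access-list, access-group) and reports a static PAT on the outside interface that no applied ACL opens. Run against the posted config it also flags the unused outside_in ACL, and it shows what breaks if only one of the two lines in the port-81 change is edited. The sample config is constructed from the lines posted above.

```python
# PIX accepts service names in place of numbers; only the ones this thread uses.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ftp-data": 20, "smtp": 25}

def port(tok):
    """Resolve a PIX port token ('www', '81') to an integer, None if unknown."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)

def check_pix_pat(config):
    """Parse name/static/access-list/access-group lines of a PIX 6.x config and
    report static PATs on the outside interface that no applied ACL permits."""
    names, pats, acl_ports, applied = {}, [], {}, set()
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                      # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:4] == ["static", "(inside,outside)", "tcp", "interface"]:
            # static (inside,outside) tcp interface <oport> <host> <iport> ...
            pats.append((port(t[4]), names.get(t[5], t[5]), port(t[6])))
        elif t[0] == "access-list" and t[2:4] == ["permit", "tcp"] and "interface" in t:
            # access-list <id> permit tcp any interface outside eq <port> ...
            i = t.index("interface")
            if t[i + 1:i + 3] == ["outside", "eq"]:
                acl_ports.setdefault(t[1], set()).add(port(t[i + 3]))
        elif t[0] == "access-group" and t[2:5] == ["in", "interface", "outside"]:
            applied.add(t[1])
    findings = [f"ACL {a} is not applied to the outside interface"
                for a in acl_ports if a not in applied]
    for oport, host, iport in pats:
        if not any(oport in acl_ports.get(a, ()) for a in applied):
            findings.append(f"no applied outside ACL permits tcp/{oport} -> {host}:{iport}")
    return {"pat": pats, "findings": findings}

# Constructed from the thread's posted config: the www PAT plus the unused outside_in ACL.
SAMPLE_CONFIG = """\
name 192.168.0.201 Webserver2-drupal
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq www log 7
static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

if __name__ == "__main__":
    for f in check_pix_pat(SAMPLE_CONFIG)["findings"]:
        print(f)
    # Port-81 variant with only the static changed: ACL 100 still opens www, so it fails.
    half = SAMPLE_CONFIG.replace("interface www Webserver2-drupal www", "interface 81 Webserver2-drupal 81")
    for f in check_pix_pat(half)["findings"]:
        print(f)
```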

katwijkAuthor Commented:
Hi,
Website is reachable. It works !! thanks for the help.