Solved

How to configure PIX 506e to reach from outside a WWW server hosted on the inside

Posted on 2006-04-09
Last Modified: 2010-04-08
Hello,

I just can't get it figured out! So I ask you to help me! Below is my config file. What I want is to configure the PIX 506e so that my customers on the internet can reach my server.

Hope you know what's wrong with my config.

Thanks in advance.

Katwijk
====================================================================
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixtest
domain-name katwijk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.16 Webserver2
name 192.168.0.15 Webserver1
name 192.168.0.200 Webserver1-urenreg
name 192.168.0.201 Webserver2-drupal
object-group service SERV-Webservices-TCP tcp
  description TCP ports used by FTP, HTTP, HTTPS
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
object-group network HOST-Inside-Webservers
  description Internal IP addresses of WWW
  network-object Webserver2 255.255.255.255
  network-object Webserver2-drupal 255.255.255.255
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq www log 7
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap notifications
logging host inside Webserver1
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action reset
ip audit signature 1000 disable
pdm location Webserver1 255.255.255.255 inside
pdm location Webserver2 255.255.255.255 inside
pdm location Webserver1-urenreg 255.255.255.255 inside
pdm location Webserver2-drupal 255.255.255.255 inside
pdm group HOST-Inside-Webservers inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0
access-group 100 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public_mkatwi
snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxx
: end
[OK]
=======================================================================
Question by: katwijk

9 Comments
Expert Comment by: billwharton (ID: 16413566)
1) Is your webserver sitting on 192.168.0.201?

2) Do you want Internet users to be able to access only port 80 (http) on your server, or any other ports too?

From your config, it seems you have everything set up fine. Where exactly do you see the problem? Do a 'show ip' and paste the outside IP address and I'll check the server communications from the outside.
 
Expert Comment by: lrmoore (ID: 16413582)
You already have all the pieces in place:

\\-- allow anyone in to the outside interface IP
>access-list 100 permit tcp any interface outside eq www

\\ static PAT map for the interface to the www server:
>static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0

\\ access list applied to the outside interface:
>access-group 100 in interface outside

! DONE!

If it does not work, check the server for correct IP address, subnet mask, and default gateway.
Default gateway *MUST* point to the PIX inside IP...

Post the result of C:\>route print from the WWW server.
 

Author Comment by: katwijk (ID: 16422141)
Hi,

Reply for billwharton: Yep, my webserver is hosted on IP 192.168.0.201; it also has another IP for the second network card, which is 192.168.0.16.

Second question: For a start I want users to connect to my interface, but when that works I'm going to set up an email server.

Here is the output of my show ip command.

System IP Addresses:
        ip address outside 82.156.241.82 255.255.248.0
        ip address inside 192.168.0.1 255.255.255.0
Current IP Addresses:
        ip address outside 82.156.241.82 255.255.248.0
        ip address inside 192.168.0.1 255.255.255.0


============

Reply for lrmoore: I studied other examples so I'm glad I made the right choices. Too bad it ain't working yet.

webserver2-drupal has IP 192.168.0.201, netmask 255.255.255.0 and gateway 192.168.0.1. I also added three DNS servers: the first two are from my provider and the last one is my PIX inside address 192.168.0.1.

Below is the route print output which I made from the www server.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000005 ...00 e0 81 00 42 06 ...... Intel 8255x-based Integrated Fast Ethernet
0x3000006 ...00 02 44 05 e9 e8 ...... NDIS 5.0 driver
===========================================================================
===========================================================================
Active routes:
Networkaddress             Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.16        1
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.201        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0     192.168.0.16    192.168.0.16        1
      192.168.0.0    255.255.255.0    192.168.0.201   192.168.0.201        1
     192.168.0.16  255.255.255.255        127.0.0.1       127.0.0.1        1
    192.168.0.201  255.255.255.255        127.0.0.1       127.0.0.1        1
    192.168.0.255  255.255.255.255     192.168.0.16    192.168.0.16        1
    192.168.0.255  255.255.255.255    192.168.0.201   192.168.0.201        1
        224.0.0.0        224.0.0.0     192.168.0.16    192.168.0.16        1
        224.0.0.0        224.0.0.0    192.168.0.201   192.168.0.201        1
  255.255.255.255  255.255.255.255    192.168.0.201   192.168.0.201        1
Default-gateway:       192.168.0.1
===========================================================================
Permanent routes:
  None
 
Expert Comment by: lrmoore (ID: 16422299)
>I also added three DNS servers: the first two are from my provider and the last one is my PIX inside address 192.168.0.1.
That won't work. The PIX cannot be a DNS proxy for you. Yes, I know any little Linksys or D-Link can, but not the PIX. Keeping the ISP-provided IPs for nameservers should be OK.
You may need to add the "dns" keyword to your static xlate:
>static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0

  clear xlate
  no static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0
  static (inside,outside) tcp interface www Webserver2-drupal www dns netmask 255.255.255.255 0 0
                                                                                                  ^^


>Networkaddress             Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.16       1
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.201       1

Part of the problem is that outbound traffic has two same-metric paths out. Try disabling one NIC on the server and see if everything works then.
Load-balancing out of dual NICs is difficult, to say the least.
 

Author Comment by: katwijk (ID: 16422471)
Hi lrmoore,

I disabled one NIC; only the 192.168.0.201 is active now.
I removed all three DNS addresses (I guess that was the direction you gave??)

I copy-pasted the three lines in the telnet shell.

I did a write mem but still no reachable www server. I found these route definitions. Are they correct?

outside 0.0.0.0 0.0.0.0 82.156.240.1 1 DHCP static
outside 82.156.240.0 255.255.248.0 82.156.241.82 1 CONNECT static
inside 192.168.0.0 255.255.255.0 192.168.0.1 1 CONNECT static

The route print command now gives these data.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000005 ...00 e0 81 00 42 06 ...... Intel 8255x-based Integrated Fast Ethernet

===========================================================================
===========================================================================
Active routes:
Networkaddress             Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.201       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0    192.168.0.201   192.168.0.201       1
    192.168.0.201  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.0.255  255.255.255.255    192.168.0.201   192.168.0.201       1
        224.0.0.0        224.0.0.0    192.168.0.201   192.168.0.201       1
  255.255.255.255  255.255.255.255    192.168.0.201   192.168.0.201       1
Default gateway:       192.168.0.1
===========================================================================
Permanent routes:
  None

Any suggestions left? I hope so ...
 
Expert Comment by: lrmoore (ID: 16422538)
>I removed all three DNS addresses (I guess that was the direction you gave??)
You need to keep the 2 that the ISP gave you.

>I did a write mem but still no reachable www server.
Just to verify - you are trying to access this server from *outside* your network, right?
 

Author Comment by: katwijk (ID: 16432091)
Hi,

I'm now thinking perhaps my ISP is blocking port 80 for some reason. How do I redirect www to port (let's say) 81?

I added the two default DNS IPs. Yes, I'm trying to unlock my server for the outside.

Another thought of mine. Is it possible that I can't use my www address from the inside?

Thanks in advance.
 
Accepted Solution by: lrmoore (earned 1000 total points, ID: 16432189)
>Is it possible that i can't use my www adres from the inside?
No

>how do i redirect www to port (lets say) 81

Change this:
  static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0

To this:
  static (inside,outside) tcp interface 81 Webserver2-drupal 81 netmask 255.255.255.255 0 0

And this:
  access-list 100 permit tcp any interface outside eq www

to this:
  access-list 100 permit tcp any interface outside eq 81

Then use your browser:
  http://<yourwebsite>.com:81
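The cut-over to tcp/81 that the accepted answer describes, written out as one complete PIX 6.3 session together with the checks a practitioner would run afterwards to tell "the ISP filters the port" apart from "the PIX or the server drops it". This is an added example, not part of the thread or of the poster's config. It reuses the name Webserver2-drupal (192.168.0.201), access-list 100 and the outside address 82.156.241.82 from the posted config; the choice of tcp/81 and the assumption that inbound tcp/80 is filtered upstream come from the thread. It further assumes the web server is reconfigured to listen on tcp/81 (the alternative, leaving the server on tcp/80 and letting the PIX redirect 81 to 80, is shown commented out).

```cisco
! Added example, not the poster's configuration. PIX 6.3 syntax.
! Assumptions: inbound tcp/80 is filtered by the ISP; the web server
! (Webserver2-drupal = 192.168.0.201) will listen on tcp/81.

! 1. Remove the old tcp/80 translation. Active xlates must be cleared
!    first, otherwise the PIX keeps using the old mapping. If the "dns"
!    variant from earlier in the thread was applied, remove that exact
!    line instead ("show static" lists what is actually configured).
clear xlate
no static (inside,outside) tcp interface www Webserver2-drupal www netmask 255.255.255.255 0 0

! 2. New static PAT: <outside interface address>:81 -> 192.168.0.201:81
static (inside,outside) tcp interface 81 Webserver2-drupal 81 netmask 255.255.255.255 0 0
!    Alternative if the server should keep listening on tcp/80: let the
!    PIX redirect 81 -> 80 (use one of the two statics, never both):
! static (inside,outside) tcp interface 81 Webserver2-drupal www netmask 255.255.255.255 0 0

! 3. Swap the tcp/80 permit for tcp/81. The ACE still permits any source,
!    which is what a public web server needs. "log 7" emits a syslog per
!    match; it only becomes visible in "show logging" if the buffer level
!    is raised for the test window (the posted config buffers at errors).
no access-list 100 permit tcp any interface outside eq www
access-list 100 permit tcp any interface outside eq 81 log 7
access-group 100 in interface outside
logging buffered debugging
write memory

! 4. Verify from the PIX console while a client on the Internet (not an
!    inside host: the PIX cannot reach its own outside address from the
!    inside) browses to http://82.156.241.82:81/
show static               ! the "tcp interface 81" static must be listed
show access-list 100      ! hitcnt on the "eq 81" line:
                          !   stays 0    -> packets never reach the PIX
                          !                 (ISP filter, wrong public IP)
                          !   increments -> PIX permits them; look at the
                          !                 server side next
show xlate                ! expect a PAT entry 82.156.241.82(81) -> 192.168.0.201(81)
show conn                 ! expect a TCP conn to 192.168.0.201:81 whose flags
                          ! include U (up) once the handshake completes; a conn
                          ! that never goes up means the server is not answering
                          ! on tcp/81 (service, host firewall, default gateway)
show logging              ! %PIX-7-106100 lines for access-list 100 show the
                          ! source address of each permitted connection

! 5. Restore the buffer level once the test is done.
logging buffered errors
write memory
```

The hit counter is the decisive check: if it stays at zero while a host on the Internet is connecting, no amount of PIX or server tuning will help, because the packets are being dropped before they reach the outside interface.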
 

Author Comment by: katwijk (ID: 16439124)
Hi,
Website is reachable. It works!! Thanks for the help.
