Atlanta_Mike
asked on
PIX 515E Traffic to web server from outside not getting through
VPN works great. Outbound internet access works great. I just can't hit my internal webserver.
Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password ESXy/N53AGN.9NRk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MPIX
domain-name Musa.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 10.50.10.0 255.255.255.0 10.50.20.0 255.255.255.0
access-list outside_access_in permit tcp any host xx.xx.xxx.133 range 700 701
access-list outside_access_in permit tcp any host xx.xx.xxx.133 eq 1024
access-list outside_access_in permit tcp any host xx.xx.xxx.136 eq www
access-list outside_access_in permit tcp any host xx.xx.xxx.136 eq ftp
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside xx.xx.xxx.131 255.255.255.240
ip address inside 10.50.10.131 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool MVPNPool 10.50.20.1-10.50.20.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
pdm location 10.50.10.135 255.255.255.255 inside
pdm location 10.50.10.133 255.255.255.255 inside
pdm location 10.50.10.134 255.255.255.255 inside
pdm location 10.50.10.136 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xxx.133 10.50.10.133 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.134 10.50.10.134 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.135 10.50.10.135 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.136 10.50.10.136 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 217.162.232.173 source outside
ntp server 24.73.74.251 source outside
ntp server 68.216.79.113 source outside prefer
http server enable
http 10.50.10.135 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Mvpn address-pool MVPNPool
vpngroup Mvpn dns-server 68.70.15.246 68.70.15.247
vpngroup Mvpn idle-time 1800
vpngroup Mvpn password ********
telnet timeout 5
ssh timeout 5
vpdn group MVPN accept dialin pptp
vpdn group MVPN ppp authentication mschap
vpdn group MVPN ppp encryption mppe 128 required
vpdn group MVPN client configuration address local MVPNPool
vpdn group MVPN client configuration dns 68.70.15.246 68.70.15.247
vpdn group MVPN pptp echo 60
vpdn group MVPN client authentication local
vpdn username Mvpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.50.10.10-10.50.10.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:846c7462a53
: end
[OK]
Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password ESXy/N53AGN.9NRk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MPIX
domain-name Musa.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 10.50.10.0 255.255.255.0 10.50.20.0 255.255.255.0
access-list outside_access_in permit tcp any host xx.xx.xxx.133 range 700 701
access-list outside_access_in permit tcp any host xx.xx.xxx.133 eq 1024
access-list outside_access_in permit tcp any host xx.xx.xxx.136 eq www
access-list outside_access_in permit tcp any host xx.xx.xxx.136 eq ftp
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside xx.xx.xxx.131 255.255.255.240
ip address inside 10.50.10.131 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool MVPNPool 10.50.20.1-10.50.20.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
pdm location 10.50.10.135 255.255.255.255 inside
pdm location 10.50.10.133 255.255.255.255 inside
pdm location 10.50.10.134 255.255.255.255 inside
pdm location 10.50.10.136 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xxx.133 10.50.10.133 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.134 10.50.10.134 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.135 10.50.10.135 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.136 10.50.10.136 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 217.162.232.173 source outside
ntp server 24.73.74.251 source outside
ntp server 68.216.79.113 source outside prefer
http server enable
http 10.50.10.135 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Mvpn address-pool MVPNPool
vpngroup Mvpn dns-server 68.70.15.246 68.70.15.247
vpngroup Mvpn idle-time 1800
vpngroup Mvpn password ********
telnet timeout 5
ssh timeout 5
vpdn group MVPN accept dialin pptp
vpdn group MVPN ppp authentication mschap
vpdn group MVPN ppp encryption mppe 128 required
vpdn group MVPN client configuration address local MVPNPool
vpdn group MVPN client configuration dns 68.70.15.246 68.70.15.247
vpdn group MVPN pptp echo 60
vpdn group MVPN client authentication local
vpdn username Mvpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.50.10.10-10.50.10.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:846c7462a53
: end
[OK]
You could try this and see if it will allow you to get to the website XXX is your outside IP. I know that Cisco did away with this in, but this works and I haven't gotten around to trying the host allows command.
conduit permit tcp host xxx.xxx.xxx.xxx eq www any
conduit permit tcp host xxx.xxx.xxx.xxx eq www any
ASKER
nope... I found the problem... I had a brain fart... I didn't have the Default Gateway defined on the web server.
Duh.
Duh.
Yea that would do it
Chris
Chris
ASKER
Doh!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Cheers,
Rajesh