Solved

PIX 515E Traffic to web server from outside not getting through

Posted on 2006-06-28
7
471 Views
Last Modified: 2013-11-16
VPN works great. Outbound internet access works great. I just can't hit my internal webserver.

Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password ESXy/N53AGN.9NRk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MPIX
domain-name Musa.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 10.50.10.0 255.255.255.0 10.50.20.0 255.255.255.0
access-list outside_access_in permit tcp any host xx.xx.xxx.133 range 700 701
access-list outside_access_in permit tcp any host xx.xx.xxx.133 eq 1024
access-list outside_access_in permit tcp any host xx.xx.xxx.136 eq www
access-list outside_access_in permit tcp any host xx.xx.xxx.136 eq ftp
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside xx.xx.xxx.131 255.255.255.240
ip address inside 10.50.10.131 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool MVPNPool 10.50.20.1-10.50.20.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
pdm location 10.50.10.135 255.255.255.255 inside
pdm location 10.50.10.133 255.255.255.255 inside
pdm location 10.50.10.134 255.255.255.255 inside
pdm location 10.50.10.136 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xxx.133 10.50.10.133 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.134 10.50.10.134 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.135 10.50.10.135 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xxx.136 10.50.10.136 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 217.162.232.173 source outside
ntp server 24.73.74.251 source outside
ntp server 68.216.79.113 source outside prefer
http server enable
http 10.50.10.135 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Mvpn address-pool MVPNPool
vpngroup Mvpn dns-server 68.70.15.246 68.70.15.247
vpngroup Mvpn idle-time 1800
vpngroup Mvpn password ********
telnet timeout 5
ssh timeout 5
vpdn group MVPN accept dialin pptp
vpdn group MVPN ppp authentication mschap
vpdn group MVPN ppp encryption mppe 128 required
vpdn group MVPN client configuration address local MVPNPool
vpdn group MVPN client configuration dns 68.70.15.246 68.70.15.247
vpdn group MVPN pptp echo 60
vpdn group MVPN client authentication local
vpdn username Mvpn password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.50.10.10-10.50.10.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:846c7462a53a85e2109533f8a6f31859
: end
[OK]
0
Comment
Question by:Atlanta_Mike
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17007204
From within the VPN session or from Internet ?

Cheers,
Rajesh
0
 

Expert Comment

by:cmorris01
ID: 17008957
You could try this and see if it will allow you to get to the website XXX is your outside IP. I know that Cisco did away with this in, but this works and I haven't gotten around to trying the  host allows command.

conduit permit tcp host xxx.xxx.xxx.xxx eq www any
0
 
LVL 13

Author Comment

by:Atlanta_Mike
ID: 17012680
nope... I found the problem... I had a brain fart... I didn't have the Default Gateway defined on the web server.

Duh.
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 

Expert Comment

by:cmorris01
ID: 17012888
Yea that would do it

               Chris
0
 
LVL 13

Author Comment

by:Atlanta_Mike
ID: 17013035
Doh!
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 17210367
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question