Solved

Unable to access web server in DMZ on PIX 515e

Posted on 2006-07-11
Last Modified: 2013-11-16
I have a PIX 515e running ver 7.2(1).

I have one web server in the DMZ. I am able to access the Internet on that server and able to access the server from internal clients. However, I cannot access the server from the outside.

This is the sequence of events reported in the syslog:

<166>Jul 11 2006 09:12:45: %PIX-6-302013: Built inbound TCP connection 140123 for outside:72.30.132.208/56275 (72.30.132.208/56275) to DMZ:Porthos_DMZ/80 (Porthos_ext/80)

<166>Jul 11 2006 09:12:45: %PIX-6-305011: Built dynamic TCP translation from inside:Porthos_DMZ/80 to outside:69.7.32.3/17

<166>Jul 11 2006 09:12:45: %PIX-6-106015: Deny TCP (no connection) from Porthos_DMZ/80 to 72.30.132.208/56275 flags SYN ACK  on interface inside

<166>Jul 11 2006 09:12:45: %PIX-6-305011: Built dynamic TCP translation from inside:72.30.132.208/56275 to DMZ:192.168.10.1/3926

<166>Jul 11 2006 09:12:45: %PIX-6-106015: Deny TCP (no connection) from 72.30.132.208/56275 to Porthos_DMZ/80 flags RST ACK  on interface inside

<166>Jul 11 2006 09:13:15: %PIX-6-302014: Teardown TCP connection 140123 for outside:72.30.132.208/56275 to DMZ:Porthos_DMZ/80 duration 0:00:30 bytes 0 SYN Timeout

If I run the packet trace tool in ASDM, it shows that the traffic is being denied by an implicit incoming rule. What I don't understand though is that I have several servers on the Inside zone that work just fine. The server I'm having trouble with is the only one in the DMZ and I've configured it just the same as the inside servers.

I need to get this done today because I have several managers breathing down my back. I'd give more points but they only allow 500.

Here's the config:
----------------------------
asdm image flash:/asdm-521.bin
asdm location NISC_inbound_Mandan 255.255.255.255 outside
asdm location ES 255.255.248.0 inside
asdm location 172.16.1.2 255.255.255.255 inside
asdm location Proton_int 255.255.255.255 inside
asdm location Brian_int 255.255.255.255 inside
asdm location 0.0.0.0 255.255.248.0 inside
asdm location 172.16.1.5 255.255.255.255 inside
asdm location FH 255.255.248.0 inside
asdm location ebill_ext 255.255.255.255 outside
asdm location Proton_ext 255.255.255.255 outside
asdm location Porthos_ext 255.255.255.255 outside
asdm location C1-3060_ext 255.255.255.255 outside
asdm location iVUE_Server 255.255.255.255 inside
asdm location Athos_DMZ 255.255.255.255 DMZ
asdm location Porthos_DMZ 255.255.255.255 DMZ
asdm location Andromeda_int 255.255.255.255 inside
asdm location Dartagnan_int 255.255.255.255 inside
asdm location C1-3060_int 255.255.255.255 inside
asdm location NISC_inbound_StLewis 255.255.255.255 outside
asdm group Domain_Controllers inside
asdm group Domain_Controllers_ref DMZ reference Domain_Controllers
asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname PIX515
domain-name opalco.com
enable password xxxx encrypted
names
name 172.16.4.1 Brian_int
name 172.16.1.3 Proton_int
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
name 172.16.1.8 Andromeda_int
name 172.16.1.14 Dartagnan_int
name 207.243.68.200 NISC_inbound_Mandan
name 12.10.126.135 NISC_inbound_StLewis
name 69.7.xx.xx Porthos_ext
name 172.16.1.18 C1-3060_int
name 69.7.xx.xx C1-3060_ext
dns-guard
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 69.7.xx.xx 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.0.2 255.255.248.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
passwd xxxx encrypted
banner login ----------------------------------------------------------------------
banner login                         Authorized access only!
banner login        Disconnect IMMEDIATELY if you are not an authorized user
banner login ----------------------------------------------------------------------
boot system flash:/pix721.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server Andromeda_int
 name-server Dartagnan_int
 domain-name opalco.com
object-group service TERMINAL_SERVICES tcp
 description Microsoft Terminal Services
 port-object eq 3389
object-group service Messenger_File_Transfer tcp
 port-object range 6891 6900
object-group service Windows_TCP_Domain_Services tcp
 description Services required for a domain member to comunicate
 port-object eq 88
 port-object eq netbios-ssn
 port-object eq ldap
 port-object eq 3268
 port-object eq 135
 port-object eq 445
 port-object eq domain
 port-object eq 1026
 port-object eq 8530
object-group service Windows_UDP_Domain_Services udp
 description Services required for a domain member to comunicate
 port-object eq 88
 port-object eq 389
 port-object eq netbios-ns
 port-object eq ntp
 port-object eq domain
 port-object eq 8530
object-group network Domain_Controllers
 network-object Andromeda_int 255.255.255.255
 network-object Dartagnan_int 255.255.255.255
access-list acl_out extended permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out extended permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out extended permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out extended permit tcp any host Proton_ext eq smtp
access-list acl_out remark E-Bill
access-list acl_out extended permit tcp any host ebill_ext eq https
access-list acl_out remark NISC Mandan secure telnet
access-list acl_out extended permit tcp host NISC_inbound_Mandan host ebill_ext eq ssh
access-list acl_out remark NISC Mandan RDP access
access-list acl_out extended permit tcp host NISC_inbound_Mandan host C1-3060_ext object-group TERMINAL_SERVICES
access-list acl_out remark NISC St. Lewis secure telnet
access-list acl_out extended permit tcp host NISC_inbound_StLewis host ebill_ext eq ssh
access-list acl_out remark NISC St. Lewis RDP access
access-list acl_out extended permit tcp host NISC_inbound_StLewis host C1-3060_ext object-group TERMINAL_SERVICES
access-list acl_out remark Web Site
access-list acl_out extended permit tcp any host Porthos_ext eq www
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out remark Outlook Web Access
access-list acl_out remark Inbound mail
access-list acl_out remark New web site
access-list acl_out remark E-Bill
access-list acl_out remark NISC secure telnet
access-list acl_out remark NISC Term Svcs to Positron
access-list inside_outbound_nat0_acl extended permit ip any ES 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip any 172.16.2.240 255.255.255.240
access-list DMZaccess_in extended permit udp host Porthos_DMZ object-group Domain_Controllers object-group Windows_UDP_Domain_Services
access-list DMZaccess_in extended permit tcp host Porthos_DMZ object-group Domain_Controllers object-group Windows_TCP_Domain_Services
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq www
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq https
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list outside_cryptomap extended permit ip any 172.16.2.240 255.255.255.240
no pager
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap informational
logging asdm informational
logging host inside Brian_int
no logging message 405001
no logging message 106023
logging rate-limit 1 300 message 313005
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 10 0.0.0.0 0.0.0.0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255
static (DMZ,outside) Porthos_ext Porthos_DMZ netmask 255.255.255.255
static (inside,DMZ) Andromeda_int Andromeda_int netmask 255.255.255.255
static (inside,DMZ) Dartagnan_int Dartagnan_int netmask 255.255.255.255
static (inside,outside) C1-3060_ext C1-3060_int netmask 255.255.255.255
access-group acl_out in interface outside
access-group DMZaccess_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.16.1.8 172.16.1.14
 dns-server value 172.16.1.8 172.16.1.14
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value opalco.com
username BrianL password xxxx== nt-encrypted privilege 15
username CWestlake password xxxx== nt-encrypted
username Beth password xxxx== nt-encrypted
username Betty password xxxx== nt-encrypted
username Rick password xxxx== nt-encrypted
username orcaspower password xxxx encrypted privilege 15
username Judi password xxxx== nt-encrypted
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
snmp-server location Eastsound, WA
snmp-server contact Brian S. Longworth
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp DMZ
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-128_SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
 dhcp-server Dartagnan_int
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
no vpn-addr-assign local
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
ssh version 1
console timeout 10
management-access inside
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
dhcp-client update dns server both
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server 131.107.1.10 source outside prefer
tftp-server inside Brian_int /pix_config
smtp-server 172.16.1.3
prompt hostname context
Cryptochecksum:6adc651571ad2c5646f76619d919ed5c
: end
0
Question by:brian975
8 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17083518
Looks like you have most of the requirements covered:
 access-list - OK
>access-list acl_out extended permit tcp any host Porthos_ext eq www

 static xlate - OK
>static (DMZ,outside) Porthos_ext Porthos_DMZ netmask 255.255.255.255

Acl applied to DMZ interface looks a bit deceiving:
>access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq www
>access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq https

I would expect the source port to be www, not the destination:
access-list DMZaccess_in extended permit tcp host Porthos_DMZ eq www any

Try it on for size and see what happens.
0
 

Author Comment

by:brian975
ID: 17083657
That seems to have done it. Thanks!  :)

Question though: does that command invalidate or render redundant these commands?

access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq www
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq https

I had those in there so that the web server could only access http and https web sites. I didn't want it trying to communicate to any other ports on the Internet.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17083692
No, they can augment those ACL entries so that they can only access http/s sites and at the same time can serve www sites.
0
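To make the source-port versus destination-port point from the accepted answer (and the follow-up about still restricting the server to http/s browsing) concrete, here is an added toy first-match ACL evaluator. It is not code from the thread, and it is not how the PIX's stateful engine actually evaluates traffic; it only shows which flows the literal DMZaccess_in lines match. The flows are constructed from the syslog lines in the question.

```python
import ipaddress

# Name table: taken from the 'names' section of the config in the question.
NAMES = {"Porthos_DMZ": "192.168.10.3"}
PORTS = {"www": 80, "https": 443}

def _addr_port(toks):
    """Consume one address spec (any | host X | NET MASK) plus an optional 'eq PORT'."""
    if toks[0] == "any":
        net, toks = ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    elif toks[0] == "host":
        net, toks = ipaddress.ip_network(NAMES.get(toks[1], toks[1])), toks[2:]
    else:
        net, toks = ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]
    port = None
    if toks and toks[0] == "eq":
        port, toks = int(PORTS.get(toks[1], toks[1])), toks[2:]
    return net, port, toks

def parse_ace(line):
    """'access-list NAME extended permit tcp SRC [eq P] DST [eq P]' -> dict."""
    toks = line.split()
    src, sport, rest = _addr_port(toks[5:])
    dst, dport, _ = _addr_port(rest)
    return {"action": toks[3], "proto": toks[4], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def evaluate(acl_lines, src, sport, dst, dport, proto="tcp"):
    """First-match evaluation; no match means the implicit deny at the end of the ACL."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] == proto
                and ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"]
                and ace["sport"] in (None, sport)
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny (implicit)"

ORIGINAL = [
    "access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq www",
    "access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq https",
]
# The line lrmoore suggested adding: 'eq www' now qualifies the source, not the destination.
FIXED = ORIGINAL + ["access-list DMZaccess_in extended permit tcp host Porthos_DMZ eq www any"]

# Constructed flows (src, sport, dst, dport): the SYN ACK reply seen in the question's syslog,
# an outbound browse from the server, and an outbound SMTP attempt the author wants blocked.
REPLY = ("192.168.10.3", 80, "72.30.132.208", 56275)
BROWSE = ("192.168.10.3", 3926, "72.30.132.208", 80)
SMTP = ("192.168.10.3", 3927, "72.30.132.208", 25)

if __name__ == "__main__":
    for label, flow in (("reply", REPLY), ("browse", BROWSE), ("smtp", SMTP)):
        print(label, "original:", evaluate(ORIGINAL, *flow), "| fixed:", evaluate(FIXED, *flow))
```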
 
LVL 79

Expert Comment

by:lrmoore
ID: 17083703
Any time you apply an acl on a DMZ or inside interface you have to be careful of unintended consequences. You may find now that your other DMZ servers can't do anything..
0
 

Author Comment

by:brian975
ID: 17083842
Well, right now, the web server is the only one in the DMZ. Soon I will be adding a front-end SMTP server in the DMZ. Do you foresee any problems here?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17084007
No problems as long as you plan it well and modify the acl as you add servers
0
 

Author Comment

by:brian975
ID: 17084060
Excellent. Thank you very much for your good advice.
I greatly appreciate it.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17084241
Glad to help!
0
