Solved

Pix and Apache Web Server

Posted on 2006-11-03
282 Views
Last Modified: 2013-11-16
What has to be opened up on a PIX 506e to allow name-based virtual hosts to pass through the PIX to the web server? I know it has something to do with DNS. Is it just opening up the DNS port inbound?
Question by:Thermo1
17 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 17869044
You shouldn't have to do anything other than open up port 80. As long as external DNS resolves all host names to the same public IP address that the PIX has natted to the Web server.
If it doesn't work, try disabling fixup http
  no fixup protocol http
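A worked illustration of why nothing beyond TCP/80 needs to be open, added here as an example and not part of lrmoore's answer or of any Cisco or Apache code: name-based virtual hosting is decided by the Host header carried inside the HTTP request, which the firewall forwards unchanged, so DNS only has to point every name at the one public address. The virtual host table, host names and document roots below are constructed sample values, and the fallback behaviour (first vhost wins for an unknown name, 400 for an HTTP/1.1 request with no Host) follows the HTTP/1.1 rule and Apache's documented default.

```python
"""Name-based virtual host selection from the Host header.

Added example, not from the thread. VHOSTS is a constructed stand-in for
Apache's <VirtualHost> blocks: ServerName, ServerAlias and DocumentRoot.
"""
from typing import Dict, List, Optional, Tuple

# Constructed vhost table. The first entry is the default vhost, which is
# what Apache serves when no ServerName/ServerAlias matches.
VHOSTS: List[Dict] = [
    {"name": "www.example.com", "aliases": ["example.com"], "root": "/var/www/main"},
    {"name": "cams.example.com", "aliases": [], "root": "/var/www/cams"},
]


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP request head into (method, target, version, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive; values keep their case.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def host_name(host: str) -> str:
    """Strip an optional :port from a Host value, handling IPv6 literals."""
    if host.startswith("["):                      # e.g. [::1]:80
        return host[: host.index("]") + 1].lower()
    return host.split(":", 1)[0].lower()


def select_vhost(raw: bytes) -> Tuple[int, Optional[str]]:
    """Return (status, document_root) for a raw request head.

    HTTP/1.1 requires a Host header; a request without one gets 400.
    An HTTP/1.0 request without Host, or an unknown name, lands on the
    default (first) vhost, mirroring Apache's behaviour.
    """
    _method, _target, version, headers = parse_request_head(raw)
    host = headers.get("host")
    if host is None:
        if version == "HTTP/1.1":
            return 400, None
        return 200, VHOSTS[0]["root"]
    name = host_name(host)
    for vh in VHOSTS:
        if name == vh["name"] or name in vh["aliases"]:
            return 200, vh["root"]
    return 200, VHOSTS[0]["root"]


if __name__ == "__main__":
    # Two requests to the same IP and port differ only in the Host header;
    # the firewall sees identical TCP/80 flows for both.
    for req in (
        b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: cams.example.com\r\n\r\n",
    ):
        print(req.split(b"\r\n")[1].decode(), "->", select_vhost(req))
```

The firewall-side takeaway matches lrmoore's point: a packet filter that passes the TCP payload untouched cannot tell one vhost from another, so the ACL entry for port 80 is all that is needed, and any difference between "on the PIX" and "off the PIX" has to come from what reaches Apache in the request itself.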
 
LVL 1

Author Comment

by:Thermo1
ID: 17870169
The server works fine when I put it directly on the internet; something about the PIX blocks it. I'll have to set the PIX up again and try that no fixup. I got so frustrated with it I just left the web server directly on the internet.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17873841
Take a break and then have a look at the configuration again. If still no joy post the configuration here so that we can take a look at it.

Cheers,
Rajesh
 
LVL 1

Author Comment

by:Thermo1
ID: 17881007
I put the old configuration back in and put in the no fixup 80. Still no luck. Even with changing the service group to allow all TCP ports, it still doesn't work. See config below. Thanks

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.101.254 WebServerInside
name 64.xxx.xxx.221 WebServerOutside
object-group service webservices tcp
  port-object eq www
  port-object eq ftp-data
  port-object eq https
  port-object eq ftp
  port-object eq hostname
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host WebServerOutside object-group webservices
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.xxx.xxx.218 255.255.255.248
ip address inside 192.168.101.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name DropAndKill attack action drop reset
ip audit name DropInfo info action drop reset
ip audit interface outside DropInfo
ip audit interface outside DropAndKill
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.101.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) WebServerOutside WebServerInside netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.101.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.101.125 \pixbackup
floodguard enable
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
[OK]
 
LVL 79

Expert Comment

by:lrmoore
ID: 17896855
There's nothing at all wrong with your PIX configuration, and nothing that I'm aware of that could possibly be causing this issue. Unfortunately I don't know how the Apache server is looking at the GET requests and the user headers. The PIX does not rewrite anything at all, it just passes packets that are allowed.

One last ditch effort. Try adding "dns" keyword to the xlate

no static (inside,outside) WebServerOutside WebServerInside netmask 255.255.255.255 0 0
clear xlate
static (inside,outside) WebServerOutside WebServerInside dns netmask 255.255.255.255 0 0
                                                                                      ^^
 
LVL 1

Author Comment

by:Thermo1
ID: 17901902
How do you post one of those cross-reference links over to the Apache forum to see if those guys have any answers?
 
LVL 79

Expert Comment

by:lrmoore
ID: 17903013
Just copy the URL from this page and post a new *pointer* question in the Apache forum, then paste this link into the comment box.
I can do it for you if you'd like.
 
LVL 1

Author Comment

by:Thermo1
ID: 17903451
I think I got it.
 
LVL 57

Expert Comment

by:giltjr
ID: 17903724
What error do you get? What do the Apache logs show?

I would suggest that you install a packet tracing program on the Apache server (http://www.wireshark.org is good and free) and run a trace.

As long as the HTTP request gets to the Apache server without being modified, there should be no issue.
 
LVL 43

Expert Comment

by:ravenpl
ID: 17904708
Add the following line to your PIX config (HTTP is not allowed by the firewall at all):

enable
config t
access-list 100 permit tcp any host ip.of.Your.server eq www
exit
#then save config with
write mem
 
LVL 57

Expert Comment

by:giltjr
ID: 17906279
ravenpl:

Shouldn't:

--> access-list 100 permit tcp any host WebServerOutside object-group webservices

and

--> object-group service webservices tcp
-->   port-object eq www
-->   port-object eq ftp-data
-->   port-object eq https
-->   port-object eq ftp
-->   port-object eq hostname

cover that?
 
LVL 1

Author Comment

by:Thermo1
ID: 17933877
I got the traces, but I don't really understand them. Is there any way to post them to be looked at? I opened them in Notepad, and they get kind of scrambled. Any way to export the trace as text?
 
LVL 1

Author Comment

by:Thermo1
ID: 17934001
One thing I did notice from the Apache access log.

On the firewall:

64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET / HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /apache_pb.gif HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /favicon.ico HTTP/1.1" 404 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET / HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /apache_pb.gif HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /favicon.ico HTTP/1.1" 404 -


Off the firewall:

64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET / HTTP/1.1" 200 328
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam01.jpg HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam03.jpg HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam02.jpg HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam04.jpg HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /favicon.ico HTTP/1.1" 404 -


The first GET HTTP header has some different numbers after it. Does that mean anything?
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 250 total points
ID: 17934226
All of these are the "responses" to the GETs.

--> 64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET / HTTP/1.1" 304 -

A non-specific GET using HTTP 1.1 was done. This causes the web server to either serve up a document that matches the default document name (normally index.html), show a directory listing (if enabled and there is no default document found), or say directory listing/browsing is denied (if directory listing is disabled and there is no default document).

The "304" is the HTTP return code that Apache returned. In this case Apache is saying the document has not changed, so use the "cached" version. Which is weird, as I did not think you could return a 304 for a "/" request; that it had to be a request for a specific file name (like /imgs/Cam01.jpg).

If the browser has a cached copy of the file, when it issues the GET it will include an HTTP header with the datetime stamp of the file in its cache. If the file has not changed the server will return "304"; if it has changed it will return a "200" and the file.

On the second instance:

--> 64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET / HTTP/1.1" 200 328

The same GET was issued, but this time Apache returned "200", which means the GET was successful, here is the document, and, oh by the way, it is 328 bytes long.

I don't see how using a PIX firewall would cause this, unless when using the PIX it is re-routing requests through some type of inbound (reverse) proxy server.
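An added example (Python, written for this page and not taken from giltjr's post or from Apache) that parses the access-log lines quoted above and models the conditional GET giltjr describes: a browser that holds a cached copy sends If-Modified-Since, and the server answers 304 with no body when the file is unchanged, or 200 with the full body when it is not. It also covers the case giltjr found odd, a 304 for "GET /": the default document behind "/" is an ordinary file with a modification time, so it can be validated like any named file. The log lines are the ones quoted in the thread (masked IP kept as-is); the document table and its timestamps are constructed.

```python
"""Apache common-log parsing plus a model of the If-Modified-Since check.

Added example, not from the thread. SAMPLE_LOG is copied from the quoted
access log; DOCS is a constructed stand-in for the files on disk.
"""
import re
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime

# Apache "common" log format: host ident user [time] "request" status bytes
# ("-" in the bytes column means no body was sent, as with 304 and 404).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

SAMPLE_LOG = """\
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET / HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /favicon.ico HTTP/1.1" 404 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET / HTTP/1.1" 200 328
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam01.jpg HTTP/1.1" 304 -
"""


def parse_log(text):
    """Turn common-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, target, version = m["request"].split(" ")
        entries.append({
            "host": m["host"], "method": method, "target": target,
            "version": version, "status": int(m["status"]),
            "bytes": None if m["bytes"] == "-" else int(m["bytes"]),
        })
    return entries


def summarize(entries):
    """Map each request target to the statuses seen for it, in log order."""
    out = {}
    for e in entries:
        out.setdefault(e["target"], []).append(e["status"])
    return out


# Constructed document table: path -> (last-modified, body). "/" resolves
# to the default document, which is why it can answer 304 like a named file.
DOCS = {
    "/": (datetime(2006, 11, 10, 12, 0, tzinfo=timezone.utc), b"<html>" + b"x" * 322),
    "/imgs/Cam01.jpg": (datetime(2006, 11, 12, 9, 30, tzinfo=timezone.utc),
                        b"\xff\xd8" + b"\x00" * 1022),
}


def conditional_get(target, if_modified_since=None):
    """Return (status, content_length) as a server would.

    404 for an unknown path; 304 with no body when the client's cached copy
    is at least as new as the file; otherwise 200 with the full body.
    """
    if target not in DOCS:
        return 404, None
    last_modified, body = DOCS[target]
    if if_modified_since is not None:
        client_ts = parsedate_to_datetime(if_modified_since)
        if last_modified <= client_ts:
            return 304, None
    return 200, len(body)


def http_date(dt):
    """Format a datetime as an HTTP-date, the form If-Modified-Since uses."""
    return formatdate(dt.timestamp(), usegmt=True)


if __name__ == "__main__":
    for target, statuses in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{target}: {statuses}")
    cached = http_date(DOCS["/"][0])
    print("first visit  ->", conditional_get("/"))
    print("revalidation ->", conditional_get("/", cached))
```

Reading the two log excerpts with this in mind, both servers answered the same client correctly for the request they received: the 304s on the firewalled run mean the browser already had that server's index page and images cached, and the 200/328 on the direct run means it fetched a page it had not seen before. The status column therefore reflects browser cache state, not anything the PIX did to the packets, which is consistent with giltjr's conclusion.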