Pix and Apache Web Server

Thermo1
Thermo1 asked
on
Medium Priority
303 Views
Last Modified: 2013-11-16
What has to be opened up on a PIX 506e to allow name-based virtual hosts to pass through the PIX to the web server? I know it has something to do with DNS. Is it just opening up the DNS port inbound?

Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented:
You shouldn't have to do anything other than open up port 80. As long as external DNS resolves all host names to the same public IP address that the PIX has natted to the Web server.
If it doesn't work, try disabling fixup http
  no fixup protocol http


Author

Commented:
The server works fine when I put it directly on the internet; something about the PIX blocks it. I'll have to set the PIX up again and try that no fixup. I got so frustrated with it I just left the web server directly on the internet.

Take a break and then have a look at the configuration again. If still no joy, post the configuration here so that we can take a look at it.

Cheers,
Rajesh

Author

Commented:
I put the old configuration back in, put in the no fixup 80. Still no luck. Even with changing the service group to allow all TCP ports, it still doesn't work. See config below. Thanks

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.101.254 WebServerInside
name 64.xxx.xxx.221 WebServerOutside
object-group service webservices tcp
  port-object eq www
  port-object eq ftp-data
  port-object eq https
  port-object eq ftp
  port-object eq hostname
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host WebServerOutside object-group webservices
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.xxx.xxx.218 255.255.255.248
ip address inside 192.168.101.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name DropAndKill attack action drop reset
ip audit name DropInfo info action drop reset
ip audit interface outside DropInfo
ip audit interface outside DropAndKill
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.101.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) WebServerOutside WebServerInside netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.101.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.101.125 \pixbackup
floodguard enable
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
[OK]
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
There's nothing at all wrong with your PIX configuration, and nothing that I'm aware of that could possibly be causing this issue. Unfortunately I don't know how the Apache server is looking at the GET requests and the user headers. The PIX does not rewrite anything at all, it just passes packets that are allowed.

One last ditch effort. Try adding "dns" keyword to the xlate

no static (inside,outside) WebServerOutside WebServerInside netmask 255.255.255.255 0 0
clear xlate
static (inside,outside) WebServerOutside WebServerInside dns netmask 255.255.255.255 0 0
                                                                                      ^^

Author

Commented:
How do you post one of those cross-reference links over to the Apache forum to see if those guys have any answers?
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Just copy the URL from this page and post a new *pointer* question in the Apache forum, then paste this link into the comment box.
I can do it for you if you'd like.

Author

Commented:
I think I got it.
CERTIFIED EXPERT
Top Expert 2014

Commented:
What error do you get? What do the Apache logs show?

I would suggest that you install a packet tracing program on the Apache Server (http://www.wireshark.org is good and free) and run a trace.

As long as the HTTP request gets to the Apache server without being modified, there should be no issue.
Top Expert 2005

Commented:
Add the following line to your PIX config (HTTP is not allowed by the firewall at all)

enable
config t
access-list 100 permit tcp any host ip.of.Your.server eq www
exit
#then save config with
write mem
CERTIFIED EXPERT
Top Expert 2014

Commented:
ravenpl:

Shouldn't:

--> access-list 100 permit tcp any host WebServerOutside object-group webservices

and

--> object-group service webservices tcp
-->   port-object eq www
-->   port-object eq ftp-data
-->   port-object eq https
-->   port-object eq ftp
-->   port-object eq hostname

cover that?

Author

Commented:
I got the traces, but I don't really understand them. Is there any way to post them to be looked at? I opened them in Notepad, and they get kind of scrambled. Any way to export the trace as text?

Author

Commented:
One thing I did notice, from the Apache access log.

On the firewall:

64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET / HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /apache_pb.gif HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /favicon.ico HTTP/1.1" 404 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET / HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /apache_pb.gif HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET /favicon.ico HTTP/1.1" 404 -


Off the firewall:

64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET / HTTP/1.1" 200 328
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam01.jpg HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam03.jpg HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam02.jpg HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /imgs/Cam04.jpg HTTP/1.1" 304 -
64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET /favicon.ico HTTP/1.1" 404 -


The first GET HTTP header has some different numbers after it. Does that mean anything?
CERTIFIED EXPERT
Top Expert 2014
Commented:
All of these are the "responses" to the GETs.

--> 64.xxx.xxx.222 - - [13/Nov/2006:16:54:58 -0500] "GET / HTTP/1.1" 304 -

A non-specific GET using HTTP 1.1 was done. This causes the web server to either serve up a document that matches the default document name (normally index.html), show a directory listing (if enabled and there is no default document found), or say directory listing/browsing is denied (if directory listing is disabled and there is no default document).

The "304" is the HTTP return code that Apache returned. In this case Apache is saying the document has not changed, so use the "cached" version. Which is weird, as I did not think you could return a 304 for a "/" request; that it had to be a request for a specific file name (like /imgs/Cam01.jpg).

If the browser has a cached copy of the file, when it issues the GET it will include an HTTP header with the datetime stamp of the file in cache. If the file has not changed the server will return "304"; if it has changed it will return a "200" and the file.

On the second instance:

--> 64.xxx.xxx.222 - - [13/Nov/2006:16:56:23 -0500] "GET / HTTP/1.1" 200 328

The same GET was issued, but this time Apache returned "200", which means the GET was successful, here is the document, and oh by the way it is 328 bytes long.

I don't see how using a PIX firewall would cause this. Unless when using the PIX it is re-routing requests through some type of inbound (reverse) proxy server.
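As an added illustration (not code from this thread, from Apache or from Cisco), here is a small Python model of the two points the experts make: a name-based web server picks the virtual host purely from the HTTP Host header, so a firewall that only passes packets to one NATted address plays no part in that choice, and a 304 is returned only when the client sent an If-Modified-Since header dated at or after the document's last change. The host names, document bodies, modification date and log format are constructed for the example.

```python
"""Model of name-based vhost selection and conditional GET (constructed example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed data: two names that both resolve to the single public IP the
# firewall statics to the web server; the server tells them apart only by Host.
LAST_MOD = datetime(2006, 11, 1, 12, 0, tzinfo=timezone.utc)
VHOSTS = {
    "www.example.test": {"/": b"<html>main site</html>"},
    "cams.example.test": {"/": b"<html>cameras</html>",
                          "/imgs/Cam01.jpg": b"\xff\xd8 jpeg bytes"},
}
DEFAULT_VHOST = "www.example.test"   # used when Host matches no configured name


def handle_get(path, headers):
    """Return (status, body) for GET <path> with the given request headers."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    host = hdrs.get("host", "").split(":")[0].lower()
    docs = VHOSTS.get(host, VHOSTS[DEFAULT_VHOST])   # Host header decides the vhost
    body = docs.get(path)
    if body is None:
        return 404, b""
    ims = hdrs.get("if-modified-since")
    if ims:
        try:
            if parsedate_to_datetime(ims) >= LAST_MOD:
                return 304, b""          # client's cached copy is current: no body
        except (TypeError, ValueError):
            pass                         # unparsable date: treat request as unconditional
    return 200, body


def log_line(client, path, status, body):
    """Render the exchange like an Apache common-log entry ('-' when no bytes sent)."""
    size = str(len(body)) if body else "-"
    return f'{client} - - [constructed] "GET {path} HTTP/1.1" {status} {size}'


if __name__ == "__main__":
    fresh = {"Host": "cams.example.test"}
    cached = {"Host": "cams.example.test",
              "If-Modified-Since": "Mon, 13 Nov 2006 00:00:00 GMT"}
    for hdrs in (fresh, cached):
        status, body = handle_get("/", hdrs)
        print(log_line("64.xxx.xxx.222", "/", status, body))
```

Run stand-alone it prints a 200 line with a byte count and then a 304 line with "-", the same pattern seen in the two log excerpts above.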