  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 316

cannot browse site locally

I cannot browse the site which is hosted on a local server behind the firewall with a public IP. I can browse the same site from outside of the network. I know there should be something to modify on the firewall. Everything seems to be working fine - EXCEPT I cannot browse the site from within the network. The other problem is I am running MailEnable on the same server - I can receive emails but cannot send emails. Here is the PIX configuration:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FNdMnItvzDxHwepz encrypted
passwd mFULZTgB626BHV2W encrypted
hostname ironstone-pix01
domain-name agelessshop.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1433
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.125.4 nsisk
access-list brock_vpn permit ip 192.168.125.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list nonat permit ip 192.168.125.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list nonat permit ip 192.168.125.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list nonat permit tcp any host 192.168.125.152 eq 2000
access-list nonat permit tcp any any eq 2000
access-list 101 permit ip 192.168.125.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list nat_zero permit ip 192.168.125.0 255.255.255.0 192.168.233.0 255.255.255.0
access-list split_tunnel permit ip 192.168.125.0 255.255.255.0 192.168.233.0 255.255.255.0
access-list acl_outside permit tcp any host 209.222.54.86 eq www
access-list acl_outside permit tcp any host 209.222.54.86 eq https
access-list acl_outside permit tcp any host 209.222.54.86 eq 3389
access-list acl_outside permit tcp any host 209.222.54.86 eq ftp-data
access-list acl_outside permit tcp any host 209.222.54.86 eq ftp
access-list acl_outside permit tcp any host 209.222.54.86 eq smtp
access-list acl_outside permit tcp any host 209.222.54.86 eq pop3
access-list acl_outside permit tcp any host 209.222.54.86 eq 1443
access-list acl_outside permit tcp any host 209.222.54.86 eq 19638
access-list acl_outside permit tcp any host 209.222.54.86 eq 19640
access-list acl_outside permit tcp any host 209.222.54.86 eq domain
access-list acl_outside permit udp any host 209.222.54.86 eq domain
access-list acl_outside permit udp any host 209.222.54.86 eq 445
access-list acl_outside permit tcp any host 209.222.54.86 eq sqlnet
pager lines 24
logging on
logging timestamp
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.125.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.1-192.168.1.50
ip local pool VPNPOOL 192.168.233.1-192.168.233.50
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat_zero
nat (inside) 2 access-list 101 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.0.0 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www nsisk www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface sqlnet 192.168.125.11 sqlnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.125.5 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.125.5 smtp netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.125.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set brock esp-des esp-md5-hmac
crypto ipsec transform-set nsp esp-des esp-md5-hmac
crypto ipsec transform-set NSP esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set mynewset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set mynewset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNPOOL outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nspaccess address-pool VPNPOOL
vpngroup nspaccess dns-server 192.168.125.11
vpngroup nspaccess default-domain agelessshop.com
vpngroup nspaccess split-tunnel split_tunnel
vpngroup nspaccess idle-time 1800
vpngroup nspaccess password ********
telnet 192.168.125.0 255.255.255.0 inside
telnet timeout 20
ssh 216.254.139.147 255.255.255.255 outside
ssh 69.192.142.10 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.125.0 255.255.255.0 inside
ssh timeout 20
management-access inside
console timeout 0
vpdn group mycybernet request dialout pppoe
vpdn group mycybernet localname nsiadslp@mycybernet.net
vpdn group mycybernet ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
dhcpd address 192.168.125.30-192.168.125.99 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

: end
Anyone help ME PLEASE
1 Solution
 
myrondCommented:
When you say you cannot browse the site... at what level?

Does your SYN packet get through?
if it does, do you get a login prompt?
if you can login does it hang on the port command?
are you connecting from inside to the external firewall interface or directly to the internal IP of the ftp server?
0
 
Cyclops3590Commented:
Sorry, not possible; you need to run your own internal DNS server or add an entry to your hosts file.

what you want is called DNS doctoring where it changes the public ip in the DNS query packet to the static mapped private IP; however this doesn't work on PAT static's like you have, it needs to be a NAT
0
 
lrmooreCommented:
>I can not browse the site which is hosted on local server behind firewall with public IP
That is correct. This is a design "feature" of PIX
The only way around it is to use dns doctoring, but it only works if the dns server actually lives outside your lan. Then the pix can intercept the dns response and substitute the inside ip for the public ip making it appear to the client that they connect to the public ip, but in reality they only connect to the local private ip.

Outbound email should not be an issue. It may be a configuration on the mail server. Does it have proper dns entries?
0
 
patelkalp_aAuthor Commented:
How do I configure "dns doctoring"?? I do have a DNS server on the LAN which is working perfectly, as I am running multiple sites with Host Headers. Can you advise me how to configure "dns doctoring"???
0
 
Cyclops3590Commented:
is this your static entry?
static (inside,outside) tcp interface www nsisk www netmask 255.255.255.255 0 0
if so, you can't do DNS doctoring for reasons I already gave, you have to have a different IP for it
static (inside,outside) <<ip address>> nsisk dns

you just add the dns key word after the explicit or implicit netmask part
0
 
lrmooreCommented:
Your dns server must be outside your lan.
You can use the same port xlates that you have with the dns tag

static (inside,outside) tcp interface www nsisk www dns netmask 255.255.255.255 0 0
                                                    ^^^
0
 
Cyclops3590Commented:
lrmoore am I missing something.  I know you know this stuff better than me so I just want to confirm.  This is the static usage I get:

6.3:
Usage:  [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
7.x:
USAGE:

        [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        show running-config [all] static [<mapped_ip>]
        clear configure static
Also, you may have gotten PAT DNS doctoring to work, but I never have personally.  This is what I found on that on a Cisco page, and it was one talking about the 7.2 version:
Note: DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.

patelkalp_a,
What is your DNS server?  Also, does it host the public authoritative zone for your organization?  If so, you may require setting up different views if your server supports it.  Also, I don't believe it should matter if the DNS server is inside or outside.  If the server is inside, it needs to contain the inside IP; if outside, the public IP, and the DNS doctoring takes care of the rest; however, I've never had an environment with the DNS server inside and trying doctoring in that direction, so am only speculating.
0
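To make the two points above concrete (the "just add dns" static that lrmoore proposes, and the Cisco note that static PAT leaves the rewrite ambiguous), here is a small Python model of what a `static ... dns` rule does to an A-record answer crossing the firewall. It is an added illustration for this thread, not Cisco's implementation and not code from the original poster: it builds a constructed DNS response in wire format, walks the answer section, and rewrites the public address to the inside address only when exactly one dns-tagged one-to-one static claims that address. The statics are taken from the posted config (outside interface 209.222.54.86); the hostname www.yourcompany.com and the second public address 203.0.113.10 are placeholders.

```python
"""Model of PIX 'static ... dns' (DNS doctoring) applied to an A-record answer,
including the static-PAT case discussed in this thread.  Added example for this
page; not Cisco's code.  Runs offline on a constructed DNS response."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Static:
    mapped_ip: str        # address presented on the outside interface
    real_ip: str          # inside host
    port: Optional[int]   # None = one-to-one static; a port = static PAT
    dns: bool             # 'dns' keyword present on the static line


OUTSIDE_IF_IP = "209.222.54.86"   # interface address from the posted acl_outside lines

# Port-level statics from the posted config, with 'dns' added to the www line
# the way lrmoore suggests.  All of them share the single interface address.
PAT_STATICS = [
    Static(OUTSIDE_IF_IP, "192.168.125.4", 80, True),      # www   -> nsisk
    Static(OUTSIDE_IF_IP, "192.168.125.11", 1521, False),  # sqlnet
    Static(OUTSIDE_IF_IP, "192.168.125.5", 110, False),    # pop3
    Static(OUTSIDE_IF_IP, "192.168.125.5", 25, False),     # smtp
]

# Hypothetical second public address (203.0.113.10 is a placeholder from the
# documentation range, not an address on the page) with a one-to-one static.
ONE_TO_ONE_STATICS = [Static("203.0.113.10", "192.168.125.4", None, True)]


def dns_rewrite_target(statics, mapped_ip):
    """Decide whether an A record for mapped_ip is rewritten.
    Returns (inside address or None, reason)."""
    same_addr = [s for s in statics if s.mapped_ip == mapped_ip]
    if not any(s.dns for s in same_addr):
        return None, "no dns-tagged static for this address"
    if any(s.port is not None for s in same_addr):
        # An A record carries no port, so every PAT rule on the address applies
        # and none can be chosen: the Cisco note quoted in the thread.
        return None, "static PAT: rewrite rule is ambiguous"
    reals = {s.real_ip for s in same_addr if s.dns}
    if len(reals) != 1:
        return None, "several inside hosts claim the same mapped address"
    return reals.pop(), "rewritten"


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_response(name, ip, txid=0x1234, ttl=300):
    """Construct a minimal DNS response (QR=1, one question, one A record)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)        # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer


def _skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # pointer: two bytes and the name ends
            return off + 2
        off += 1 + length


def doctor_response(msg, statics):
    """Rewrite A-record rdata where a static permits it.
    Returns (new message bytes, list of (public, inside-or-None, reason))."""
    msg = bytearray(msg)
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4             # skip qtype/qclass
    rewrites = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            public = str(IPv4Address(bytes(msg[off:off + 4])))
            real, reason = dns_rewrite_target(statics, public)
            if real:
                msg[off:off + 4] = IPv4Address(real).packed
            rewrites.append((public, real, reason))
        off += rdlen
    return bytes(msg), rewrites


def answer_ips(msg):
    """A-record addresses present in a response (no statics, so nothing is changed)."""
    return [public for public, _, _ in doctor_response(msg, [])[1]]


if __name__ == "__main__":
    for label, statics, ip in (("PAT statics", PAT_STATICS, OUTSIDE_IF_IP),
                               ("one-to-one static", ONE_TO_ONE_STATICS, "203.0.113.10")):
        out, log = doctor_response(build_a_response("www.yourcompany.com", ip), statics)
        print(label, "->", answer_ips(out), log)
```

Run as a script it shows the answer for the interface address coming back untouched (reason: static PAT is ambiguous), while the answer for the dedicated public address is rewritten to 192.168.125.4. That matches how the thread ends: once a second public IP was available, a one-to-one static made the inside-to-inside case work.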
 
patelkalp_aAuthor Commented:
What if I remove this entry?
static (inside,outside) tcp interface www nsisk www netmask 255.255.255.255 0 0

AND

How do I forward any all web traffic to a specific LAP IP?
0
 
patelkalp_aAuthor Commented:
Sorry LAN IP
0
 
Cyclops3590Commented:
either the way you have it or in a nat entry, do you have more than just the public IP assigned to your interface, if not, then you're stuck with the PAT static entry
0
 
patelkalp_aAuthor Commented:
No I have only 1 public IP
0
 
Cyclops3590Commented:
how is your DNS server configured.  caching-only, host public zone, host any zones, etc.?
0
 
lrmooreCommented:
Just add dns to what you have
static (inside,outside) tcp interface www nsisk www dns netmask 255.255.255.255 0 0
                                                    ^^^
Once again, if your DNS server that resolves www.yourcompany.com is not located physically outside of  your firewall, then the PIX cannot intercept the dns resolve packet and make the substitution.


0
 
patelkalp_aAuthor Commented:
can I use ISP's DNS IP address for this?
0
 
lrmooreCommented:
Do you have Active Directory with integrated DNS? If yes, then the answer is no. If not, then if you change to use the ISP's dns you will not be able to resolve anything inside the firewall.
2 options:
1) make sure that your local dns server does not have any record for www.yoursite.com, and it is not authoritative for the yoursite.com domain. This will force the local dns server to forward the request to the ISP and the pix can doctor the response
2) make sure that the local dns server does have a record for www.yoursite.com that resolves to the private IP 192.168.125.5
0
 
patelkalp_aAuthor Commented:
Well AS I said earlier I am running multiple sites with host header. For that I must have entries for these sites in my local DNS server. Is there any other alternative?
0
 
lrmooreCommented:
I know it's not what you want to hear, but not really. This is a design issue with the PIX firewall and there is no other alternative.
Local users have to resolve to the local IP address. Period. If the local DNS server cannot accommodate this, try adding an entry in the users' hosts file that resolves the URL to the private IP address. Not elegant and not very conducive to mobility...

Perhaps you can use a different A record for internal use only. Internal users go to iww.yourcompany.com - resolve to 192.168.125.5
External users go to www.yourcompany.com - resolves to 209.222.54.86

0
 
patelkalp_aAuthor Commented:
how do I configure PIX if I get 2nd public IP? I am in the process of getting 1 more public IP.
0
 
patelkalp_aAuthor Commented:
I got some external IPs and now it's working fine...thank you for your help
0
