ndidomenico
asked on
Pix 501 - problem redirecting port 80 to internal ip address
I reconfigured an old Pix 501 we had using a configuration file from a similar working Pix. I modified the internal, external ip, vpn names, etc. Everything works ok, including Vpn access. But when I try to add a redirection of port 80 to an internal web server ip address, it's not working, and I'm not able to see what I'm missing.
Any ideas what I'm not doing properly in this config ?
Here is the configuration of the Pix 501:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password kig2mWe5SfGES2pX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-biblio
domain-name testdomain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 68.179.x.y eq 80
access-list nonat permit ip 10.200.6.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list SPLIT permit ip 10.200.6.0 255.255.255.0 10.10.8.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 68.179.x.y 255.255.255.0
ip address inside 10.200.6.29 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.10.8.1-10.10.8.254
pdm location 10.200.6.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 80 10.200.6.25 80 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.179.x.y 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.200.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto dynamic-map VPNCLIENTS 10 set transform-set VPN
crypto map mymap 10 ipsec-isakmp dynamic VPNCLIENTS
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup 2mtbib address-pool vpnpool1
vpngroup 2mtbib dns-server 10.200.6.5
vpngroup 2mtbib wins-server 10.200.6.5
vpngroup 2mtbib default-domain testdomain.local
vpngroup 2mtbib split-tunnel SPLIT
vpngroup 2mtbib idle-time 1800
vpngroup 2mtbib password xxxxxxxxx
telnet timeout 5
ssh 10.200.6.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
username aaaaaaaaaa password oZ4OzVZUIiu6KidY encrypted privilege 15
terminal width 80
Any ideas what I'm not doing properly in this config ?
Here is the configuration of the Pix 501:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password kig2mWe5SfGES2pX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-biblio
domain-name testdomain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 68.179.x.y eq 80
access-list nonat permit ip 10.200.6.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list SPLIT permit ip 10.200.6.0 255.255.255.0 10.10.8.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 68.179.x.y 255.255.255.0
ip address inside 10.200.6.29 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.10.8.1-10.10.8.254
pdm location 10.200.6.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 80 10.200.6.25 80 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.179.x.y 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.200.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto dynamic-map VPNCLIENTS 10 set transform-set VPN
crypto map mymap 10 ipsec-isakmp dynamic VPNCLIENTS
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup 2mtbib address-pool vpnpool1
vpngroup 2mtbib dns-server 10.200.6.5
vpngroup 2mtbib wins-server 10.200.6.5
vpngroup 2mtbib default-domain testdomain.local
vpngroup 2mtbib split-tunnel SPLIT
vpngroup 2mtbib idle-time 1800
vpngroup 2mtbib password xxxxxxxxx
telnet timeout 5
ssh 10.200.6.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
username aaaaaaaaaa password oZ4OzVZUIiu6KidY encrypted privilege 15
terminal width 80
I don't see where you are defining what internal address to send the web traffic too.
I seem to recall that in the old versions of the PIX IOS there was a command called Conduit that handled this function.
Example:
Note: the conduits syntax could be confusing due to the order the source and destination is specified which is opposite to the ACL statements.
#conduit permit <proto> <destination> <dest-mask> <port> <source> <src-mask> <src-port>
//define conduits to control the inbound traffic
#conduit permit tcp host 200.31.21.2 host 205.189.2.1 eq http
#conduit deny tcp any host 205.189.2.1
Example:
Note: the conduits syntax could be confusing due to the order the source and destination is specified which is opposite to the ACL statements.
#conduit permit <proto> <destination> <dest-mask> <port> <source> <src-mask> <src-port>
//define conduits to control the inbound traffic
#conduit permit tcp host 200.31.21.2 host 205.189.2.1 eq http
#conduit deny tcp any host 205.189.2.1
ASKER
External IP of Pix is 68.179.x.y
Port 80 is redirected to 10.200.6.25
Below are the commands I added to accomplish this :
access-list outside_access_in permit tcp any host 68.179.x.y eq 80
static (inside,outside) tcp interface 80 10.200.6.25 80 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
Port 80 is redirected to 10.200.6.25
Below are the commands I added to accomplish this :
access-list outside_access_in permit tcp any host 68.179.x.y eq 80
static (inside,outside) tcp interface 80 10.200.6.25 80 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
Oops, sorry missed that in the config. Maybe try replacing the 80 with www?
Don't use conduits...you have the latest 6.x code and Cisco has deprecated these commands in the new 7.x code. You should use access lists instead. Put in these commands:
no access-list outside_access_in permit tcp any host 68.179.x.y eq 80
access-list outside_access_in permit tcp any interface outside eq 80
See if that helps...
no access-list outside_access_in permit tcp any host 68.179.x.y eq 80
access-list outside_access_in permit tcp any interface outside eq 80
See if that helps...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Changed with "interface outside" but still doesn't work.
Would the nat command I added when configuring the Vpn cause any issue ?
I guess I will try with a blank factory-default config and work my way up with a config as simple as possible - define external ip, internal ip, and then port 80 forwarding - no Vpn - and see what happens.
Any other suggestions ? Any type of logging that would allow me to see where it blocks ?
Would the nat command I added when configuring the Vpn cause any issue ?
I guess I will try with a blank factory-default config and work my way up with a config as simple as possible - define external ip, internal ip, and then port 80 forwarding - no Vpn - and see what happens.
Any other suggestions ? Any type of logging that would allow me to see where it blocks ?
Please post your current running configuration again and let's take a look...this should not be a hard one at all, I think we just need to see what you currently have...
ASKER
Thanks for the "interface" correction. That did the trick. It did not work the first time I tried it because I was not using a proper Web server application for checking the port 80 redirection - I was doing the configuration and tests in a lab environment before actually installing it. Works ok now.