web access port 80

I cannot get my PIX 501 to allow web traffic into my inside network. I gave up trying to figure out how to get my PIX to accept a static outside address and have placed a router in front of it, allowing it to obtain a DHCP static IP, and the PIX shows that this is working; I receive an outside IP from the router for my PIX. My inside computers have IP addresses in the same subnet as my PIX. Is there a command I can use to allow the web traffic to pass through to my inside network so my computers can access the Internet?
ShanehaggertyAsked:
jderaCommented:
Is the correct default gateway set up on the PCs?  It should be the inside IP of the firewall.
0
ShanehaggertyAuthor Commented:
Yes it is, I even reapplied it to make certain, but I still cannot navigate to www.expert-exchange.com from my inside computer
0
batry_boyCommented:
>>Is there a command i can use to allow the web traffic to pass through to my inside network so my computers can access the internet?

There is a difference between allowing web traffic inbound to your inside network and allowing your inside computers to access the Internet.  Which are you trying to do?

If you need to allow outbound access to the Internet for your inside computers, then you will need something similar to the following commands in your PIX:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route (outside) 0.0.0.0 0.0.0.0 <ip_address_of_router>

Of course, as jdera mentioned above, you will need to have your inside computers configured to have their default gateway to be the inside IP address of the PIX firewall.

>> I gave up trying to figure out how to get my pix to accept a static outside address and have placed a router in front of it allowing it to obtain a dhcp static ip and the pix shows that this is working, I receive an outside ip from the router for my pix.

If you currently have the outside interface of the PIX configured for DHCP, then you should have a command that looks something like this:

ip address outside dhcp setroute

If you want to assign a static IP address to the outside interface, then you would put in a command like this:

ip address outside x.x.x.x y.y.y.y

where x.x.x.x = static IP address of the outside interface
           y.y.y.y = netmask of the outside interface

I'm not sure what problems you had trying to get that to work, but if you care to elaborate maybe we can help with that issue as well.  However, if you're satisfied with using the router that provides DHCP to the PIX, then that's fine too.  The router just becomes another device that can cause potential connectivity issues to troubleshoot...the fewer devices in the mix, the better, unless you need specific functionality from them.

Now, if you truly want inbound web access to your inside computers, please clarify and we can go over what it will take to do that too.

Good luck!
0
batry_boyCommented:
I just saw your last post...if you want to post your current sanitized config, I can look at it and give you exact commands on making this work.
0
jderaCommented:
Have you ever been able to connect to the internet with this default gateway that you have setup on the PCs?
0
ShanehaggertyAuthor Commented:
With the gateway (router), yes, I am on it with this computer. I have the router 209.209.209.209 (outside public IP) connected to my PIX firewall with an IP of 192.168.0.1, and my PIX firewall outside IP is dynamic, currently showing the IP address of 192.168.0.11, and the PIX internal is 192.168.5.1, and the internal client machine is set statically with an IP of 192.168.5.5 with a subnet mask of 255.255.255.0 and a default gateway of 192.168.5.1
0
ShanehaggertyAuthor Commented:
I am using the command line utility from the GUI interface because I do not have a serial connection to use my console cable. Will this make a difference? I followed batry_boy's instructions, but route (outside) 0.0.0.0 0.0.0.0 192.168.0.1 returned a usage: [no] route<if_name><foriegn_ip><mask><gateway>[<metric>]
command failed
0
ShanehaggertyAuthor Commented:
I am also certainly willing to submit my scrubbed info as well, but have forgotten the command to produce the necessary information
0
ShanehaggertyAuthor Commented:
I have set the static outside IP several times, but when I do, I do not get the green light on my 0 port on the front of the PIX. Before fixing this problem with my trusty hammer, I chose to set the outside IP to DHCP and that's when I was able to proceed to the problem at hand. I would be very happy to get the static outside IP working as well as getting the inside network access to the Internet
0
batry_boyCommented:
I'm sorry about the faulty command syntax I submitted in my previous post...not enough coffee today...:)

The command should be:

route outside 0.0.0.0 0.0.0.0 192.168.0.1

If you're using the GUI, then to show the entire configuration, go to the File menu, and select "Show Running Configuration in New Window", or if you want to do it from the CLI, issue the command "show run"...
0
ShanehaggertyAuthor Commented:
Here is my info, and no problem, I appreciate you providing help even before your coffee :)

I think that static IP that I tried to install is somehow still in there, but hopefully this helps you figure out what I am doing or not doing

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BOCZwyoE9di4h34l encrypted
passwd BOCZwyoE9di4h34l encrypted
hostname SunCityPix
domain-name Suncity.com
clock timezone mdt -7
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service everyone tcp
  port-object eq www
access-list outbound permit tcp 192.168.115.0 255.255.255.0 any eq www
access-list outside_access_in permit tcp interface outside eq www host 192.168.115.1 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 192.168.115.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 209.163.13.3 255.255.255.255 outside
pdm location 209.163.13.3 255.255.255.254 outside
pdm location 192.168.5.119 255.255.255.255 outside
pdm location 192.168.0.11 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.115.1 192.168.115.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 209.163.130.30 255.255.255.255 209.163.130.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.115.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.115.2-192.168.115.15 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:a41becf06509ff77ab59baafc7ca962c
: end
[OK]

0
JFrederick29Commented:
The static is breaking your Internet access, remove it with this:

conf t
no static (inside,outside) 192.168.115.1 192.168.115.1 netmask 255.255.255.255 0 0
0
batry_boyCommented:
Yes, that should probably do it from the look of things.  There are some other commands that aren't put in correctly for what you are trying to do, but it looks as though that static command may be the only thing wrong with outbound Internet traffic flow.
0
ShanehaggertyAuthor Commented:
I have run that command that JFrederick29 gave me and I cleared the static route under the system properties tab, but when I run the running configuration in new window option under File, it still shows up with the static route 209.x.x.x. Did I do something wrong? I made sure my last command in the command line interface was write memory
0
batry_boyCommented:
You really shouldn't have to clear out that route since it is only for one specific destination address...your default route looks OK for Internet traffic.

BTW, what kind of router are you using in front of the PIX?  What public IP address is it receiving (sanitized, of course) and how is it receiving it...static or DHCP?
0
ShanehaggertyAuthor Commented:
When configured correctly, this will go onto a network that has a static IP. But for now, I have it at home on a Time Warner Road Runner connection which is dynamic. Both outside routers are D-Link because that's what I had at my disposal. The outside IP here at home is 24.162.x.x and at the static location is 209.163.x.x. Would it help if I reset to factory default? I really have no information on their setup yet. I haven't gotten that far. Nothing that would take longer than say 10 minutes to replace.
0
ShanehaggertyAuthor Commented:
When I set the firewall to use a static outside IP, don't I need to set a gateway and DNS server address as well?
0
batry_boyCommented:
First, you may have to find out if RR is performing MAC address filtering, since this may be the reason why the PIX wouldn't work when you initially started using it.  They may only let the MAC address for your dlink pass traffic.  If that's so, you may have to call them up and give them the MAC address of the outside interface of the PIX in order for it to act as your edge device.

If they don't perform MAC address filtering, then you may just need to power off your cable modem for a few minutes after you remove the dlink and connect your PIX outside interface back into the cable modem directly.  This will give it time to clear out any ARP caches that still have the old MAC address of the dlink.

I would reset the PIX to factory default and then plug it directly into the cable modem after performing the above steps.  Once you've done this, post back with the results and your current running configuration and we can go from there...
0
ShanehaggertyAuthor Commented:
This is what I got plugged straight into the RR modem.... no luck on any web surfing from inside the firewall though

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BOCZwyoE9di4h34l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.115.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.115.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.115.2-192.168.115.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:5ff8ce57359c10683524dab44a7b4fbe
: end
[OK]

0
ShanehaggertyAuthor Commented:
We are getting close, I need to assign a DNS server. I can hit a website by entering its IP address :)
0
ShanehaggertyAuthor Commented:
That did it!! I put in the default gateway of my firewall and the inside address of the router and I am up and surfing!! Thank you all very very much for all your help!!!
0
batry_boyCommented:
>>When I set the firewall to use a static outside IP, don't I need to set a gateway and DNS server address as well?

If I remember correctly about resetting the PIX to a factory default configuration, it will put in this command in the configuration:

ip address outside dhcp setroute

The "setroute" option on the end will tell it to use whatever default gateway is pushed down to it through DHCP from the provider's DHCP server.  The PIX won't need to perform DNS lookups.  Now, if you configure the PIX to provide DHCP services for your inside hosts, then I believe that the PIX will include the following command from the factory default configuration:

dhcpd auto_config outside

This will tell the inside hosts to use the PIX for DNS, and the PIX will act as a DNS relay for your inside hosts that receive a DHCP address from the PIX.  Make sense?
0
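As an added example (not from the thread, and not Cisco's own tooling), a small Python checker that applies the outbound-access checks discussed above to a PIX 6.3 running config: a nat (inside) / global (outside) pair with matching ids, a default route via either `route outside 0.0.0.0 0.0.0.0 <gw>` or `ip address outside dhcp setroute`, and the identity static on the inside interface address that JFrederick29 identified as breaking outbound traffic. The two sample configs are constructed from the lines posted in the thread; the check function and its messages are this example's own.

```python
import re

# Constructed sample: relevant lines from the first config posted in the thread.
BROKEN_CFG = """\
ip address outside dhcp retry 4
ip address inside 192.168.115.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.115.1 192.168.115.1 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
"""

# Constructed sample: relevant lines from the factory-reset config that worked.
WORKING_CFG = """\
ip address outside dhcp setroute
ip address inside 192.168.115.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def check_outbound(cfg: str) -> list[str]:
    """Return findings that block outbound Internet access; [] means the basics are present."""
    lines = [ln.strip() for ln in cfg.splitlines() if ln.strip()]
    inside_ip, has_default_route = None, False
    global_ids, nat_ids, findings = set(), set(), []
    for ln in lines:
        if m := re.match(r"ip address inside (\S+) \S+$", ln):
            inside_ip = m.group(1)
        elif re.match(r"ip address outside dhcp\b.*\bsetroute\b", ln):
            has_default_route = True  # default gateway learned from the provider's DHCP
        elif re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 \S+", ln):
            has_default_route = True  # static default route
        elif m := re.match(r"global \(outside\) (\d+) ", ln):
            global_ids.add(m.group(1))
        elif m := re.match(r"nat \(inside\) (\d+) ", ln):
            nat_ids.add(m.group(1))
    # The identity static on the inside interface address is what the thread found broke outbound flow.
    for ln in lines:
        if m := re.match(r"static \(inside,outside\) (\S+) (\S+)", ln):
            if inside_ip and inside_ip in m.groups():
                findings.append(f"static covers inside interface {inside_ip}; remove with: no {ln}")
    if not (global_ids & nat_ids):
        findings.append("no nat (inside) id matches a global (outside) id")
    if not has_default_route:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gw>' or use 'ip address outside dhcp setroute'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("working", WORKING_CFG)):
        print(name, check_outbound(cfg) or ["OK"])
```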
batry_boyCommented:
You're quick!  Didn't even have time to respond...good going!
0
ShanehaggertyAuthor Commented:
Thanx again!! This was my first posting and I want to make sure I do this correctly, how do I go about awarding points?
0
batry_boyCommented:
If you go to your "Open Questions" section and click on the question in the list, it should take you to a screen that will let you accept an answer and assign points.

I can't give you exact details since I haven't done it that much...don't remember the screens...
0
ShanehaggertyAuthor Commented:
Thanx again, and would it work the same with a static IP? If I set it to static, use my static IP for the outside, use the default gateway as the outside gateway like I did now for DHCP..... for example outside 209.163.1.2 255.255.255.0 and the default gateway as 209.163.1.1 and then on the inside computers set the gateway as the internal PIX IP and the DNS server as the 209.163.1.1, much like I have it now as DHCP.... would that work the same?
0
batry_boyCommented:
If all of those values you listed in your last post above are correct, then yes it should work OK.  Are you sure that is the correct IP address for your DNS server?  You can verify the IP address and subnet mask you are receiving by issuing the command:

sh ip addr

and then looking at the outside interface info.
0
ShanehaggertyAuthor Commented:
I will know when I can take this thing back over to my static IP location.... but here's hopin! I will letcha know soon as I do, that way if nuthin else, when I hafta do it again and forget, I can come back and read our postings. Thank you again for all your help
0
batry_boyCommented:
You're welcome...glad to assist!
0