jklobas
asked on
Unable to reach webserver from outside
I am fairly new to this and am completely baffled.
I set up a new web server and everything works great...inside my LAN. Users from outside are unable to contact the server. When I'm outside, I can't ping or connect but the DNS resolves correctly. I think this must be a firewall problem since the ports I'm using (80 and 8080) aren't open.
I have a PIX 515E running 6.3 (4). There is another web server that works properly, so I mimicked the settings. I can ping the new web server from the firewall and I can access the ports from hosts in the Admin access-group.
Here's the pertinent config. Maybe I'm missing something obvious.
name 10.20.0.0 dmzexch
name 10.20.1.25 webserver
name 10.16.7.0 Admin
access-list INSIDE permit icmp any any
access-list INSIDE permit tcp Admin 255.255.255.0 host 10.20.1.25 eq www
access-list INSIDE permit tcp Admin 255.255.255.0 host 10.20.1.25 eq 8080
access-list INSIDE permit tcp Admin 255.255.255.0 host 10.20.1.25 eq https
access-list DMZEXCH permit tcp host 10.20.1.25 any eq https
access-list DMZEXCH permit tcp host 10.20.1.25 any eq www
access-list DMZEXCH permit udp host 10.20.1.25 host SR16SC01 eq domain
access-list DMZEXCH permit udp host 10.20.1.25 host SR16SC02 eq domain
access-list DMZEXCH permit udp host 10.20.1.25 host SR16SC14 eq domain
access-list DMZEXCH permit udp host 10.20.1.25 host SR16SC35 eq domain
access-list DMZEXCH permit tcp host 10.20.1.25 any eq 8080
access-list OUTSIDE permit tcp any host 72.xxx.xxx.41 eq www
access-list OUTSIDE permit tcp any host 72.xxx.xxx.41 eq https
access-list OUTSIDE permit tcp any host 72.xxx.xxx.41 eq 8080
global (outside) 1 72.xxx.xxx.58 netmask 255.255.255.224
nat (inside) 1 Admin 255.25.255.0 0 0
nat (dmzexch) 1 10.20.1.25 255.255.255.255 0 0
static (dmzexch,outside) 72.xxx.xxx.41 10.20.1.25 netmask 255.255.255.255 0 0
ip address outside 72.xxx.xxx.34 255.255.255.224
ip address inside 10.16.0.3 255.255.0.0
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
access-group DMZEXCH in interface dmzexch
Thanks in advance!
ASKER
hitsotntd:
That is correct, in 'show xlate' I get this:
Global 72.xxx.xxx.41 Local 10.20.1.25
rbadua: The line "name 10.20.1.25 webserver" isn't actually in my config... I was hoping to make things a bit easier to read. Upon review, I forgot to change all the host references to "webserver" so just ignore it.
The brackets after static refer to the interfaces and not names, right?
Correct, it refers to the interface name and not the aliases (names).
ASKER
I'll give it a shot and let you know.
Thanks!
ASKER
Still no luck.
ASKER
Thank you so much for your help! I totally neglected to check my edge router. It turns out I just needed to add an allow rule for the outside IP. Works like a charm.
static (dmzexch,outside) 72.xxx.xxx.41 10.20.1.25 netmask 255.255.255.255 0 0
be:
static (webserver,outside) 72.xxx.xxx.41 10.20.1.25 netmask 255.255.255.255 0 0
???
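The thread ends with the PIX configuration being sound and the block sitting on the edge router. The script below is an added example, not code from any poster: it cross-checks each static in a PIX 6.3 config against the ACL bound inbound on the mapped interface, so a clean result tells you to look upstream. The function names audit_statics and diagnose are hypothetical, and the parser assumes only the "permit tcp any host <ip> eq <port>" form used in the question.

```python
import re

# Lines copied from the question's config (addresses redacted as posted).
CONFIG = """\
access-list OUTSIDE permit tcp any host 72.xxx.xxx.41 eq www
access-list OUTSIDE permit tcp any host 72.xxx.xxx.41 eq https
access-list OUTSIDE permit tcp any host 72.xxx.xxx.41 eq 8080
static (dmzexch,outside) 72.xxx.xxx.41 10.20.1.25 netmask 255.255.255.255 0 0
access-group OUTSIDE in interface outside
"""

STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")
# Assumption: only the simple "any -> host" TCP permit form is parsed.
PERMIT = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")

def audit_statics(config):
    """For each static, list the TCP ports that the ACL bound inbound on the
    mapped interface permits to the global (translated) address."""
    statics, bound, permits = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := GROUP.match(line):
            bound[m.group(2)] = m.group(1)          # interface -> ACL name
        elif m := PERMIT.match(line):
            permits.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))
    report = []
    for _real_if, mapped_if, global_ip, local_ip in statics:
        acl = bound.get(mapped_if)
        ports = sorted(permits.get((acl, global_ip), set()))
        report.append({"global": global_ip, "local": local_ip,
                       "acl": acl, "ports": ports})
    return report

def diagnose(entry):
    """Turn one audit entry into the next troubleshooting step."""
    if entry["acl"] is None:
        return "no access-group bound on the mapped interface"
    if not entry["ports"]:
        return "ACL has no permit for the global address (local address used?)"
    return "PIX static and ACL agree; check devices upstream of the PIX"

if __name__ == "__main__":
    for e in audit_statics(CONFIG):
        print(e["global"], "->", e["local"], e["ports"], "|", diagnose(e))
```

On PIX 6.3 the outside ACL must name the global address, which is why the check keys on the translated address and not on 10.20.1.25.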