Port forwarding SSL on my PIX 501

Jun 19th, 2007

I am attempting to configure my PIX 501 to port forward SSL traffic from the Internet to my SSL Concentrator located inside my network, which has an address of 172.20.1.201


In the PIX, I entered the following:


Static (inside,outside) tcp interface 443 172.20.1.201 443


I set my ACL to "any any" to see if that was the cause; however, I still cannot make the connection.


How do I resolve this?


vitripat Tue, 06/19/2007 - 15:47

Hi ..


You would need the following commands in your configuration:

Static (inside,outside) tcp interface 443 172.20.1.201 443
access-list outin permit tcp any interface outside eq 443
access-group outin in interface outside


**You may replace "outin" with access-list applied on outside interface in your configuration.


Let us know if you already have these commands in.


If yes, do you see "hitcnt" incrementing if you use:


show access-list outin


Are you able to access concentrator locally, from 172.20.x.x subnet ?


Regards,

Vibhor.

hufcor Tue, 06/19/2007 - 17:58

No luck,


From my browser, I receive a message stating it timed out. Here is what my current ACL looks like:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list noNAT; 1 elements
access-list noNAT line 1 permit ip any any (hitcnt=0)
access-list 101; 1 elements
access-list 101 line 1 permit ip any any (hitcnt=0)
access-list 101 line 2 permit tcp any interface outside eq https (hitcnt=0)


I had NAT turned off because I had an issue back when I set up my VPN connections. It has been working fine.


Thanks again,


Leo
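Vibhor's suggestion above is to watch the "hitcnt" counters in `show access-list`, and Leo's posted output is exactly that format. The following script is an added example (not code from the thread or from Cisco) that parses that output, reports per-entry hit counts, and flags entries that can never be hit because an earlier "permit ip any any" entry in the same list matches first, which is the situation in the posted ACL 101. The sample output is constructed to mirror the post.

```python
import re

# Constructed sample in the format of the "show access-list" output posted above.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list noNAT; 1 elements
access-list noNAT line 1 permit ip any any (hitcnt=0)
access-list 101; 2 elements
access-list 101 line 1 permit ip any any (hitcnt=0)
access-list 101 line 2 permit tcp any interface outside eq https (hitcnt=0)
"""

# One ACE line: name, line number, action, protocol, the match text, and the hit counter.
ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<match>.*?) \(hitcnt=(?P<hits>\d+)\)$")


def parse_show_access_list(text):
    """Return {acl_name: [entry dicts in line order]}; header and summary lines are skipped."""
    acls = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["line"], entry["hits"] = int(entry["line"]), int(entry["hits"])
            acls.setdefault(entry["acl"], []).append(entry)
    return acls


def hit_counts(acls, name):
    """(line number, hitcnt) for each entry of one ACL. All zeros while you are actively
    testing means the packets never reach this ACL at all (wrong interface, no static)."""
    return [(e["line"], e["hits"]) for e in acls.get(name, [])]


def shadowed_entries(acls, name):
    """ACLs are first-match: every entry after a 'permit ip any any' or 'deny ip any any'
    entry is dead and will stay at hitcnt=0 regardless of what arrives."""
    dead, blanket_seen = [], False
    for e in acls.get(name, []):
        if blanket_seen:
            dead.append(e["line"])
        elif e["proto"] == "ip" and e["match"] == "any any":
            blanket_seen = True
    return dead


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_OUTPUT)
    for acl in parsed:
        print(acl, "hits:", hit_counts(parsed, acl), "dead lines:", shadowed_entries(parsed, acl))
```

Run it against a pasted `show access-list` capture; a dead line for the https entry tells you the counter will never move whatever you do on the client side, so the ACL itself cannot be what is blocking the test.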


hufcor Thu, 06/21/2007 - 14:12

I am still attempting to resolve my connectivity issue. Below is what my current ACLs look like. I mentioned in my previous posting that I use the PIX solely for VPN connections (and it works). However, I currently have the need to bring in my SSL Concentrator, but I cannot connect to the device.


I had someone assist me with the VPN connection (a few years ago) and now, reviewing my ACLs, I think my "noNAT" statement is causing issues. But I don't want to trade one problem for another (meaning my VPN currently works).


Your assistance would be greatly appreciated!


access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list noNAT; 1 elements
access-list noNAT line 1 permit ip any any (hitcnt=0)
access-list 101; 1 elements
access-list 101 line 1 permit ip any any (hitcnt=0)
access-list 101 line 2 permit tcp any interface outside eq https (hitcnt=0)


acomiskey Thu, 06/21/2007 - 15:08

Are you doing https:// 172.20.1.201 or https://pix.outside.interface.ip ? Which do you want to do?


Your noNAT acl is likely the problem here. Is there a reason you need it to be any any? With that exemption in place the static will not work.


You could simply make it like this instead.


access-list noNAT permit ip any

hufcor Thu, 06/21/2007 - 16:23

Well,


I reduced my ACL to the following:


pixfirewall(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 permit tcp any interface outside eq https (hitcnt=0)
pixfirewall(config)#


From outside the network, I attempted to communicate with my SSL by typing:

https:// - My browser returns the message "The connection has timed out".


Also, I just attempted to connect via the inside port (using https://172.1.20.201). This address takes me to the PDM (PIX Device Manager).


Fernando_Meza Thu, 06/21/2007 - 17:14

Hi .. can you post your configuration, removing any sensitive info .. that would help in providing you with the help you need.


hufcor Thu, 06/21/2007 - 17:40

Here is basically what it looks like. I went back and added my original ACLs (prior to this afternoon's edits) to make my VPN functional. However, now that is not working.


See below:


pixfirewall(config)# sh run
:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip any any
access-list 101 permit tcp any interface outside eq https
access-list noNAT permit ip any any
pager lines 24
logging timestamp
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.*** 255.255.255.***
ip address inside 172.20.1.225 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool myPOOL 172.20.1.126-172.20.1.130
pdm history enable
arp timeout 14400
static (inside,outside) tcp ***.***.***.*** https 172.20.1.225 https netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYN 10 set transform-set mySET
crypto map myMAP 10 ipsec-isakmp dynamic myDYN
crypto map myMAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup myGROUP idle-time 1800
vpngroup tmorad idle-time 1800
vpngroup airwall address-pool myPOOL
vpngroup airwall split-tunnel 101
vpngroup airwall idle-time 1800
vpngroup airwall password ********
vpngroup andyslaptop address-pool myPOOL
vpngroup andyslaptop split-tunnel 101
vpngroup andyslaptop idle-time 1800
vpngroup andyslaptop password ********
vpngroup sharon address-pool myPOOL
vpngroup sharon split-tunnel 101
vpngroup sharon idle-time 1800
vpngroup sharon password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
pixfirewal


acomiskey Thu, 06/21/2007 - 19:04

To get your VPN to work again you need

nat (inside) 0 access-list noNAT

but as long as the ACL is "any any" the static will not work for your SSL. Also, make your static like this...

static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0

hufcor Fri, 06/22/2007 - 16:36

Hello,


I cleared out what I had in regards to NAT and, for the moment, I am just focusing on getting the SSL to work.


I entered the following commands:


static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0
access-list 101 permit tcp any interface outside eq 443
access-group 101 in interface outside


For the first time, I got a reading on the hitcnt (2). However, my browser still timed out. It gives me the error: The connection has timed out.


Fernando_Meza Sat, 06/23/2007 - 03:32

Hi .. Ok so the static NAT is configured as it should now and you are able to see hits on the respective access list entry. Now you need to make sure that the packets are actually reaching your ssl server once the firewall forwards them. You can use the below command on your firewall


show local-host 172.20.1.225 .. you should be able to see some information about TCP attempts to your SSL server from the outside host.


Next .. check your SSL logs if you have any .. otherwise you could get Ethereal and see whether you are getting those requests on your server. If you are, then you need to make sure that the return packets from the SSL server are routed correctly to the firewall (you might have a routing issue here). If you can't see any request reaching your SSL server, then the issue can be isolated to something between the firewall and your server .. you will need to check what could be in the middle (you could also have a routing or access issue there).


I hope it helps .. !!!






hufcor Wed, 06/27/2007 - 12:35

I am back attempting to resolve my problem; here is what I have done.


I have isolated my SSL issue by using my Lab PIX. I notice that in a lab setting I can connect to my SSL Concentrator. Which is accomplished with a wireless hub with a public IP on the outside (& Internet Access) and my internal network on the inside (172 network).


However, when I have someone attempt to connect from outside the office (and on the Internet somewhere), their connection times out.


Here is my ACL:

hufcor2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 permit tcp any interface outside eq https (hitcnt=2)


What am I blocking?



acomiskey Wed, 06/27/2007 - 12:37

What is the static command you have in place?

hufcor Fri, 06/29/2007 - 17:13

Thank you! Thank you!


That resolved it!


Here is what I have:


outside 0.0.0.0 0.0.0.0 ***.***.***.17 1 OTHER static
outside ***.***.***.16 255.255.255.248 ***.***.***.18 1 CONNECT static
inside 172.*.*.* 255.255.0.0 172.*.*.225 1 CONNECT static


I had to add the route to my ISP Gateway (the *.*.*.17 address). Before I did that, it worked, but only between my lab LAN and our production LAN. However, when I had someone try it off the property, it failed. Since adding the default route, all is well!


Thank you again!
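The thread works through three distinct misconfigurations before the port forward comes up: a `nat (inside) 0 access-list noNAT` exemption whose ACL is "permit ip any any" (acomiskey's point that the static is then never used), a static whose real address is the PIX's own inside interface address rather than the concentrator, and a missing default route out the outside interface (Leo's final fix). The script below is an added example, not code from the thread or from Cisco, that parses a PIX 6.3-style configuration and reports each of those conditions. It is checked against two constructed configurations: one modelled on the posted `sh run` (with 203.0.113.0/24 documentation addresses in place of the masked public IPs) and one with the fixes applied. The narrowed noNAT entry in the fixed version (inside network to a VPN pool block) is an assumption about how the VPN exemption should look; the check only requires that the exemption's destination is not "any".

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed config modelled on the one posted in the thread (public IPs replaced).
BROKEN_CONFIG = """\
ip address outside 203.0.113.18 255.255.255.248
ip address inside 172.20.1.225 255.255.0.0
access-list 101 permit tcp any interface outside eq https
access-list noNAT permit ip any any
nat (inside) 0 access-list noNAT
static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

# Same config with the thread's fixes; the narrowed noNAT destination is an assumption.
FIXED_CONFIG = """\
ip address outside 203.0.113.18 255.255.255.248
ip address inside 172.20.1.225 255.255.0.0
access-list 101 permit tcp any interface outside eq https
access-list noNAT permit ip 172.20.0.0 255.255.0.0 172.20.1.128 255.255.255.248
nat (inside) 0 access-list noNAT
static (inside,outside) tcp interface https 172.20.1.201 https netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.17 1
"""

PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens each operator consumes


def _take_addr(tokens, i):
    """Consume one ACL address spec (any | host A | A MASK | interface NAME) at tokens[i].
    Returns (network, next index); network is None for 'interface' or a missing spec."""
    if i >= len(tokens):
        return None, i
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "interface":
        return None, i + 2
    return IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_config(text):
    """Pull out the pieces the checks need: interface addresses, ACLs, nat 0, statics, routes."""
    cfg = {"if_addr": {}, "acls": {}, "nat0": {}, "statics": [], "routes": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            cfg["if_addr"][t[2]] = (IPv4Address(t[3]), IPv4Network((t[3], t[4]), strict=False))
        elif t[0] == "access-list" and len(t) > 4 and t[2] in ("permit", "deny"):
            src, j = _take_addr(t, 4)
            if j < len(t) and t[j] in PORT_OPS:      # skip a source port operator
                j += PORT_OPS[t[j]]
            dst, _ = _take_addr(t, j)
            cfg["acls"].setdefault(t[1], []).append({"action": t[2], "src": src, "dst": dst})
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            local = t[5] if t[2] in ("tcp", "udp") else t[3]   # port static vs plain static
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "local": IPv4Address(local)})
        elif t[0] == "route":
            cfg["routes"].append((t[1], IPv4Network((t[2], t[3]), strict=False), t[4]))
    return cfg


def check_config(cfg):
    """Return human-readable findings for every static; an empty list means all three checks passed."""
    findings = []
    for st in cfg["statics"]:
        local, real_if, mapped_if = st["local"], st["real_if"], st["mapped_if"]
        # 1. nat 0 exemption wins over statics. An entry covering the real host with
        #    destination "any" also covers its replies to Internet clients, so the static
        #    is never used for them. A narrower destination (e.g. the VPN pool) is fine.
        acl = cfg["nat0"].get(real_if)
        for e in cfg["acls"].get(acl, []):
            if (e["action"] == "permit" and e["src"] is not None and local in e["src"]
                    and e["dst"] is not None and e["dst"].prefixlen == 0):
                findings.append(f"nat ({real_if}) 0 access-list {acl} exempts {local} to any: "
                                f"static for {local} is bypassed")
                break
        # 2. The real address must be a host behind the real interface, not the PIX itself.
        if_ip, if_net = cfg["if_addr"].get(real_if, (None, None))
        if if_ip is not None and local == if_ip:
            findings.append(f"static real address {local} is the {real_if} interface address itself")
        elif if_net is not None and local not in if_net:
            findings.append(f"static real address {local} is not on the {real_if} subnet {if_net}")
        # 3. Replies to Internet clients need a default route out the mapped interface.
        if not any(r_if == mapped_if and net.prefixlen == 0 for r_if, net, _ in cfg["routes"]):
            findings.append(f"no default route out {mapped_if}: replies to Internet clients cannot leave")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for line in check_config(parse_config(text)) or ["no findings"]:
            print(" -", line)
```

Feed it a sanitised `sh run` capture; the three findings on the broken configuration correspond, in order, to the three things the thread had to change, and the fixed configuration produces none.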

