06-19-2007 03:32 PM - edited 03-11-2019 03:32 AM
I am attempting to configure my PIX 501 to port forward SSL traffic from the Internet to my SSL Concentrator located inside my network, which has an address of 172.20.1.201.
In the PIX, I entered the following:
Static (inside,outside) tcp interface 443 172.20.1.201 443
I set my ACL to "any any" to see if that was the cause; however, I still cannot make the connection.
How do I resolve this?
06-19-2007 03:47 PM
Hi ..
You would need the following commands in your configuration:
Static (inside,outside) tcp interface 443 172.20.1.201 443
access-list outin permit tcp any interface outside eq 443
access-group outin in interface outside
**You may replace "outin" with the access-list applied on the outside interface in your configuration.
Let us know if you already have these commands in.
If yes, do you see "hitcnt" incrementing if you use:
show access-list outin
Are you able to access the concentrator locally, from the 172.20.x.x subnet?
Regards,
Vibhor.
06-19-2007 05:58 PM
No luck,
From my browser, I receive a message stating it timed out. Here is what my current ACL looks like:
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list noNAT; 1 elements
access-list noNAT line 1 permit ip any any (hitcnt=0)
access-list 101; 1 elements
access-list 101 line 1 permit ip any any (hitcnt=0)
access-list 101 line 2 permit tcp any interface outside eq https (hitcnt=0)
I had NAT turned off because I had issue back when I set up my VPN connections. It has been working fine.
Thanks again,
Leo
06-21-2007 02:12 PM
I am still attempting to resolve my connectivity issue. Below is what my current ACLs look like. I mentioned in my previous posting that I use the PIX solely for VPN connections (and it works). However, I currently have the need to bring in my SSL Concentrator, but I cannot connect to the device.
I had someone assist me with the VPN connection (a few years ago) and now, reviewing my ACLs, I think my "noNAT" statement is causing issues. But I don't want to trade one problem for another (meaning my VPN currently works).
Your assistance would be greatly appreciated!
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list noNAT; 1 elements
access-list noNAT line 1 permit ip any any (hitcnt=0)
access-list 101; 1 elements
access-list 101 line 1 permit ip any any (hitcnt=0)
access-list 101 line 2 permit tcp any interface outside eq https (hitcnt=0)
06-21-2007 03:08 PM
Are you doing https://172.20.1.201 or https://pix.outside.interface.ip? Which do you want to do?
Your noNAT acl is likely the problem here. Is there a reason you need it to be any any? With that exemption in place the static will not work.
You could simply make it like this instead.
access-list noNAT permit ip any
06-21-2007 04:23 PM
Well,
I reduced my ACL to the following:
pixfirewall(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 permit tcp any interface outside eq https (hitcnt=0)
pixfirewall(config)#
From outside the network, I attempted to communicate with my SSL by typing:
https://
Also, I just attempted to connect via the inside port (using https://172.1.20.201). This address takes me to the PDM (PIX Device Manager).
06-21-2007 05:14 PM
Hi .. can you post your configuration, removing any sensitive info .. that would help in providing you with the help you need.
06-21-2007 05:40 PM
Here is basically what it looks like. I went back and added my original ACLs (prior to this afternoon's edits) to make my VPN functional. However, now that is not working.
See below:
pixfirewall(config)# sh run
:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip any any
access-list 101 permit tcp any interface outside eq https
access-list noNAT permit ip any any
pager lines 24
logging timestamp
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.*** 255.255.255.***
ip address inside 172.20.1.225 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool myPOOL 172.20.1.126-172.20.1.130
pdm history enable
arp timeout 14400
static (inside,outside) tcp ***.***.***.*** https 172.20.1.225 https netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYN 10 set transform-set mySET
crypto map myMAP 10 ipsec-isakmp dynamic myDYN
crypto map myMAP interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup myGROUP idle-time 1800
vpngroup tmorad idle-time 1800
vpngroup airwall address-pool myPOOL
vpngroup airwall split-tunnel 101
vpngroup airwall idle-time 1800
vpngroup airwall password ********
vpngroup andyslaptop address-pool myPOOL
vpngroup andyslaptop split-tunnel 101
vpngroup andyslaptop idle-time 1800
vpngroup andyslaptop password ********
vpngroup sharon address-pool myPOOL
vpngroup sharon split-tunnel 101
vpngroup sharon idle-time 1800
vpngroup sharon password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
pixfirewal
06-21-2007 07:04 PM
To get your vpn to work again you need
nat (inside) 0 access-list noNAT
but as long as the acl is "any any" the static will not work for your ssl. Also, make your static like this...
static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0
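As an added example (not part of the thread and not a Cisco tool), the Python script below applies the checks raised in this thread to PIX 6.3 configuration text: it flags a static whose real host is also covered, to every destination, by a nat 0 access-list on the same interface (the PIX evaluates that NAT exemption before the static, so the static never takes effect), it lists entries of `show access-list` output whose hitcnt is still 0, and it lists ACL entries that sit after a `permit ip any any` and can therefore never be matched. The config lines and show output embedded in it are constructed from the lines posted above; the destination-scoped "noNAT" variant is a constructed illustration of an exemption that does not shadow the static, not a recommended VPN exemption.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the thread's PIX 6.3 config,
# with the "noNAT" exemption still in place.
SAMPLE_CONFIG = """\
access-list 101 permit ip any any
access-list 101 permit tcp any interface outside eq https
access-list noNAT permit ip any any
nat (inside) 0 access-list noNAT
static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""
# Same config with the exemption limited to one destination block (constructed
# illustration only; a real VPN exemption would name the actual address pool).
SCOPED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list noNAT permit ip any any",
    "access-list noNAT permit ip 172.20.0.0 255.255.0.0 172.20.1.128 255.255.255.248")
# Constructed 'show access-list' output in the format posted in the thread.
SAMPLE_SHOW = """\
access-list 101; 2 elements
access-list 101 line 1 permit ip any any (hitcnt=0)
access-list 101 line 2 permit tcp any interface outside eq https (hitcnt=2)
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
# static (real_if,mapped_if) tcp|udp <mapped addr or 'interface'> mport real_host rport ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) \S+ (\S+) (\S+) (\S+)")
HIT_RE = re.compile(r"^(access-list \S+ line \d+ .*?) \(hitcnt=(\d+)\)$")


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', 'interface NAME' or 'A MASK'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "interface":
        return ("interface", tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, nat0, statics): ACL entries by name, nat 0 ACL by interface, statics."""
    acls, nat0, statics = {}, {}, []
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            name, proto, rest = m.groups()
            src, rest_tokens = _take_addr(rest.split())
            dst, _ = _take_addr(rest_tokens)
            acls.setdefault(name, []).append((proto, src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, proto, mport, host, rport = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if, "proto": proto,
                            "mapped_port": mport, "real_host": ipaddress.ip_address(host),
                            "real_port": rport})
    return acls, nat0, statics


def shadowed_statics(acls, nat0, statics):
    """Statics whose real host is exempted from NAT to every destination by a nat 0
    access-list on the same interface; the PIX evaluates that exemption before the
    static, so inbound connections to the mapped address are never translated."""
    shadowed = []
    for st in statics:
        for proto, src, dst in acls.get(nat0.get(st["real_if"]), []):
            if proto not in ("ip", st["proto"]) or isinstance(src, tuple):
                continue
            if st["real_host"] in src and dst == ANY:   # narrower dst exempts only partly
                shadowed.append((st["real_host"], nat0[st["real_if"]]))
                break
    return shadowed


def zero_hit_entries(show_output):
    """Lines of 'show access-list' whose hitcnt is 0: no traffic has matched them yet."""
    return [m.group(1) for line in show_output.splitlines()
            if (m := HIT_RE.match(line)) and int(m.group(2)) == 0]


def entries_after_permit_any(acls, name):
    """Entries of ACL `name` listed after a 'permit ip any any': first match wins, so
    they can never be hit, and that broad line permits any inbound traffic for which
    a translation exists."""
    entries = acls.get(name, [])
    for i, (proto, src, dst) in enumerate(entries):
        if proto == "ip" and src == ANY and dst == ANY:
            return entries[i + 1:]
    return []


if __name__ == "__main__":
    acls, nat0, statics = parse_config(SAMPLE_CONFIG)
    for host, acl in shadowed_statics(acls, nat0, statics):
        print(f"static for {host} is shadowed by NAT exemption ACL {acl}")
    for entry in zero_hit_entries(SAMPLE_SHOW):
        print(f"never hit: {entry}")
    for entry in entries_after_permit_any(acls, "101"):
        print(f"unreachable after 'permit ip any any': {entry}")
```

Run against the sample, the script reports the static for 172.20.1.225 as shadowed by "noNAT", while the destination-scoped variant is not flagged; that is the distinction behind the advice to keep the exemption but stop it from being "any any".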
06-22-2007 04:36 PM
Hello,
I cleared out what I had in regards to NAT, and for the moment I am just focusing on getting the SSL to work.
I entered the following commands:
static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0
access-list 101 permit tcp any interface outside eq 443
access-group 101 in interface outside
With that, for the first time, I got a reading on the hitcnt (2). However, my browser still timed out. It gives me the error: The connection has timed out.
06-23-2007 03:32 AM
Hi .. Ok so the static NAT is configured as it should be now and you are able to see hits on the respective access list entry. Now you need to make sure that the packets are actually reaching your ssl server once the firewall forwards them. You can use the below command on your firewall
show local-host 172.20.1.225 .. you should be able to see some information about TCP attempts to your SSL server from the outside host.
Next .. check your SSL logs if you have any .. otherwise you could get ethereal and see whether you are getting those requests on your server. If you are, then you need to make sure that the return packets from the SSL server are routed correctly to the firewall (you might have a routing issue here). If you can't see any request reaching your SSL server, then the issue can be isolated to something between the firewall and your server .. you will need to check what could be in the middle (you could also have a routing or access issue there).
I hope it helps .. !!!
06-27-2007 12:35 PM
I am back attempting to resolve my problem; here is what I have done.
I have isolated my SSL issue by using my Lab PIX. I notice that in a lab setting I can connect to my SSL Concentrator. This is accomplished with a wireless hub with a public IP on the outside (& Internet access) and my internal network on the inside (172 network).
However, when I have someone attempt to connect from outside the office (and on the Internet somewhere), their connection times out.
Here is my ACL:
hufcor2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 permit tcp any interface outside eq https (hitcnt=2)
What am I blocking?
06-27-2007 12:37 PM
What is the static command you have in place?
06-29-2007 05:13 PM
Thank you! Thank you!
That resolved it!
Here is what I have:
outside 0.0.0.0 0.0.0.0 ***.***.***.17 1 OTHER static
outside ***.***.***.16 255.255.255.248 ***.***.***.18 1 CONNECT static
inside 172.*.*.* 255.255.0.0 172.*.*.225 1 CONNECT static
I had to add the route to my ISP Gateway (the *.*.*.17 address). Before I did that, it worked, but only between my lab LAN and our production LAN. However, when I had someone try it off the property, it failed. Since adding the default route, all is well!
Thank you again!
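As an added example tying together the return-routing point in the 06-23 reply and the fix reported here (not the poster's own code and not a Cisco tool), the Python below parses `show route` lines in the format shown above, does a longest-prefix lookup, and shows why the lab LAN worked while Internet clients timed out: without the default route a reply to an Internet client has no route at all, even though the inbound SYN was forwarded and the ACL hit count rose. The addresses are constructed; the documentation block 203.0.113.16/29 stands in for the masked ISP block, with .17 as the ISP gateway and .18 as the PIX outside interface.

```python
import ipaddress

# Constructed routing table in the 'show route' format from the thread. The
# documentation block 203.0.113.16/29 stands in for the masked ISP addresses:
# .17 is the ISP gateway, .18 the PIX outside interface.
ROUTES_BEFORE = """\
outside 203.0.113.16 255.255.255.248 203.0.113.18 1 CONNECT static
inside 172.20.0.0 255.255.0.0 172.20.1.225 1 CONNECT static
"""
# The same table after the default route to the ISP gateway was added.
ROUTES_AFTER = "outside 0.0.0.0 0.0.0.0 203.0.113.17 1 OTHER static\n" + ROUTES_BEFORE


def parse_routes(text):
    """Parse 'iface network mask gateway metric ...' lines into route tuples."""
    routes = []
    for line in text.splitlines():
        iface, net, mask, gw, metric = line.split()[:5]
        routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False),
                       ipaddress.ip_address(gw), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric on a tie; None when no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        _iface, net, _gw, metric = route
        if dst not in net:
            continue
        if best is None or net.prefixlen > best[1].prefixlen or (
                net.prefixlen == best[1].prefixlen and metric < best[3]):
            best = route
    return best


def reply_path(routes, client):
    """Where the PIX would send the SSL server's SYN/ACK back to `client`. 'no route'
    means the inbound SYN was forwarded (and the ACL hitcnt rose) but the reply is
    dropped, which the client sees as a timeout. For CONNECT routes the gateway
    column is the PIX's own interface address, i.e. the host is directly reachable."""
    r = lookup(routes, client)
    return "no route" if r is None else f"{r[0]} via {r[2]}"


if __name__ == "__main__":
    before, after = parse_routes(ROUTES_BEFORE), parse_routes(ROUTES_AFTER)
    # A lab client on the ISP /29 versus an arbitrary Internet client.
    for client in ("203.0.113.20", "198.51.100.7"):
        print(f"{client}: before={reply_path(before, client)} after={reply_path(after, client)}")
```

The lab client on the connected /29 gets a reply either way, which is why the lab test passed; the Internet client only gets one once the default route exists. The same check is worth running on the SSL server itself, since a server whose own default gateway is not the firewall will fail in the same way.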