Can't access Webserver behind Pix 501 - Nat problem?

Answered Question
Dec 17th, 2007

I have Pix 501 in front of a webserver and I am unable to bring up any website off of the webserver. Here is some of my config:


access-list InboundFilter permit tcp any host XXX.XXX.XXX.XXX (my public IP) eq www


http server enable

http 192.168.1.0 255.255.255.0 inside


static (inside, outside) tcp XXX.XXX.XXX.XXX www 192.168.1.1(webserver) www netmask 255.255.255.255 0 0


Everything else works fine. I am able to surf the internet, ping, etc. without a problem. Just accessing the webserver from outside my network is the problem. I have verified ip, routes, gateway etc on my webserver and everything is correct.


I am using just one public IP for everything. I have always used two, one for PIX public IP and a separate one for websites. I am waiting for a second from ISP, but in the meantime I would like to get this working. Thanks in advance for any help.

acomiskey Mon, 12/17/2007 - 09:14

Make your static...


static (inside, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255 0 0

acomiskey Mon, 12/17/2007 - 10:28

Do you have...


access-group InboundFilter in interface outside

Robeasts99 Mon, 12/17/2007 - 11:08
Yea I do have that, sorry I left that out. More info...


global (outside) 1 interface

nat (inside) 0 access-list nonat (No Nat'n for my VPN Client)

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


Thanks again.

husycisco Mon, 12/17/2007 - 11:51

Robert

Your running config would help. Your webserver entry may exist in exempt NAT and may flow through exempt NAT before your static. Also enter www.whatismyip.com on the webserver and check that you are trying to browse the right IP and assigned the static to the right IP.


Regards

Robeasts99 Tue, 12/18/2007 - 06:31

Here is my running config...


interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list InboundFilter permit icmp any any

access-list InboundFilter permit tcp any host 192.168.1.10 eq www

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside XXX.XXX.XXX.XXX 255.255.255.252

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool itpool 192.168.100.50-192.168.100.60

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0

access-group InboundFilter in interface outside

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable


...the rest is my VPN stuff. Also I verified the IP and it is correctly resolving to the right IP. Thanks again for all the help.

Correct Answer
acomiskey Tue, 12/18/2007 - 06:55

access-list InboundFilter permit tcp any host 192.168.1.10 eq www


should be...


access-list InboundFilter permit tcp any host XXX.XXX.XXX.XXX eq www


psureshrao Tue, 12/18/2007 - 07:11

Adding to acomiskey's reply: the ACL should be like that, and if I am wrong please correct me.


Also make sure to disable HTTP on the PIX.

Because if your webserver is NATted to the outside interface IP, the PIX also acts as an HTTP server.

disable http: no http server


Otherwise make the PIX use HTTPS and have your webserver use HTTP.

husycisco Tue, 12/18/2007 - 07:22

Suresh,

That would be a concern if it were the SSL port, not www.

Also it won't affect the above config, since http is enabled for inside only.


Regards

husycisco Tue, 12/18/2007 - 07:18

Robert

Do the following modifications exactly in this order:

no access-list InboundFilter permit tcp any host 192.168.1.10 eq www

access-list InboundFilter permit tcp any interface outside eq www


Regards
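Both points raised in this thread (acomiskey's, that an ACL applied inbound on the outside interface of a PIX 6.x must name the public address the static publishes rather than the server's inside address, and psureshrao's, that the PIX's own management HTTP server must not share port 80 on the interface the static uses) can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco: it lints a PIX 6.x configuration for those two patterns and rewrites the offending access-list entry the way acomiskey and husycisco suggest. The sample config is constructed from the lines Robeasts99 posted, with the XXX placeholder kept, and the regular expressions cover only the command forms that appear on this page.

```python
"""Lint a PIX 6.x config for the two mistakes discussed in this thread.

Finding 1: an ACL applied 'in interface outside' names the web server's
           untranslated inside address instead of the static's mapped address.
Finding 2: the PIX management HTTP server is enabled on the same interface
           whose port 80 a static maps to an inside host.
Added example; the sample config below is constructed from the thread.
"""
import ipaddress
import re

# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """
access-list InboundFilter permit icmp any any
access-list InboundFilter permit tcp any host 192.168.1.10 eq www
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address outside XXX.XXX.XXX.XXX 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
access-group InboundFilter in interface outside
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# Only the command forms seen on this page are recognised.
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (?:host (\S+)|interface (\w+)) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\w+)$")   # 'http <net> <mask> <iface>'


def is_private(addr):
    """True for RFC1918 space; placeholders such as XXX.XXX.XXX.XXX are not addresses."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def parse(config):
    statics, acls, groups, http_ifaces = [], {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, mport, real, rport = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if, "mapped": mapped,
                            "mport": mport, "real": real, "rport": rport})
        elif m := ACL_RE.match(line):
            name, host, iface, port = m.groups()
            acls.setdefault(name, []).append({"name": name, "host": host, "iface": iface, "port": port})
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)        # interface -> ACL applied inbound
        elif m := HTTP_RE.match(line):
            http_ifaces.add(m.group(3))            # interfaces the PIX http server listens on
    return statics, acls, groups, http_ifaces


def corrected_ace(entry, static):
    """Rewrite an ACE so its destination is the address the static publishes."""
    if static["mapped"] == "interface":
        dest = f"interface {static['mapped_if']}"
    else:
        dest = f"host {static['mapped']}"
    return f"access-list {entry['name']} permit tcp any {dest} eq {static['mport']}"


def lint(config):
    """Return a list of (finding, suggested_fix_or_None) tuples."""
    statics, acls, groups, http_ifaces = parse(config)
    by_real = {s["real"]: s for s in statics}
    findings = []
    for iface, acl_name in groups.items():
        for e in acls.get(acl_name, []):
            host = e["host"]
            if host is None:
                continue   # 'interface outside' form already names the mapped address
            if host in by_real:
                findings.append((f"{acl_name} on {iface} permits to untranslated address {host}; "
                                 "a PIX 6.x outside ACL must match the pre-NAT (public) address",
                                 corrected_ace(e, by_real[host])))
            elif is_private(host):
                findings.append((f"{acl_name} on {iface} permits to private address {host} "
                                 "but no static publishes it", None))
    for s in statics:
        if s["mapped"] == "interface" and s["mport"] in ("www", "80") and s["mapped_if"] in http_ifaces:
            findings.append((f"PIX http server listens on {s['mapped_if']} while a static maps "
                             f"that interface's port 80 to {s['real']}",
                             f"no http ... {s['mapped_if']}"))
    return findings


def fix_config(config):
    """Apply the ACE rewrites that lint() suggests; other lines are kept verbatim."""
    statics, _, _, _ = parse(config)
    by_real = {s["real"]: s for s in statics}
    out = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group(2) in by_real:
            out.append(corrected_ace({"name": m.group(1)}, by_real[m.group(2)]))
        else:
            out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    for finding, fix in lint(SAMPLE_CONFIG):
        print(f"- {finding}\n  fix: {fix}")
```

Run against the sample, the script reports the single ACL problem and proposes `access-list InboundFilter permit tcp any interface outside eq www`, the line husycisco gives; once that line is swapped in, `lint()` returns nothing. Adding an `http ... outside` line to the sample triggers the second finding, which is why husycisco notes the concern does not apply to the posted config.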


