Can't access Webserver behind Pix 501 - Nat problem?

Robeasts99
Level 1

I have a Pix 501 in front of a webserver and I am unable to bring up any website off of the webserver. Here is some of my config:

access-list InboundFilter permit tcp any host XXX.XXX.XXX.XXX (my public IP) eq www

http server enable

http 192.168.1.0 255.255.255.0 inside

static (inside, outside) tcp XXX.XXX.XXX.XXX www 192.168.1.1(webserver) www netmask 255.255.255.255 0 0

Everything else works fine. I am able to surf the internet, ping, etc. without a problem. Just accessing the webserver from outside my network is the problem. I have verified the IP, routes, gateway, etc. on my webserver and everything is correct.

I am using just one public IP for everything. I have always used two, one for PIX public IP and a separate one for websites. I am waiting for a second from ISP, but in the meantime I would like to get this working. Thanks in advance for any help.


11 Replies

acomiskey
Level 10

Make your static...

static (inside, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255 0 0

Thanks but that didn't seem to make a difference.

Do you have...

access-group InboundFilter in interface outside

Yea I do have that, sorry I left that out. More info...

global (outside) 1 interface

nat (inside) 0 access-list nonat (No Nat'n for my VPN Client)

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Thanks again.

Robert

Your running config would help. Your webserver entry may exist in exempt NAT and may flow through exempt NAT before your static. Also enter www.whatismyip.com on the webserver and check whether you are trying to browse the right IP and have assigned the static to the right IP.

Regards

Here is my running config...

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list InboundFilter permit icmp any any
access-list InboundFilter permit tcp any host 192.168.1.10 eq www
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool itpool 192.168.100.50-192.168.100.60
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
access-group InboundFilter in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

...the rest is my VPN stuff. Also I verified the IP and it is correctly resolving to the right IP. Thanks again for all the help.

access-list InboundFilter permit tcp any host 192.168.1.10 eq www

should be...

access-list InboundFilter permit tcp any host eq www

Adding to acomiskey's reply, the ACL should be like that, and

if I am wrong please correct me.

Also make sure to disable HTTP in the PIX,

because if your webserver is NATted on the outside interface IP, the PIX also acts as an HTTP server.

disable http: no http server

Otherwise make the PIX use https and have your webserver use http.

Suresh,

That would be a concern if it were the SSL port, not www.

Also, it won't affect the above config, since http is enabled for inside only.

Regards

Robert

Do the following modification exactly in its respective order

no access-list InboundFilter permit tcp any host 192.168.1.10 eq www

access-list InboundFilter permit tcp any interface outside eq www

Regards
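The point the accepted answer and Robert's last post make is that on PIX 6.x (pre-8.3 semantics) an ACL applied to the outside interface must name the translated address that the static exposes, here the outside interface itself, not the inside host's real 192.168.1.10. The script below is an added example, not from the thread, that lints a PIX config for exactly that mismatch; SAMPLE_CONFIG is constructed from the lines posted above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the thread's config (not the poster's full config).
SAMPLE_CONFIG = """\
access-list InboundFilter permit icmp any any
access-list InboundFilter permit tcp any host 192.168.1.10 eq www
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
access-group InboundFilter in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) any host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")


def audit_inbound_acls(config):
    """Return (offending_line, suggested_line) pairs for ACEs bound to the
    outside interface that name a real inside address instead of the mapped one."""
    real_to_mapped, outside_acls, inside_net = {}, set(), None
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _, out_if, mapped, _, real, _ = m.groups()
            # 'interface' means the static borrows the outside interface's own IP
            real_to_mapped[real] = f"interface {out_if}" if mapped == "interface" else f"host {mapped}"
        elif m := GROUP_RE.match(line):
            if m.group(2) == "outside":
                outside_acls.add(m.group(1))
        elif m := INSIDE_RE.match(line):
            inside_net = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if not m or m.group(1) not in outside_acls:
            continue
        name, proto, dst, port = m.groups()
        is_inside = inside_net is not None and ip_address(dst) in inside_net
        if dst in real_to_mapped or is_inside:
            # Pre-8.3 PIX/ASA: interface ACLs are evaluated against the translated address
            target = real_to_mapped.get(dst, "<mapped address>")
            findings.append((line, f"access-list {name} permit {proto} any {target} eq {port}"))
    return findings


if __name__ == "__main__":
    for bad, good in audit_inbound_acls(SAMPLE_CONFIG):
        print(f"replace: {bad}\n   with: {good}")
```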
