12-17-2007 09:09 AM - edited 03-12-2019 05:51 PM
I have Pix 501 in front of a webserver and I am unable to bring up any website off of the webserver. Here is some of my config:
access-list InboundFilter permit tcp any host XXX.XXX.XXX.XXX (my public IP) eq www
http server enable
http 192.168.1.0 255.255.255.0 inside
static (inside, outside) tcp XXX.XXX.XXX.XXX www 192.168.1.1(webserver) www netmask 255.255.255.255 0 0
Everything else works fine. I am able to surf the internet, ping, etc. without a problem. Just accessing the webserver from outside my network is the problem. I have verified ip, routes, gateway etc on my webserver and everything is correct.
I am using just one public IP for everything. I have always used two, one for PIX public IP and a separate one for websites. I am waiting for a second from ISP, but in the meantime I would like to get this working. Thanks in advance for any help.
Solved! Go to Solution.
12-18-2007 06:55 AM
access-list InboundFilter permit tcp any host 192.168.1.10 eq www
should be...
access-list InboundFilter permit tcp any host
12-17-2007 09:14 AM
Make your static...
static (inside, outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255 0 0
12-17-2007 10:14 AM
Thanks but that didn't seem to make a difference.
12-17-2007 10:28 AM
Do you have...
access-group InboundFilter in interface outside
12-17-2007 11:08 AM
Yea I do have that, sorry I left that out. More info...
global (outside) 1 interface
nat (inside) 0 access-list nonat (No Nat'n for my VPN Client)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Thanks again.
12-17-2007 11:34 AM
Yea I do have that, sorry I left that out. More info...
global (outside) 1 interface
nat (inside) 0 access-list nonat (No Nat'n for my VPN Client)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Thanks again.
12-17-2007 11:51 AM
Robert
Your running config would help. Your webserver entry may exist in exempt nat and may flow through exempt NAT before your static. Also enter www.whatismyip.com in webserver and check if you are trying to browse the right IP& assigned static to right IP
Regards
12-18-2007 06:31 AM
Here is my running config...
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list InboundFilter permit icmp any any
access-list InboundFilter permit tcp any host 192.168.1.10 eq www
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool itpool 192.168.100.50-192.168.100.60
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
access-group InboundFilter in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
...the rest is my VPN stuff. Also I verified the IP and it is correctly resolving to the right IP. Thanks again for all the help.
12-18-2007 06:55 AM
access-list InboundFilter permit tcp any host 192.168.1.10 eq www
should be...
access-list InboundFilter permit tcp any host
12-18-2007 07:11 AM
Adding to acomiskey reply the acl should be like that and
If i am wrong please correct me.
Also make sure disable the http in PIX.
Because if your webserver is natted on the outside interface IP,PIX is also acts as HTTP server.
disable http: no http server
other wise make PIX as https and your webserver use http.
12-18-2007 07:22 AM
Suresh,
That would be a concern if it was SSL port, not www.
Also wont affect with the above config since http is enabled for inside only.
Regards
12-18-2007 07:18 AM
Robert
Do the following modification exactly in its respective order
no access-list InboundFilter permit tcp any host 192.168.1.10 eq www
access-list InboundFilter permit tcp any interface outside eq www
Regards
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: