PIX 501 Web Server Inside

Unanswered Question
Mar 3rd, 2008

I have a PIX 501 and a webserver Inside with the following ip addresses:

yyy.yyy.yyy.201 Web server nic ip addr.

yyy.yyy.yyy.200 Pix inside ip addr.

xxx.xxx.xxx.81 Router inside ip addr.

xxx.xxx.xxx.82 Pix outside ip addr

xxx.xxx.xxx.84 Public Web server ip (BIND)

I am unable to see my web server.

This is my configuration:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ooooooooooooo encrypted
passwd ooooooooooooo encrypted
hostname pix
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any host xxx.xxx.xxx.44 echo-reply
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.42 255.255.255.248
ip address inside yyy.yyy.yyy.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location yyy.yyy.yyy.40 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www yyy.yyy.yyy.201 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https yyy.yyy.yyy.201 https netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http yyy.yyy.yyy.40 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Any suggestions?

Thank you

Dimitris

husycisco Tue, 03/04/2008 - 03:14

Hi Dimitris

You forgot to assign the ACL to interface

access-group outside_in in interface outside

Regards

Dimitris Mingos Tue, 03/04/2008 - 07:48

Hi,

I did but I do not have any result.

Am I missing anything else?

Pls be specific.

The new config is:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password oooooooooooooo encrypted
passwd oooooooooooooo encrypted
hostname pix
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
access-list outside_in permit icmp any host xxx.xxx.xxx.44 echo-reply
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.42 255.255.255.248
ip address inside yyy.yyy.yyy.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location yyy.yyy.yyy.40 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
access-group outside_in in interface outside
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http yyy.yyy.yyy.40 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx

++++++++++
added lines
++++++++++

Regards

Dimitris

husycisco Tue, 03/04/2008 - 09:24

Dimitris,

Try running "clear xlate". This will drop connections temporarily. If that doesn't work, try "no fixup protocol http 80". If it still doesn't work, please attach your full config with IPs and without the encryption hash of your enable and user passwords.

Regards

jojuarez Sat, 03/08/2008 - 19:45

The second configuration you attached doesn't even have static translations. I don't like to use letters so let's suppose the private IP of the server is 192.168.1.1. You're using the IP address of the outside interface so:

static (inside, outside) tcp interface 80 192.168.1.1 80
access-l outside_in permit tcp any interface outside eq 80
access-g outside_in in int outside
clear xlate

If you're still unable to access the web server, you need to run traffic captures in order to figure out what the problem is.
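The two omissions traced through this thread (an access-list never bound with access-group, then a static port redirect missing altogether) are both visible in the text of a PIX 6.3 config. The following is an added checker, not from the thread or from Cisco, that parses a constructed config fragment with placeholder addresses and reports each static port redirect on the outside interface that the inbound ACL would not admit; it also treats "eq 80" and "eq www" as the same port, as jojuarez's example uses the numeric form.

```python
import re

# Constructed PIX 6.3 fragment (placeholder addresses, not the poster's real ones):
# the https redirect exists, but the ACL only permits www.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255 0 0
access-list outside_in permit tcp any interface outside eq www
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) tcp interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any interface (\w+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
PORT_ALIASES = {"80": "www", "443": "https"}  # PIX prints well-known ports by name


def norm_port(port: str) -> str:
    return PORT_ALIASES.get(port, port)


def audit_port_redirects(config: str) -> list:
    """Return one finding per static PAT whose traffic the bound ACL would not admit."""
    statics, acl_entries, bound = [], set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _, outside_if, port, real_ip, _ = m.groups()
            statics.append((outside_if, norm_port(port), real_ip))
        elif m := ACL_RE.match(line):
            acl_entries.add((m.group(1), m.group(2), norm_port(m.group(3))))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    findings = []
    for outside_if, port, real_ip in statics:
        acl = bound.get(outside_if)
        if acl is None:
            findings.append(f"{port}: no access-group on {outside_if}; static to {real_ip} unreachable")
        elif (acl, outside_if, port) not in acl_entries:
            findings.append(f"{port}: ACL {acl} has no permit for {port} on {outside_if}")
    return findings


if __name__ == "__main__":
    for finding in audit_port_redirects(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show run"; an empty result means every redirect has a matching permit and a bound ACL, after which DNS and the server itself are the next things to check.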
