06-23-2008 10:57 PM - edited 03-11-2019 06:03 AM
I have a single public IP address that I have assigned to my outside interface, and I want to access the internal web server 192.168.10.7 from the internet. I have configured it but still cannot access it from the internet. What is wrong with my configuration? The following is my configuration:
PIX Version 7.2(1)
!
hostname wanshitong
domain-name wanshitong.com
enable password xxx
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 218.xx.xx.26 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
passwd vda4u.Aio7ssMh5X encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name wanshitong.com
same-security-traffic permit intra-interface
access-list 100 extended permit tcp any interface outside eq www
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.10.7 www netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 218.xx.xx.254 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1
route inside 192.168.20.0 255.255.255.0 192.168.100.2 1
route inside 192.168.30.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet 58.63.6.0 255.255.255.0 outside
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect http
inspect ftp
inspect dns
inspect icmp
inspect icmp error
inspect tftp
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect sqlnet
inspect sunrpc
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
tftp-server inside 192.168.100.100 pix721
prompt hostname context
Cryptochecksum:xxx
: end
Appreciate it!
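Independently of the port-forward question, the configuration posted above carries several exposures a reviewer would flag before anything else: `access-list 100` permits `ip any any` inbound on outside (which makes the specific www entry redundant), `http` and `ssh` are open to 0.0.0.0/0 on outside, telnet is enabled on outside, only SSH version 1 is allowed, and the SNMP community is `public`. The audit script below is an added example for this thread and not a Cisco tool; `SAMPLE_CONFIG` is a constructed excerpt of the posted config, and `HARDENED_EXCERPT` is a hypothetical corrected version that assumes 192.168.100.0/24 is the management network and uses a placeholder SNMP community.

```python
"""Config audit for the PIX/ASA 7.x configuration posted in this thread.

Added example, not a Cisco tool. The checks are generic reviewer rules;
SAMPLE_CONFIG is a constructed excerpt of the posted config and
HARDENED_EXCERPT is a hypothetical corrected version.
"""
import re

# Constructed excerpt of the posted running-config (only the lines the
# checks below care about).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
access-list 100 extended permit tcp any interface outside eq www
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
static (inside,outside) tcp interface www 192.168.10.7 www netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface inside
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
telnet 58.63.6.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
"""

# Hypothetical corrected excerpt: only the port-forward is permitted inbound,
# management is limited to the (assumed) inside management network, SSHv2
# only, and a non-default SNMP community (placeholder value).
HARDENED_EXCERPT = """\
access-list 100 extended permit tcp any interface outside eq www
access-group 100 in interface outside
http 192.168.100.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh version 2
snmp-server community REPLACE-WITH-STRONG-COMMUNITY
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def audit(config: str) -> list[str]:
    """Return one finding string per weak setting found in the config text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: list[str] = []

    # Map ACL name -> interface it is applied to, so an ACL entry is judged
    # by where it takes effect rather than by its name alone.
    bound: dict[str, str] = {}
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", ln)
        if m:
            bound[m.group(1)] = m.group(2)

    for ln in lines:
        # A blanket permit applied inbound on outside exposes every translated
        # host to every protocol and makes the specific www entry redundant.
        m = re.match(r"access-list (\S+) extended permit ip any any$", ln)
        if m and bound.get(m.group(1)) == "outside":
            findings.append(f"ACL {m.group(1)} on outside permits ip any any inbound")

        # Management plane reachable from any source address on outside.
        m = re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside$", ln)
        if m:
            findings.append(f"{m.group(1)} management open to any source on outside")

        # Telnet is cleartext; on the outside interface that is a problem
        # whatever the permitted source range is.
        if re.match(r"telnet \S+ \S+ outside$", ln):
            findings.append("telnet (cleartext) enabled on outside")

        # SSH protocol version 1 only.
        if ln == "ssh version 1":
            findings.append("ssh version 1 enabled")

        # A well-known SNMP community string gives read access to anyone who
        # can reach the SNMP port.
        m = re.match(r"snmp-server community (\S+)$", ln)
        if m and m.group(1) in WELL_KNOWN_COMMUNITIES:
            findings.append(f"snmp community '{m.group(1)}' is a well-known default")

    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("hardened excerpt findings:", audit(HARDENED_EXCERPT))
```

Run against the sample excerpt the script reports six findings; against the hardened excerpt it reports none. The rules are deliberately keyed on where an ACL is applied (`access-group`) rather than on the ACL name, so `access-list 101 extended permit ip any any` on the inside interface is not flagged while the same entry bound to outside is.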
06-24-2008 12:21 AM
Access lists and NAT seem ok.
Could you check what port the server 192.168.10.7 is listening on, port 80 or something else?
Is the server 192.168.10.7 reachable from the firewall?
06-24-2008 12:00 AM
Hi Dear,
You can try to replace this line: 'nat (inside) 1 192.168.10.0 255.255.255.0'
with: 'nat (inside) 1 access-list 102', and in access-list 102 deny the IP address of the server 192.168.10.7 and then permit 192.168.10.0/24.
You can issue a show xlate and post it, as it may help diagnose the problem.
Thanks.
06-24-2008 05:15 PM
Thanks mohammed_moustafa
I am a newbie at firewalls; I am puzzled how to write the statement about "in access-list 102 deny the IP address of the server 192.168.10.7 and then permit 192.168.10.0/24."
It would be nice of you if you could give me some example.
06-24-2008 11:17 PM
Hi Jordielau,
Here are the commands:
access-list 102 deny host 192.168.10.7
access-list 102 permit 192.168.10.0 255.255.255.0
no nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 access-list 102
Hope it works,
06-25-2008 06:17 AM
Thanks mohammed_moustafa
When I execute the statements you gave, this error happens:
wanshitong(config)# nat (inside) 1 access-list 102
ERROR: Cannot mix different types of access lists
ERROR: Access-list "102" does not exist
Usage: [no] nat (
[dns] [outside]
[[tcp]
[udp
[no] nat (if_name)
[dns] [outside]
[[tcp]
[udp
What is wrong?
06-24-2008 05:00 PM
Thanks dhananjoychowdhury
I can ping from the inside of the firewall, but from the outside it isn't reachable!
***************************
wanshitong# ping inside 192.168.10.7
Sending 5, 100-byte ICMP Echos to 192.168.10.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
wanshitong# ping out
wanshitong# ping outside 192.168.10.7
Sending 5, 100-byte ICMP Echos to 192.168.10.7, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
wanshitong#
06-25-2008 11:09 PM
Hi all, the problem still remains, and
the following is the packet-tracer output:
**********************************************
wanshitong# packet-tracer input outside tcp 202.101.103.55 www 192.168.10.7 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100 in interface outside
access-list 100 extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2587818, priority=12, domain=permit, deny=false
hits=263683, user_data=0x2985b90, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x25853e8, priority=0, domain=permit-ip-option, deny=true
hits=637567, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x291e718, priority=70, domain=inspect-http, deny=false
hits=12, user_data=0x2920d18, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp 218.66.13.26 www 192.168.10.7 www netmask 255.255.255.255
match tcp inside host 192.168.10.7 eq 80 outside any
static translation to 218.66.13.26/80
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x18a41d0, priority=5, domain=nat-reverse, deny=false
hits=5, user_data=0x29dadb8, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.10.7, mask=255.255.255.255, port=80
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
wanshitong#
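One thing worth noticing in the trace above is the test itself: the packet was injected on outside with the server's private address 192.168.10.7 as the destination, while the static maps the server to the outside interface address. From the outside, the only address that matches the translation is the mapped one, so the NAT reverse-path check (phase 6) is the first phase that can drop it, and the packet-tracer result says nothing yet about the server. The parser below is an added example for this thread, not a Cisco tool; it splits packet-tracer output into phases and reports the phase that dropped the flow together with the firewall's stated reason, which is the first thing to read in a long trace. `SAMPLE_TRACE` is a trimmed, constructed copy of the trace posted above (phases 2 to 4 omitted).

```python
"""Parse PIX/ASA packet-tracer output and report the phase that dropped the flow.

Added example for this thread, not a Cisco tool. SAMPLE_TRACE is a trimmed,
constructed copy of the trace posted above.
"""

# Constructed excerpt of the posted packet-tracer output (phases 2-4 omitted).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp 218.66.13.26 www 192.168.10.7 www netmask 255.255.255.255
  match tcp inside host 192.168.10.7 eq 80 outside any
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x18a41d0, priority=5, domain=nat-reverse, deny=false
Result:
input-interface: outside
input-status: up
output-interface: inside
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text: str) -> dict:
    """Split packet-tracer output into per-phase records plus the final summary."""
    phases = []
    phase = None      # record for the phase currently being read
    section = None    # "config", "info" or "summary" (None between headers)
    summary = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            phase = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            phases.append(phase)
            section = None
        elif line == "Result:":
            # A bare "Result:" (no value) opens the final summary block.
            phase = None
            section = "summary"
        elif section == "summary":
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif phase is None:
            continue
        elif line.startswith("Type:"):
            phase["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            phase["subtype"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            phase["result"] = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            phase[section].append(line)
    return {"phases": phases, "summary": summary}


def drop_phase(parsed: dict):
    """Return the first phase whose result is DROP, or None if the flow was allowed."""
    for p in parsed["phases"]:
        if p["result"] == "DROP":
            return p
    return None


def diagnose(text: str) -> str:
    """One-line verdict: which phase dropped the packet and the firewall's reason."""
    parsed = parse_trace(text)
    p = drop_phase(parsed)
    if p is None:
        return "allowed (action: %s)" % parsed["summary"].get("Action", "?")
    return "dropped at phase %d (%s/%s): %s" % (
        p["phase"], p["type"], p["subtype"], parsed["summary"].get("Drop-reason", ""))


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
    for cfg_line in drop_phase(parse_trace(SAMPLE_TRACE))["config"]:
        print("  matched config:", cfg_line)
```

For the sample trace the verdict is "dropped at phase 6 (NAT/rpf-check): (acl-drop) Flow is denied by configured rule", and the `config` list of that phase holds the static translation the firewall matched, which is the rule to re-check when a trace ends there.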
07-02-2008 10:33 PM
Thanks everyone! I finally found out the problem. As dhananjoychowdhury said, it's ok on my PIX 515E configuration; the problem was the configuration of the web server. Strangely, port 80 can't be used by the web server, but I changed it to another port (82) and it works correctly. I just had to change the port number on my web server! Oh my god, I have spent one month on this case!