PIX 501 Issue redirecting HTTP

Unanswered Question
Jan 7th, 2010

Hello,


I am using a PIX 501 with IOS 6.3 (1) installed.


My issue is that I am attempting to configure my PIX to direct HTTP traffic to a local computer that is running a program to share files.  I am able to access the program from a browser on another workstation.  Therefore, the program is working.


However, when I attempt to access the program from outside the PIX – I cannot.


Here are the steps I took to set up my configuration:


Needed to configure the Interfaces


ip address outside ***.***.***.18 255.255.255.248

ip address inside 172.20.1.241 255.255.0.0


Needed to apply an access-list:

This allows Https traffic through the PIX.


access-list 101; 1 elements

access-list 101 line 1 permit tcp any interface outside eq http


Created a Static route:

This is a route that will direct traffic directly to the SSL Concentrator (172.20.1.225)


static (inside,outside) tcp interface http 172.20.1.101 http netmask 255.255.255.255 0 0


Verified the routes:


outside 0.0.0.0 0.0.0.0 ***.***.***.81 1 OTHER static

outside ***.***.***.16 255.255.255.248 ***.***.***.18 1 CONNECT static

inside 172.20.0.0 255.255.0.0 172.20.1.241 1 CONNECT static


NAT


global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0


Jon Marshall Thu, 01/07/2010 - 23:51
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Hufcor wrote:

> [quotes the original post in full]

Can you post the full config of the PIX?


Also, have you applied the ACL to the outside interface, i.e.


access-group 101 in interface outside


Jon

Hufcor_2 Fri, 01/08/2010 - 12:40

Oops! I forgot to assign the ACL to an interface. However, I am still not able to ping the outside address – much less gain access.


Leo


PIX Version 6.3(1)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password cPlBJP0wS8qSVcsh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname airwall

domain-name MyDomain.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit tcp any interface outside eq www

access-list 101 permit tcp any interface outside eq https

access-list 101 permit tcp any interface outside eq ftp

pager lines 24

logging console debugging

logging buffered informational

logging trap debugging

mtu outside 1500

mtu inside 1500

ip address outside ***.***.***.84 255.255.255.248

ip address inside 172.20.1.243 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool1 192.168.221.1-192.168.221.23

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp 172.20.1.4 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http ***.***.***.84 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac

crypto dynamic-map DynMap1 10 set transform-set TransSet1

crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1

crypto map CryptMap1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup GroupVpn1 address-pool ippool1

vpngroup GroupVpn1 idle-time 1800

vpngroup GroupVpn1 password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:373876906db09cc3dbfe01db3eb2409b

: end

MyDomain(config)#
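The configuration posted above is worth auditing mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco: it walks a PIX 6.3-style running config and reports the faults the thread turns on (an interface left `shutdown`, a static with no access-group or no matching permit, HTTP management bound to the same outside interface as a port-80 static, a `permit ip any any`), plus the management-plane exposure none of the replies comment on (SSH from any address on the outside, the default `public` SNMP community, DES/MD5 in the IKE policy). The sample config embedded in it is a constructed abbreviation of the posted one, with the masked public address replaced by a documentation address; the rule set and severity labels are the example's own assumptions, not Cisco guidance.

```python
"""Static audit of a PIX 6.3-style configuration (added example, not from the thread).

Rules encode the thread's findings (interface down, static without a matching
ACL, PDM on the outside interface beside a port-80 static, permit ip any any)
and common management-plane exposure. Severities are assumptions.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# PIX port keywords normalised to numbers so that www == http == 80.
PORTS = {"www": "80", "http": "80", "https": "443", "ftp": "21", "domain": "53"}

# Constructed sample: abbreviation of the posted config; 198.51.100.84 is a
# documentation address standing in for the masked public IP.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip any any
ip address outside 198.51.100.84 255.255.255.248
ip address inside 172.20.1.243 255.255.0.0
global (outside) 1 interface
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
isakmp policy 10 encryption des
isakmp policy 10 hash md5
ssh 0.0.0.0 0.0.0.0 outside
"""


def port(tok: str) -> str:
    return PORTS.get(tok, tok)


def tokens(text: str) -> List[List[str]]:
    """Split the config into token lists; PIX comment lines start with ':'."""
    return [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(":")]


def acl_permits(entries: List[List[str]], proto: str, dport: str) -> bool:
    """True if some entry permits proto to dport, or is a blanket permit ip."""
    for e in entries:
        if e[0] != "permit":
            continue
        if e[1] == "ip":
            return True
        if e[1] == proto and "eq" in e and port(e[e.index("eq") + 1]) == port(dport):
            return True
    return False


def audit(text: str) -> List[Finding]:
    cfg = tokens(text)
    out: List[Finding] = []
    names = {t[1]: t[2] for t in cfg if t[0] == "nameif"}                    # ethernet0 -> outside
    sec = {t[2]: int(t[3].replace("security", "")) for t in cfg if t[0] == "nameif"}
    groups = {t[4]: t[1] for t in cfg if t[0] == "access-group"}             # iface -> ACL name
    acls: Dict[str, List[List[str]]] = {}
    for t in cfg:
        if t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
    mgmt_http = ["http", "server", "enable"] in cfg
    http_ifaces = {t[3] for t in cfg if t[0] == "http" and len(t) == 4}

    for t in cfg:
        if t[0] == "interface" and "shutdown" in t:
            out.append(("critical", f"{t[1]} ({names.get(t[1], '?')}) is administratively shut down"))
        if t[0] == "static" and t[2] in ("tcp", "udp"):
            _inside, outside = re.match(r"\((\w+),(\w+)\)", t[1]).groups()
            proto, gport, local = t[2], t[4], t[5]
            acl = groups.get(outside)
            if acl is None:
                out.append(("critical", f"static to {local}:{port(gport)} has no access-group on {outside}"))
            elif not acl_permits(acls.get(acl, []), proto, gport):
                out.append(("critical", f"access-list {acl} never permits {proto}/{port(gport)} to {local}"))
            if mgmt_http and outside in http_ifaces and proto == "tcp" and port(gport) == "80":
                out.append(("high", f"static PAT on {outside} port 80 collides with HTTP management on {outside}"))
    for name, entries in acls.items():
        if any(e[:4] == ["permit", "ip", "any", "any"] for e in entries):
            out.append(("high", f"access-list {name} is permit ip any any"))
    for iface in sorted(http_ifaces):
        if mgmt_http and sec.get(iface, 0) == 0:
            out.append(("high", f"HTTP management (PDM) reachable from {iface} (security0)"))
    for t in cfg:
        if t[0] in ("ssh", "telnet") and t[1] == "0.0.0.0" and sec.get(t[3], 0) == 0:
            out.append(("high", f"{t[0]} open to any address on {t[3]} (security0)"))
        if t[:3] == ["snmp-server", "community", "public"]:
            out.append(("medium", "SNMP community is the default 'public'"))
        if t[0] == "isakmp" and len(t) > 4 and t[3] in ("encryption", "hash") and t[4] in ("des", "md5"):
            out.append(("medium", f"weak IKE {t[3]}: {t[4]}"))
    return out


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it as-is to see the findings for the sample, or feed it `show running-config` output from a real box. The first finding, the outside interface being administratively down, is what actually resolved the thread; the port-80 collision rule only encodes what the replies assert about PDM and the `interface` static sharing a port.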

Hufcor_2 Fri, 01/08/2010 - 20:08

Follow-up message…


I have been attempting to diagnose this problem.  I ran Debug and the following is what I received when I attempted to open a browser session directed to the inside interface of my PIX (172.20.1.243).


Entries:

710005: TCP request discarded from 172.20.1.101/2757 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/2759 to inside:172.20.1.243/www


This is after I decided to just open it up by allowing anything (ACLs). Yet I am still not able to ping the outside address from another node, nor am I able to reach any other device from the PIX (cannot ping an outside address).


Latest Config:


:

PIX Version 6.3(1)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password cPlBJP0wS8qSVcsh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname MyDomain

domain-name hufcorairwall.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit ip any any

pager lines 24

logging console debugging

logging buffered informational

logging trap debugging

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside ***.***.***.84 255.255.255.248

ip address inside 172.20.1.243 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool1 192.168.221.1-192.168.221.23

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http ***.***.***.84 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac

crypto dynamic-map DynMap1 10 set transform-set TransSet1

crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1

crypto map CryptMap1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup GroupVpn1 address-pool ippool1

vpngroup GroupVpn1 idle-time 1800

vpngroup GroupVpn1 password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:e4c2cae3dba87baccb4de8656975ce73

: end

Dileep Sivadas ... Fri, 01/08/2010 - 21:12

Hi Leo,


You have enabled the HTTP management service (PDM or ASDM) on the outside interface.


And you are using the same interface to SNAT internal IPs.


Can you please disable that and check it out.


no http 0.0.0.0 0.0.0.0 outside



Dileep

vilaxmi Sat, 01/09/2010 - 12:00
User Badges:
  • Cisco Employee,

Since you have already mapped port 80 access to the outside ifc of the PIX, you cannot map the same port 80 access of the outside ifc to another internal IP using static translations. Hence, I agree with Dileep.


You might wanna use a separate external IP in the static command and then allow traffic to the ext IP using access-list on the outside ifc IN direction.


This will surely help you.


VIjaya

Hufcor_2 Sun, 01/10/2010 - 11:52

Thanks for your help…


But it did not seem to resolve my issue. I am attempting to understand this process. As I mentioned at the beginning, I have a program that I am attempting to gain access to from outside my network. Users will gain access via their browser. Therefore, I do not believe I need to have a route from my internal node (172.20.1.101) to my PIX (.243), since the .101 computer will be pointing to the PIX as the gateway. But I need a static route from my PIX to the .101 node (I don’t want HTTP traffic going anywhere else).


Therefore, I removed the following:


static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0


I also removed all the http entries – I do not use the PDM:


http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside


Also, at one time I used to use this as my VPN server. But I no longer have users access the device through the PIX. Therefore, is it critical to remove it (all the entries)?


Current Config.

PIX Version 6.3(1)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password cPlBJP0wS8qSVcsh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname hufcorairwall

domain-name hufcorairwall.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit ip any any

pager lines 24

logging console debugging

logging buffered informational

logging trap debugging

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside ***.***.***.84 255.255.255.248

ip address inside 172.20.1.243 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool1 192.168.221.1-192.168.221.23

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac

crypto dynamic-map DynMap1 10 set transform-set TransSet1

crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1

crypto map CryptMap1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup GroupVpn1 address-pool ippool1

vpngroup GroupVpn1 idle-time 1800

vpngroup GroupVpn1 password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:1225e257808d8147151d8fd06b471c3a

: end

hufcorairwall(config)#


vilaxmi Sun, 01/10/2010 - 18:10
User Badges:
  • Cisco Employee,

I went through your config, and I see the static command still missing. We need to add a static as I explained in my previous post.


Anytime you need to be able to access from outside (lower security level) any of the inside servers (connected on a higher-security-level ifc), you need to add a static translation from the server's inside IP to the server's external IP. And then on the outside ACL (101 in your case) you just need to allow users to access the external IP of the server, instead of allowing ALL (like you have done now, as it is not secure at all).


HTH


Vijaya

Hufcor_2 Tue, 01/12/2010 - 15:57

Thank you!


Uuugh!  Once I got the Outside interface up – I was able to ping.  I was also able to access the resource that I had been attempting.  I plan to tighten my ACL and just limit it to HTTP traffic to my .243 node.


Yes, I will change my ACL to limit traffic.  I opened it up simply because I could not determine where the problem existed.  I plan on only having one entry in my ACL:


access-list 101 permit tcp any interface outside eq http


One last thing… I am attempting to understand what is going on. I notice that I can access the resource from outside my network. However, when I open up my browser from the node hosting my program, it fails to connect. Not critical – but I am just attempting to understand.

Kureli Sankar Tue, 01/12/2010 - 16:45
User Badges:
  • Cisco Employee,

Pls. try http://127.0.0.1 - from the computer that is hosting it.


Pls. do not use the translated (public) ip address on the host that is hosting it.


-KS

Hufcor_2 Tue, 01/19/2010 - 17:12

Hello,


I am still having issues…


My original intention was to have a file sharing program that can be viewed outside my network via a browser – that part works.


However, the software has some functions that require access to the Internet via Port 80.  Therefore, when I opened my browser from the host machine – it does not work – meaning I cannot access a page on the Internet.


I know there is nothing wrong with the host computer (I can ping the local host) – when I type it within my browser, I get the interface of my program that I want others to see outside my network. When I connect via another source, it gains access.


When I ran debug on the PIX – this is what I received:


710005: UDP request discarded from 172.20.1.101/138 to inside:172.20.255.255/netbios-dgm

710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: UDP request discarded from 172.20.1.19/1185 to inside:172.20.255.255/netbios-ns

710005: UDP request discarded from 172.20.1.101/138 to inside:172.20.255.255/netbios-dgm

710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns

Kureli Sankar Tue, 01/19/2010 - 18:06
User Badges:
  • Cisco Employee,

172.20.1.243 - is the IP address of the inside interface.


The only logs that pertain to port 80 access are these below:

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www


All of these are talking about accessing the inside interface using port 80.


This tells me that either the static line is missing or it is referring to the IP address 172.20.1.243 and not the keyword "interface".


You mentioned that the website is fine and working on the computer.

This web server is unable to go out to the internet.

No one from the internet is able to reach this web server.


Pls. provide the following:

1. inside IP address of the web server

2. sh static

3. sh access-group

4. sh access-list (for the access-lists that show up in the above command)


-KS

Hufcor_2 Tue, 01/19/2010 - 18:52

My internal web server is 172.20.1.101.  The inside interface on the PIX is .243.


airwall(config)# sh static

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

airwall(config)# sh access-group

access-group 101 in interface outside

airwall(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

            alert-interval 300

access-list 101; 1 elements

access-list 101 line 1 permit ip any any (hitcnt=745)

airwall(config)#


Yes, currently I am permitting anything in an effort to get it to work first and then tighten it down (once I can verify it works).  My understanding of the PIX is that all information from the inside can go out unless it has been denied?


Also, the web service is working fine from the host computer (.101).  I am able to route this through my proxy gateway (another device…another IP) and send & receive information.  It is when I attempt to route through the PIX (.243) is when I encounter problems.

Kureli Sankar Tue, 01/19/2010 - 20:21
User Badges:
  • Cisco Employee,

It appears from the logs that you are trying to access 172.20.1.253 from 172.20.1.101.


Pls. use a computer on the internet (from home may be) and access the outside IP address using a browser (http://***.***.***.84) and it will load the web page hosted in 172.20.1.101


-KS

Dileep Sivadas ... Tue, 01/19/2010 - 20:26

Yes, currently I am permitting anything in an effort to get it to work
first and then tighten it down (once I can verify it works).  My understanding of the PIX is that all information from the inside can go out unless it has been denied?


This is when you do not have any access-list configured on interfaces. In your case the missing part may be an access-list on inside interface that permits http traffic from your internal web server to internet.



access-list 102  permit tcp host 172.20.1.101 any eq http

access-list 102  permit tcp host 172.20.1.101 any eq https


access-group 102 in interface inside


Also make sure that you have proper DNS resolution for internet access.



Dileep

Hufcor_2 Thu, 01/21/2010 - 18:54

Hello,


I got my PIX working…however…


After over-analyzing the issue, I decided to isolate the problem and remove the PIX from my network. I plugged another node directly into the hub ports on the back of the PIX and it worked (after allowing nearly full access).


On the network, the node I was attempting to reach was not directly plugged into the hub of the PIX.  But, I was able to ping the inside port of the PIX and the PIX was able to ping the node.  Therefore, I did not believe that to be an issue?


Anyway, now my problem is with ACL’s.  I basically had to allow anything in and out because when I applied the suggested ACL’s (the Access-list 102 suggestion) – I do not gain access.


This is what I have currently applied:


access-list 101; 1 elements

access-list 101 line 1 permit ip any any (hitcnt=1167)

access-list 102; 2 elements

access-list 102 line 1 permit tcp any any eq www (hitcnt=0)

access-list 102 line 2 permit tcp any any eq https (hitcnt=0)


Log information (note: the public address is the assigned DNS server. I transferred the application to my lab workstation, which is 172.20.1.103):


106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"

710005: UDP request discarded from 172.20.1.81/138 to inside:172.20.255.255/netbios-dgm

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"

710005: UDP request discarded from 172.20.1.11/137 to inside:172.20.255.255/netbios-ns

710005: UDP request discarded from 172.20.1.78/138 to inside:172.20.255.255/netbios-dgm

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"


What can I do to tighten my ACL’s while still allowing traffic to pass back and forth?
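Two syslog IDs carry this whole thread: 710005 and 106023. The script below is an added example, not part of the thread or of any Cisco tool: it parses lines in the two formats shown above, separates packets addressed to the PIX's own interface address (710005, which no static or ACL can help, and which the NetBIOS broadcast lines also produce) from through-traffic dropped by an interface ACL (106023), and collapses the 106023 denies into the narrowest permit lines that would have allowed the observed flows. The inside network and interface address are taken from the posted config; the log lines are constructed in the thread's format, with one extra tcp/443 deny to a documentation address added to show grouping by port.

```python
"""Triage of PIX 6.3 syslog IDs 710005 and 106023 (added example, not from the thread).

Inside network and interface address are from the posted config; the sample
lines are constructed in the formats the thread shows.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

INSIDE_NET = ipaddress.ip_network("172.20.0.0/16")   # ip address inside ... 255.255.0.0
INSIDE_IP = ipaddress.ip_address("172.20.1.243")     # PIX inside interface

# 710005: a packet aimed at one of the PIX's own addresses that no service answers.
RE_710005 = re.compile(
    r"^710005: (TCP|UDP) request discarded from (\S+)/(\S+) to (\w+):(\S+)/(\S+)$")
# 106023: a through-packet dropped by the ACL bound with access-group.
RE_106023 = re.compile(
    r'^106023: Deny (\w+) src (\w+):(\S+)/(\d+) dst (\w+):(\S+)/(\d+) by access-group "([^"]+)"')

# Constructed sample; the last line is an added tcp/443 deny to a
# documentation address so that grouping by port is visible.
SAMPLE_LOG = """\
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"
106023: Deny tcp src inside:172.20.1.103/1401 dst outside:203.0.113.10/443 by access-group "102"
"""


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a record for a recognised line, else None."""
    m = RE_710005.match(line)
    if m:
        proto, src, _sport, iface, dst, dport = m.groups()
        kind = ("broadcast-noise" if ipaddress.ip_address(dst) == INSIDE_NET.broadcast_address
                else "to-firewall")
        return {"kind": kind, "proto": proto.lower(), "src": src, "dst": dst,
                "dport": dport, "iface": iface}
    m = RE_106023.match(line)
    if m:
        proto, sif, src, _sport, _dif, dst, dport, acl = m.groups()
        return {"kind": "acl-deny", "proto": proto, "src": src, "dst": dst,
                "dport": dport, "iface": sif, "acl": acl}
    return None


def triage(log: str) -> Dict[str, List[Dict[str, str]]]:
    """Bucket every recognised line by what it means for the troubleshooter."""
    buckets: Dict[str, List[Dict[str, str]]] = {
        "to-firewall": [], "acl-deny": [], "broadcast-noise": []}
    for line in log.splitlines():
        rec = classify(line.strip())
        if rec:
            buckets[rec["kind"]].append(rec)
    return buckets


def advice(rec: Dict[str, str]) -> str:
    """One-line interpretation, matching what the thread's replies concluded."""
    if rec["kind"] == "to-firewall":
        return (f"{rec['src']} is connecting to the PIX's own {rec['iface']} address "
                f"{rec['dst']}:{rec['dport']}; the PIX does not forward that, so no static "
                f"or ACL applies. Point the client at the server's inside address instead.")
    if rec["kind"] == "acl-deny":
        return (f"access-group {rec['acl']} on {rec['iface']} has no permit for "
                f"{rec['proto']}/{rec['dport']}; once an ACL is bound, everything it does "
                f"not permit is implicitly denied.")
    return "Subnet-broadcast chatter (NetBIOS); ignore."


def propose_acl(records: List[Dict[str, str]]) -> List[str]:
    """Collapse 106023 denies into the narrowest permits: host source, one port."""
    hits = Counter((r["acl"], r["proto"], r["src"], r["dport"])
                   for r in records if r["kind"] == "acl-deny")
    return [f"access-list {acl} permit {proto} host {src} any eq {dport}"
            for (acl, proto, src, dport) in sorted(hits)]


if __name__ == "__main__":
    buckets = triage(SAMPLE_LOG)
    for kind, recs in buckets.items():
        for r in recs:
            print(f"[{kind}] {advice(r)}")
    print("\n".join(propose_acl(buckets["acl-deny"])))
```

The proposed lines are hints, not a policy: they permit exactly the source hosts and destination ports seen in the denies, so review each against what that host should be allowed to do (here, DNS for the web server) before adding it to the inside ACL.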

Dileep Sivadas ... Thu, 01/21/2010 - 20:31

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full
 

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password cPlBJP0wS8qSVcsh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname hufcorairwall

domain-name hufcorairwall.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

access-list 101 permit tcp any interface outside eq http
access-list 102 permit tcp 172.20.0.0 255.255.0.0 any eq http
access-list 102 permit tcp 172.20.0.0 255.255.0.0 any eq https
access-list 102 permit udp 172.20.0.0 255.255.0.0 any eq domain


pager lines 24

logging console debugging

logging buffered informational

logging trap debugging

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside ***.***.***.84 255.255.255.248

ip address inside 172.20.1.243 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool1 192.168.221.1-192.168.221.23

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

access-group 101 in interface outside

access-group 102 in interface inside

route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public 

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac

crypto dynamic-map DynMap1 10 set transform-set TransSet1

crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1

crypto map CryptMap1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup GroupVpn1 address-pool ippool1

vpngroup GroupVpn1 idle-time 1800

vpngroup GroupVpn1 password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:1225e257808d8147151d8fd06b471c3a

: end



I have pasted your config; the edited lines are highlighted.




Dileep
