01-07-2010 08:42 PM - edited 03-11-2019 09:54 AM
Hello,
I am using a PIX 501 with IOS 6.3 (1) installed.
My issue is that I am attempting to configure my PIX to direct HTTP traffic to a local computer that is running a program to share files. I am able to access the program from a browser on another workstation. Therefore, the program is working.
However, when I attempt to access the program from outside the PIX – I cannot.
Here are the steps I took to set up my configuration:
Needed to configure the Interfaces
ip address outside ***.***.***.18 255.255.255.248
ip address inside 172.20.1.241 255.255.0.0
Needed to apply an access-list:
This allows Https traffic through the PIX.
access-list 101; 1 elements
access-list 101 line 1 permit tcp any interface outside eq http
Created a Static route:
This is a route that will direct traffic directly to the SSL Concentrator (172.20.1.225)
static (inside,outside) tcp interface http 172.20.1.101 http netmask 255.255.255.255 0 0
Verified the routes:
outside 0.0.0.0 0.0.0.0 ***.***.***.81 1 OTHER static
outside ***.***.***.16 255.255.255.248 ***.***.***.18 1 CONNECT static
inside 172.20.0.0 255.255.0.0 172.20.1.241 1 CONNECT static
NAT
global (outside) 1 interface
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
01-07-2010 11:51 PM
Hufcor wrote: [original post quoted in full above]
Can you post full config of pix ?
Also, have you applied the acl to the outside interface ie.
access-group 101 in interface outside
Jon
01-08-2010 12:40 PM
Ooops! I forgot to assign the ACL to an interface. However, I am still not able to ping the outside address – much less gain access.
Leo
PIX Version 6.3(1)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cPlBJP0wS8qSVcsh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname airwall
domain-name MyDomain.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq https
access-list 101 permit tcp any interface outside eq ftp
pager lines 24
logging console debugging
logging buffered informational
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.84 255.255.255.248
ip address inside 172.20.1.243 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool1 192.168.221.1-192.168.221.23
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 172.20.1.4 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http ***.***.***.84 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac
crypto dynamic-map DynMap1 10 set transform-set TransSet1
crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1
crypto map CryptMap1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup GroupVpn1 address-pool ippool1
vpngroup GroupVpn1 idle-time 1800
vpngroup GroupVpn1 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:373876906db09cc3dbfe01db3eb2409b
: end
MyDomain(config)#
01-08-2010 08:08 PM
Follow up message…
I have been attempting to diagnose this problem. I ran Debug and the following is what I received when I attempted to open a browser session directed to the inside interface of my PIX (172.20.1.243).
Entries:
710005: TCP request discarded from 172.20.1.101/2757 to inside:172.20.1.243/www
710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www
710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www
710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www
710005: TCP request discarded from 172.20.1.101/2759 to inside:172.20.1.243/www
This is after I decided to just open it up by allowing anything (ACLs). Yet I am still not able to ping the outside address from another node, nor am I able to reach any other device from the PIX (cannot ping an outside address).
Latest Config:
:
PIX Version 6.3(1)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cPlBJP0wS8qSVcsh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MyDomain
domain-name hufcorairwall.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip any any
pager lines 24
logging console debugging
logging buffered informational
logging trap debugging
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.84 255.255.255.248
ip address inside 172.20.1.243 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool1 192.168.221.1-192.168.221.23
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http ***.***.***.84 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac
crypto dynamic-map DynMap1 10 set transform-set TransSet1
crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1
crypto map CryptMap1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup GroupVpn1 address-pool ippool1
vpngroup GroupVpn1 idle-time 1800
vpngroup GroupVpn1 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:e4c2cae3dba87baccb4de8656975ce73
: end
01-08-2010 09:12 PM
Hi Leo,
You have enabled the HTTP management service (PDM or ASDM) on the outside interface,
and are using the same interface to SNAT internal IPs.
Can you please disable that and check it out.
no http 0.0.0.0 0.0.0.0 outside
Dileep
01-09-2010 12:00 PM
Since you have already mapped port 80 access to the outside ifc of the PIX, you cannot map the same port 80 access of the outside ifc to another internal IP using static translations. Hence, I agree with Dileep.
You might wanna use a separate external IP in the static command and then allow traffic to the ext IP using access-list on the outside ifc IN direction.
This will surely help you.
VIjaya
01-10-2010 11:52 AM
Thanks for your help…
But it did not seem to resolve my issue. I am attempting to understand this process. As I mentioned at the beginning, I have a program that I am attempting to gain access from outside my network. User will gain access via their browser. Therefore, I do not believe I need to have a route from my internal node (172.20.1.101) to my PIX (.243). Since, the .101 computer will be pointing to the PIX as the Gateway. But I need a static route from my PIX to the .101 node (I don’t want HTTP traffic going anywhere else).
Therefore, I removed the following:
static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0
I also removed all the http entries – I do not use the PDM:
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
Also, at one time I used to use this as my VPN server. But I no longer have users access the device through the PIX. Therefore, is it critical to remove it (all the entries)?
Current Config.
PIX Version 6.3(1)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cPlBJP0wS8qSVcsh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname hufcorairwall
domain-name hufcorairwall.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip any any
pager lines 24
logging console debugging
logging buffered informational
logging trap debugging
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.84 255.255.255.248
ip address inside 172.20.1.243 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool1 192.168.221.1-192.168.221.23
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac
crypto dynamic-map DynMap1 10 set transform-set TransSet1
crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1
crypto map CryptMap1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup GroupVpn1 address-pool ippool1
vpngroup GroupVpn1 idle-time 1800
vpngroup GroupVpn1 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:1225e257808d8147151d8fd06b471c3a
: end
hufcorairwall(config)#
01-10-2010 06:10 PM
I went through your config, and I see the static command still missing. We need to add a static as I explained in my previous post.
Anytime you need to be able to access from outside (lower security level) any of the inside servers (connected on a higher security-level ifc), you need to add a static translation from the server's inside IP to the server's external IP. And then on the outside ACL (101 in your case) you just need to allow users to access the external IP of the server, instead of allowing ALL (like you have done now, as it is not secure at all).
HTH
Vijaya
01-10-2010 08:04 PM
Your config shows that eth0 is shutdown??
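Added example, not from this thread or from Cisco: a small Python audit that runs the checks the replies above raise (an ACL defined but never applied, `permit ip any any` on the outside, a static PAT with no matching permit, management listeners open on the outside, and the shut-down ethernet0) over a trimmed copy of the config posted above. The public address is masked in the thread and is replaced with the documentation address 203.0.113.84; `FIXED_CONFIG` is my own reconstruction of what the replies ask for, and the 172.20.1.0/24 source for the ssh line is an assumption.

```python
import re

# Constructed sample, trimmed from the PIX 6.3 config posted in this thread.
# The masked public address is replaced with the documentation address 203.0.113.84.
POSTED_CONFIG = """\
interface ethernet0 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip any any
static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
isakmp policy 10 encryption des
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Assumed corrected version: eth0 no longer shut down, ACL narrowed to the one
# published port, no management listeners on the outside, SSH only from the LAN.
FIXED_CONFIG = """\
interface ethernet0 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit tcp any interface outside eq www
static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
ssh 172.20.1.0 255.255.255.0 inside
"""

PORT_ALIASES = {"http": "www", "80": "www", "443": "https", "21": "ftp"}


def _port(name):
    """Normalise a port keyword or number the way PIX prints it (http -> www)."""
    return PORT_ALIASES.get(name, name)


def audit(config):
    """Return a list of finding strings for a PIX 6.x style configuration."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith(":")]
    findings = []

    # Physical interface -> nameif, e.g. ethernet0 -> outside.
    nameif = {}
    for l in lines:
        m = re.match(r"nameif (\S+) (\S+) security(\d+)$", l)
        if m:
            nameif[m.group(1)] = m.group(2)

    # 1. An administratively shut interface passes nothing, whatever NAT and ACLs say.
    for l in lines:
        m = re.match(r"interface (\S+) \S+ shutdown$", l)
        if m:
            findings.append(f"{nameif.get(m.group(1), m.group(1))} interface is shut down")

    # 2. ACL entries and where each ACL is applied.
    acls, applied = {}, {}
    for l in lines:
        m = re.match(r"access-list (\S+) (permit|deny) (.+)$", l)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        m = re.match(r"access-group (\S+) in interface (\S+)$", l)
        if m:
            applied[m.group(1)] = m.group(2)
    for acl in acls:
        if acl not in applied:
            findings.append(f"access-list {acl} is defined but never applied with access-group")
    for acl, iface in applied.items():
        if any(a == "permit" and r.startswith("ip any any") for a, r in acls.get(acl, [])):
            findings.append(f"access-list {acl} on {iface} permits ip any any")

    # 3. Each static PAT published on the low-security side needs a matching permit.
    for l in lines:
        m = re.match(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask", l)
        if not m:
            continue
        _hi, lo, proto, gaddr, gport, laddr, lport = m.groups()
        dest = "interface " + lo if gaddr == "interface" else "host " + gaddr
        acl = next((a for a, i in applied.items() if i == lo), None)
        permitted = False
        for a, r in acls.get(acl, []):
            toks = r.split()
            if a != "permit":
                continue
            if r.startswith("ip any any"):
                permitted = True
            elif toks[0] == proto and dest in r and "eq" in toks \
                    and _port(toks[toks.index("eq") + 1]) == _port(gport):
                permitted = True
        if not permitted:
            findings.append(f"static {lo}:{_port(gport)}/{proto} -> {laddr}:{_port(lport)} "
                            f"has no permit in the {lo} ACL")

    # 4. Management listeners open to any source or on the outside at all,
    #    default SNMP community, and single DES / MD5 in the IKE policy.
    for l in lines:
        m = re.match(r"(http|ssh|telnet) ([\d.]+) ([\d.]+) (\S+)$", l)
        if m:
            svc, addr, _mask, iface = m.groups()
            if iface == "outside" or addr == "0.0.0.0":
                findings.append(f"{svc} management allowed from {addr} on {iface}")
        if re.match(r"snmp-server community (public|private)$", l):
            findings.append("snmp-server uses a default community string")
        m = re.match(r"isakmp policy \d+ (encryption des|hash md5)$", l)
        if m:
            findings.append(f"weak IKE policy: {m.group(1)}")

    return findings
```

Running `audit(POSTED_CONFIG)` lists the shut-down outside interface, the any/any ACL, the HTTP and SSH listeners open to the whole Internet, the default SNMP community and the DES IKE policy; `audit(FIXED_CONFIG)` returns nothing. The static check is the useful part for this thread: it verifies that the published port on the outside interface is actually reachable through the ACL applied there, so tightening ACL 101 later cannot silently cut the server off.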
01-12-2010 03:57 PM
Thank you!
Uuugh! Once I got the Outside interface up – I was able to ping. I was also able to access the resource that I had been attempting. I plan to tighten my ACL and just limit it to HTTP traffic to my .243 node.
Yes, I will change my ACL to limit traffic. I opened it up simply because I could not determine where the problem existed. I plan on only having one entry in my ACL:
Access-list 101 permit tcp any interface outside eq http
One last thing... I am attempting to understand what is going on. I notice that I can access the resource from outside my network. However, when I open up my browser from the node hosting my program, it fails to connect. Not critical, but I am just attempting to understand.
01-12-2010 04:45 PM
Pls. try http://127.0.0.1 - from the computer that is hosting it.
Pls. do not use the translated (public) ip address on the host that is hosting it.
-KS
01-19-2010 05:12 PM
Hello,
I am still having issues…
My original intention was to have a file sharing program that can be viewed outside my network via a browser – that part works.
However, the software has some functions that require access to the Internet via Port 80. Therefore, when I opened my browser from the host machine – it does not work – meaning I cannot access a page on the Internet.
I know there is nothing wrong with the host computer (I can ping the local host). When I type it within my browser, I get the interface of my program that I want others to see outside my network. When I connect via another source, it gains access.
When I ran debug on the PIX – this is what I received:
710005: UDP request discarded from 172.20.1.101/138 to inside:172.20.255.255/netbios-dgm
710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
710005: UDP request discarded from 172.20.1.19/1185 to inside:172.20.255.255/netbios-ns
710005: UDP request discarded from 172.20.1.101/138 to inside:172.20.255.255/netbios-dgm
710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns
01-19-2010 06:06 PM
172.20.1.243 - is the IP address of the inside interface.
The only logs that pertain to port 80 access are these below:
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
All of these are talking about accessing the inside interface using port 80.
This tells me that either the static line is missing or it is referring to the IP address 172.20.1.243 and not the keyword "interface".
You mentioned that the website is fine and working on the computer.
This web server is unable to go out to the internet.
No one from the internet is able to reach this web server.
Pls. provide the following:
1. inside IP address of the web server
2. sh static
3. sh access-group
4. sh access-list (for the access-lists that show up in the above command)
-KS
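The reading KS gives of those log lines, as an added Python example that is not part of the thread: parse the 710005 discards, decide for each whether the packet was addressed to one of the firewall's own interfaces, to a broadcast address, or somewhere else, and count by port. 710005 is the PIX dropping a packet aimed at itself that no service on the box accepts, so a to-the-box hit on port 80 from the web server means that host is talking to the firewall's inside address rather than through it. The sample lines are the ones posted above with the wrapped lines rejoined; the interface map comes from the posted config, with the masked outside address replaced by the documentation address 203.0.113.84.

```python
import re
from collections import Counter

# Constructed sample: the 710005 lines posted in this thread, wrapped lines rejoined.
SAMPLE_LOG = """\
710005: UDP request discarded from 172.20.1.101/138 to inside:172.20.255.255/netbios-dgm
710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www
710005: UDP request discarded from 172.20.1.19/1185 to inside:172.20.255.255/netbios-ns
"""

# Interface addresses from the posted config; the outside address is masked in
# the thread and is replaced here with the documentation address 203.0.113.84.
INTERFACES = {"inside": "172.20.1.243", "outside": "203.0.113.84"}

# Accepts both the bare "710005:" form posted here and a "%PIX-7-710005:" syslog prefix.
LINE_RE = re.compile(
    r"(?:%PIX-\d-)?710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>[\w-]+) to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>[\w-]+)$"
)


def parse_710005(text):
    """Return one dict per well-formed 710005 line; anything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify(rec, interfaces=INTERFACES):
    """Say what the discarded packet was aimed at: the firewall itself, a broadcast, or other."""
    if rec["dst"] == interfaces.get(rec["iface"]):
        return "to-the-box"
    if rec["dst"].endswith(".255"):   # directed broadcast of the 172.20.0.0/16 LAN in this thread
        return "broadcast"
    return "other"


def summarize(text, interfaces=INTERFACES):
    """Count discards by (target class, protocol, destination port)."""
    counts = Counter()
    for rec in parse_710005(text):
        counts[(classify(rec, interfaces), rec["proto"], rec["dport"])] += 1
    return dict(counts)


def web_requests_to_firewall(text, interfaces=INTERFACES):
    """Hosts that sent port-80 requests to the firewall itself rather than through it."""
    return sorted({rec["src"] for rec in parse_710005(text)
                   if rec["dport"] in ("www", "80")
                   and classify(rec, interfaces) == "to-the-box"})
```

On the posted lines `summarize` reports two TCP/www discards classed as to-the-box and the rest as NetBIOS broadcast noise, and `web_requests_to_firewall` returns only 172.20.1.101, which is the observation KS makes by eye: the web server's browser is targeting the PIX's inside address, and nothing in those lines concerns the static translation or traffic arriving on the outside.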
01-19-2010 06:52 PM
My internal web server is 172.20.1.101. The inside interface on the PIX is .243.
airwall(config)# sh static
static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0
airwall(config)# sh access-group
access-group 101 in interface outside
airwall(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 1 elements
access-list 101 line 1 permit ip any any (hitcnt=745)
airwall(config)#
Yes, currently I am permitting anything in an effort to get it to work first and then tighten it down (once I can verify it works). My understanding of the PIX is that all information from the inside can go out unless it has been denied?
Also, the web service is working fine from the host computer (.101). I am able to route this through my proxy gateway (another device…another IP) and send & receive information. It is when I attempt to route through the PIX (.243) is when I encounter problems.
01-19-2010 08:21 PM
It appears from the logs that you are trying to access 172.20.1.253 from 172.20.1.101.
Pls. use a computer on the internet (from home may be) and access the outside IP address using a browser (http://***.***.***.84) and it will load the web page hosted in 172.20.1.101
-KS