PIX 501 Issue redirecting HTTP

hufcor
Level 1

Hello,

I am using a PIX 501 with IOS 6.3 (1) installed.

My issue is that I am attempting to configure my PIX to direct HTTP traffic to a local computer that is running a program to share files.  I am able to access the program from a browser on another workstation.  Therefore, the program is working.

However, when I attempt to access the program from outside the PIX – I cannot.

Here are the steps I took to set up my configuration:

Needed to configure the Interfaces

ip address outside ***.***.***.18 255.255.255.248

ip address inside 172.20.1.241 255.255.0.0

Needed to apply an access-list:

This allows Https traffic through the PIX.

access-list 101; 1 elements

access-list 101 line 1 permit tcp any interface outside eq http

Created a Static route:

This is a route that will direct traffic directly to the SSL Concentrator (172.20.1.225)

static (inside,outside) tcp interface http 172.20.1.101 http netmask 255.255.255.255 0 0

Verified the routes:

outside 0.0.0.0 0.0.0.0 ***.***.***.81 1 OTHER static

outside ***.***.***.16 255.255.255.248 ***.***.***.18 1 CONNECT static

inside 172.20.0.0 255.255.0.0 172.20.1.241 1 CONNECT static

NAT

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

17 Replies

Jon Marshall
Hall of Fame

Hufcor wrote:

Hello,

I am using a PIX 501 with IOS 6.3 (1) installed.

My issue is that I am attempting to configure my PIX to direct HTTP traffic to a local computer that is running a program to share files.  I am able to access the program from a browser on another workstation.  Therefore, the program is working.

However, when I attempt to access the program from outside the PIX – I cannot.

Here are the steps I took to set up my configuration:

Needed to configure the Interfaces

ip address outside ***.***.***.18 255.255.255.248

ip address inside 172.20.1.241 255.255.0.0

Needed to apply an access-list:

This allows Https traffic through the PIX.

access-list 101; 1 elements

access-list 101 line 1 permit tcp any interface outside eq http

Created a Static route:

This is a route that will direct traffic directly to the SSL Concentrator (172.20.1.225)

static (inside,outside) tcp interface http 172.20.1.101 http netmask 255.255.255.255 0 0

Verified the routes:

outside 0.0.0.0 0.0.0.0 ***.***.***.81 1 OTHER static

outside ***.***.***.16 255.255.255.248 ***.***.***.18 1 CONNECT static

inside 172.20.0.0 255.255.0.0 172.20.1.241 1 CONNECT static

NAT

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

Can you post full config of pix ?

Also, have you applied the acl to the outside interface ie.

access-group 101 in interface outside

Jon

Ooops!  I forgot to assign the ACL to an interface.  However, I am still not able to ping the outside address – much less gain access.

Leo

PIX Version 6.3(1)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password cPlBJP0wS8qSVcsh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname airwall

domain-name MyDomain.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit tcp any interface outside eq www

access-list 101 permit tcp any interface outside eq https

access-list 101 permit tcp any interface outside eq ftp

pager lines 24

logging console debugging

logging buffered informational

logging trap debugging

mtu outside 1500

mtu inside 1500

ip address outside ***.***.***.84 255.255.255.248

ip address inside 172.20.1.243 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool1 192.168.221.1-192.168.221.23

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp 172.20.1.4 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https 172.20.1.225 https netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http ***.***.***.84 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac

crypto dynamic-map DynMap1 10 set transform-set TransSet1

crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1

crypto map CryptMap1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup GroupVpn1 address-pool ippool1

vpngroup GroupVpn1 idle-time 1800

vpngroup GroupVpn1 password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:373876906db09cc3dbfe01db3eb2409b

: end

MyDomain(config)#

Follow up message…

I have been attempting to diagnose this problem.  I ran Debug and the following is what I received when I attempted to open a browser session directed to the inside interface of my PIX (172.20.1.243).

Entries:

710005: TCP request discarded from 172.20.1.101/2757 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/2758 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/2759 to inside:172.20.1.243/www

This is after I decided to just open it up by allowing anything (ACL's).  Yet I am still not able to ping the outside address from another node or am I able to reach any other device from the PIX (cannot ping an outside address).

Latest Config:

:

PIX Version 6.3(1)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password cPlBJP0wS8qSVcsh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname MyDomain

domain-name hufcorairwall.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit ip any any

pager lines 24

logging console debugging

logging buffered informational

logging trap debugging

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside ***.***.***.84 255.255.255.248

ip address inside 172.20.1.243 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool1 192.168.221.1-192.168.221.23

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http ***.***.***.84 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac

crypto dynamic-map DynMap1 10 set transform-set TransSet1

crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1

crypto map CryptMap1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup GroupVpn1 address-pool ippool1

vpngroup GroupVpn1 idle-time 1800

vpngroup GroupVpn1 password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:e4c2cae3dba87baccb4de8656975ce73

: end

Hi Leo,

You have enabled the HTTP management service (PDM or ASDM) on the outside interface.

And you are using the same interface to SNAT internal IPs.

Can you please disable that and check it out.

no http 0.0.0.0 0.0.0.0 outside

Dileep

Since you have already mapped port 80 access to the outside ifc of the PIX, you cannot map the same port 80 access of the outside ifc to another internal IP using static translations. Hence, I agree with Dileep.

You might wanna use a separate external IP in the static command and then allow traffic to the ext IP using access-list on the outside ifc IN direction.

This will surely help you.

VIjaya

Thanks for your help…

But it did not seem to resolve my issue.  I am attempting to understand this process.  As I mentioned at the beginning, I have a program that I am attempting to gain access to from outside my network.  Users will gain access via their browser.  Therefore, I do not believe I need to have a route from my internal node (172.20.1.101) to my PIX (.243), since the .101 computer will be pointing to the PIX as the gateway.  But I need a static route from my PIX to the .101 node (I don’t want HTTP traffic going anywhere else).

Therefore, I removed the following:

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

I also removed all the http entries – I do not use the PDM:

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

Also, at one time I used to use this as my VPN server.  But I no longer have users access the device through the PIX.  Therefore, is it critical to remove it (all the entries)?

Current Config.

PIX Version 6.3(1)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password cPlBJP0wS8qSVcsh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname hufcorairwall

domain-name hufcorairwall.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit ip any any

pager lines 24

logging console debugging

logging buffered informational

logging trap debugging

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside ***.***.***.84 255.255.255.248

ip address inside 172.20.1.243 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool1 192.168.221.1-192.168.221.23

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac

crypto dynamic-map DynMap1 10 set transform-set TransSet1

crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1

crypto map CryptMap1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup GroupVpn1 address-pool ippool1

vpngroup GroupVpn1 idle-time 1800

vpngroup GroupVpn1 password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:1225e257808d8147151d8fd06b471c3a

: end

hufcorairwall(config)#

I went through your config, and I see the static command still missing. We need to add a static as I explained in my previous post.

Anytime you need to be able to access from outside (lower security level) any of the inside servers (connected on a higher security-level ifc), you need to add a static translation for the server's inside IP to the server's external IP. And then on the outside ACL (101 in your case) you just need to allow users to access the external IP of the server, instead of allowing ALL (like you have done now, as it is not secure at all).

HTH

Vijaya

Your config shows that eth0 is shutdown??

Thank you!

Uuugh!  Once I got the Outside interface up – I was able to ping.  I was also able to access the resource that I had been attempting.  I plan to tighten my ACL and just limit it to HTTP traffic to my .243 node.

Yes, I will change my ACL to limit traffic.  I opened it up simply because I could not determine where the problem existed.  I plan on only having one entry in my ACL:

Access-list 101 permit tcp any interface outside eq http

One last thing…I am attempting to understand what is going on?  I notice that I can access the resource from outside my network.  However, when I open up my browser from the node hosting my program – it fails to connect.  Not critical – but I am just attempting to understand.

Pls. try http://127.0.0.1 - from the computer that is hosting it.

Pls. do not use the translated (public) ip address on the host that is hosting it.

-KS

Hello,

I am still having issues…

My original intention was to have a file sharing program that can be viewed outside my network via a browser – that part works.

However, the software has some functions that require access to the Internet via Port 80.  Therefore, when I opened my browser from the host machine – it does not work – meaning I cannot access a page on the Internet.

I know it is nothing wrong with the host computer (I can ping the local host) – when I type it within my browser – I get the interface of my program that I want others to see outside my network.  When I connect it via another source and it gains access.

When I ran debug on the PIX – this is what I received:

710005: UDP request discarded from 172.20.1.101/138 to inside:172.20.255.255/netbios-dgm

710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: UDP request discarded from 172.20.1.19/1185 to inside:172.20.255.255/netbios-ns

710005: UDP request discarded from 172.20.1.101/138 to inside:172.20.255.255/netbios-dgm

710005: UDP request discarded from 172.20.1.157/137 to inside:172.20.255.255/netbios-ns

172.20.1.243 - is the IP address of the inside interface.

The only logs that pertain to port 80 access are these below:

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

710005: TCP request discarded from 172.20.1.101/1303 to inside:172.20.1.243/www

All of these are talking about accessing the inside interface using port 80.

This tells me that either the static line is missing or it is referring to the IP address 172.20.1.243 and not the keyword "interface".

You mentioned that the website is fine and working on the computer.

This web server is unable to go out to the internet.

No one from the internet is able to reach this web server.

Pls. provide the following:

1. inside ip address of the web server

2. sh static

3. sh access-group

4. sh access-list (for the access-lists that show up in the above command)

-KS

My internal web server is 172.20.1.101.  The inside interface on the PIX is .243.

airwall(config)# sh static

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

airwall(config)# sh access-group

access-group 101 in interface outside

airwall(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

            alert-interval 300

access-list 101; 1 elements

access-list 101 line 1 permit ip any any (hitcnt=745)

airwall(config)#

Yes, currently I am permitting anything in an effort to get it to work first and then tighten it down (once I can verify it works).  My understanding of the PIX is that all information from the inside can go out unless it has been denied?

Also, the web service is working fine from the host computer (.101).  I am able to route this through my proxy gateway (another device…another IP) and send & receive information.  It is when I attempt to route through the PIX (.243) is when I encounter problems.

It appears from the logs that you are trying to access 172.20.1.253 from 172.20.1.101.

Pls. use a computer on the internet (from home may be) and access the outside IP address using a browser (http://***.***.***.84) and it will load the web page hosted in 172.20.1.101

-KS
