Can't get my Pix 501 configured

Mar 9th, 2010

The company I work for uses a Pix 501 Firewall. I am trying to allow access to our web server but am having no luck. Before I post my config file, perhaps I should clarify our situation. We recently switched to a new T1 provider who issued us a slash 29 IP address range. We haven't actually made the DNS changes to associate one of those IP addresses with our domain name but I am figuring I can enter the IP address in my web browser and the request will eventually wind up at our router. Won't it? What little I know about IT is self taught. Anyway, I have a web site hosted on 192.168.2.6. The actual IP address will eventually be 12.235.76.156. I think I have set my access list and static route correctly but I don't get a web page to pop up on my browser. Posted below is the config from the firewall. If anyone can see a problem (or tell me that the firewall is configured correctly) I would love to hear it.

As always, I thank everyone who contributes to forums.

Steven

Result of firewall command: "write t"

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password IBulMkHo3PoFMxKJ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.6 Intranet
access-list outside_access_in permit tcp any host 12.235.76.155 eq ftp
access-list outside_access_in permit tcp any host 12.235.76.156 eq www
access-list capout permit tcp host 216.212.53.186 eq ftp any
access-list capin permit tcp any host 192.168.1.3 eq ftp
access-list capin permit tcp host 192.168.1.3 eq ftp any
access-list capin permit tcp host 192.168.2.32 any eq domain
access-list capin permit tcp any eq domain host 192.168.2.32
access-list inside_outbound_nat0_acl permit ip any host 192.168.2.155
access-list acl_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 12.235.76.154 255.255.255.248
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.2.155 192.168.2.155
pdm location 216.212.53.186 255.255.255.255 inside
pdm location 192.186.1.3 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 171.68.225.212 255.255.255.255 outside
pdm location 192.168.2.155 255.255.255.255 outside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.123 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.2.3 255.255.255.255 inside
pdm location 192.168.2.7 255.255.255.255 inside
pdm location Intranet 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.235.76.155 192.168.2.3 dns netmask 255.255.255.255 0 0
static (inside,outside) 12.235.76.156 Intranet dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 12.235.76.153 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh 171.68.225.212 255.255.255.255 outside
ssh timeout 60
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local 192.168.2.155
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username creoservice password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:666a474685aa6dc1bb2907318a6dc25e
: end
[OK]

Federico Coto F... Tue, 03/09/2010 - 14:13

Hi,


To reach the internal server from the outside world, you need the following:


access-list outside_access_in permit tcp any host 12.235.76.156 eq www
access-group outside_access_in in interface outside
static (inside,outside) 12.235.76.156 Intranet dns netmask 255.255.255.255 0 0


Those statements above are all you need.
Now, let's make a test (since you have those commands already on your posted config)...


telnet 12.235.76.156 80

Are you getting there?


Can you get out to the Internet if you source a packet from the server itself?


Federico.

stevensutton Tue, 03/09/2010 - 14:22

Thanks for the quick (immediate!) response Federico! Only problem is, I don't understand what you asked me to test. By "Telnet" do you mean accessing the PIX using a computer connected to the COM port? I was never able to do that. I'm afraid I also do not understand what you meant when you asked "Can you get out to the Internet if you source a packet from the server itself?" I do have Internet access from computers on our network using the Pix as their gateway. Is that what you mean? I apologize for my lack of understanding but as I said before 'self-taught' and sometimes you get what you pay for. :-)

Federico Coto F... Tue, 03/09/2010 - 14:26

No worries, we're all here learning something everyday ;-)


I wanted to know if you can get out to the Internet from the server itself.


Try from a computer (on the Internet) to open a Command Prompt (on Windows, Start / Run / cmd)

Type:


telnet PUBLIC_IP_OF_THE_SERVER 80


This is going to send packets on port 80 destined to the server that you want to reach. If you get inside you can type anything, like get, so that you will get a response to see if you reach the server.


Let me know.


Federico.

stevensutton Tue, 03/09/2010 - 14:47

No connection. Just for fun, I tried to connect to our actual website and did get connected. Never saw anything on my screen but did seem to get connected.


Now I wonder if I lost you with "our actual website". Our company has a website (www.texomaweb.com) which we host on one of our servers. That server is connected to the router on our original T1 line. That network configuration goes: T1 line (Provider 1) > router 1 > network card in server (server 2) that hosts the website. I can't try connecting to that website until I get this configuration issue worked out as well as some other issues with Provider 2. So here is the network config that I am having problems with: T1 line (Provider 2) > router 2 > firewall > switch. Server 2 has a second NIC with a local IP address (192.168.2.6) which has a little Intranet site I built. That NIC is connected to the same switch as the firewall. My thinking is, we have a set of IP addresses issued by our new provider (Provider 2). When I open a browser and type in 'http://12.235.76.156' that request gets routed to our router. The router sends the request through to 192.168.2.6 which is configured to dish out a webpage when requested on port 80. Whew. I hope that made sense. I also hope I'm not trying to do something that just doesn't make sense. Thanks for all your input. You can quit anytime you want. :-)

Federico Coto F... Tue, 03/09/2010 - 14:59

Let's see if when you attempt to open the browser to get to the server, those packets are getting to the ASA:


This is the line on the ACL that allows the incoming port 80 to the server:


access-list outside_access_in permit tcp any host 12.235.76.156 eq www


So, try to access the server http://12.235.76.156 and then do the command:   show access-list outside_access_in


from the Command Line on the ASA. (This will let us know if the traffic is reaching the ASA, if you see hitcounts incrementing every time you try to access the server.)


If you don't get any hitcounts on the SHOW command, then the traffic is not even reaching the ASA.

If you do see the hitcounts incrementing every time, we know the traffic is reaching the ASA, so we will need to check if it's coming back.


Let me know.


Federico.

stevensutton Tue, 03/09/2010 - 15:29

Here is the result of the Show:

Result of firewall command: "show access-list outside_access_in"

access-list outside_access_in; 2 elements
access-list outside_access_in line 1 permit tcp any host 12.235.76.155 eq ftp (hitcnt=5)
access-list outside_access_in line 2 permit tcp any host 12.235.76.156 eq www (hitcnt=16)

I tried accessing the FTP site too, which is why line 1 shows 5 hit counts. So this means the packets are getting routed to the firewall, doesn't it? Now I just have to figure out why they aren't reaching the server I want. Something to investigate tomorrow. Thanks, Federico, for all your assistance.
