Why can't I reach internal Web Server from outside?

Answered Question
Jul 27th, 2010

I have a PIX 501 connected to my home ISP providing NAT/PAT, and routing. Internal hosts can get out no problem. Have an Apache web server running internally. I can reach it from inside with no problem. But no matter what I try, I can't seem to reach it from outside.

The local address for the webserver is 192.168.1.201. From outside I'm trying to reach it by typing in the ip address of the outside interface; that's the way to get to it right? So if my public IP was 10.176.101.4 (hypothetical - not my real public IP) I would type http://10.176.101.4 in the browser, correct? I'm attaching a show config, show version, show interface, show route and show xlate from the PIX. Please let me know if you see where I'm going wrong. Thanks!!

-Bk


PIX2# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123XYZ encrypted
passwd 123XYZ encrypted
hostname PIX2
domain-name ecc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit ip any any
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside-in permit tcp any host 10.176.101.4 eq www
access-list outside-in permit tcp any host 192.168.1.201 eq www
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 22
logging host inside 192.168.1.201
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0 (note: I've also tried'nat (inside) 1 0.0.0.0 0.0.0.0 0 0')
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 10.171.58.125
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 10.171.58.125 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:123XYZ
: end

PIX2# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a529
IP address 10.176.101.4, subnet mask 255.255.248.0
MTU 1500 bytes, BW 100000 Kbit full duplex
377294 packets input, 25432436 bytes, 0 no buffer
Received 358219 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
17515 packets output, 1928916 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/41)
output queue (curr/max blocks): hardware (0/14) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a52a
IP address 192.168.1.199, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
22937 packets input, 2050026 bytes, 0 no buffer
Received 67 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
56998 packets output, 9991631 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/14)
output queue (curr/max blocks): hardware (0/27) software (0/1)


PIX2# show ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PIX2 up 10 hours 52 mins

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000b.be94.a529, irq 9
1: ethernet1: address is 000b.be94.a52a, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.

PIX2# show route
outside 0.0.0.0 0.0.0.0 10.176.96.1 1 DHCP static
outside 10.176.96.0 255.255.248.0 10.176.101.4 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.199 1 CONNECT static


PIX2# show xlate
8 in use, 71 most used
PAT Global 10.176.101.4(7505) Local 192.168.1.201(39900)
PAT Global 10.176.101.4(7507) Local 192.168.1.201(41609)
PAT Global 10.176.101.4(7506) Local 192.168.1.201(58216)
PAT Global 10.176.101.4(7509) Local 192.168.1.201(45599)
PAT Global 10.176.101.4(7508) Local 192.168.1.201(33990)
PAT Global 10.176.101.4(1031) Local 192.168.1.13(4302)
PAT Global 10.176.101.4(7510) Local 192.168.1.201(39729)
PAT Global 10.176.101.4(2991) Local 192.168.1.13(32209)

I have this problem too.
0 votes
Correct Answer by Nagaraja Thanthry about 6 years 4 months ago

Hello,

Then I guess you need to work with your ISP to see if they are blocking

anything at their end. Let us try this:

no static (inside,outside) tcp interface www 192.168.1.201 www netmask

255.255.255.255

static (inside,outside) tcp interface 8880 192.168.1.201 www netmask

255.255.255.255

access-list outside-in permit tcp any interface outside eq 8880

Then try to access the web server on port 8880 from outside:

http://:8880

This will let us know if the ISP is blocking port 80.

Hope this helps.

Regards,

NT

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Nagaraja Thanthry Tue, 07/27/2010 - 10:05

Hello,

Can you please try the following:

no access-list outside-in permit tcp any host 10.176.101.4 eq www

no access-list outside-in permit tcp any host 192.168.1.201 eq www

access-list outside-in permit tcp any interface outside eq www

In the older version of the code, using the interface IP for the outside access-list was not completely supported. You had to use interface keyword.

Hope this helps.

Regards,

NT

BarryJoseph Tue, 07/27/2010 - 10:19

Hi NT,

Actually I've made the change you recommended, cleared the xlate table and tried again.  I still can't get through; the access list isn't showing any hits either.

Thank you!

-bk

Correct Answer
Nagaraja Thanthry Tue, 07/27/2010 - 10:24

Hello,

Then I guess you need to work with your ISP to see if they are blocking

anything at their end. Let us try this:

no static (inside,outside) tcp interface www 192.168.1.201 www netmask

255.255.255.255

static (inside,outside) tcp interface 8880 192.168.1.201 www netmask

255.255.255.255

access-list outside-in permit tcp any interface outside eq 8880

Then try to access the web server on port 8880 from outside:

http://:8880

This will let us know if the ISP is blocking port 80.

Hope this helps.

Regards,

NT

BarryJoseph Tue, 07/27/2010 - 11:03

I was really hopeful when I saw your reply - thought it was quite likely that was exactly what is happening (ISP blocking port 80 incoming).  But I made the change as you recommended - still nothing    Here's my current config entry changes - please let me know if you see that I missed something:

access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit tcp any interface outside eq 8880
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8880 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group outbound in interface inside

Access list stats:

access-list outside-in; 2 elements
access-list outside-in line 1 permit tcp any interface outside eq www (hitcnt=0)
access-list outside-in line 2 permit tcp any interface outside eq 8880 (hitcnt=0)

And the URL I'm trying to reach:

http://70.176.101.4:8880/

Thank you!

-Bk

BarryJoseph Tue, 07/27/2010 - 12:54

NT you were right.  Turns out it wasn't working for me - apparently my corporate office must be blocking non well-known ports.  Tried from another network, and got right in.  Apparently the ISP is in fact blocking port 80.

Thanks again for your advice and assistance!

-Bk

Diego Armando C... Tue, 07/27/2010 - 10:10

Everything seems to configured right. Im seeing that you are getting your outside IP via DHCP.Aare you sure that the IP address that you are trying to access from the browser is the one that you have in the outside?.

Do u have any available public IP address to try (no the one in the interface).

Or remove the fixup protocol http 80 and try again.

SOmething have to work.

BarryJoseph Tue, 07/27/2010 - 10:26

Hello Diego,

Yes I'm getting a DHCP address, from the ISP.  I am able to make an outside SSH connection to the PIX (I'm connected as we speak) so I'm sure it's the correct address.  No unfortunately I don't have another available public address to try.

I made the fixup change you've recommended and tried again - no change.  I agree with you that "something has got to work"!!  I'm sure I'm missing something simple, probably nothing to do with the config.

Thank you - please let me know if you have any other ideas!

-bk

Diego Armando C... Tue, 07/27/2010 - 10:33

Is the default gateway of the Server the INSIDE of the PIX?

If you use a sniffer in the server are you able to see the Syn packets coming from the outside.?

Actions

This Discussion