PIX 515E Port Redirection

Unanswered Question
Dec 1st, 2011

I'm trying to use port redirection to allow outside access to an internal web server. As far as I can see, everything is configured properly. The Open Port Checker tool from yougotsingle.com says that the port (80) is open. However, when I go to access it the connection times out.

The external address is static from my ISP, and I will call it xxx.xxx.xxx.xxx. The server is at 10.1.1.20, and is functioning properly over the LAN.

The commands that I used to redirect:

static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.1.1.20 www netmask 255.255.255.255 0 0

access-list acl-in permit tcp any host xxx.xxx.xxx.xxx eq www

access-group acl-in in interface outside

The output of show run:

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname pixfw
domain-name b2000b.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-in permit tcp any host xxx.xxx.xxx.xxx eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.0.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.1.1.20 www netmask 255.255.255.255 0 0
access-group acl-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.40 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.100-10.1.1.150 inside
dhcpd dns 75.75.75.75 76.76.76.76
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

I hope that someone here will be able to help me. I thank anyone for any feedback on my issue.

varrao Thu, 12/01/2011 - 22:20

Hi William,

Configuration looks good to me. I would suggest you rely on packet captures now to identify where the packets are being dropped. This should give you a clear picture of the packet flow; you can refer to this doc for captures:

https://supportforums.cisco.com/docs/DOC-17814

Hope that helps.

Thanks,

Varun

b2000bb2000b Fri, 12/02/2011 - 10:27

Hello, I ran the capture but I don't know how to interpret it. I ran:

capture capin interface inside access-list acl-in

Then I tried to connect to the server, and the connection timed out. I then viewed the capture (xxx.xxx.xxx.xxx is my external IP):

pixfw# show capture capin

3 packets captured

11:44:24.415658 10.1.1.100.4869 > xxx.xxx.xxx.xxx.80: S 1563977571:1563977571(0) win 65535

11:44:27.388987 10.1.1.100.4869 > xxx.xxx.xxx.xxx.80: S 1563977571:1563977571(0) win 65535

11:44:33.325651 10.1.1.100.4869 > xxx.xxx.xxx.xxx: S 1563977571:1563977571(0) win 65535

3 packets shown

Do you have any idea what this means to my situation?

varrao Fri, 12/02/2011 - 10:43

Hi William,

It seems that the request is being forwarded to the server but the server is not responding back, you can see in the captures that the S (syn) packets are going to the server but nothing coming back. You might want to check why the server is not responding. Can you also share the captures and acl's that you used, just to double check.

Thanks,

Varun

b2000bb2000b Fri, 12/02/2011 - 11:04

Thanks for the quick response Varun, I'm sure that the server is working properly. The internal address is 10.1.1.20 (for the server). I have been able to use the server from anywhere within the LAN, but not from outside the LAN. The commands that apply to the port redirection are:

static (inside,outside) tcp xxx.xxx.xxx.xxx www 10.1.1.20 www netmask 255.255.255.255 0 0

access-list acl-in permit tcp any host xxx.xxx.xxx.xxx eq www

access-group acl-in in interface outside

And the Capture commands:

capture capin interface inside access-list acl-in

Do you have any idea why the server would work inside the LAN but not outside? I'm almost positive it's a problem with the PIX.

NOTE: I had this configuration working before I had the PIX. Before the PIX, I had a Cisco Linksys E2000, and the forwarding with that worked fine.

varrao Fri, 12/02/2011 - 11:18

Hi William,

Use these for your captures:

access-list cap permit ip any host 10.1.1.20

access-list cap permit ip host 10.1.1.20 any

access-list cap permit ip any host xx.xx.xx.xx

access-list cap permit ip host xx.xx.xx.xx any

capture capin access-list cap interface inside

capture capo access-list cap interface outside

This would give us the exact picture.

Moreover, you said that you changed devices; can you also check whether the DG on the server is the PIX or not?

Thanks,

Varun

b2000bb2000b Fri, 12/02/2011 - 11:39

Thanks again for the speedy response. I ran those captures, and the output of show capture capin:

12:54:16.023253 10.1.1.100.4974 > xxx.xxx.xxx.xxx.80: S 3870370115:3870370115(0) win 65535

12:54:18.970210 10.1.1.100.4974 > xxx.xxx.xxx.xxx.80: S 3870370115:3870370115(0) win 65535

12:54:24.906843 10.1.1.100.4974 > xxx.xxx.xxx.xxx.80: S 3870370115:3870370115(0) win 65535

The output of show capture capo:

12:59:16.715630 xxx.xxx.xxx.xxx.6 > 192.168.1.113.427:  udp 44

12:59:21.315153 xxx.xxx.xxx.xxx.12 > 204.235.61.9.123:  udp 48

12:59:21.357708 204.235.61.9.123 > xxx.xxx.xxx.xxx.12:  udp 48

12:59:27.101496 xxx.xxx.xxx.xxx.2035 > 216.146.35.35.53:  udp 37

12:59:27.139763 216.146.35.35.53 > xxx.xxx.xxx.xxx.2035:  udp 166

The server's default gateway is the PIX, and it can successfully ping www.google.com as well as a local workstation within the LAN.

varrao Fri, 12/02/2011 - 11:46

Wait a minute, are you accessing the server from the inside network on the PIX? Why do I see the request coming from the inside interface to the public IP? It should be coming from outside, and in the captures we should see the request coming from outside, but in the captures it is the opposite.

The request is coming from 10.1.1.100, which is your internal LAN IP.

If it is so, then I guess you would need to do u-turning on the PIX.

Thanks,

Varun
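As an added example (not from the thread, and not a Cisco tool), the following Python script parses PIX 6.3 "show capture" lines like the ones posted above and reproduces Varun's diagnosis automatically: if the SYNs to the public IP on port 80 are seen on the inside interface with a 10.1.1.0/24 source, the test was run from inside the LAN (a hairpin/U-turn test), not from the Internet. The public address 203.0.113.10 and the sample lines are constructed stand-ins for the masked values in the thread.

```python
import ipaddress
import re

# Constructed values: 203.0.113.10 (RFC 5737 documentation range) stands in
# for the masked xxx.xxx.xxx.xxx public IP; the subnet and port are from the
# posted config.
PUBLIC_IP = "203.0.113.10"
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
SERVER_PORT = 80

# Constructed capture text modelled on the thread's "show capture" output.
CAPTURE_INSIDE = """\
12:54:16.023253 10.1.1.100.4974 > 203.0.113.10.80: S 3870370115:3870370115(0) win 65535
12:54:18.970210 10.1.1.100.4974 > 203.0.113.10.80: S 3870370115:3870370115(0) win 65535
"""
CAPTURE_OUTSIDE = """\
12:59:21.315153 203.0.113.10.12 > 204.235.61.9.123:  udp 48
12:59:21.357708 204.235.61.9.123 > 203.0.113.10.12:  udp 48
"""

# One PIX capture line: timestamp, src.sport > dst[.dport]: flags/proto ...
# The destination port is optional because the third line in the thread
# lacks it.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

def parse_capture(text):
    """Parse 'show capture' lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"]) if d["dport"] else None
        d["syn"] = d["rest"].startswith("S ")  # TCP SYN in PIX capture notation
        packets.append(d)
    return packets

def _syn_to_static(p):
    return p["dst"] == PUBLIC_IP and p["dport"] == SERVER_PORT and p["syn"]

def diagnose(inside_text, outside_text):
    """'hairpin' if SYNs to the static come from the inside subnet on the
    inside interface, 'external' if they arrive on the outside interface,
    'no_traffic' if no SYN to the static was captured."""
    inside, outside = parse_capture(inside_text), parse_capture(outside_text)
    if any(_syn_to_static(p) and ipaddress.ip_address(p["src"]) in INSIDE_NET for p in inside):
        return "hairpin"
    if any(_syn_to_static(p) for p in outside):
        return "external"
    return "no_traffic"
```

Running diagnose(CAPTURE_INSIDE, CAPTURE_OUTSIDE) on the sample above returns "hairpin", matching the conclusion in the thread; a capture taken while a genuine outside host connects would return "external".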

Posted December 1, 2011 at 6:55 PM