×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Can RDP into Server 2003 but cant browse http

Answered Question
Apr 30th, 2012
User Badges:

I can RDP into this server 2003 on a colo network but I cant browse the internet on it.  I need it to be able to pull captcha information.  The server is a client of mine and he hosts his website on it via IIS.  The site responds fine over http.  The config for the firewall is below.  I dont know if the IP address matter but I tried to make them coded to show the different IP's.  Thanks for the help.


PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password

passwd encrypted

hostname koeppelpix

domain-name koeppeldirect.local

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service RDP tcp-udp

  port-object range 3389 3389

access-list outside_access_in permit tcp any host 65.99.xxx.xxx object-group RDP

access-list outside_access_in permit tcp any host 65.99.xxx.xxx eq www

access-list outside_access_in permit tcp any host 65.99.xxx.xxx eq ftp

access-list inside_access_in permit tcp any eq smtp any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 65.99.xxx.xxx 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.2 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 65.99.xxx.xxx 192.168.1.2 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 65.99.xxx.zzz 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 206.123.aaa.aaa 206.123.aaa.bbb

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:d446b36119af7c14f458d3936522f45f

: end

Correct Answer by syedmubarakahmed about 5 years 3 months ago

Access-list inside ACCESSin permit tcp any any eq http

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
Marvin Rhoads Mon, 04/30/2012 - 18:00
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Traffic initiated FROM the server will hit:


access-list inside_access_in permit tcp any eq smtp any


which only allows smtp (mail) outbound.


I'd try adding an Access Control Entry (ACE) to that access list as follows:


access-list inside_access_in permit tcp any eq http any


...and then give it another try.

Francisco Gonzalez Tue, 05/01/2012 - 09:19
User Badges:

I dont know how I missed that.  You know when you are working on something for so long and you start getting tunnel vision.  I havent tried this yet but I'm 99% sure that is it.  Thank you. 

Francisco Gonzalez Tue, 05/01/2012 - 09:41
User Badges:

Just to close this out, yes that was the problem.  However, adding the access-list inside_access_in permit tcp any eq http any did not allow browsing.  Instead, I just removed the access-group inside_access_in in int inside and it worked right away.  I cant see any reason why that ACL exists can you guys?

Marvin Rhoads Tue, 05/01/2012 - 09:47
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Glad it's working now.


At one point someone only wanted mail to be the only permissible traffic initiated from the inside.

Actions

This Discussion