PIX 501 Configuration

nalleyp, Level 1

I am having an incredible amount of trouble getting my PIX 501 configured. I can get up on the net with it but when anyone from outside tries to access my webserver they get the first page then every subsequent page times out.

I have also set up an alias for internal users to be able to access the page, but that does not work either. I have attached the config; can anyone help me out?

Thank you in advance for any help,

: Written by enable_15 at 04:46:12.946 UTC Wed Sep 24 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 209.xx.124.100 eq smtp
access-list 100 permit tcp any host 209.xx.124.100 eq ftp
access-list 100 permit tcp any host 209.xx.124.100 eq www
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 209.xx.124.101 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm location 192.168.1.101 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 209.xx.124.102-209.xx.124.108
global (outside) 1 interface
global (outside) 1 209.xx.124.109
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.xx.124.100 192.168.1.13 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xx.124.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.1.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxx

3 Replies

gfullage, Cisco Employee

Difficult to say what's going on. Do you redirect the user to an https page after the initial page? If so, then you'd need the following:

access-list 100 permit tcp any host 209.xx.124.100 eq https

Other than that, enable syslogging in the PIX and then recreate the problem; the syslog messages will tell you what's going on:

logging on
logging buffer debug
sho log

Also, I don't see the alias command you mention. Add the dns option to your static command and it should work properly; the alias command has been deprecated.
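As an added example (not from the thread or from Cisco), a small Python audit that applies the two checks this reply suggests to a PIX 6.x config: whether every TCP port the server is meant to serve has an inbound permit on the ACL bound to the outside interface, and whether the static carries the dns keyword that replaces alias. POSTED_CONFIG is the relevant subset of the poster's config; FIXED_CONFIG and the audit function are constructed here.

```python
import re

# Constructed sample: the lines from the poster's config that matter for the
# two points raised in the reply. The masked octet 'xx' is kept as posted.
POSTED_CONFIG = """\
access-list 100 permit tcp any host 209.xx.124.100 eq smtp
access-list 100 permit tcp any host 209.xx.124.100 eq ftp
access-list 100 permit tcp any host 209.xx.124.100 eq www
static (inside,outside) 209.xx.124.100 192.168.1.13 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

# Constructed: the same config with both suggestions applied (https permit
# added, 'dns' keyword added to the static so internal DNS replies are doctored).
FIXED_CONFIG = POSTED_CONFIG.replace(
    "eq www\n", "eq www\naccess-list 100 permit tcp any host 209.xx.124.100 eq https\n"
).replace("192.168.1.13 netmask", "192.168.1.13 dns netmask")

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)( dns)? netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def audit(config, required_ports):
    """Return findings for each static translation in a PIX 6.x config.

    required_ports: TCP port names (PIX keyword form, e.g. 'www', 'https')
    that the translated host must be reachable on from the outside.
    """
    permits, statics, inbound = {}, [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            permits.setdefault(m[1], set()).add((m[2], m[3]))
        elif m := STATIC_RE.match(line):
            # (outside interface, public/global IP, whether 'dns' is present)
            statics.append((m[2], m[3], m[5] is not None))
        elif m := GROUP_RE.match(line):
            inbound[m[2]] = m[1]  # interface -> ACL applied inbound
    findings = []
    for outside_if, public_ip, has_dns in statics:
        allowed = permits.get(inbound.get(outside_if), set())
        for port in required_ports:
            if (public_ip, port) not in allowed:
                findings.append(f"{public_ip}: no inbound permit for tcp/{port} on {outside_if}")
        if not has_dns:
            findings.append(f"{public_ip}: static lacks 'dns' keyword (alias replacement)")
    return findings
```

Running audit(POSTED_CONFIG, ["www", "https"]) reports the missing https permit and the missing dns keyword; the same call on FIXED_CONFIG returns no findings.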

No I do not have a redirect setup to an https:// site.

What is the syntax for the dns addition? I have looked, but all I see is the alias option.

Does the rest of the config look ok?

Thanks for your help,

Paul,

Please check the following URL for help on DNS syntax:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026694

Please remember to issue the command clear xlate after modifying any static commands or ACLs, and also save with the command write memory (or the shorthand wr m).

Thanks - Jay.
