Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1182
Views
4
Helpful
5
Replies

Can RDP into Server 2003 but cant browse http

Go to solution
Francisco Gonzalez
Level 1
Level 1

‎04-30-2012 01:42 PM - edited ‎03-11-2019 04:00 PM

I can RDP into this server 2003 on a colo network but I cant browse the internet on it.  I need it to be able to pull captcha information.  The server is a client of mine and he hosts his website on it via IIS.  The site responds fine over http.  The config for the firewall is below.  I dont know if the IP address matter but I tried to make them coded to show the different IP's.  Thanks for the help.

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password

passwd encrypted

hostname koeppelpix

domain-name koeppeldirect.local

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service RDP tcp-udp

  port-object range 3389 3389

access-list outside_access_in permit tcp any host 65.99.xxx.xxx object-group RDP

access-list outside_access_in permit tcp any host 65.99.xxx.xxx eq www

access-list outside_access_in permit tcp any host 65.99.xxx.xxx eq ftp

access-list inside_access_in permit tcp any eq smtp any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 65.99.xxx.xxx 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.2 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 65.99.xxx.xxx 192.168.1.2 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 65.99.xxx.zzz 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd dns 206.123.aaa.aaa 206.123.aaa.bbb

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:d446b36119af7c14f458d3936522f45f

: end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
syedmubarakahmed
Level 1
Level 1

‎05-01-2012 01:47 AM

Access-list inside ACCESSin permit tcp any any eq http

View solution in original post

5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-30-2012 06:00 PM

Traffic initiated FROM the server will hit:

access-list inside_access_in permit tcp any eq smtp any

which only allows smtp (mail) outbound.

I'd try adding an Access Control Entry (ACE) to that access list as follows:

access-list inside_access_in permit tcp any eq http any

...and then give it another try.

0 Helpful

Go to solution
syedmubarakahmed
Level 1
Level 1

‎05-01-2012 01:47 AM

Access-list inside ACCESSin permit tcp any any eq http

Go to solution
Francisco Gonzalez
Level 1
Level 1
In response to syedmubarakahmed

‎05-01-2012 09:19 AM

I dont know how I missed that.  You know when you are working on something for so long and you start getting tunnel vision.  I havent tried this yet but I'm 99% sure that is it.  Thank you. 

0 Helpful

Go to solution
Francisco Gonzalez
Level 1
Level 1
In response to Francisco Gonzalez

‎05-01-2012 09:41 AM

Just to close this out, yes that was the problem.  However, adding the access-list inside_access_in permit tcp any eq http any did not allow browsing.  Instead, I just removed the access-group inside_access_in in int inside and it worked right away.  I cant see any reason why that ACL exists can you guys?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Francisco Gonzalez

‎05-01-2012 09:47 AM

Glad it's working now.

At one point someone only wanted mail to be the only permissible traffic initiated from the inside.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card