New Member

HTTP access outbound and back ...

I have a search engine spider that runs on my server that is protected by a PIX 501 with a basic configuration. The spider needs HTTP outbound access and back inbound again to spider a web site that is on the same server. I am a newbie, but I believe that somehow the firewall is blocking the inbound (re-entry so to speak) of the spider and therefore the spider is giving me errors that it cannot find the web site. Any ideas on how I could verify this and/or make a setting to allow this in a specific secure manner. Thanks.

ACCEPTED SOLUTION

Re: HTTP access outbound and back ...

Michael,

There are a couple things that can prevent this.

1. PIX routing. Unless running 7.x, and even then only with configuration changes to the default, the PIX doesn't allow routing back out an interface it received the inbound packet on. So if the web client (WebKeepAlive) on your web server is essentially making an HTTP request to itself, it'll resolve DNS (assuming you're using public) and receive its public IP. It will then route its packet to its default gateway (unless you have it specified in your web server route table) and that will probably be the PIX. The PIX will receive this and will eventually drop it due to security not allowing routing back out its source interface.

The easiest way to get around this for your scenario is to update the HOSTS file on the server with the Web Site FQDN using the Private IP and not the Public. DNS will never get invoked because the HOSTS file will resolve first. You will never hit the PIX and will be able to Spider your website for your reports or whatever.

I'm not going to discuss the other things that could block it because I'm pretty sure you ain't running 7.x on a 501, because it isn't supported. If it was 7.x you could loop the connection, and then the thread could go on and on with static commands and access-lists. Though you could technically use the DNS fixup on the static when it makes the DNS request, but I would have to look that up. You could also configure routing on your web server for the public IP, but the HOSTS file is your best bet.

Please rate any helpful posts

Thanks

Fred
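Added example, not part of the thread: a small Python check for the situation Fred describes, so you can see before and after the HOSTS entry where the spider's connection would go. The client resolver consults the HOSTS file before DNS, so an entry mapping the site's FQDN to the server's private address keeps the connection on the box instead of sending it to the PIX to be U-turned. The hosts text and the DNS answer are constructed; 10.0.0.2 and www.abc.com come from the thread, 203.0.113.2 stands in for the redacted public address, and the RFC 1918 ranges are assumed to be what "inside" means for this PIX.

```python
"""
Added example, not part of the thread: decide whether a connection from the
spider server to a name stays local, goes to another inside host, or would
have to hairpin through the PIX. Inputs below are constructed.
"""
from ipaddress import ip_address, ip_network

# Assumption for this example: "inside" means the RFC 1918 ranges.
INSIDE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text: str) -> dict:
    """Map each hostname in a hosts file to its address. '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)     # first matching entry wins
    return table


def resolve(name: str, hosts: dict, dns_answers: dict) -> str:
    """HOSTS file first, then DNS, in the order the client resolver uses."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name]
    if name in dns_answers:
        return dns_answers[name]
    raise LookupError(f"{name} does not resolve")


def path_for(name: str, hosts: dict, dns_answers: dict, local_addrs) -> str:
    """Where a connection from this server to `name` will go."""
    addr = ip_address(resolve(name, hosts, dns_answers))
    if addr in {ip_address(a) for a in local_addrs}:
        return "local"      # stays on the host; the PIX never sees it
    if any(addr in net for net in INSIDE_NETS):
        return "inside"     # another inside host, reached on the LAN
    return "hairpin"        # public address: goes out the PIX and would have to come back in


# Constructed inputs: the spider server's own addresses and the public DNS answer.
LOCAL_ADDRS = ["10.0.0.2", "127.0.0.1"]
PUBLIC_DNS = {"www.abc.com": "203.0.113.2"}          # 203.0.113.2 stands in for "[ip addr #2]"
HOSTS_BEFORE = "# default hosts file\n127.0.0.1  localhost\n"
HOSTS_AFTER = HOSTS_BEFORE + "10.0.0.2  www.abc.com abc.com   # site hosted on this box\n"

if __name__ == "__main__":
    for label, text in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        where = path_for("www.abc.com", parse_hosts(text), PUBLIC_DNS, LOCAL_ADDRS)
        print(label, "HOSTS entry:", where)
```

On the Windows server in the thread the file is %SystemRoot%\System32\drivers\etc\hosts; the entry that makes the check return "local" is the one in HOSTS_AFTER above.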

21 REPLIES
Green

Re: HTTP access outbound and back ...

So basically you are trying to access an internal web server from the inside using its public IP address?

New Member

Re: HTTP access outbound and back ...

Actually, the spider is attempting to index a specific URL/site (e.g. www.abc.com) so it goes outbound to resolve the URL which comes back to the same server because that's where the web server/web site is also. Does that make more sense?

Green

Re: HTTP access outbound and back ...

I think that's what I meant. So abc.com is inside your PIX, it gets resolved to 1.1.1.1, which your inside server is trying to hit, and it's not working.

New Member

Re: HTTP access outbound and back ...

Thank you, acomiskey, for your quick reply also! I will try the cmd that Vibhor mentioned and see if that does the trick. Thanks again.

Silver

Re: HTTP access outbound and back ...

Hey there,

I'm not sure how your search engine works, but as you said, it needs outbound HTTP access, which I believe it has, and apart from that, it needs inbound HTTP access too. Please let me know if it needs inbound access for HTTP only, i.e., TCP (80). If this is true, and for outbound sessions the spider server is using the outside interface IP of the PIX, here are some commands which you could try:

static (inside,outside) tcp interface 80 spider_ip 80

access-list 101 permit tcp any interface outside eq 80

access-group 101 in interface

** Please make sure that you don't already have a similar static command in your configuration.

** If you already have an access-group applied on the outside interface, you should add the access-list to the same access-group.

To clarify more, it would be better if you could provide outputs from the following commands:

show static

show nat

show global

show access-group

show access-list

Hope this helps.

Regards,

Vibhor.

New Member

Re: HTTP access outbound and back ...

Thank you for the quick reply Vibhor. Yes, it needs inbound HTTP 80 access also. In the cmd line example, you specify, "static (inside,outside) tcp interface 80 spider_ip 80". Is "spider_ip" the internal ip address (e.g. 10.0.0.1) or the external ip address?

Silver

Re: HTTP access outbound and back ...

spider_ip is the internal IP address of spider server.

Hope that helps.

Regards,

Vibhor.

Green

Re: HTTP access outbound and back ...

I guess I misunderstood. That will allow anyone on the outside to access your server. I thought you needed your server to be U-turned at the PIX. You cannot U-turn traffic in your 501.

New Member

Re: HTTP access outbound and back ...

Hi Vibhor, following is the response from the cmd line when I ran the 3 lines above. My public ip address may be removed. Thanks for any additional help you could provide.

Result of firewall command: "static (inside,outside) tcp interface 80 10.0.0.2 80 "

ERROR: duplicate of existing static

from inside:10.0.0.2 to outside:[my public ip address] netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)] {|interface} { [netmask ]} | {access-list } [dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp} {|interface} { [netmask ]} | {access-list } [dns] [norandomseq] [ []]

Command failed

Result of firewall command: "access-list 101 permit tcp any interface outside eq 80 "

Result of firewall command: "access-group 101 in interface"

Not enough arguments.

Usage: [no] access-group in interface [per-user-override]

Command failed

Green

Re: HTTP access outbound and back ...

access-group 101 in interface outside

post a "show static"

Silver

Re: HTTP access outbound and back ...

Thanks for updating me. As I stated earlier, this would be a problem if there are similar existing commands in the configuration.

** Please make sure that you don't already have a similar static command in your configuration.

** If you already have an access-group applied on the outside interface, you should add the access-list to the same access-group.

Could you provide the output of the following commands:

show static

show nat

show global

show access-group

show access-list

Thanks & Regards,

Vibhor.

New Member

Re: HTTP access outbound and back ...

Oh yes, sorry about that. Following are the responses. Thanks again for your help.

Result of firewall command: "show static"

static (outside,inside) 10.0.0.1 [ip addr #1] netmask 255.255.255.255 0 0

static (inside,outside) [ip addr #1] 10.0.0.1 netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.2 [ip addr #2] netmask 255.255.255.255 0 0

static (inside,outside) [ip addr #2] 10.0.0.2 netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.3 [ip addr #3] netmask 255.255.255.255 0 0

static (inside,outside) [ip addr #3] 10.0.0.3 netmask 255.255.255.255 0 0

Result of firewall command: "show nat"

The command has been sent to the firewall

Result of firewall command: "show global"

The command has been sent to the firewall

Result of firewall command: "show access-group"

access-group outside_access_in in interface outside

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list outside_access_in; 25 elements

access-list outside_access_in line 1 permit tcp any any eq ftp-data (hitcnt=0)

access-list outside_access_in line 2 permit tcp any any eq ftp (hitcnt=340)

access-list outside_access_in line 3 permit tcp any any eq ssh (hitcnt=52321)

access-list outside_access_in line 4 permit tcp any any eq 42 (hitcnt=0)

access-list outside_access_in line 5 permit udp any any eq nameserver (hitcnt=0)

access-list outside_access_in line 6 permit tcp any any eq domain (hitcnt=0)

access-list outside_access_in line 7 permit udp any any eq domain (hitcnt=8740)

access-list outside_access_in line 8 permit tcp any any eq www (hitcnt=43387)

access-list outside_access_in line 9 permit tcp any any eq pop3 (hitcnt=117)

access-list outside_access_in line 10 permit tcp any any eq https (hitcnt=2865)

access-list outside_access_in line 11 permit tcp any any eq 465 (hitcnt=0)

access-list outside_access_in line 12 permit tcp any any eq 587 (hitcnt=0)

access-list outside_access_in line 13 permit tcp any any eq 995 (hitcnt=0)

access-list outside_access_in line 14 permit tcp any any eq 3389 (hitcnt=104)

access-list outside_access_in line 15 deny tcp any any eq telnet (hitcnt=30)

access-list outside_access_in line 16 permit tcp any any eq smtp (hitcnt=310)

access-list outside_access_in line 17 deny tcp any any eq imap4 (hitcnt=53)

access-list outside_access_in line 18 deny tcp any any eq 1433 (hitcnt=2456)

access-list outside_access_in line 19 deny tcp any any eq 3306 (hitcnt=47)

access-list outside_access_in line 20 deny tcp any any eq 9080 (hitcnt=0)

access-list outside_access_in line 21 deny tcp any any eq 9090 (hitcnt=0)

access-list outside_access_in line 22 permit icmp any any echo-reply (hitcnt=0)

access-list outside_access_in line 23 permit icmp any any source-quench (hitcnt=0)

access-list outside_access_in line 24 permit icmp any any unreachable (hitcnt=128)

access-list outside_access_in line 25 permit icmp any any time-exceeded (hitcnt=3)

Silver

Re: HTTP access outbound and back ...

You don't need the following static commands:

static (outside,inside) 10.0.0.1 [ip addr #1] netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.2 [ip addr #2] netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.3 [ip addr #3] netmask 255.255.255.255 0 0

Please remove them using:

no static (outside,inside) 10.0.0.1 [ip addr #1]

no static (outside,inside) 10.0.0.2 [ip addr #2]

no static (outside,inside) 10.0.0.3 [ip addr #3]

Thereafter, I believe that the IP address of the spider server is 10.0.0.2. Please correct me if wrong. This server is already mapped to a public IP using the following command:

static (inside,outside) [ip addr #2] 10.0.0.2 netmask 255.255.255.255 0 0

Also, you have the following lines:

access-list outside_access_in line 8 permit tcp any any eq www

access-group outside_access_in

which means that return traffic on port 80 to the public IP of the server should be allowed.

Is it possible to collect logs to track down the exact behaviour of the 10.0.0.2 server ?

Regards,

Vibhor.

Green

Re: HTTP access outbound and back ...

What was the fix?

New Member

Re: HTTP access outbound and back ...

No fix yet unfortunately. If the http traffic is open both ways then why can't the spider connect? I had the exact same problem with another utility called WebKeepAlive, which was installed on the same server, and all it does is make an http request to the sites on that same server, only I was getting a similar message stating that it couldn't connect. So there's got to be something blocking, and I guess I have to setup logging per Vibhor's suggestion. I don't think logging is turned on, so I have to figure out how to turn it on and try to simulate the spider activity to log something. You mentioned in your prior post that the PIX can't do "uturns" but I'm not exactly sure what you mean. The spider and the WebKeepAlive programs are just making an http request from the server to a URL that resolves to a web site on that very same server. That's the issue in the nutshell. Thanks for any additional suggestions.

Green

Re: HTTP access outbound and back ...

Exactly...

Ok, for instance, let's say the inside web server is 192.168.1.1. You access this (abc.com) from the outside with something like...

static (inside,outside) 209.1.1.1 192.168.1.1 netmask 255.255.255.255

access-list outside_in permit tcp any host 209.1.1.1 eq 80

Let's say the website is abc.com. This resolves to its public address 209.1.1.1. Does the spider server resolve abc.com to 209.1.1.1 or its inside address 192.168.1.1?

My point is that if it resolves to 209.1.1.1, this will not work as it is currently configured. If it resolves to 192.168.1.1, then all should work fine. What does the spider server use for DNS? If you put yourself on the same network as the spider server and use the same dns, can you access abc.com?

Silver

Re: HTTP access outbound and back ...

Hi all .. here is what I believe is the way the spider server is working.

Spider does a lookup for a website http://abc.com; now this website is actually hosted on the same (spider) server .. is this correct?

In this scenario, the nslookup will result in the public IP of the spider server itself, and then the spider server will try to access itself using the public IP?? If this is the case, then this will not work due to U-turning, which is not allowed on the PIX 501.

However, you can try using DNS doctoring. I'm assuming that the internal IP address of the spider server is 10.0.0.2. In this case, try using the following commands:

no static (inside,outside) [ip addr #2] 10.0.0.2

static (inside,outside) [ip addr #2] 10.0.0.2 dns

clear xlate

Now do "ipconfig /flushdns" on the spider server and all the internal hosts also.

Check now if things work.

Regards,

Vibhor.


Green

Re: HTTP access outbound and back ...

Correct, or do DNS rewrite/doctoring. Looks like I was right yesterday after all....

New Member

Re: HTTP access outbound and back ...

Fred, thank you for joining this "conversation." The HOSTS file solution appeared to be the simplest as compared to the "DNS doctoring" so I tried it, and the good news is ... it worked! Thanks again!

Michael

New Member

Re: HTTP access outbound and back ...

Fred, Vibhor, and acomiskey: I must say that this is the finest, most prompt, and most helpful forum I have ever visited. I am a software developer now, though I used to be a network guy a long time ago, so I really appreciate all your help, and I will be happy to vote you all "high" 5's. Thanks again!
