Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
628
Views
0
Helpful
4
Replies

PIX 501 cannot access web server

atacan2006
Level 1
Level 1

‎07-19-2007 11:30 AM - edited ‎03-11-2019 03:46 AM

Hi everbody,

I need your help! I have Server 2003 Domain Controller running Exchange and OWA. Sending and Receiving Email no problem. when I want to access OWA from outside that doesnt work. If I change the settings OWA works but clients(inside) cannot access internet. VPN Clients cannot access Server.

Here is the PIX configuration working VPN, Internet and Exchange

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxx encrypted

passwd xxxxxxx encrypted

hostname pixfirewall

domain-name cisco.com

fixup protocol <REMOVED>

names

name 192.168.1.100 SERVER

name 82.yy.yy.yy MAIL

access-list inbound permit tcp any host MAIL eq smtp

access-list inbound permit icmp any any

access-list inbound permit ip any any

access-list inbound permit tcp any any eq www

access-list inbound permit tcp any any eq https

access-list XXXXXXX_splitTunnelAcl permit ip host SERVER any

access-list inside_outbound_nat0_acl permit ip host SERVER 192.168.5.0 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.224

access-list XXXX_splitTunnelAcl permit ip any any

access-list XXX_splitTunnelAcl permit ip host SERVER any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPNPool 192.168.5.1-192.168.5.30

pdm location SERVER 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) MAIL SERVER netmask 255.255.255.255 0 0

access-group inbound in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp <REMOVED>

vpngroup XXXXXXX address-pool VPNPool

<REMOVED>

vpngroup XXXX address-pool VPNPool

<REMOVED>

vpngroup XXX address-pool VPNPool

<REMOVED>

ssh timeout 5

console timeout 0

vpdn group <REMOVED>

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:xxxxxxx

: end

If I add these lines OWA works but clients(inside) cannot access internet. VPN Clients cannot access Server that I mentioned above

access-list inbound permit tcp any host 213.xx.xx.xxx eq www

access-list inbound permit tcp any host 213.xx.xx.xxx eq https

static (inside,outside) 213.xx.xx.xxx SERVER netmask 255.255.255.255 0 0

For owA access users give that address

https://213.xx.xx.xxx/exchange

For VPN Client Access they use 213.xx.xx.xxx as Host

Thanks in advance

Labels:
0 Helpful
4 Replies 4

acomiskey
Level 10
Level 10

‎07-19-2007 11:59 AM

1. Adding those acl lines should absolutely not prevent inside users from accessing the internet. When you say inside clients cannot access the internet when those lines are in place, do you just mean they cannot access owa? From inside, users will not be able to use the public ip address 213.x.x.x. They will have to use 192.168.1.100. Same goes for vpn clients unless you change your nat exemption acl.

2. You have a line in your inbound acl "access-list inbound permit ip any any". That should not be there as it is allowing all inbound traffic.

0 Helpful

atacan2006
Level 1
Level 1
In response to acomiskey

‎07-19-2007 12:08 PM

First of all thanks for the reply.

If I add that line:

static (inside,outside) 213.xx.xx.xxx SERVER netmask 255.255.255.255

Inside users cannot access internet addresses. Only server can access. Outside users cannot make VPN connection. Remote users can access OWA.

When I remove it then OWA doesnt work. Mailing, Internet and VPN works.

0 Helpful

froggy3132000
Level 3
Level 3
In response to atacan2006

‎07-19-2007 07:06 PM

configuring inbound access to OWA should have no affect on outbound internet traffic.

If you mean that host can't be accessed. I think you are talking about dns doctoring.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

0 Helpful

atacan2006
Level 1
Level 1
In response to froggy3132000

‎07-21-2007 06:30 AM

thank u I'm working on it.

Any other Ideas would be highly appreciated too

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card