11-16-2013 03:45 PM - edited 03-11-2019 08:06 PM
I have a PIX 151e with port forwarding. Internet users can access our webserver, but clients on the inside can't. How do I fix this so both inside and outside clients can access our webserver? I am including my config.
Also, the outside IP is 69.x.x.x, the inside is 10.0.0.1 and the webserver is 10.0.0.2.
PIX Version 6.3(5)145
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname quill
domain-name dyndns.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any interface outside eq www
pager lines 24
logging host inside 10.0.0.2
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.0.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
failover timeout 0:00:00
pdm location 10.0.0.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:0a8dc14f551cb9dbc20157c7023d2cab
: end
11-18-2013 11:16 PM
I see people have viewed but no one has answered yet. Please, I need to be able to have inside clients talk to the webserver; I don't know why I can't.
11-19-2013 12:28 AM
Hi,
You are running very old software on very old hardware.
To my understanding, what you are attempting to do is connect to the public IP address directly from your LAN network.
Normally this would be done with 2 different NAT configurations and also a command that supports the traffic to enter and leave the same interface. In this case the traffic to the Web servers public IP address would go to "inside" interface and head back through the "inside" interface to the server.
The problem is that your software level (6.3) doesn't support the configuration command we need (same-security-traffic permit intra-interface), which was introduced in software 7.0(1) (essentially the next software level from yours), and therefore I don't see a way to enable what you are asking for.
To my understanding it should not work without the above mentioned command.
Then again, if you want to try, this should enable you to connect to the internal server with the public IP address in a bit newer software:
global (inside) 1 interface
static (inside,inside) tcp
The "global" command (together with the existing "nat" command) is meant to do Dynamic PAT for the users when their connection takes a U-turn on the "inside" interface, effectively PATing them to the "inside" interface IP address. This is needed so that the firewall can see the whole TCP conversation. Without the source translation it would not see it.
The "static" command is meant to do Static PAT (Port Forward) so that TCP/80 connections from the internal network to the public IP address will be forwarded back to the internal server.
- Jouni
11-19-2013 08:26 AM
The PIX 6.3 has an option called DNS doctoring; what it does is doctor the DNS query response and change the external address in that response to the private one. The problem is that you only have one IP address and it is obtained via DHCP, and you need a static one-to-one NAT to do this configuration. My suggestion would be to follow Jouni's suggestion and upgrade the device.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/access_filter.html
Memory Requirements
If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(X). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses.
Memory Upgrade Information for PIX 515/515E Appliances
Memory upgrades are only required for the PIX-515 and PIX-515E appliances. See this table for the part numbers you need in order to upgrade the memory on these appliances.
Note: The part number is dependent on the license installed on the PIX.
Current Appliance Configuration | | Upgrade Solution |
Platform License | Total Memory (before upgrade) | Part Number | Total Memory (after upgrade)
Restricted (R) | 32 MB | PIX-515-MEM-32= | 64 MB
Unrestricted (UR) | 32 MB | PIX-515-MEM-128= | 128 MB
Failover-Only (FO) | 64 MB | PIX-515-MEM-128= | 128 MB
Version 8.0(X) requires the following:
- The minimum software version required before upgrading to PIX Version 8.0(X) is PIX Version 7.2. If you are running a PIX version earlier than Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can upgrade to PIX Version 7.2.
11-19-2013 12:48 PM
I thought of another way to get this working: you can modify the hosts file on the local DNS server or on the PCs to point to the internal IP address of the server, so you don't have to configure anything on the PIX.
http://www.howtogeek.com/howto/27350/
11-19-2013 02:59 PM
I have another option: if you actually move the device to a DMZ interface on the PIX, you can configure something called destination NAT (outside NAT). That way you can map the outside IP to the server. Let me know your thoughts, and if you need help configuring this I can help out.
Configuration:
enable
config t
nameif ethernet2 DMZ security50
ip address DMZ 172.16.1.1 255.255.255.0
no static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 0 0
static (DMZ,inside) 69.x.x.x 172.16.1.2 netmask 255.255.255.255
global (DMZ) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
Everything else should stay the same.
11-19-2013 06:25 PM
I was looking into that but don't know how to do a DMZ. Can the clients on the inside interface access the server on the DMZ, and how do I give the DMZ full internet access?
11-19-2013 06:36 PM
Also, if I run
static (DMZ,inside) 69.x.x.x 172.16.1.2 netmask 255.255.255.255
I get kicked out of telnet and can't get back in.
I see in that command you have 69.x.x.x; is that what I use, as that's our public IP?
11-20-2013 07:00 AM
Yes, you need to put the public IP there; I just put that there since I don't have your IP. Did you move the server to the DMZ?
11-20-2013 08:57 AM
Hey, sorry, I did not see the post where you were asking how you would give access to the Internet from the DMZ. Actually, when I sent you the configuration example it included all that.
11-20-2013 11:15 AM
What about the access-list?
11-20-2013 11:27 AM
It worked, you were very helpful, thank you. I will be upgrading to version 8 at the end of the month; will this new configuration still be valid?
11-20-2013 11:32 AM
Yes, the configuration will still be valid!
Please rate the assistance
11-20-2013 11:31 AM
1. Security levels allow traffic from inside to DMZ, plus the PAT that I put in the configuration example:
Inside has a security level of 100 and the DMZ has a security level of 50.
nat (inside) 1 0.0.0.0 0.0.0.0
global (DMZ) 1 interface
2. ACLs allow traffic from outside to DMZ.
You already created an ACE applied to the outside that, in conjunction with the static PAT, allows the traffic through from the outside to the DMZ.
3. Traffic from the server to the Internet is allowed based on security levels and because of the PAT command that I put in the example.
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Please read the next document, which explains how security levels work.
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1112321
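To make the translation steps in the posts above concrete (Jouni's point that 6.3 cannot U-turn traffic on the inside interface, and the static, nat/global and security-level rules behind the DMZ answer), here is an added Python model that is not from the thread or from Cisco: it applies those rules to one TCP SYN under the poster's original configuration and under the DMZ design. Assumptions: 69.0.2.1 is a constructed stand-in for the redacted 69.x.x.x, and routing, xlate timeouts and fixups are ignored.

```python
from dataclasses import dataclass

# Constructed stand-in for the redacted 69.x.x.x public address (obtained via DHCP in the thread)
IF_ADDR = {"outside": "69.0.2.1", "inside": "10.0.0.1", "DMZ": "172.16.1.1"}
SECURITY = {"outside": 0, "inside": 100, "DMZ": 50}   # the nameif ... securityN values

@dataclass(frozen=True)
class Static:               # static (real_if,mapped_if) mapped_ip real_ip [tcp port]
    real_if: str            # interface where the real host lives
    mapped_if: str          # interface whose hosts address the host by mapped_ip
    mapped_ip: str
    real_ip: str
    port: int = 0           # 0: one-to-one static; otherwise static PAT for that TCP port

@dataclass
class PixConfig:
    statics: list
    nat_ifaces: set         # interfaces carrying "nat (x) 1 0.0.0.0 0.0.0.0"
    global_ifaces: set      # interfaces carrying "global (x) 1 interface"
    acl_ports: dict         # interface -> TCP ports permitted by its inbound access-group

def forward(cfg, ingress, dst_ip, dst_port):
    """Return (egress, real_dst, source the server sees) or a 'dropped: ...' reason."""
    # 1. destination lookup: only statics whose mapped side is the ingress interface apply
    for s in cfg.statics:
        if s.mapped_if == ingress and s.mapped_ip == dst_ip and s.port in (0, dst_port):
            egress, real_dst = s.real_if, s.real_ip
            break
    else:
        if dst_ip in IF_ADDR.values():   # 6.3 has no intra-interface (U-turn) forwarding
            return "dropped: no static maps %s for hosts on %s" % (dst_ip, ingress)
        return "routed unchanged"
    # 2. lower- to higher-security needs an ACL permit; the static alone does not admit it
    if SECURITY[ingress] < SECURITY[egress]:
        if dst_port not in cfg.acl_ports.get(ingress, ()):
            return "dropped: no access-list permit on " + ingress
        return egress, real_dst, "client-ip"             # source left untranslated
    # 3. higher- to lower-security needs a nat/global pair; source is PATed to egress address
    if ingress not in cfg.nat_ifaces or egress not in cfg.global_ifaces:
        return "dropped: no nat (%s) / global (%s) pair" % (ingress, egress)
    return egress, real_dst, IF_ADDR[egress]

ORIGINAL = PixConfig(                      # the poster's config: one port forward to inside
    statics=[Static("inside", "outside", "69.0.2.1", "10.0.0.2", 80)],
    nat_ifaces={"inside"}, global_ifaces={"outside"}, acl_ports={"outside": {80}})

DMZ_DESIGN = PixConfig(                    # accepted answer: server moved to the DMZ
    statics=[Static("DMZ", "outside", "69.0.2.1", "172.16.1.2", 80),
             Static("DMZ", "inside", "69.0.2.1", "172.16.1.2")],
    nat_ifaces={"inside", "DMZ"}, global_ifaces={"outside", "DMZ"}, acl_ports={"outside": {80}})
```

Calling forward(ORIGINAL, "inside", "69.0.2.1", 80) returns a drop reason, while forward(DMZ_DESIGN, "inside", "69.0.2.1", 80) returns the DMZ egress with the server address and the DMZ interface address as the PATed source.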
11-20-2013 11:33 AM
Also reply to the response that Jouni gave you!
Thank you for letting us help!