Pix 515e cant access web server

ktherrien
Level 1

I have a PIX 515E with port forwarding. Internet users can access our web server, but clients on the inside can't. How do I fix this so both inside and outside clients can access our web server? I am including my config.

Also, the outside IP is 69.x.x.x, the inside is 10.0.0.1, and the web server is 10.0.0.2.

PIX Version 6.3(5)145
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname quill
domain-name dyndns.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any interface outside eq www
pager lines 24
logging host inside 10.0.0.2
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.0.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
failover timeout 0:00:00
pdm location 10.0.0.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:0a8dc14f551cb9dbc20157c7023d2cab
: end


ktherrien
Level 1

I see people have viewed but no one has answered yet. Please, I need to be able to have inside clients talk to the web server; I don't know why I can't.

Hi,

You are running very old software on very old hardware.

To my understanding what you are attempting to do is connect to the public IP address directly from your LAN network.

Normally this would be done with 2 different NAT configurations and also a command that supports the traffic to enter and leave the same interface. In this case the traffic to the Web servers public IP address would go to "inside" interface and head back through the "inside" interface to the server.

The problem is that your software level (6.3) doesn't support the configuration command we need (same-security-traffic permit intra-interface), which was introduced in software 7.0(1) (essentially the next software level from yours), and therefore I don't see a way to enable what you are asking for.

To my understanding it should not work without the above mentioned command.

Then again, if you want to try, this should enable you to connect to the internal server with the public IP address on slightly newer software:

global (inside) 1 interface
static (inside,inside) tcp 69.x.x.x 80 10.0.0.2 80 netmask 255.255.255.255

The "global" command (together with the existing "nat" command) is meant to do Dynamic PAT for the users when their connection takes a U-turn on the "inside" interface, effectively PATing them to the "inside" interface IP address. This is needed so that the firewall can see the whole TCP conversation. Without the source translation it would not see it.

The "static" command is meant to do Static PAT (Port Forward) so that for port TCP/80 connections from the internal network to the public IP address will be forwarded back to the internal server.

- Jouni

The PIX 6.3 has an option called DNS doctoring; what it does is doctor the DNS query response and change the external address in that response to the private one. The problem is that you only have one IP address, and it is obtained via DHCP, and you need a static one-to-one NAT to do this configuration. My suggestion would be to follow Jouni's suggestion and upgrade the device.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/access_filter.html

Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(X). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses.

Memory Upgrade Information for PIX 515/515E Appliances

Memory upgrades are only required for the PIX-515 and PIX-515E appliances. See this table for the part numbers you need in order to upgrade the memory on these appliances.

Note: The part number is dependent on the license installed on the PIX.

Current Appliance Configuration                 | Upgrade Solution
Platform License    | Total Memory (before upgrade) | Part Number       | Total Memory (after upgrade)
Restricted (R)      | 32 MB                         | PIX-515-MEM-32=   | 64 MB
Unrestricted (UR)   | 32 MB                         | PIX-515-MEM-128=  | 128 MB
Failover-Only (FO)  | 64 MB                         | PIX-515-MEM-128=  | 128 MB

Software Requirements

Version 8.0(X) requires the following:

• The minimum software version required before upgrading to PIX Version 8.0(X) is PIX Version 7.2. If you are running a PIX version earlier than Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can upgrade to PIX Version 7.2.

Value our effort and rate the assistance!

I thought of another way to get this working: you can modify the hosts file on the local DNS server or on the PCs to point to the internal IP address of the server, so you don't have to configure anything on the PIX.

http://www.howtogeek.com/howto/27350/

Value our effort and rate the assistance!

Accepted Solution:

I have another option: if you actually move the device to a DMZ interface on the PIX, you can configure something called destination NAT (outside NAT). That way you can map the outside IP to the server. Let me know your thoughts, and if you need help configuring this I can help out.

Configuration:

enable
config t
nameif ethernet2 DMZ security50
ip address DMZ 172.16.1.1 255.255.255.0
no static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 0 0
static (DMZ,inside) 69.x.x.x 172.16.1.2 netmask 255.255.255.255
global (DMZ) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

Everything else should stay the same.

Value our effort and rate the assistance!

I was looking into that, but I don't know how to do a DMZ. Can the clients on the inside interface access the server on the DMZ, and how do I give the DMZ full Internet access?

Also, if I run

static (DMZ,inside) 69.x.x.x 172.16.1.2 netmask 255.255.255.255

I get kicked out of telnet and can't get back in.

I see in that command you have 69.x.x.x; is that what I use, as that's our public IP?

Yes, you need to put the public IP there; I just put that there since I don't have your IP. Did you move the server to the DMZ?

Value our effort and rate the assistance!

Hey, sorry, I did not see the post where you were asking how you would give access to the Internet from the DMZ; actually, when I sent you the configuration example, it included all that.

Value our effort and rate the assistance!

What about the access-list?

It worked you were very helpful thank you. I will be upgrading to version 8 at the end of the month will this new configuration still be valid?

Yes the configuration will still be valid!!!

Please rate the assistance

Value our effort and rate the assistance!

1. Security levels allow traffic from inside to the DMZ, plus the PAT that I put in the configuration example:

Inside has a security level of 100 and the DMZ has a security level of 50.

nat (inside) 1 0.0.0.0 0.0.0.0
global (DMZ) 1 interface

2. ACLs allow traffic from outside to the DMZ.

You already created an ACE applied to the outside that, in conjunction with the static PAT, allows the traffic through from the outside to the DMZ.

3. Traffic from the server to the Internet is allowed based on security levels and because of the PAT commands that I put in the example.

nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

Please read the following document, which explains how security levels work.

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1112321

Value our effort and rate the assistance!
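To make the rules discussed in this thread concrete, here is an added Python model (not Cisco code and not from any poster) of how the PIX chooses a destination from its statics, the interface security levels and ACL 101. It covers the original port forward, Jouni's U-turn suggestion and the DMZ solution; interface names and security levels come from the posted configs, and 69.0.0.1 is a constructed stand-in for the thread's 69.x.x.x.

```python
"""Toy model of PIX static NAT + security-level forwarding decisions.
Added illustration for this thread; 69.0.0.1 stands in for 69.x.x.x."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "69.0.0.1"                       # constructed placeholder
SECURITY = {"outside": 0, "DMZ": 50, "inside": 100}
# access-list 101 permit tcp any interface outside eq www (posted config)
OUTSIDE_ACL = {(PUBLIC_IP, 80)}

@dataclass(frozen=True)
class Static:
    real_if: str              # interface the real host sits on (first name in 'static')
    mapped_if: str            # interface on which the mapped address is reachable
    mapped: str               # address clients send to
    real: str                 # address the packet is rewritten to
    port: Optional[int] = None  # None = one-to-one static, else static PAT port

# Original port forward, Jouni's U-turn static, and the accepted DMZ solution.
BEFORE = [Static("inside", "outside", PUBLIC_IP, "10.0.0.2", 80)]
HAIRPIN = [Static("inside", "inside", PUBLIC_IP, "10.0.0.2", 80)]
AFTER = [Static("DMZ", "outside", PUBLIC_IP, "172.16.1.2", 80),
         Static("DMZ", "inside", PUBLIC_IP, "172.16.1.2")]

def route(statics, ingress, dst, dport, intra_interface=False):
    """Return (egress_interface, real_destination) or (None, drop reason)."""
    match = next((s for s in statics
                  if s.mapped_if == ingress and s.mapped == dst
                  and s.port in (None, dport)), None)
    if match is None:
        return None, f"no static maps {dst} on {ingress}"
    egress = match.real_if
    if ingress == egress:
        # A U-turn needs 'same-security-traffic permit intra-interface' (7.0+), absent on 6.3.
        if not intra_interface:
            return None, f"U-turn on {ingress} not permitted"
        return egress, match.real
    if SECURITY[ingress] > SECURITY[egress]:
        return egress, match.real          # high to low: implicit, nat/global PAT applies
    if ingress == "outside" and (dst, dport) in OUTSIDE_ACL:
        return egress, match.real          # low to high: needs the ACL permit
    return None, f"no ACL permits {dst}:{dport} inbound on {ingress}"
```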

Also reply to the response that Jouni gave you!

Thank you for letting us help!

Value our effort and rate the assistance!