
New Member

Allowing inbound www connections through cisco pix

This is really driving me nuts - I have scoured the internet for suggestions, and actually found several people who have had the same problem and got a solution that works. Doesn't seem to work for me though! I am trying to allow any external IP address access to a web server residing behind the firewall.

Since it seems to be a fairly common thing, I will post my current configuration.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ********* encrypted
hostname phoenix
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
: inbound ACL, applied to the outside interface by the access-group line below
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit tcp any any eq www
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.252.86
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 213.254.xxx.xxx 255.255.255.240
ip address inside 192.168.252.41 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.252.69 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.252.71 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
: outbound PAT on the outside interface address, plus the port static for the web server
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.252.71 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.254.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.252.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
: management access, inside network only
telnet 192.168.252.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.252.42-192.168.252.169 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxxxxxx

Any advice would be hugely appreciated!
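As an added example (not part of the original post, and not a Cisco tool), the following Python script parses the lines of a PIX 6.3 configuration that matter for publishing a server and checks that the static, the access-list and the access-group form a consistent inbound publish. The sample configuration is a constructed excerpt of the one posted above; because the outside address was redacted as xxx in the post, the RFC 5737 documentation address 203.0.113.2 stands in for it. The script also flags a pitfall specific to this code train: on PIX 6.x (and ASA before 8.3) an inbound access list is evaluated against the translated (mapped) address, so with `static ... interface www ...` the ACL destination must be the outside interface address or `any`, never the server's inside address.

```python
import re
from typing import List

# Constructed excerpt in the shape of the PIX 6.3 config posted above. The
# outside address was redacted as xxx in the post; 203.0.113.2 (RFC 5737) stands in.
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any any eq www
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.252.41 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.252.71 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Same publish, but the ACL names the server's real (inside) address instead of the mapped one.
REAL_ADDR_ACL_CONFIG = POSTED_CONFIG.replace(
    "permit tcp any any eq www", "permit tcp any host 192.168.252.71 eq www")

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25, "ssh": 22}
# Only port statics (static (a,b) tcp|udp ...), ACL permit/deny lines and inbound
# access-groups are parsed; that is all this check needs.
STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)$")
IFADDR = re.compile(r"^ip address (\w+) ([\d.]+) ")


def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def take_addr(tokens: List[str]) -> str:
    """Consume one ACL address spec: 'any', 'host A', or 'A MASK' (mask dropped)."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return tokens.pop(0)
    tokens.pop(0)
    return t


def parse_config(cfg: str) -> dict:
    p = {"if_ips": {}, "statics": [], "acls": {}, "groups": {}}
    for line in cfg.splitlines():
        if m := IFADDR.match(line):
            p["if_ips"][m.group(1)] = m.group(2)
        elif m := STATIC.match(line):
            p["statics"].append({
                "real_ifc": m.group(1), "mapped_ifc": m.group(2), "proto": m.group(3),
                "mapped_ip": m.group(4), "mapped_port": port_num(m.group(5)),
                "real_ip": m.group(6), "real_port": port_num(m.group(7))})
        elif m := ACL.match(line):
            toks = m.group(4).split()
            src, dst = take_addr(toks), take_addr(toks)
            port = port_num(toks[1]) if len(toks) >= 2 and toks[0] == "eq" else None
            p["acls"].setdefault(m.group(1), []).append(
                {"action": m.group(2), "proto": m.group(3), "src": src, "dst": dst, "port": port})
        elif m := GROUP.match(line):
            p["groups"][m.group(2)] = m.group(1)   # interface -> ACL applied inbound
    return p


def audit_publish(cfg: str, real_ip: str, port: str) -> List[str]:
    """List what stops outside hosts reaching tcp/<port> on real_ip; empty means the triplet is consistent."""
    p = parse_config(cfg)
    want = port_num(port)
    st = next((s for s in p["statics"]
               if s["proto"] == "tcp" and s["real_ip"] == real_ip and s["real_port"] == want), None)
    if st is None:
        return [f"no static translates tcp/{want} for {real_ip}"]
    # With the 'interface' keyword the mapped address is the outside interface's own IP.
    mapped_ip = p["if_ips"].get(st["mapped_ifc"], "?") if st["mapped_ip"] == "interface" else st["mapped_ip"]
    acl_name = p["groups"].get(st["mapped_ifc"])
    if acl_name is None:
        return [f"no access-group applied inbound on {st['mapped_ifc']}; lower-to-higher traffic is denied by default"]
    problems, permitted = [], False
    for r in p["acls"].get(acl_name, []):
        if r["action"] != "permit" or r["proto"] != "tcp" or r["port"] != st["mapped_port"]:
            continue
        if r["dst"] in ("any", mapped_ip):
            permitted = True
        elif r["dst"] == real_ip:
            # PIX 6.x / ASA before 8.3: inbound ACLs are evaluated against the mapped address.
            problems.append(f"{acl_name} permits to the real address {real_ip}; the inbound ACL is matched "
                            f"against the mapped address {mapped_ip} on this code, so it never hits")
    if not permitted:
        problems.append(f"{acl_name} lacks 'permit tcp any host {mapped_ip} eq {want}' (or 'any any')")
    return problems


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("real-address ACL", REAL_ADDR_ACL_CONFIG)):
        print(name, "->", audit_publish(cfg, "192.168.252.71", "www") or "consistent")
```

The posted triplet passes because `permit tcp any any eq www` also matches the mapped address; the tighter rule a practitioner would prefer is `permit tcp any host <outside address> eq www`, since `any any` will also admit port 80 to anything else later translated on that interface. The auditor ignores `permit ip` rules and non-port statics, so treat an empty result as "nothing wrong with the three lines that matter", not as a full policy review.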

Accepted Solution

Re: Allowing inbound www connections through cisco pix

These log messages mean that we never saw a SYN-ACK from the server come back to the PIX so we tore the "half-open" connection down based on your timeout settings. Suggestions:

1) Make sure the WWW daemon on your server is started and terminating TCP/80 connections. Are you able to access this server from inside the PIX?

2) Make sure the default gateway on the server is pointed to the inside IP address of the PIX.

Scott

15 REPLIES
Gold

Re: Allowing inbound www connections through cisco pix

Hi -

Have a read of the following document and see if this helps you out, let me know how you get on.

http://www.cisco.com/warp/public/707/28.html

Thanks - Jay.

New Member

Re: Allowing inbound www connections through cisco pix

That was actually one of the sites that I had uncovered in my Google searches - from what I understand from that, all I should need to allow outside access to a webserver inside is the lines:

access-list outside_access_in permit tcp any any eq www

access-group outside_access_in in interface outside

Which (I think) allows TCP traffic from any untrusted source on the outside interface on port 80

static (inside,outside) tcp interface www 192.168.252.71 www netmask 255.255.255.255 0 0

Which should perform the forwarding from the outside interface to the web server (192.168.252.71)

Gold

Re: Allowing inbound www connections through cisco pix

Hello Ben,

Your static looks good but you need a ACL also to allow the outside traffic in i.e.

> static (inside,outside) tcp interface www 192.168.252.71 www netmask 255.255.255.255 0 0

> access-list outside permit tcp any host 192.168.252.71 eq www

> access-group outside in interface outside

Now, do command 'clear xlate' and save with command 'write memory'

Hope this helps -

New Member

Re: Allowing inbound www connections through cisco pix

I added this, but no luck... On thinking about it, is that not covered by the original static anyway?

Besides, I recently discovered that the PIX is actually working the route out correctly (covered elsewhere in this conversation); however, it terminates the TCP connection 2 mins and 1 second later with a SYN timeout.

New Member

Re: Allowing inbound www connections through cisco pix

Did you figure this out?? I am having the same problem!!

New Member

Re: Allowing inbound www connections through cisco pix

Not quite yet - but check your logs to see if the connection is being established at all? Looks like mine is, but then gets a SYN timeout after 2 mins before dropping the connection.

New Member

Re: Allowing inbound www connections through cisco pix

Adding this to your PIX config might solve this problem:

route inside 192.168.252.0 255.255.255.0 192.168.x.x 1

Where 192.168.x.x is the gateway facing your FW.

If it doesn't work, can you post a sample of the syslogs when an outside user tries to reach the web server.

Mike

New Member

Re: Allowing inbound www connections through cisco pix

I tried adding this route - but apparently I already have it and its not making any difference. Interestingly on making the previous changes that have been suggested, there does seem to be some form of connection going on. The Informational syslogs show the following.

609001: Built local-host inside:192.168.252.71
305011: Built static TCP translation from inside:192.168.252.71/80 to outside:213.254.xxx.xxx/80
302013: Built inbound TCP connection 22018 for outside:69.56.xxx.xxx/51177 (69.56.xxx.xxx/51177) to inside:192.168.252.71/80 (213.254.xxx.xxx/80)

Which suggests (to me) that the connection has been made. However, examining my Apache logs shows no sign of any connection attempt - which further suggests that I am still missing an ACL to actually allow the data through (?).

2 mins and 1 second after this I get:

302014: Teardown TCP connection 22018 for outside:69.56.xxx.xxx/51177 to inside:192.168.252.71/80 duration 0:02:01 bytes 0 SYN Timeout

... Actually I think I might have just worked it out myself! Perhaps I need to allow the ACK from 192.168.252.71 back out...
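The syslog pair quoted above is the whole diagnosis, so here is an added example (not from the thread) that correlates PIX 302013 (Built) and 302014 (Teardown) messages by connection id and classifies each connection by its teardown reason. A teardown with `bytes 0` and `SYN Timeout` means the PIX accepted the client's SYN, built the connection, forwarded the SYN inside, and never saw the server's SYN-ACK, which is exactly why nothing reaches the Apache logs; no ACL is involved at that point. The sample lines are constructed in the format of the messages quoted above, with RFC 5737 documentation addresses in place of the ones redacted as xxx, and the `NEXT_STEP` hints follow the accepted answer in this thread.

```python
import re
from typing import Dict

# Constructed sample in the format of the PIX 6.3 messages quoted in the post above;
# RFC 5737 documentation addresses stand in for the ones redacted as xxx.
SAMPLE_LOG = """\
609001: Built local-host inside:192.168.252.71
305011: Built static TCP translation from inside:192.168.252.71/80 to outside:203.0.113.2/80
302013: Built inbound TCP connection 22018 for outside:198.51.100.7/51177 (198.51.100.7/51177) to inside:192.168.252.71/80 (203.0.113.2/80)
302014: Teardown TCP connection 22018 for outside:198.51.100.7/51177 to inside:192.168.252.71/80 duration 0:02:01 bytes 0 SYN Timeout
302013: Built inbound TCP connection 22019 for outside:198.51.100.9/40022 (198.51.100.9/40022) to inside:192.168.252.71/80 (203.0.113.2/80)
302014: Teardown TCP connection 22019 for outside:198.51.100.9/40022 to inside:192.168.252.71/80 duration 0:00:03 bytes 4871 TCP FINs
302013: Built inbound TCP connection 22020 for outside:198.51.100.11/50110 (198.51.100.11/50110) to inside:192.168.252.71/80 (203.0.113.2/80)
302014: Teardown TCP connection 22020 for outside:198.51.100.11/50110 to inside:192.168.252.71/80 duration 0:00:00 bytes 0 TCP Reset-I
"""

# An optional "%PIX-6-" severity prefix, as written by a real syslog host, is tolerated.
BUILT = re.compile(r"(?:%PIX-\d-)?302013: Built (inbound|outbound) TCP connection (\d+) for "
                   r"(\w+):([\d.]+)/(\d+) \([^)]*\) to (\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")
TEARDOWN = re.compile(r"(?:%PIX-\d-)?302014: Teardown TCP connection (\d+) for "
                      r"(\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+) duration (\S+) bytes (\d+) (.+)$")

# What to check for each verdict, following the accepted answer in this thread.
NEXT_STEP = {
    "no-syn-ack": "SYN was forwarded inside but no SYN-ACK came back: is the daemon listening on the "
                  "port, and does the server's default gateway point at the PIX inside address?",
    "reset-by-server": "server answered with RST: nothing is listening on that port",
    "completed": "normal close, nothing to do",
    "open": "no teardown seen yet",
}


def parse_connections(log: str) -> Dict[int, dict]:
    """Pair 302013 (built) and 302014 (teardown) messages by connection id."""
    conns: Dict[int, dict] = {}
    for line in log.splitlines():
        if m := BUILT.search(line):
            conns[int(m.group(2))] = {
                "direction": m.group(1),
                "client": f"{m.group(4)}:{m.group(5)}",
                "server": f"{m.group(7)}:{m.group(8)}",     # real (inside) address
                "mapped": f"{m.group(9)}:{m.group(10)}",    # address the client actually connected to
                "bytes": None, "reason": None}
        elif m := TEARDOWN.search(line):
            c = conns.setdefault(int(m.group(1)), {})
            c.update({"duration": m.group(8), "bytes": int(m.group(9)), "reason": m.group(10).strip()})
    return conns


def verdict(c: dict) -> str:
    reason = c.get("reason")
    if reason is None:
        return "open"
    if reason == "SYN Timeout" and c["bytes"] == 0:
        return "no-syn-ack"        # embryonic connection aged out without ever completing
    if reason.startswith("TCP Reset-I"):
        return "reset-by-server"   # -I: the reset came from the inside (higher security) side
    if reason == "TCP FINs":
        return "completed"
    return "other: " + reason


def triage(log: str) -> Dict[int, str]:
    return {cid: verdict(c) for cid, c in parse_connections(log).items()}


if __name__ == "__main__":
    for cid, v in triage(SAMPLE_LOG).items():
        print(cid, v, "-", NEXT_STEP.get(v, v))
```

Run over the real syslog host's file, a run of `no-syn-ack` verdicts for one inside server with zero `completed` ones points at the server side (daemon down, or replies leaving via another gateway so the PIX never sees them); `reset-by-server` means the packet did arrive and the port is simply closed, which is worth distinguishing before touching the firewall config again.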

New Member

Re: Allowing inbound www connections through cisco pix

... Or maybe not. SYN/ACK is part of TCP and that's fully enabled from inside to outside due to the security level being less.

Damn.

Gold

Re: Allowing inbound www connections through cisco pix

New Member

Re: Allowing inbound www connections through cisco pix

Jay,

Thanks for your help on this! Learned a lot from your suggestions.

New Member

Re: Allowing inbound www connections through cisco pix

Aha! I was running the pix along side our temporary software firewall while I got it set up. So the gateway on the web server was not set to the pix, but to the software one.

Made the change, and all is well! Thanks!

New Member

Re: Allowing inbound www connections through cisco pix

Is your web server using http or https?

New Member

Re: Allowing inbound www connections through cisco pix

It has been observed on PIX code 6.3.1 that after removing an existing static, and doing clear xlate and clear local-host, a host on the outside is still able to access the inside host that the removed static was for.

The Bug ID for this problem is CSCea84806

It is fixed in the new PIX 6.3.2
