
Inbound Access to Lab Web server connection times out.

sbosen67
Level 1

I have a 501 running 6.2. I am trying to allow access to an internal web server. I have set up the static, access-list, and access-group statements. When I try to connect from the outside, I get "connection timed out" and "this page cannot be displayed" in the web browser. This is just a lab setup for learning. Using the internal IP address, the web server is accessible without any problems.

Does anyone have any suggestions?

3 Replies

nkhawaja
Cisco Employee

Hi,

What are the static, access-list and access-group statements you have?

What does show xlate say?

Can you at least ping this server from outside?

Thanks

Nadeem

sh xlate does show the correct private IP of the server. sh access-list showed 14 hitcnts to it. I haven't tried to ping the server from the outside, only tried to ping the outside interface's dynamically assigned IP address (no reply). Here is my sh conf:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name lab.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit tcp any host external xxx.xxx.xxx.xxx eq www (actual ip dynamically assigned)
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.20-192.168.1.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

With a dynamically assigned outside address, I encountered problems with the access-list statement. Using the actual outside address assigned to me (as I included here) results in no connectivity. When I use the command access-list 101 permit tcp any any eq www, it takes a long time, acting like it is connecting, but gives me a timeout message. The same thing goes when I set up a test FTP server. The browser would have a flashlight searching and searching until it would pop up a window saying the connection timed out. Internally, I can hit either server fine. Thanks for any advice. P.S. What's the correct access-list statement for DHCP on the outside interface?

The line access-list 101 permit tcp any host external xxx.xxx.xxx.xxx eq www (actual ip dynamically assigned) doesn't have "external" in the actual conf; that's a typo. It really is

access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq www

and "external" is part of my added comment in parentheses, none of which is in the actual conf. Sorry and thanks!
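As an added example (not from this thread or from Cisco), a small Python lint that reads a constructed PIX 6.x config excerpt modelled on the one posted above and checks the pieces this thread turns on: whether the access-list bound to the outside interface names a literal host address while that interface takes its address from DHCP, whether each permitted destination corresponds to a static, and whether a default SNMP community string is present. The interface-name destination form (`interface outside`) that the lint treats as lease-safe is an assumption about the platform that the thread does not confirm for 6.2(2); the address 203.0.113.5 and the config text are constructed.

```python
import re

# Constructed excerpt modelled on the PIX 6.2 config posted in this thread;
# 203.0.113.5 is a documentation address standing in for the poster's
# dynamically assigned outside IP (shown as xxx.xxx.xxx.xxx above).
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
access-list 101 permit tcp any host 203.0.113.5 eq www
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
snmp-server community public
"""

ACL_RE = re.compile(r"access-list (\S+) permit \S+ \S+ (?:host (\S+)|(any)|interface (\S+))")
STATIC_RE = re.compile(r"static \(\S+,\S+\) (?:(?:tcp|udp) )?(\S+)")

def lint_pix_config(text):
    """Return findings about inbound-access consistency and weak settings."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    # Interfaces whose address comes from DHCP and can change between leases
    dhcp_ifaces = {m[1] for ln in lines if (m := re.match(r"ip address (\S+) dhcp\b", ln))}
    # Destination of each permit entry: a literal host, 'any', or an interface name (assumed form)
    acl_dests = {}
    for ln in lines:
        if m := ACL_RE.match(ln):
            acl_dests.setdefault(m[1], []).append(m[2] or m[3] or m[4])
    # Global side of every static: the keyword 'interface' or a literal address
    static_globals = [m[1] for ln in lines if (m := STATIC_RE.match(ln))]
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", ln)
        if not m:
            continue
        acl, iface = m[1], m[2]
        for dest in acl_dests.get(acl, []):
            if dest == "any":
                findings.append(f"{acl}: destination 'any' on {iface} permits the port to every translated host")
            elif dest == iface:
                continue  # interface-relative destination follows the DHCP lease
            elif iface in dhcp_ifaces:
                findings.append(f"{acl}: literal host {dest} on DHCP interface {iface} goes stale when the lease changes")
            elif dest not in static_globals:
                findings.append(f"{acl}: host {dest} matches no static translation")
    if any(re.match(r"snmp-server community (public|private)\b", ln) for ln in lines):
        findings.append("snmp-server: default community string exposes device state to anyone who can reach it")
    return findings
```

Running `lint_pix_config(SAMPLE_CONFIG)` reports the stale literal host and the public SNMP community; swapping the ACL destination for the interface name and removing the community string yields no findings.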