11-25-2003 12:39 PM - edited 03-09-2019 05:39 AM
I have a 501 running 6.2. I am trying to allow access to an internal web server. I have setup
the static, access-list, and access-group statements. when I try to connect from the outside, I get connection timed out and this page cannot be displayed in the web browser. This is just a lab setup for learning.Using the internal ip address, the web server is accessible without any problems
Does anyone have any suggestions?
11-25-2003 08:16 PM
Hi,
what is the static, access-glist and access-group statements you have?
What does show xlat
Can you atleast ping this server from outside?
Thanks
Nadeem
11-26-2003 07:26 AM
sh xlate does show the correct private ip of the server. sh access-list showed 14 hitcnts to it. I haven't tried to ping the server from the outside, only tried to ping outside interface's dynamically assigned ip address (no reply). Here is my sh conf:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name lab.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit tcp any host external xxx.xxx.xxx.xxx eq www (actual ip dynamically assigned
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.25
5.255 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.20-192.168.1.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
With a dynamically assigned outside address, I encountered problems with the access-list statement. Using the actual outside address assigned to me (as I included here) results in no connectivity. when I use the command access-list 101 permit tcp any any eq www, It takes a long time, acting like it is connecting but gives me a timeout message. The same thing goes when I set up a test ftp server. The browser would have a flashlight searching and searching until it would have a pop up window say connections timed out. Internally, I can hit either server fine. Thanks for any advice. P.S. What's the correct access-list statement for dhcp on the outside interface?
11-26-2003 08:42 AM
the access-list 101 permit tcp any host external xxx.xxx.xxx.xxx eq www (actual ip dynamically assigned doesn't have external in the actual conf. that's a typo.It really is
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq www and external is part of my added comment in parentheses, none of which is in the actual conf. sorry and thanks!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide