
Need help configuring http port on Cisco ASA 5510

sylvainnguyen
Level 1

Hi All,

I have a Cisco ASA 5510.

I have a NT Server hosting a web server setup to use the http port 10300.

How can I configure my pix to allow traffic to this application from other machines in the network?

My NT Server private IP is 10.0.1.25 and I'm able to access it from the other machines in the network, but when I connect to the web application through the URL http://<server name>.<domain name>:10300/xxxx

then I receive a "Server Not found error".

I tried multiple config of the access list / nat but could not get it to work.

Here is an extract of my current configuration:

ASA Version 7.0(4)

[...]

interface Ethernet0/0

nameif outside

security-level 0

ip address 67.104.112.162 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.0.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

nameif DMZ

security-level 50

ip address 172.16.1.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

access-list outside-in extended permit icmp any any

access-list outside-in extended permit tcp any eq www host 67.104.112.163 eq 10300

access-list SPLIT-TUNNEL extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0

access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit ip any any

[...]

global (outside) 1 interface

nat (outside) 1 192.168.24.0 255.255.255.0

nat (inside) 0 access-list NONAT

nat (inside) 1 10.0.1.0 255.255.255.0

static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255

static (inside,outside) 67.104.112.164 10.0.1.26 netmask 255.255.255.255

access-group outside-in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 67.104.112.161 1

[...]

http server enable

http 167.1.162.143 255.255.255.255 outside

http 10.0.1.0 255.255.255.0 inside

http 10.0.1.25 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 management

[...]

I would really appreciate if you can help me!

Thanks in advance.

18 Replies

mmorris11
Level 4

change this:

static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255

to:

static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255 dns

HTH pls rate!

Thanks a lot for your help.

I tried that. I'm wondering if I'm not missing something in the acl because from inside the network (where I am right now), I'm not able to connect to the application on this server (10.0.1.25).

Do you think the acl are correctly defined?

If you are behind the pix, using a web browser on a host 10.0.1.x and you cannot connect to your web server on your nonstandard port which you specified, check your web server config. You certainly need to get this working before anyone can be expected to access it through the firewall.

HTH

Hi,

thanks for your answer.

I'm able to connect to http://10.0.1.25 from a laptop behind the pix, but not to http://<server name>.<domain name>:10300/...

Anything else I should be checking?

Sylvain

sylvainnguyen
Level 1

I also tried adding:

access-list inside_access_in extended permit tcp any eq www host 67.104.112.163 eq 10300

but this doesn't seem to improve anything...

Maybe I am missing something here...but isn't this NAT on your outside interface?

Thus the ACE you would need to add would need to be on your outside ACL. Also, the source port isn't going to be 80; it is going to be random, I believe. The destination port is going to be 10300 in this case (for normal www traffic it would be 80, of course). Thus I think that "eq www" statement is blocking this. Are you seeing the deny in the syslog when you test?

So thus it would be something like:

access-list outside-acl(whatever your acl is) permit tcp any host 67.104.112.163 eq 10300

Try this, hopefully it helps.

Q: How can I configure my pix to allow traffic to this application from other machines in the network?

My NT Server private IP is 10.0.1.25 and I'm able to access it from the other machines in the network, but when I connect to the web application through the URL http://<server name>.<domain name>:10300/xxxx, then I receive a "Server Not found error".

A: Disable proxy ARP on your inside interface.

Command: sysopt noproxyarp <interface_name>, e.g. hostname(config)# sysopt noproxyarp inside

To re-enable it, use "no sysopt noproxyarp <interface_name>".

In rare circumstances, you might want to disable proxy ARP for global addresses.

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface. The only way traffic can reach the hosts is if the security appliance uses proxy ARP to claim that the security appliance MAC address is assigned to destination global addresses.

Before that, pls ensure that your HTTP service via port 10300 is working fine. Otherwise, this could be the primary issue.

Q: How to allow outside/internet clients to access your web server via 10300 (TCP)

A: Since you're not using standard port 80-www, this might require port redirection.

Change your current static map from :

static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255

to

static (inside,outside) tcp 67.104.112.163 www 10.0.1.25 10300 netmask 255.255.255.255

Change the ACL as well to:

access-list outside-in extended permit tcp any host 67.104.112.163 eq www

The above will allow outsiders to access your server without having to specify "10300" in their web browser. PIX/ASA will do the redirection automatically to port 10300.

Cheers!

AK
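The two replies above make two claims about how the ASA evaluates the posted config: an "eq" placed right after the source address qualifies the source port, so "permit tcp any eq www host 67.104.112.163 eq 10300" never matches a browser using a random source port; and a static PAT "static (inside,outside) tcp 67.104.112.163 www 10.0.1.25 10300" lets the outside ACL permit port 80 while the ASA forwards to 10.0.1.25:10300. The following is an added example, not code from the thread or from Cisco: a small Python model of that ACE syntax, first-match ACL evaluation with the implicit deny, and static PAT untranslation, run against the ACEs and static statements quoted on this page. The outside client 203.0.113.10 with source port 49152 is constructed. It assumes ASA 7.x semantics, where the outside ACL is checked against the mapped (global) address before the static is applied.

```python
"""Added example (not from the original thread): model ASA 7.x ACE matching and static PAT for the
ACEs discussed above. ACEs/statics are copied from the posted config; the outside client is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ftp": 21}


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


@dataclass
class Ace:
    action: str                 # permit | deny
    proto: str                  # tcp | udp | icmp | ip
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None = any destination port


def parse_ace(line: str) -> Ace:
    """Parse the subset 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' used on this page.
    SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'. Order matters: an 'eq' right after the
    source address is a SOURCE-port qualifier, which is the mistake in the original outside-in ACE."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("unsupported ACE syntax: " + line)
    i = 5

    def addr() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return ipaddress.ip_network(tok[i - 1] + "/32")
        i += 2
        return ipaddress.ip_network(f"{tok[i - 2]}/{tok[i - 1]}")   # 'A.B.C.D MASK' form

    def port() -> Optional[int]:
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            i += 2
            return _port(tok[i - 1])
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return Ace(tok[3], tok[4], src, sport, dst, dport)


def acl_decision(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First matching ACE wins; anything unmatched hits the implicit deny at the end, as on the ASA."""
    for a in acl:
        if (a.proto in (proto, "ip")
                and ipaddress.ip_address(src) in a.src and ipaddress.ip_address(dst) in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action
    return "deny"


# static (inside,outside) [tcp] MAPPED [MPORT] REAL [RPORT] -> (mapped_ip, mapped_port, real_ip, real_port);
# a port of None means a plain one-to-one static with no port redirection.
Static = Tuple[str, Optional[int], str, Optional[int]]


def untranslate(statics: List[Static], dst: str, dport: int) -> Tuple[str, int]:
    """Real (inside) destination an inbound outside->inside packet is forwarded to. In ASA 7.x the
    outside ACL is evaluated on the MAPPED address first, then this translation is applied."""
    for mapped_ip, mport, real_ip, rport in statics:
        if dst == mapped_ip and mport in (None, dport):
            return real_ip, dport if rport is None else rport
    return dst, dport   # no static: nothing is translated


def evaluate_scenarios() -> dict:
    client_ip, client_sport = "203.0.113.10", 49152   # constructed internet client, ephemeral source port
    original = [parse_ace("access-list outside-in extended permit tcp any eq www host 67.104.112.163 eq 10300")]
    fixed = [parse_ace("access-list outside-in extended permit tcp any host 67.104.112.163 eq 10300")]
    redirect_acl = [parse_ace("access-list outside-in extended permit tcp any host 67.104.112.163 eq www")]
    redirect_static: List[Static] = [("67.104.112.163", 80, "10.0.1.25", 10300)]
    return {
        # Original ACE: only matches if the client's SOURCE port is 80, which a browser never uses.
        "original_ace": acl_decision(original, "tcp", client_ip, client_sport, "67.104.112.163", 10300),
        "original_ace_only_if_sport_80": acl_decision(original, "tcp", client_ip, 80, "67.104.112.163", 10300),
        # Corrected ACE: destination port 10300, any source port.
        "fixed_ace": acl_decision(fixed, "tcp", client_ip, client_sport, "67.104.112.163", 10300),
        # Port-redirect variant: client connects to :80, ACL permits :80, static PAT forwards to 10.0.1.25:10300.
        "redirect_ace": acl_decision(redirect_acl, "tcp", client_ip, client_sport, "67.104.112.163", 80),
        "redirect_xlate": untranslate(redirect_static, "67.104.112.163", 80),
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:32} {result}")
```

The model covers only the ACE forms that appear on this page (no object-groups, ranges or "neq"); it is meant to make the source-port/destination-port distinction visible, not to replace the firewall's own logs, which the reply above suggests checking for the deny.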

Hi, Thanks for your answer.

I ran "sysopt noproxyarp inside" but still wasn't able to connect to http://<server name>.<domain name>:10300/ from behind the pix. Connecting to http://10.0.1.25 is fine though.

How can I make sure that my HTTP service is working fine for port 10300?

I also ran:

access-list outside-in extended permit tcp any host 67.104.112.163 eq www

static (inside,outside) tcp 67.104.112.163 www 10.0.1.25 10300 netmask 255.255.255.255 dns

I'm not able to check immediately if access from outside is possible since I'm behind the pix, but will do later tonight.

Again, thanks a lot for taking the time to reply. Unfortunately at this point, I am still not able to access to this url...

sylvain

Hi,

Thanks for your answer. I agree I had it backward.

I tried this:

access-list outside-in extended permit tcp any host 67.104.112.163 eq 10300

and it did not make any changes.

Thanks

Sylvain

To verify your http via port 10300 is working:

a. check your http port setup on the www server or application.

b. run http test from the server itself using web browser. Try any of these:

http://10.0.1.25:10300

http://<server name>:10300

http://127.0.0.1:10300

c. from any pc in the same segment, telnet to the server's IP:

telnet 10.0.1.25 10300

OR telnet from outside firewall to the public IP natted to 10.0.1.25 (which is 67.104.112.163)

telnet 67.104.112.163 10300

Make sure you get some kind of successful telnet reply, with an HTTP keyword in it...

Hope this helps.

AK

Or from outside/internet, you can do a port scan against the public IP 67.104.112.163. Make sure the port is open or visible from outside.

You can download lots of free port scanning tools, e.g. YAPS.

Cheers!

Hi,

Thanks. I tried Yaps which gave me the following results from outside:

67.104.112.163:80 -> www-http (World Wide Web HTTP) -> HTTP/1.1 404 Not Found..

Getting this result for ports 10300 and 10500 was kind of expected, but not for port 80.

when running it for ports 10300 to 10500, it wasn't even giving me any results.

Hi,

b:

all tests gave me an error 404 Not Found.

c:

I wasn't able to telnet using 10.0.1.25 from my laptop which was 10.0.1.6.

I received the following results from outside:

C:\>telnet 67.104.112.163 10300

Connecting To 67.104.112.163...Could not open connection to the host, on port 10300: Connect failed

C:\>telnet 67.104.112.163

Connecting To 67.104.112.163...Could not open connection to the host, on port 23: Connect failed

same thing after launching the VPN Client.

If you telnet from local subnet or from a PC in same subnet with the server, and if the server port 10300 is up & running, you should be able to get some kind of reply with 'http' keyword, not the "..could not open connection to..". The error indicates service port not running/opened.

Do port scanning from local LAN and outside firewall, and compare the results.

From internal LAN, you should see port 10300 opened. Indirectly, this will also verify that the service port is running fine.

If you can't see this port, check the server itself & verify the port is really working fine.
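The verification procedure in the replies above (telnet to the port from the same segment and from outside, compare with a port scan, and read "Could not open connection" as the service not listening) can be scripted so that the two failure modes are told apart: a connection that is refused (RST) means the host is reachable but nothing listens on that port, while a connection that times out means something in the path, such as the outside ACL on the firewall, is dropping the SYN. Windows telnet reports both as "Could not open connection". The following is an added example, not from the thread: it probes a host:port, sends a minimal GET and classifies the outcome, and for a stand-alone run it starts a throwaway local listener that answers 404 (constructed, as a stand-in for the NT server, mirroring the 404 the poster saw on port 80) and then probes a port nothing listens on. It does not contact any of the addresses in the thread unless you pass them on the command line.

```python
"""Added example (not from the thread): classify a TCP/HTTP probe the way the replies above read a
telnet or port-scan result. A throwaway local listener stands in for the NT server."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http(host: str, port: int, path: str = "/", timeout: float = 3.0) -> dict:
    """Connect, send a minimal GET, and classify the outcome.

    state: 'open'          TCP handshake done and an HTTP status line came back (service is up)
           'open-nonhttp'  connected but no HTTP banner (some other service owns the port)
           'refused'       RST: host reachable, nothing listening on that port
           'filtered'      no answer at all: a firewall/ACL in the path drops the SYN, or the host is down
           'unreachable'   name lookup or routing error before any SYN is sent
    """
    banner = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode())
            try:
                while len(banner) < 512:          # the status line is all we need
                    chunk = s.recv(512 - len(banner))
                    if not chunk:
                        break
                    banner += chunk
            except socket.timeout:
                pass                              # connected but silent: fall through to the banner check
    except ConnectionRefusedError:
        return {"state": "refused", "status": None}
    except socket.timeout:
        return {"state": "filtered", "status": None}
    except OSError as e:                          # gaierror, 'network unreachable', etc.
        return {"state": "unreachable", "status": None, "error": str(e)}
    first = banner.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    if first.startswith("HTTP/"):
        parts = first.split(" ")
        status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        return {"state": "open", "status": status}
    return {"state": "open-nonhttp", "status": None}


def run_local_demo() -> dict:
    """Probe a constructed local listener (answers 404, like the poster's port 80) and a free port."""
    class NotFound(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(404)
            self.end_headers()

        def log_message(self, *args):             # silence request logging
            pass

    server = HTTPServer(("127.0.0.1", 0), NotFound)   # port 0: let the OS pick a free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        listening = probe_http("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()
    # A port nothing listens on: bind to 0, note the port, release it, then probe it.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return {"listening": listening, "closed": probe_http("127.0.0.1", closed_port)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                        # e.g. python probe.py 10.0.1.25 10300
        print(probe_http(sys.argv[1], int(sys.argv[2])))
    else:
        print(run_local_demo())
```

Run it once from a host on 10.0.1.0/24 against 10.0.1.25:10300 and once from outside against 67.104.112.163:10300 (or :80 with the port-redirect static): "refused" from the inside segment points at the server, as the reply above says, while "open" inside but "filtered" outside points at the firewall path.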
