08-28-2003 08:35 PM - edited 03-09-2019 04:36 AM
Hi All,
I have a www server that resides on the inside interface. A static IP has been created and an access-list has been created to allow traffic from outside to inside. But I still cannot access the web server. Below is the config:
===========================================
PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 202.xxx.xxx.129 gateway
access-list acl_in permit icmp any any
access-list acl_in permit tcp any host 202.xxx.xxx.135
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq pop3
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq smtp
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq domain
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq 161
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq 162
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq telnet
access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq cmd
access-list acl_out permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list acl_out permit tcp host 192.168.10.101 any eq 6667
access-list acl_out permit tcp host 192.168.10.252 any eq 6667
access-list acl_out permit tcp host 192.168.10.98 any eq 6667
access-list acl_out permit tcp host 192.168.10.252 any eq 1214
access-list acl_out permit tcp host 192.168.10.252 any eq 4899
access-list acl_out permit icmp any any
access-list acl_out permit tcp host 192.168.10.31 any eq 6667
access-list acl_out permit tcp host 192.168.10.31 any eq 6668
access-list acl_out permit tcp host 192.168.10.31 any eq 6669
access-list acl_out permit tcp host 192.168.10.31 any eq 7000
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered debugging
logging trap debugging
logging host inside 192.168.10.200
logging host inside 192.168.10.35
mtu outside 1500
mtu inside 1500
ip address outside 202.xxx.xxx.140 255.255.255.240
ip address inside 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Info info action alarm drop reset
ip audit name Attack attack action alarm drop reset
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.10.252 255.255.255.255 inside
pdm location 202.169.43.243 255.255.255.255 inside
pdm location 192.168.10.98 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 202.xxx.xxx.139
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.xxx.xxx.141 192.168.10.252 netmask 255.255.255.255 0 0
static (inside,outside) 202.xxx.xxx.135 192.168.10.35 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 2:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
=====================================================
The WWW server IP is 202.xxx.xxx.135
Thanks for your quick response.
Best Regards,
HATO
08-28-2003 08:53 PM
I think you didn't write the access-list "acl-in" well. The access-list "access-list acl_in permit tcp any host 202.xxx.xxx.135" does not allow opening an HTTP connection to your HTTP server. The access-list has to be like this:
pix(config)#access-list acl_in permit tcp any host 202.xxx.xxx.135 eq www
08-28-2003 09:04 PM
Sorry, I misunderstood your access-list. It is right, no problem with it.
08-28-2003 10:59 PM
But why can I not access the web server? Please help.
08-29-2003 12:13 AM
OK, solved.
The problem came from the web server. In the IIS properties we had to change the IP address. Thank you.
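An added example, not part of the thread or any poster's code: a Python check of the three pieces the posted PIX 6.3 config needs to publish the web server (the static translation, a permit entry in the outside ACL, and the access-group binding). The function name `check_publication` and the trimmed sample are assumptions; it only understands `permit tcp any host X [eq port]` entries and also reports when an entry opens every TCP port to the published host.

```python
import re

# Constructed sample: the publication-related lines of the config posted above.
SAMPLE = """\
access-list acl_in permit icmp any any
access-list acl_in permit tcp any host 202.xxx.xxx.135
static (inside,outside) 202.xxx.xxx.135 192.168.10.35 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
"""

def check_publication(config, public_ip, ports=("www", "80")):
    """Check the static -> ACL -> access-group chain for one published address.

    Hypothetical helper. Only understands 'permit tcp any host X [eq P]'
    entries; deny lines and object-groups are ignored.
    """
    res = {"static_to": None, "outside_acl": None,
           "permitted": False, "all_ports": False}
    lines = [line.strip() for line in config.splitlines()]
    for line in lines:
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m and m.group(1) == public_ip:
            res["static_to"] = m.group(2)          # real inside address
        m = re.match(r"access-group (\S+) in interface outside$", line)
        if m:
            res["outside_acl"] = m.group(1)        # ACL bound to outside
    for line in lines:
        m = re.match(r"access-list (\S+) permit tcp any host (\S+)(?: eq (\S+))?$", line)
        if not m or m.group(1) != res["outside_acl"] or m.group(2) != public_ip:
            continue
        if m.group(3) is None:                     # no 'eq': every TCP port is open
            res["permitted"] = res["all_ports"] = True
        elif m.group(3) in ports:
            res["permitted"] = True
    return res

if __name__ == "__main__":
    r = check_publication(SAMPLE, "202.xxx.xxx.135")
    print(r)
    if r["static_to"] and r["permitted"]:
        print("firewall side is complete; check the listener on", r["static_to"])
    if r["all_ports"]:
        print("note: the ACL entry exposes all TCP ports, not only www")
```

When the chain checks out, as it does for the posted config, the next place to look is the server's own listener binding, which is where this thread ended up.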