Outside to Inside WWW Server - HELP

j.hato
Level 1

Hi All,

I have a www server that resides on the inside interface. A static IP has been created and an access-list has been created to allow traffic from outside to inside. But I still cannot access the web server. Below is the config:

===========================================

PIX Version 6.3(2)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 202.xxx.xxx.129 gateway

access-list acl_in permit icmp any any

access-list acl_in permit tcp any host 202.xxx.xxx.135

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq www

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq pop3

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq smtp

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq https

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq domain

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq 161

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq 162

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq telnet

access-list acl_out permit tcp 192.168.10.0 255.255.255.0 any eq cmd

access-list acl_out permit udp 192.168.10.0 255.255.255.0 any eq domain

access-list acl_out permit tcp host 192.168.10.101 any eq 6667

access-list acl_out permit tcp host 192.168.10.252 any eq 6667

access-list acl_out permit tcp host 192.168.10.98 any eq 6667

access-list acl_out permit tcp host 192.168.10.252 any eq 1214

access-list acl_out permit tcp host 192.168.10.252 any eq 4899

access-list acl_out permit icmp any any

access-list acl_out permit tcp host 192.168.10.31 any eq 6667

access-list acl_out permit tcp host 192.168.10.31 any eq 6668

access-list acl_out permit tcp host 192.168.10.31 any eq 6669

access-list acl_out permit tcp host 192.168.10.31 any eq 7000

pager lines 24

logging on

logging timestamp

logging console debugging

logging buffered debugging

logging trap debugging

logging host inside 192.168.10.200

logging host inside 192.168.10.35

mtu outside 1500

mtu inside 1500

ip address outside 202.xxx.xxx.140 255.255.255.240

ip address inside 192.168.10.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit name Info info action alarm drop reset

ip audit name Attack attack action alarm drop reset

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.10.252 255.255.255.255 inside

pdm location 202.169.43.243 255.255.255.255 inside

pdm location 192.168.10.98 255.255.255.255 inside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 1 202.xxx.xxx.139

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 202.xxx.xxx.141 192.168.10.252 netmask 255.255.255.255 0 0

static (inside,outside) 202.xxx.xxx.135 192.168.10.35 netmask 255.255.255.255 0 0

access-group acl_in in interface outside

access-group acl_out in interface inside

route outside 0.0.0.0 0.0.0.0 gateway 1

timeout xlate 2:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

=====================================================

The WWW server IP is 202.xxx.xxx.135

Thanks for your quick response.

Best Regards,

HATO

4 Replies

tcavdar
Level 1

I think you didn't write the access-list "acl-in" well. The access-list "access-list acl_in permit tcp any host 202.xxx.xxx.135" does not allow opening an HTTP connection to your HTTP server. The access-list has to be like this:

pix(config)#access-list acl_in permit tcp any host 202.xxx.xxx.135 eq www

Sorry, I misunderstood your access-list. It is right, no problem with it.

But why can't I access the web server? Please help.

OK, solved.

The problem came from the Web Server. In the IIS properties we have to change the IP Address. Thank you.
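Added example, not part of the thread: a small Python check for the three pieces of configuration this thread relies on for outside-to-inside access on PIX 6.3 (a `static` for the public address, an ACL bound to the outside interface with `access-group`, and a first-match `permit` for the translated address and port). The function name, the port-keyword table and the sample addresses are constructed for illustration; masked addresses such as `202.xxx.xxx.135` must be replaced with real ones before parsing.

```python
import ipaddress

# Constructed sample (documentation addresses), same line types as the posted config.
SAMPLE = """\
access-list acl_in permit icmp any any
access-list acl_in permit tcp any host 203.0.113.135
static (inside,outside) 203.0.113.135 192.168.10.35 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
"""
PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}  # subset of PIX keywords


def _addr(tok):
    """Consume one address spec: 'any', 'host IP' or 'NET MASK'."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]


def check_inbound(config, public_ip, port=80):
    """Report the static mapping, the outside ACL and its verdict for TCP to public_ip:port."""
    rows = [l.split() for l in config.splitlines() if l.strip()]
    real_ip = next((r[3] for r in rows if len(r) >= 4
                    and r[:2] == ["static", "(inside,outside)"] and r[2] == public_ip), None)
    acl = next((r[1] for r in rows
                if r[0] == "access-group" and r[2:] == ["in", "interface", "outside"]), None)
    target = ipaddress.ip_address(public_ip)
    verdict = "deny"  # implicit deny at the end of every ACL
    for r in rows:
        if len(r) < 6 or r[:2] != ["access-list", acl] or r[3] not in ("tcp", "ip"):
            continue
        src, rest = _addr(r[4:])
        dst, rest = _addr(rest)  # PIX 6.3 outside ACLs match the translated address
        if src is not None:      # assumption: only entries with source 'any' are evaluated
            continue
        if dst is not None and target not in dst:
            continue
        # Only the 'eq' operator is handled; no operator means every port.
        if rest and (rest[0] != "eq" or str(PORTS.get(rest[1], rest[1])) != str(port)):
            continue
        verdict = r[2]           # first matching entry wins
        break
    return {"static": real_ip, "acl": acl, "verdict": verdict}


if __name__ == "__main__":
    print(check_inbound(SAMPLE, "203.0.113.135", 80))
```

When all three fields check out, as they do for the posted configuration, the firewall is not the blocker and the server's own listener binding is the next place to look. An entry with no `eq` clause permits every TCP port to the host, so the `eq www` form suggested in the first reply is the narrower rule.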