12-31-2005 09:22 AM - edited 02-21-2020 12:37 AM
I have a PIX 515 that I wish to allow HTTP requests through to an internal web server. However, as much as I've tried, I cannot get this to work.
I have an external WAN IP assigned by my ISP through DHCP and an internal web server at 192.168.1.150.
My config file is here - but I can't figure out what is wrong.
asdm image flash:/asdm-501.bin
no asdm history enable
: Saved
:
PIX Version 7.0(1)
names
name 192.168.1.150 INTERNALWEBSERVER
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
hostname pixfirewall
domain-name ctu.local
ftp mode passive
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www INTERNALWEBSERVER www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.149 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect pptp
!
service-policy global_policy global
Cryptochecksum:xxxxx
: end
12-31-2005 09:26 AM
This is the syslog output I receive when attempting to access a web site on my server - I've replaced my WAN IP with xx.xx.xx.xx:
3|Dec 31 2005 17:01:37|710003: TCP access denied by ACL from 192.168.1.50/1960 to inside:xx.xx.xx.xx/80
6|Dec 31 2005 17:01:37|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3659 to outside:xx.xx.xx.xx/1753 duration 0:00:30
6|Dec 31 2005 17:01:36|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3658 to outside:xx.xx.xx.xx/1752 duration 0:00:30
6|Dec 31 2005 17:01:36|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3657 to outside:xx.xx.xx.xx/1751 duration 0:00:30
6|Dec 31 2005 17:01:36|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3656 to outside:xx.xx.xx.xx/1750 duration 0:00:30
6|Dec 31 2005 17:01:35|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3655 to outside:xx.xx.xx.xx/1749 duration 0:00:30
6|Dec 31 2005 17:01:35|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3654 to outside:xx.xx.xx.xx/1748 duration 0:00:30
6|Dec 31 2005 17:01:35|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3653 to outside:xx.xx.xx.xx/1747 duration 0:00:30
3|Dec 31 2005 17:01:34|710003: TCP access denied by ACL from 192.168.1.50/1960 to inside:xx.xx.xx.xx/80
3|Dec 31 2005 17:01:27|710003: UDP access denied by ACL from 192.168.1.104/68 to inside:192.168.1.1/67
3|Dec 31 2005 17:01:24|710003: UDP access denied by ACL from 192.168.1.52/137 to inside:192.168.1.255/137
3|Dec 31 2005 17:01:24|710003: UDP access denied by ACL from 192.168.1.52/137 to inside:192.168.1.255/137
3|Dec 31 2005 17:01:23|710003: UDP access denied by ACL from 192.168.1.52/137 to inside:192.168.1.255/137
3|Dec 31 2005 17:01:22|710003: TCP access denied by ACL from 192.168.1.50/1959 to inside:xx.xx.xx.xx/80
3|Dec 31 2005 17:01:19|710003: UDP access denied by ACL from 192.168.1.104/68 to inside:192.168.1.1/67
3|Dec 31 2005 17:01:16|710003: TCP access denied by ACL from 192.168.1.50/1959 to inside:xx.xx.xx.xx/80
3|Dec 31 2005 17:01:15|710003: UDP access denied by ACL from 192.168.1.104/68 to inside:192.168.1.1/67
3|Dec 31 2005 17:01:15|710003: UDP access denied by ACL from INTERNALWEBSERVER/137 to inside:192.168.1.255/137
3|Dec 31 2005 17:01:14|710003: UDP access denied by ACL from INTERNALWEBSERVER/137 to inside:192.168.1.255/137
3|Dec 31 2005 17:01:14|710003: UDP access denied by ACL from INTERNALWEBSERVER/137 to inside:192.168.1.255/137
3|Dec 31 2005 17:01:13|710003: TCP access denied by ACL from 192.168.1.50/1959 to inside:xx.xx.xx.xx/80
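The 710003 lines above are the ones worth checking. Syslog ID %PIX-3-710003 is logged when a connection is aimed at one of the firewall's own interface addresses (to-the-box traffic), and here the denied destination, arriving on the inside interface, is the same xx.xx.xx.xx that the 305012 lines show as the outside PAT address. So the inside client's request is being treated as a connection to the PIX itself and never reaches the static (inside,outside) translation, which only applies to packets arriving on outside. The script below is an added example, not part of the original post: it parses constructed copies of these log lines and separates that hairpin pattern from the unrelated DHCP and NetBIOS broadcast denials. The regexes, function names and the assumption that the mapped address in a 305012 line is the outside interface IP (true for this config because of `global (outside) 1 interface`) are mine, not something the PIX documents.

```python
import re
from collections import Counter

# Constructed sample: a subset of the syslog lines quoted in the post above,
# with the WAN address redacted as xx.xx.xx.xx exactly as the poster did.
SAMPLE_LOG = """\
3|Dec 31 2005 17:01:37|710003: TCP access denied by ACL from 192.168.1.50/1960 to inside:xx.xx.xx.xx/80
6|Dec 31 2005 17:01:37|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3659 to outside:xx.xx.xx.xx/1753 duration 0:00:30
3|Dec 31 2005 17:01:34|710003: TCP access denied by ACL from 192.168.1.50/1960 to inside:xx.xx.xx.xx/80
3|Dec 31 2005 17:01:27|710003: UDP access denied by ACL from 192.168.1.104/68 to inside:192.168.1.1/67
3|Dec 31 2005 17:01:24|710003: UDP access denied by ACL from 192.168.1.52/137 to inside:192.168.1.255/137
3|Dec 31 2005 17:01:22|710003: TCP access denied by ACL from 192.168.1.50/1959 to inside:xx.xx.xx.xx/80
3|Dec 31 2005 17:01:15|710003: UDP access denied by ACL from INTERNALWEBSERVER/137 to inside:192.168.1.255/137
"""

# %PIX-3-710003: {TCP|UDP} access denied by ACL from src/port to ifc:dst/port
# (logged for connections aimed at the firewall's own interface addresses)
DENY_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|710003: (?P<proto>TCP|UDP) access denied by ACL "
    r"from (?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+)\s*$"
)
# %PIX-6-305012: Teardown dynamic TCP translation from ifc:real/port to ifc:mapped/port
XLATE_RE = re.compile(
    r"^\d\|[^|]+\|305012: Teardown dynamic TCP translation "
    r"from (?P<ifc>\w+):(?P<src>[^/\s]+)/\d+ to (?P<mapped_ifc>\w+):(?P<mapped>[^/\s]+)/\d+"
)


def parse_denials(text):
    """Return one dict per 710003 line (to-the-box connection attempts)."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            out.append(d)
    return out


def outside_addresses(text):
    """Learn the firewall's outside address from 305012 PAT teardown lines.

    Assumption (holds for the posted config, which has 'global (outside) 1
    interface'): the mapped address on the outside side of a dynamic PAT
    translation is the outside interface IP itself.
    """
    addrs = set()
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m and m.group("mapped_ifc") == "outside":
            addrs.add(m.group("mapped"))
    return addrs


def classify(text, published_ports=(80,)):
    """Split 710003 denials into the hairpin symptom and everything else.

    The hairpin symptom is a TCP connection that arrived on inside, aimed at
    the firewall's own outside address on a port that the static (inside,
    outside) publishes. Such a packet is handled as to-the-box traffic; the
    static is only consulted for packets arriving on outside, so it is never
    applied. DHCP (68->67) and NetBIOS (137) broadcast denials are reported
    separately because they are unrelated to the HTTP problem.
    """
    fw_outside = outside_addresses(text)
    hairpin, other = [], []
    for d in parse_denials(text):
        if (d["proto"] == "TCP" and d["ifc"] == "inside"
                and d["dst"] in fw_outside and d["dport"] in published_ports):
            hairpin.append(d)
        else:
            other.append(d)
    return {"outside_addresses": fw_outside, "hairpin": hairpin, "other": other}


def report(text, published_ports=(80,)):
    """Human-readable summary, one line per inside source showing the symptom."""
    c = classify(text, published_ports)
    by_src = Counter(d["src"] for d in c["hairpin"])
    lines = [
        f"{src}: {n} attempt(s) from inside to the firewall's own outside address "
        f"on a published port; static (inside,outside) is not applied to this path"
        for src, n in sorted(by_src.items())
    ]
    lines.append(f"{len(c['other'])} other to-the-box denial(s) (DHCP/NetBIOS broadcast noise)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Running it against the constructed sample reports 192.168.1.50 as the only inside host showing the symptom, which matches the test Patrick suggests next: the same request from an external address arrives on outside, where the static does apply.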
12-31-2005 02:33 PM
Gary,
From what I see everything looks to be configured right.
1)tcp nat looks right
2)your access-list looks right
What I would suggest is that you first try it from an external IP address, not from one of your inside machines. I'm not completely familiar with 7.0 yet, but with 6.3 and below you could not connect to your external interface IP address from an inside IP address.
Try that and post what the syslog server reports.
Patrick
12-31-2005 02:57 PM
12-31-2005 03:04 PM
Patrick,
I tried the site externally again and it worked fine; it just timed out the first time I tried it. Thanks for your help. It seems 7 is the same as 6.3 and won't allow a connection from the inside to the outside interface to view a site.
Thanks
Gary
01-04-2006 08:40 PM
Gary,
No problem, I've had a lot of problems with that when I first started working with PIX firewalls.
The way a PIX works is that it won't allow a connection traversing in one interface which needs to terminate on another interface.
Patrick