PIX & HTTP

gary.boon · ‎12-31-2005

I have a PIX 515 that I wish to allow HTTP requests through to an internal webserver. However as much as I've tried I cannot get this to work.

I have an external WAN IP assigned by my ISP through DHCP and an internal web server at 192.168.1.150.

My config file is here - but I can't figure out what is wrong.

asdm image flash:/asdm-501.bin

no asdm history enable

: Saved

:

PIX Version 7.0(1)

names

name 192.168.1.150 INTERNALWEBSERVER

!

interface Ethernet0

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

hostname pixfirewall

domain-name ctu.local

ftp mode passive

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any interface outside eq www

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

no failover

monitor-interface outside

monitor-interface inside

asdm image flash:/asdm-501.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www INTERNALWEBSERVER www netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.50-192.168.1.149 inside

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable inside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect http

inspect pptp

!

service-policy global_policy global

Cryptochecksum:xxxxx

: end

gary.boon · ‎12-31-2005

This is the syslog output I receive when attempting to access a web site on my server - I've replaced my WAN IP with xx.xx.xx.xx:

3|Dec 31 2005 17:01:37|710003: TCP access denied by ACL from 192.168.1.50/1960 to inside:xx.xx.xx.xx/80

6|Dec 31 2005 17:01:37|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3659 to outside:xx.xx.xx.xx/1753 duration 0:00:30

6|Dec 31 2005 17:01:36|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3658 to outside:xx.xx.xx.xx/1752 duration 0:00:30

6|Dec 31 2005 17:01:36|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3657 to outside:xx.xx.xx.xx/1751 duration 0:00:30

6|Dec 31 2005 17:01:36|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3656 to outside:xx.xx.xx.xx/1750 duration 0:00:30

6|Dec 31 2005 17:01:35|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3655 to outside:xx.xx.xx.xx/1749 duration 0:00:30

6|Dec 31 2005 17:01:35|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3654 to outside:xx.xx.xx.xx/1748 duration 0:00:30

6|Dec 31 2005 17:01:35|305012: Teardown dynamic TCP translation from inside:INTERNALWEBSERVER/3653 to outside:xx.xx.xx.xx/1747 duration 0:00:30

3|Dec 31 2005 17:01:34|710003: TCP access denied by ACL from 192.168.1.50/1960 to inside:xx.xx.xx.xx/80

3|Dec 31 2005 17:01:27|710003: UDP access denied by ACL from 192.168.1.104/68 to inside:192.168.1.1/67

3|Dec 31 2005 17:01:24|710003: UDP access denied by ACL from 192.168.1.52/137 to inside:192.168.1.255/137

3|Dec 31 2005 17:01:23|710003: UDP access denied by ACL from 192.168.1.52/137 to inside:192.168.1.255/137

3|Dec 31 2005 17:01:22|710003: TCP access denied by ACL from 192.168.1.50/1959 to inside:xx.xx.xx.xx/80

3|Dec 31 2005 17:01:19|710003: UDP access denied by ACL from 192.168.1.104/68 to inside:192.168.1.1/67

3|Dec 31 2005 17:01:16|710003: TCP access denied by ACL from 192.168.1.50/1959 to inside:xx.xx.xx.xx/80

3|Dec 31 2005 17:01:15|710003: UDP access denied by ACL from 192.168.1.104/68 to inside:192.168.1.1/67

3|Dec 31 2005 17:01:15|710003: UDP access denied by ACL from INTERNALWEBSERVER/137 to inside:192.168.1.255/137

3|Dec 31 2005 17:01:14|710003: UDP access denied by ACL from INTERNALWEBSERVER/137 to inside:192.168.1.255/137

3|Dec 31 2005 17:01:13|710003: TCP access denied by ACL from 192.168.1.50/1959 to inside:xx.xx.xx.xx/80

Patrick Laidlaw · ‎12-31-2005

Gary,

From what I see everything looks to be configured right.

1)tcp nat looks right

2)your access-list looks right

Here is what I would suggest is that you first try it from an external ip address not from one of your inside machines. I'm not completly familar with 7.0 yet but with 6.3 and below you could not connect to your external interface ip address from an inside ip address.

Try that and post what the syslog server reports.

Patrick

gary.boon · ‎12-31-2005

Patrick,

I've attached the syslog file I received when trying to access externally.

Thanks

Gary

gary.boon · ‎12-31-2005

Patrick,

I tried the site externally again and it worked fine - just timed out the first time I tried it. Thanks for your help it seems 7 is the same as 6,3 and won't allow a connection from the inside to the outside interface to view a site.

Thanks

Gary

Patrick Laidlaw · ‎01-04-2006

Gary,

No problem I've had a lot of problems with that when I first started working with PIX firwalls.

The way a pix works is it won't allow a connection traversing in one interface which needs to terminate on another interface.

Patrick