
Problem accessing internal IIS web server

l4nier
Level 1

Please let me start by saying I am a newbie. I apologize in advance for stupid questions.

My problem is this. I have set up static and conduit statements in my PIX to access an internal web server. I am using the same format as is used for other boxes (ftp and www) that are accessed from outside the network. These work fine, but I can't access my new web box.

I did a little bit of troubleshooting, and it looks like packets are getting past my router but timing out when they get to the PIX.

In my logs I am getting the following error:

Deny inbound (No xlate) tcp src outside:61.94.56.23/80 dst outside:216.191.146.83/2796

I wasn't sure why it was trying to come through on /2796. Also important to note here is the address 216.191.14.83 is the IP for my global (outside). It is not the IP address that I am trying to reach, which is 216.191.220.147/

Any ideas on where I can begin to troubleshoot this problem?

Thanks in advance.

Louanne

lfournier@nexterna.com


nkhawaja
Cisco Employee

Hi,

Please share the configs (change/hide the IP addresses).

The log message that you are referring to may not be related to your issue.

Thanks

Nadeem Khawaja

Ok thank you. Here it is. I hope I haven't hidden the IPs so much that you can't make sense of it. Please let me know.

Thanks.

Louanne

: Saved

: Written by enable_15 at 19:55:32.803 UTC Tue Feb 17 2004

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password encrypted

passwd encrypted

hostname

domain-name nexterna.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list 101 permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list 102 permit ip 192.168.10.0 255.255.255.0 172.31.0.0 255.255.0.0

access-list nonat permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list nonatdmz permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list nonatdmz permit ip 192.168.10.0 255.255.255.0 172.31.0.0 255.255.0.0

access-list nonatdmz permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list 100 permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list 103 permit ip 192.168.20.0 255.255.255.0 172.16.3.0 255.255.255.0

access-list 103 permit ip 192.168.10.0 255.255.255.0 172.16.3.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging console debugging

logging trap warnings

logging history warnings

logging host inside 192.168.20.3

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside xxx.xxx.xxx.xxx.82 255.255.255.248

ip address inside 192.168.20.1 255.255.255.0

ip address dmz 192.168.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool burlingtonpool 192.168.50.1-192.168.50.50

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

pdm location 172.16.9.2 255.255.255.255 inside

pdm location 192.168.20.4 255.255.255.255 inside

pdm location 192.168.20.5 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.248

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 0 access-list nonatdmz

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) xxx.xxx.xxx.xxx 192.168.10.30 netmask 255.255.255.255 0 0

static (dmz,outside) xxx.xxx.xxx.xxx 192.168.10.100 netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0

static (dmz,outside) xxx.xxx.xxx.xxx 192.168.10.41 netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.xxx 192.168.20.9 netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.xxx 192.168.20.64 netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.xxx 192.168.20.12 netmask 255.255.255.255 0 0

conduit permit icmp any any

conduit permit tcp host xxx.xxx.xxx.xxx eq ftp any

conduit permit tcp host xxx.xxx.xxx.xxx eq www any

conduit permit tcp host xxx.xxx.xxx.xxx eq https any

conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any

conduit permit tcp host xxx.xxx.xxx.xxx eq pop3 any

conduit permit tcp host xxx.xxx.xxx.xxx eq www any

conduit permit tcp host xxx.xxx.xxx.xxx eq https any

conduit permit tcp host xxx.xxx.xxx.xxx eq www any

conduit permit udp any eq isakmp host xxx.xxx.xxx.xxx

conduit permit ah host xxx.xxx.xxx.xxx any

conduit permit esp host xxx.xxx.xxx.xxx any

conduit permit tcp host xxx.xxx.xxx.xxx eq www any

conduit permit tcp host xxx.xxx.xxx.xxx eq https any

conduit permit tcp host xxx.xxx.xxx.xxx eq www any

conduit permit tcp host xxx.xxx.xxx.xxx eq https any

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server vpnauth protocol radius

aaa-server vpnauth (inside) host 192.168.20.3 nex6818terna timeout 20

aaa-server auth protocol radius

aaa-server auth (inside) host 192.168.20.3 nex6818terna timeout 20

aaa authentication telnet console auth

http server enable

http 192.168.20.4 255.255.255.255 inside

http 192.168.20.39 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 192.168.20.35 /

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set NexternaSet esp-des

crypto ipsec transform-set burlington esp-des esp-md5-hmac

crypto ipsec transform-set norcom esp-des esp-md5-hmac

crypto dynamic-map burldynmap 20 set transform-set burlington

crypto map CanadaMap 5 ipsec-isakmp

crypto map CanadaMap 5 match address 103

crypto map CanadaMap 5 set peer 64.233.31.178

crypto map CanadaMap 5 set transform-set NexternaSet

crypto map CanadaMap 15 ipsec-isakmp

crypto map CanadaMap 15 match address 102

crypto map CanadaMap 15 set peer 12.26.74.85

crypto map CanadaMap 15 set transform-set norcom

crypto map CanadaMap 20 ipsec-isakmp dynamic burldynmap

crypto map CanadaMap client authentication vpnauth

crypto map CanadaMap interface outside

isakmp enable outside

isakmp key nexterna6818 address 12.26.74.85 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key nex6818terna address 65.112.203.34 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key burlingtonvpn address 0.0.0.0 netmask 0.0.0.0

isakmp key Nexterna6818 address 64.233.31.178 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 5 authentication pre-share

isakmp policy 5 encryption des

isakmp policy 5 hash md5

isakmp policy 5 group 2

isakmp policy 5 lifetime 86400

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

vpngroup burlington address-pool burlingtonpool

vpngroup burlington dns-server 192.168.20.3

vpngroup burlington wins-server 192.168.20.3

vpngroup burlington default-domain canada.nexterna.com

vpngroup burlington split-tunnel 100

vpngroup burlington idle-time 1800

telnet 192.168.20.0 255.255.255.0 inside

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.20.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 dmz

ssh timeout 10

console timeout 0

terminal width 80

Cryptochecksum:xxxxx

: end
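The troubleshooting step the thread is circling, a cross-check of the static and conduit statements, as an added example (not code from the thread or from Cisco). It parses a constructed config fragment in the shape of the one above, using 203.0.113.0/24 as a stand-in for the hidden public addresses, and reports conduit hosts with no static mapped to outside (inbound to such an address has nothing to translate to, which is what a "No xlate" deny for that address would reflect) and statics with no conduit:

```python
import re
from collections import defaultdict

# Constructed sample shaped like the PIX 6.x config above; 203.0.113.0/24 stands in for the hidden public IPs.
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.30 192.168.10.30 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.100 192.168.10.100 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,outside) 203.0.113.9 192.168.20.9 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.0.113.30 eq ftp any
conduit permit tcp host 203.0.113.30 eq www any
conduit permit tcp host 203.0.113.9 eq www any
conduit permit tcp host 203.0.113.64 eq www any
"""
# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# conduit permit PROTO host MAPPED_IP eq PORT SOURCE
CONDUIT_RE = re.compile(r"^conduit permit (\w+) host (\S+) eq (\S+) (\S+)")

def parse_config(text):
    """Statics mapped to outside ({mapped_ip: real_ip}) and host conduits."""
    statics = {}
    conduits = defaultdict(list)
    for line in text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            _real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
            if mapped_ifc == "outside":  # skip identity NAT between inside and dmz
                statics[mapped_ip] = real_ip
            continue
        m = CONDUIT_RE.match(line)
        if m:
            proto, mapped_ip, port, _src = m.groups()
            conduits[mapped_ip].append((proto, port))
    return statics, conduits

def find_issues(text):
    """A conduit host with no static can never get an xlate (inbound is denied
    'No xlate'); a static with no conduit is reachable by nothing on a conduit-only config."""
    statics, conduits = parse_config(text)
    issues = []
    for mapped_ip, ports in conduits.items():
        if mapped_ip not in statics:
            issues.append(("conduit-without-static", mapped_ip, ports))
    for mapped_ip, real_ip in statics.items():
        if mapped_ip not in conduits:
            issues.append(("static-without-conduit", mapped_ip, real_ip))
    return issues
```

Run it against a real config by reading the file into `find_issues`; the OP's own log line (source port 80, destination the PAT global address on an ephemeral port) is a different case, a reply to an expired outbound translation, and is not what this check looks for.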

Hi,

My bet is that hiding the IPs is making it more difficult to conclude; please send the config unicast to nkhawaja@cisco.com

Thanks

Nadeem


jackko
Level 7

The debug doesn't indicate much, as it could be an attack from the internet.

Would you mind posting the config?

Firstly, there is a bug with 6.3(1) regarding NAT; I would suggest you upgrade the OS.

Secondly, do a sh xlate and check whether or not there is an entry for the new server.


Can you tell me what version I should be at and where I can get the files?

Thanks!

Louanne

6.3(3) is the one. Below is the URL, and I believe you need a valid CCO login.

http://www.cisco.com/cgi-bin/tablebuild.pl/pix
