- PIX Port Forwarding Problem
- Posted by Cisco Newbie on December 31st, 2005
I've been trying for some time to get my PIX 515 firewall to allow HTTP
requests to pass through and go to a web server hosted on my internal
network. Unfortunately I have not managed to get this working - even after
reading numerous articles. The scenario is that the outside interface is
connected to a cable modem and the WAN IP address is assigned through DHCP
by my ISP. My PIX config is shown below; I want www requests to my dynamic IP
address to be passed through to an internal web server at 192.168.1.150. Can
anyone see what is wrong with my configuration?
asdm image flash:/asdm-501.bin
no asdm history enable
: Saved
:
PIX Version 7.0(1)
names
name 192.168.1.0 ctu
name 192.168.1.150 srv.bauer
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
hostname pixfirewall
domain-name ctu.local
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup inside
dns name-server srv.bauer
access-list acl_out extended deny icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp deny any echo outside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www srv.bauer www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http ctu 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.149 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect http
: end
Thanks in advance
- Posted by CiscoHeadsetAdapter.com on December 31st, 2005
Easiest way to troubleshoot any configuration - look at the log. What does
it say when somebody tries to connect to your website? It will give you a
direction, where to look.
Good luck,
Mike
www.ciscoheadsetadapter.com
"Cisco Newbie" <noemail@thisaddress.com> wrote in message news:Vktf.70455$vl2.37602@fe2.news.blueyonder.co.uk...
- Posted by MyndPhlyp on December 31st, 2005
"Cisco Newbie" <noemail@thisaddress.com> wrote in message news:Vktf.70455$vl2.37602@fe2.news.blueyonder.co.uk...
This series of commands accomplishes the task on my PIX 501. It should also
work on your 515.
static (inside,outside) tcp interface 80 192.168.1.150 80 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 80
clear xlate
clear arp
clear local
write mem
- Posted by Julian Dragut on December 31st, 2005
This is what he has as well!
"MyndPhlyp" <nobody@homeright.now> wrote in message news:G9mtf.124$ZA2.75@newsread1.news.atl.earthlink.net...
- Posted by Cisco Newbie on December 31st, 2005
The log I get when trying to access my web site is as follows:
6|Dec 31 2005 10:55:44|305012: Teardown dynamic TCP translation from inside:srv.bauer/57517 to outside:xx.xx.xx.xx/5998 duration 0:00:30
6|Dec 31 2005 10:55:44|305012: Teardown dynamic TCP translation from inside:srv.bauer/57516 to outside:xx.xx.xx.xx/5997 duration 0:00:30
6|Dec 31 2005 10:55:43|305012: Teardown dynamic TCP translation from inside:srv.bauer/57515 to outside:xx.xx.xx.xx/5996 duration 0:00:30
6|Dec 31 2005 10:55:43|305012: Teardown dynamic TCP translation from inside:srv.bauer/57514 to outside:xx.xx.xx.xx/5995 duration 0:00:30
6|Dec 31 2005 10:55:42|305012: Teardown dynamic TCP translation from inside:srv.bauer/57513 to outside:xx.xx.xx.xx/5994 duration 0:00:30
3|Dec 31 2005 10:55:35|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
6|Dec 31 2005 10:55:33|305012: Teardown dynamic TCP translation from inside:192.168.1.50/2984 to outside:xx.xx.xx.xx/5993 duration 0:00:30
6|Dec 31 2005 10:55:33|305012: Teardown dynamic UDP translation from inside:srv.bauer/1031 to outside:xx.xx.xx.xx/1033 duration 0:00:30
4|Dec 31 2005 10:55:32|106023: Deny tcp src outside:64.152.4.80/80 dst inside:xx.xx.xx.xx/5985 by access-group "outside_access_in"
6|Dec 31 2005 10:55:29|609002: Teardown local-host outside:64.233.183.99 duration 0:00:00
6|Dec 31 2005 10:55:29|302014: Teardown TCP connection 5264 for outside:64.233.183.99/80 to inside:192.168.1.52/1423 duration 0:00:00 bytes 2272 TCP FINs
3|Dec 31 2005 10:55:29|710003: UDP access denied by ACL from 221.10.254.31/33275 to outside:xx.xx.xx.xx/1027
5|Dec 31 2005 10:55:29|304001: 192.168.1.52 Accessed URL 64.233.183.99:/
6|Dec 31 2005 10:55:29|302013: Built outbound TCP connection 5264 for outside:64.233.183.99/80 (64.233.183.99/80) to inside:192.168.1.52/1423 (xx.xx.xx.xx/6001)
6|Dec 31 2005 10:55:29|305011: Built dynamic TCP translation from inside:192.168.1.52/1423 to outside:xx.xx.xx.xx/6001
6|Dec 31 2005 10:55:29|609001: Built local-host outside:64.233.183.99
3|Dec 31 2005 10:55:28|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
3|Dec 31 2005 10:55:26|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
I've replaced my WAN IP with xx.xx.xx.xx
Thanks
"MyndPhlyp" <nobody@homeright.now> wrote in message news:G9mtf.124$ZA2.75@newsread1.news.atl.earthlink.net...
- Posted by Walter Roberson on December 31st, 2005
In article <nRttf.70520$vl2.27121@fe2.news.blueyonder.co.uk>,
Cisco Newbie <noemail@thisaddress.com> wrote:
The PIX thinks that you are attempting to access the http service
of the PIX itself, rather than passing along the request to
the inside machine.
As I recall you are running PIX 7; I don't know much about PIX 7.
In PIX 6.3, messages such as those are artifacts: the PIX thinks the
connection has been torn down but then it sees the final packet or two
from the remote host clearing down the connection, and it logs them
as if the remote host is trying to create a new connection. This
situation was handled better in earlier PIX versions and I had hoped
it would be returned to something more sensible in PIX 7.
Hmmm, that's odd. In PIX 6, you can only get local-hosts associated
with inner interfaces, unless you happen to exchange interface names
(which the PIX warns about.) Looking at the PIX 7.0 documentation,
I see that local-host has an expanded role, but I'm having a
bit of difficulty in working from the examples back to what the
new local-host conception is.
I would have expected those last two to be reversed, the TCP translation
built before the outbound TCP connection. Perhaps the processing order
has changed in 7.0.
If you lie to the compiler, it will get its revenge. -- Henry Spencer
- Posted by Cisco Newbie on December 31st, 2005
Do you know how to stop the PIX thinking the request is trying to access the
internal HTTP service?
"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message news:dp6li1$j31$1@canopus.cc.umanitoba.ca...
- Posted by Lutz Donnerhacke on January 2nd, 2006
* Cisco Newbie wrote:
Please test your configuration FROM OUTSIDE. You can't expect the PIX to NAT
your inside address to an outside one and re-NAT the same connection
instantaneously from outside to inside.
- Posted by Julian Dragut on January 4th, 2006
What they're trying to say is:
Cannot come in through the same door you went out!!!
JD
"Lutz Donnerhacke" <lutz@iks-jena.de> wrote in message news:slrndrhr2k.vi.lutz@taranis.iks-jena.de...
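The diagnosis in this thread (Walter's reading of the 710003 lines, and Lutz's point that the test was run from inside the NAT) can be checked mechanically against a PIX log. The script below is an added example, not code from the thread or from Cisco: it parses the PIX 7.x syslog format Cisco Newbie posted (severity|timestamp|message-id: text) and flags every 710003 "access denied by ACL" event in which an inside host hits the mapped port on the PIX's own address via the inside interface. That combination is the signature of testing a static translation from inside: 710003 is logged for connections addressed to the PIX itself, whereas a through-traffic ACL drop is logged as 106023. The sample lines are copied from the thread with the masked WAN address replaced by the documentation address 203.0.113.10 (an assumption); the inside subnet 192.168.1.0/24 and port 80 are taken from the posted config.

```python
import ipaddress
import re
from collections import Counter

# PIX 7.x syslog line as shown in the thread:
#   <severity>|<Mon DD YYYY HH:MM:SS>|<six-digit message id>: <text>
PIX_LINE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d)\|"
    r"(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Text of %PIX-3-710003:
#   "<TCP|UDP> access denied by ACL from <src>/<sport> to <ifc>:<dst>/<dport>"
ACL_710003 = re.compile(
    r"^(?P<proto>TCP|UDP) access denied by ACL from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)$"
)


def parse_pix_line(line):
    """Split one PIX syslog line into its fields; None if the line is not in that format."""
    m = PIX_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def find_hairpin_attempts(lines, inside_net, mapped_port=80):
    """Return the 710003 events where a host on inside_net reached the mapped
    port on an address the PIX regards as its own, arriving on the inside
    interface.  The PIX logs 710003 only for to-the-box traffic, so such a
    line means the static translation was never consulted: the inside host is
    talking to the firewall, not to the web server behind it.
    """
    net = ipaddress.ip_network(inside_net)
    hits = []
    for line in lines:
        rec = parse_pix_line(line)
        if rec is None or rec["msgid"] != "710003":
            continue
        m = ACL_710003.match(rec["text"])
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if m["ifc"] == "inside" and src in net and int(m["dport"]) == mapped_port:
            hits.append({"time": rec["ts"], "src": m["src"],
                         "dst": m["dst"], "dport": int(m["dport"])})
    return hits


def count_by_msgid(lines):
    """Histogram of message ids: a quick view of what the log is dominated by."""
    return Counter(rec["msgid"] for rec in map(parse_pix_line, lines) if rec)


# Constructed sample: lines from the thread, WAN address replaced by 203.0.113.10.
SAMPLE_LOG = """\
6|Dec 31 2005 10:55:44|305012: Teardown dynamic TCP translation from inside:srv.bauer/57517 to outside:203.0.113.10/5998 duration 0:00:30
3|Dec 31 2005 10:55:35|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:203.0.113.10/80
4|Dec 31 2005 10:55:32|106023: Deny tcp src outside:64.152.4.80/80 dst inside:203.0.113.10/5985 by access-group "outside_access_in"
6|Dec 31 2005 10:55:29|302013: Built outbound TCP connection 5264 for outside:64.233.183.99/80 (64.233.183.99/80) to inside:192.168.1.52/1423 (203.0.113.10/6001)
3|Dec 31 2005 10:55:29|710003: UDP access denied by ACL from 221.10.254.31/33275 to outside:203.0.113.10/1027
3|Dec 31 2005 10:55:28|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:203.0.113.10/80
""".splitlines()

if __name__ == "__main__":
    for h in find_hairpin_attempts(SAMPLE_LOG, "192.168.1.0/24"):
        print(f"{h['time']}: {h['src']} -> {h['dst']}:{h['dport']} reached the PIX itself "
              "on the inside interface; test the translation from outside instead")
    print(dict(count_by_msgid(SAMPLE_LOG)))
```

On the sample the script reports the two 192.168.1.50 attempts and ignores the unrelated 710003 from 221.10.254.31, which arrived on the outside interface for a port with no translation. Pointing it at a real PIX log (one line per message, same format) separates "someone is testing from the LAN" from "the static or ACL is wrong" before any configuration is changed.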