
pix 506E inbound connection


JEFF11
Hi,

I have spent the last few days trying to set up inbound connections on my PIX 506 without success.

Here is my configuration:

ISP router: 72.73.74.78
PIX outside interface: 72.73.74.73 255.255.248
PIX inside interface: 192.168.10.207 255.255.255.0

I use the PIX as a gateway for all my workstations/servers in my inside network (allowing every machine to have Internet access).

Here is the list of commands I used to enable my outbound access:

nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
route outside 0 0 72.73.74.78 1

Now what I want to achieve:

I have a web server in my inside network (192.168.10.230) which I want to be accessible from the Internet (2 ports need to be accessible: 80 and 87). I want Internet users to access my web server using 72.73.74.73, which is the address of my outside interface and also our public address on the Internet.

Any help will be greatly appreciated.

Regards,

Jeff.
 

~Set up port forwarding rules to the internal server

static (inside,outside) tcp 72.73.74.73 80 192.168.10.230 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.73.74.73 87 192.168.10.230 87 netmask 255.255.255.255 0 0

~Allow access via the outside access list

access-list outside-in permit tcp any host 72.73.74.73 eq 80
access-list outside-in permit tcp any host 72.73.74.73 eq 87

access-group outside-in in interface outside

Chris.



**********************
Chris A.C, CCNA, CCSA
**********************
 
Thanks for the quick reply Chris but external users still can't access my web server. I think I had tried this solution in my numerous attempts.

Is there anything else I can provide to you?

Many thanks

Jeff.

 
What Chris just showed you is the setup required on the PIX to allow people to access your web server.

Please post your full config, of course minus the passwords.

Computer/Network Technician
CCNA
 
Here it is; please note that the IP addresses shown below are the real ones. I used dummy ones in my previous posts.

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name emosparis.emos.net
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit tcp any host 81.80.41.233 eq www
access-list outside-in permit tcp any host 81.80.41.233 eq 87
pager lines 24
logging on
logging console informational
logging monitor informational
logging trap informational
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 81.80.41.233 255.255.255.248
ip address inside 192.168.96.207 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.96.243 255.255.255.255 inside
pdm location 192.168.96.230 255.255.255.255 inside
pdm location 81.80.41.234 255.255.255.255 outside
pdm location 81.80.41.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.96.0 255.255.255.0 0 0
static (inside,outside) tcp 81.80.41.233 www 192.168.96.230 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 81.80.41.233 87 192.168.96.230 87 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 81.80.41.238 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.96.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.96.243 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
: end
 
Ah, as you are using the IP address of the external interface then use the keyword 'interface' instead of the IP address of that interface in the static.

As in,

static (inside,outside) tcp interface 80 192.168.10.230 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 87 192.168.10.230 87 netmask 255.255.255.255 0 0

Try that.

Chris.



**********************
Chris A.C, CCNA, CCSA
**********************
 
This unfortunately doesn't make any difference. I now have this in my setup:

static (inside,outside) tcp interface www 192.168.96.230 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 87 192.168.96.230 87 netmask 255.255.255.255 0 0

Regards

Jeff
 
Can you see any connections on those ports being dropped in the logs? Can you see any active xlates for inbound connections? Can you see any matches against the access-list rules (sh access-list - (hitcnt=?))?

Your logging will tell you if the traffic is hitting the firewall, if the access-list has passed it and if it has dropped the connection.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi

I ran the following commands:

debug access-list all
debug packet outside
debug route

When we run "telnet 81.80.41.233 87" from the outside world, I get the following output on the console:

--------- PACKET ---------

-- IP --
217.204.193.234 ==> 81.80.41.233

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x30
id = 0xecf3 flags = 0x40 frag off=0x0
ttl = 0x6d proto=0x6 chksum = 0x9e4

-- TCP --
source port = 0x44ff dest port = 0x57 syn

seq = 0x1ba7388e
ack = 0x0
hlen = 0x7 window = 0xffff
checksum = 0xd2c3 urg = 0x0
tcp options:
0x2 0x4 0x5 0x94 0x1 0x1 0x4 0x2
--------- END OF PACKET ---------

I am a newbie on Cisco setup, is there any additional logging I can add to see where the problem is?

Many thanks

Jeff
 
try "sho access-list <accesslistname>"

Computer/Network Technician
CCNA
 
Yeah, no need to do 'debugging'. Simply having logging on and looking at the logs (sh logging) and the access-list (sh access-list) will be enough.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Doing the sh access-list, I can see the correct access-list line is hit depending on whether I try to access port 80 or port 87:

access-list outside-in; 2 elements
access-list outside-in line 1 permit tcp any interface outside eq www log 7 interval 60 (hitcnt=1)
access-list outside-in line 2 permit tcp any interface outside eq 87 log 7 interval 60 (hitcnt=2)

Jeff
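The two checks the thread walks through by hand, that every static has a matching permit in the ACL bound to the outside interface (Chris's static/access-list setup) and that the ACE is actually being hit (the sh access-list hitcnt output), as an added Python example that is not from the original posts or from Cisco. The sample config and show output are constructed from the lines posted above, with an extra 443 static added to show what a forgotten ACE looks like.

```python
"""Cross-check PIX 6.3 'static' port forwards against the ACL bound to the
outside interface and against 'show access-list' hit counters.
Added example for this thread, not a Cisco tool; sample text is constructed
from the posts above (an extra 443 static is added to show a missing ACE)."""
import re

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"^access-list (\S+) permit tcp any (?:host (\S+)|interface (\w+)) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
HIT_RE = re.compile(r"^access-list (\S+) line \d+ .* eq (\S+) .*\(hitcnt=(\d+)\)")
PORT_NAMES = {"www": "80", "http": "80"}  # PIX prints well-known ports by name

def port(p):
    return PORT_NAMES.get(p, p)

def check_inbound(config, show_acl=""):
    """One dict per static: which ACL guards its outside interface, whether
    that ACL permits the published port, and the ACE's hit count (if shown)."""
    statics, aces, bound = [], [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACE_RE.match(line):
            name, host, iface, p = m.groups()
            aces.append((name, host or iface, port(p)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)        # interface -> ACL name
    hits = {(m.group(1), port(m.group(2))): int(m.group(3))
            for m in map(HIT_RE.match, show_acl.splitlines()) if m}
    report = []
    for _inside, outside, ext_ip, ext_port, int_ip, int_port in statics:
        acl = bound.get(outside)
        # 'interface outside' in an ACE and the 'interface' keyword in a
        # static both mean the outside address, so either spelling matches.
        ok = any(n == acl and dst in (ext_ip, outside) and p == port(ext_port)
                 for n, dst, p in aces)
        report.append({"service": f"{ext_ip}:{ext_port}->{int_ip}:{int_port}",
                       "acl": acl, "permitted": ok,
                       "hits": hits.get((acl, port(ext_port)))})
    return report

SAMPLE_CONFIG = """
access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit tcp any interface outside eq 87
static (inside,outside) tcp interface www 192.168.96.230 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 87 192.168.96.230 87 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.96.231 443 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
"""
SAMPLE_SHOW = """
access-list outside-in line 1 permit tcp any interface outside eq www log 7 interval 60 (hitcnt=1)
access-list outside-in line 2 permit tcp any interface outside eq 87 log 7 interval 60 (hitcnt=2)
"""

if __name__ == "__main__":
    for r in check_inbound(SAMPLE_CONFIG, SAMPLE_SHOW):
        print(r)
```

A static that is permitted and shows hits but is still unreachable points past the firewall, at the server itself, which is exactly where this thread ended up.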
 
And the web server has the PIX set as its default gateway, correct?

Computer/Network Technician
CCNA
 
OK guys, shame on me...
I have to apologize for having wasted your time... The gateway of my web server was left pointing to another router...

Again many thanks for your help.

Jeff.
 
Glad we could help! :)

Computer/Network Technician
CCNA
 
BWAHAHAHAHAHAHA!!!!

How many times have I seen the "gateway was wrong" thing! I always make the mistake of presuming that it must be correct.

Jeff, don't worry man! I've done it myself ;-)

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi,

now I am facing another issue...

The access to my web server from the outside world works fine, but I am unable to access it from the inside using its public address. Did I miss something?

Thanks

Jeff
 
You can't use the public address from inside the PIX; you would have to use its private address.

The alternative is using the 'alias' command if you are resolving the domain name from an external DNS server. This doctors the DNS reply and replaces the external IP address with the internal address.


Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
I saw we could alias an address, but unfortunately I can't do this as not all traffic should be directed to the same server: port 80 from the public address will be directed to one web server and port 87 from the public address will be directed to another server...

Jeff
 
In that case you would need to do a static from two different external IPs to two internal IPs and then use the 'alias' on both of them. If you don't have the addresses available then it's more difficult.

You'll just have to use the internal addresses from inside the network or set up your hosts file to resolve the two different servers internally (or use an internal DNS server).

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 