Question

Locked

Why can't I reach internal Web Server from outside?

By bk6662 ·
I have a PIX 501 connected to my home ISP providing NAT/PAT, and routing. Internal hosts can get out no problem. Have an Apache web server running internally. I can reach it from inside with no problem. But no matter what I try, I can't seem to reach it from outside.

The local address for the webserver is 192.168.1.201. From outside I'm trying to reach it by typing in the ip address of the outside interface; that's the way to get to it right? So if my public IP was 10.176.101.4, I would type http://10.176.101.4 in the browser, correct? I'm attaching a show config, show version, show interface, show route and show xlate from the PIX. Please let me know if you see where I'm going wrong. Thanks!!

-Bk


PIX2# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123XYZ encrypted
passwd 123XYZ encrypted
hostname PIX2
domain-name ecc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit ip any any
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside-in permit tcp any host 10.176.101.4 eq www
access-list outside-in permit tcp any host 192.168.1.201 eq www
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 22
logging host inside 192.168.1.201
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0 (note: I've also tried'nat (inside) 1 0.0.0.0 0.0.0.0 0 0')
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 10.171.58.125
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 10.171.58.125 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:123XYZ
: end


PIX2# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a529
IP address 10.176.101.4, subnet mask 255.255.248.0
MTU 1500 bytes, BW 100000 Kbit full duplex
377294 packets input, 25432436 bytes, 0 no buffer
Received 358219 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
17515 packets output, 1928916 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/41)
output queue (curr/max blocks): hardware (0/14) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a52a
IP address 192.168.1.199, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
22937 packets input, 2050026 bytes, 0 no buffer
Received 67 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
56998 packets output, 9991631 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/14)
output queue (curr/max blocks): hardware (0/27) software (0/1)


PIX2# show ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PIX2 up 10 hours 52 mins

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000b.be94.a529, irq 9
1: ethernet1: address is 000b.be94.a52a, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.


PIX2# show route
outside 0.0.0.0 0.0.0.0 10.176.96.1 1 DHCP static
outside 10.176.96.0 255.255.248.0 10.176.101.4 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.199 1 CONNECT static


PIX2# show xlate
8 in use, 71 most used
PAT Global 10.176.101.4(7505) Local 192.168.1.201(39900)
PAT Global 10.176.101.4(7507) Local 192.168.1.201(41609)
PAT Global 10.176.101.4(7506) Local 192.168.1.201(58216)
PAT Global 10.176.101.4(7509) Local 192.168.1.201(45599)
PAT Global 10.176.101.4(750 Local 192.168.1.201(33990)
PAT Global 10.176.101.4(1031) Local 192.168.1.13(4302)
PAT Global 10.176.101.4(7510) Local 192.168.1.201(39729)
PAT Global 10.176.101.4(2991) Local 192.168.1.13(32209)

This conversation is currently closed to new comments.

42 total posts (Page 1 of 5)   01 | 02 | 03 | 04 | 05   Next
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Public IP Address

by NetMan1958 In reply to Why can't I reach interna ...

10.176.101.4 isn't the actual IP address on the outside interface is it?

Collapse -

Public address

by bk6662 In reply to Public IP Address

No - I just changed it in this posting for security purposes. Let me know if you need the actual public IP. Thx!

Collapse -

Try this

by NetMan1958 In reply to Public address

If you want to PM me the actual public IP, I will test it from here. Also I'd like for you to do this:
Clear the counters on your access-lists:
"clear access-list outside-in counters"
Then verify that the counters show 0:
"sh access-list outside-in"
Then try to connect to the server from the outside. Next, recheck the access-list counters and see if they incremented.

Collapse -

Done

by bk6662 In reply to Try this

Counter cleared - public IP sent as you've requested. Please let me know if you haven't received the PM.

-Bk

Collapse -

I think I see the problem

by NetMan1958 In reply to Done

Try disabling http server on the PIX itself with this:
"no http server enable"

Then give see if you can connect to your web server from outside. If that solves the problem, I think we can use another port to access the PIX itself over http.

Collapse -

I thought you had solved it!

by bk6662 In reply to Why can't I reach interna ...

When I saw your post I thought "Of course!!!" But I removed that entry from the running config - still can't connect (error 504 Destination not responding). By the way I forgot to add I -can- connect from the remote network over VPN.

Did you see the nat (inside) 1 entry in my config? I made a change to test, based on another post I stumbled across. Do you think I should change it back to 0.0.0.0 0.0.0.0 0 0, and try again? I'm afraid I'll lose remote connectivity once I make that change, but if you think it's worth a shot I may try it....

Collapse -

Just going to jump in for a second...

by CG IT In reply to I thought you had solved ...

bottom line is:

any traffic arriving on the external interface bound for port 80 needs to be forwarded to the https server and then back to the requestor. That traffic needs inside/outside NAT to make the round trip.

Collapse -

Jump on in!!

by bk6662 In reply to Just going to jump in for ...

Trust me I can use all the help I can get!! I'm not working on https yet - sticking with port 80 for now. Since I only have a single public IP I'm using PAT. I have it set up identical to the PAT scenario in Cisco DocID 12496. I also found a forum message on Cisco Support (search for "PIX allowing inbound access, 1 external IP") where they did exactly what I'm trying to do.

Thanks!

Collapse -

sorry typo on the https meant http port 80 traffic

by CG IT In reply to Jump on in!!

do you have SDM ?

not really a PIX guy PIX to me = pita

Collapse -

More

by NetMan1958 In reply to I thought you had solved ...

Leave the PIX http server disabled and run:
"clear xlate"
Then try accessing the web server and let me know the results. Also, can you check again and make sure the access-list counters aren't incrementing since I have tried to connect from here.
You can go ahead and change your NAT back to the 0.0.0.0 0.0.0.0.

Back to Networks Forum
42 total posts (Page 1 of 5)   01 | 02 | 03 | 04 | 05   Next

Related Discussions

Related Forums