Question

Locked

Why can't I reach internal Web Server from outside?

By bk6662 ·
I have a PIX 501 connected to my home ISP providing NAT/PAT, and routing. Internal hosts can get out no problem. Have an Apache web server running internally. I can reach it from inside with no problem. But no matter what I try, I can't seem to reach it from outside.

The local address for the webserver is 192.168.1.201. From outside I'm trying to reach it by typing in the ip address of the outside interface; that's the way to get to it right? So if my public IP was 10.176.101.4, I would type http://10.176.101.4 in the browser, correct? I'm attaching a show config, show version, show interface, show route and show xlate from the PIX. Please let me know if you see where I'm going wrong. Thanks!!

-Bk


PIX2# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123XYZ encrypted
passwd 123XYZ encrypted
hostname PIX2
domain-name ecc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit ip any any
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside-in permit tcp any host 10.176.101.4 eq www
access-list outside-in permit tcp any host 192.168.1.201 eq www
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 22
logging host inside 192.168.1.201
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0 (note: I've also tried'nat (inside) 1 0.0.0.0 0.0.0.0 0 0')
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 10.171.58.125
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 10.171.58.125 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:123XYZ
: end


PIX2# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a529
IP address 10.176.101.4, subnet mask 255.255.248.0
MTU 1500 bytes, BW 100000 Kbit full duplex
377294 packets input, 25432436 bytes, 0 no buffer
Received 358219 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
17515 packets output, 1928916 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/41)
output queue (curr/max blocks): hardware (0/14) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a52a
IP address 192.168.1.199, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
22937 packets input, 2050026 bytes, 0 no buffer
Received 67 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
56998 packets output, 9991631 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/14)
output queue (curr/max blocks): hardware (0/27) software (0/1)


PIX2# show ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PIX2 up 10 hours 52 mins

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000b.be94.a529, irq 9
1: ethernet1: address is 000b.be94.a52a, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.


PIX2# show route
outside 0.0.0.0 0.0.0.0 10.176.96.1 1 DHCP static
outside 10.176.96.0 255.255.248.0 10.176.101.4 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.199 1 CONNECT static


PIX2# show xlate
8 in use, 71 most used
PAT Global 10.176.101.4(7505) Local 192.168.1.201(39900)
PAT Global 10.176.101.4(7507) Local 192.168.1.201(41609)
PAT Global 10.176.101.4(7506) Local 192.168.1.201(58216)
PAT Global 10.176.101.4(7509) Local 192.168.1.201(45599)
PAT Global 10.176.101.4(750 Local 192.168.1.201(33990)
PAT Global 10.176.101.4(1031) Local 192.168.1.13(4302)
PAT Global 10.176.101.4(7510) Local 192.168.1.201(39729)
PAT Global 10.176.101.4(2991) Local 192.168.1.13(32209)

This conversation is currently closed to new comments.

42 total posts (Page 2 of 5)   Prev   01 | 02 | 03 | 04 | 05   Next
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Re: More

by bk6662 In reply to More

I've done as requested - still no go. (I had cleared the xlate table several times already - just did it again). Have also changed nat (inside) 1 as you've advised.

Here is the output of "show access-lists":

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list outbound; 1 elements
access-list outbound line 1 permit ip any any (hitcnt=12382)
access-list NoNAT; 1 elements
access-list NoNAT line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=165)
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=52)
access-list outside-in; 2 elements
access-list outside-in line 1 permit tcp any host 70.176.101.4 eq www (hitcnt=0)
access-list outside-in line 2 permit tcp any host 192.168.1.201 eq www (hitcnt=0)

Collapse -

Another thought

by NetMan1958 In reply to Re: More

Let's try changing this:
access-list outside-in permit tcp any host 10.176.101.4 eq www
access-list outside-in permit tcp any host 192.168.1.201 eq www
to:
access-list outside-in permit tcp any interface outside eq www

Collapse -

Sorry Netman

by bk6662 In reply to Another thought

I changed the outside-in access list as you've recommended. I then cleared the xlate table, and tried connecting again. Still nothing. Somehow www traffic doesn't seem to be hitting the PIX?

Collapse -

are you sure that inbound traffic to your public address

by CG IT In reply to Sorry Netman

isn't getting to the external interface? do you have split tunneling?

If netman is trying to get in using the public address, and your PIX if configured to listen for inbound traffic on the address, there ought to be something showing on the PIX that is gets the traffic and does something with it.

Collapse -

why not try changing the port from www to 80

by CG IT In reply to Another thought

while www "should" work, never know with the PIX.

Collapse -

Good idea

by NetMan1958 In reply to why not try changing the ...

That's a good idea as I have seen the actual port number work when the acronymn didn't. The really wierd thing is that while I can't connect to his web server on port 80, if I use putty and try ssh to his outside IP address I actually get a login prompt for a linux/unix server while the config he posted doesn't show any port-forwarding or static-nat for ssh nor does his access-list permit it.
Very Strange. I'm going to have to think on this one.

Collapse -

ooh ohh you shouldn't if his access lists are right

by CG IT In reply to Good idea

.. so you used 22? wonder if that any any statement is the problem.

Collapse -

Busted!!

by bk6662 In reply to Good idea

Sorry I didn't broadcast that I currently have "ssh 0 0 outside" enabled. That's why NetMan is able to get a login prompt.

Collapse -

ssh 192.168.1.0 255.255.255.0 inside

by CG IT In reply to Good idea

that's what you have for ssh

so netman shouldn't get in from outside using the public address and port 22 if your access-lists are right because at the end of eveyr access list is the deny statement.

so port 22 traffic shouldn't match up with any allowed statements unless you have any any or tcp any any in which case http traffic ought to work.

Collapse -

RE: Busted! - SSH on outside

by NetMan1958 In reply to Good idea

Something is still not right. I'm not getting a login to your PIX, I'm getting a login prompt for a linux/unix server.
I copied this from Putty:
login as: root
Sent username "root"
root@xx.176.101.4's password:

Back to Networks Forum
42 total posts (Page 2 of 5)   Prev   01 | 02 | 03 | 04 | 05   Next

Related Discussions

Related Forums