Question

Locked

Why can't I reach internal Web Server from outside?

By bk6662 ·
I have a PIX 501 connected to my home ISP providing NAT/PAT, and routing. Internal hosts can get out no problem. Have an Apache web server running internally. I can reach it from inside with no problem. But no matter what I try, I can't seem to reach it from outside.

The local address for the webserver is 192.168.1.201. From outside I'm trying to reach it by typing in the ip address of the outside interface; that's the way to get to it right? So if my public IP was 10.176.101.4, I would type http://10.176.101.4 in the browser, correct? I'm attaching a show config, show version, show interface, show route and show xlate from the PIX. Please let me know if you see where I'm going wrong. Thanks!!

-Bk


PIX2# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123XYZ encrypted
passwd 123XYZ encrypted
hostname PIX2
domain-name ecc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit ip any any
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside-in permit tcp any host 10.176.101.4 eq www
access-list outside-in permit tcp any host 192.168.1.201 eq www
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 22
logging host inside 192.168.1.201
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0 (note: I've also tried'nat (inside) 1 0.0.0.0 0.0.0.0 0 0')
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 10.171.58.125
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 10.171.58.125 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:123XYZ
: end


PIX2# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a529
IP address 10.176.101.4, subnet mask 255.255.248.0
MTU 1500 bytes, BW 100000 Kbit full duplex
377294 packets input, 25432436 bytes, 0 no buffer
Received 358219 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
17515 packets output, 1928916 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/41)
output queue (curr/max blocks): hardware (0/14) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a52a
IP address 192.168.1.199, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
22937 packets input, 2050026 bytes, 0 no buffer
Received 67 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
56998 packets output, 9991631 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/14)
output queue (curr/max blocks): hardware (0/27) software (0/1)


PIX2# show ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PIX2 up 10 hours 52 mins

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000b.be94.a529, irq 9
1: ethernet1: address is 000b.be94.a52a, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.


PIX2# show route
outside 0.0.0.0 0.0.0.0 10.176.96.1 1 DHCP static
outside 10.176.96.0 255.255.248.0 10.176.101.4 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.199 1 CONNECT static


PIX2# show xlate
8 in use, 71 most used
PAT Global 10.176.101.4(7505) Local 192.168.1.201(39900)
PAT Global 10.176.101.4(7507) Local 192.168.1.201(41609)
PAT Global 10.176.101.4(7506) Local 192.168.1.201(58216)
PAT Global 10.176.101.4(7509) Local 192.168.1.201(45599)
PAT Global 10.176.101.4(750 Local 192.168.1.201(33990)
PAT Global 10.176.101.4(1031) Local 192.168.1.13(4302)
PAT Global 10.176.101.4(7510) Local 192.168.1.201(39729)
PAT Global 10.176.101.4(2991) Local 192.168.1.13(32209)

This conversation is currently closed to new comments.

42 total posts (Page 4 of 5)   Prev   02 | 03 | 04 | 05   Next
| Thread display: Collapse - | Expand +

All Answers

Collapse -

That's it!

by bk6662 In reply to Success!

So you are able to connect via port 8880? Apparently:

- The ISP is in fact blocking port 80, and;
- My corporate office must be blocking non-standard ports. (dang don't know why I never thought about that!)

I tried the telnet connection you mentioned but didn't get a response. But then again if they're blocking that port, I guess it wouldn't matter what protocol I'm using.

I guess I will need to keep that in mind whilst testing from the office.

Once again thank you both. I greatly appreciate your assistance!

-Bk

Collapse -

Your ISP

by NetMan1958 In reply to That's it!

I determined your ISP by doing a whois lookup on your IP address and did some research. Actually they do block port 80 along with several other well-known ports. I'm going to email you a link to a web page with details.

Collapse -

.

by CG IT In reply to Access-List
Collapse -

HitCounter

by bk6662 In reply to I think the problem is in ...

Ok I just noticed my hit-counter for line-2 of the ACL (permit tcp any interface outside eq 8080) is increasing when I attempt to connect over that port. Even though it still isn't connecting. That's progress right (at least traffic is coming in)? Nothing in the XLATE table showing that port though.

Collapse -

.

by CG IT In reply to HitCounter
Collapse -

Is your "public" ip routable?

by TobiF In reply to Why can't I reach interna ...

Ehhm. If your "public" address begins with 10. then you have a problem, which may be out of your reach. The range 10.x.x.x is (just like 192.168.x.x) used for private addressing, and not routable on the internet.
I.e. You may be reaching internet via two layers of NAT, where you're only able to deal with the settings of the inner layer.

Collapse -

firewall issue

by motRocks In reply to Is your "public" ip routa ...

sounds like there maybe more than one firewall here somewhere?

if this is so then there is another to configure. This would explain the different login screen one of the posters was seeing.

example, I have two boxes before I can connect to a machine at home. One is residential router (DSL), then my WIFI box for boradcasting round the house.

Initially I had a similar problem, when connecting to port 80 I was ONLY seeing the residential box. Then when I port forwarded, I was able to see my WIFI box. This didn't fix the issue obviously (I wanted a server on the WIFI box.

A little more tweaking and port forwarding, changed some default ports for config on both boxes and presto. worked.

try login to the ssh and work out what machine you are seeing.


my network diagram

NET -> RB -> WIFI BOX -> SERVER

where:
NET=internet
RB= residential box
WIFI = WIFI
SERVER = SERVER

I couldn't understand why I had ssh and no http until I realised I was connecting to the unix config's of boxes

Collapse -

DMZ can be useful

by TobiF In reply to firewall issue

In this type of setup, I'd give the wifi router a fixed IP address in the lan segment of the residential box, and then assign this address as DMZ, so that all arriving traffic from the internet is forwarded to "my own" router.

Collapse -

And your ISP doesn't block this traffic?

by TobiF In reply to Why can't I reach interna ...

Many internet providers for residential services will, on purpose, block incoming traffic to port 80(TCP) since too many home routers or PCs publish unprotected web services on this port, without the user realizing this.

Try to put your server on a different port, say 8010 and then add the port number like this:
myvirtualserver.dyndns.org:8010/start.html

Collapse -

ISP Blocking

by bk6662 In reply to And your ISP doesn't bloc ...

Hi TechRep,

Thank you for your replies. Yes it turned out the ISP was in fact blocking port 80, as you have implied. Another user on this forum was kind enough to perform a "Whois" lookup on my ISP and confirmed this to be the case. (See subject "Your ISP" in a previous post).

Appreciate your assist.

-bk

Back to Networks Forum
42 total posts (Page 4 of 5)   Prev   02 | 03 | 04 | 05   Next

Related Discussions

Related Forums