Question

Locked

Why can't I reach internal Web Server from outside?

By bk6662 ·
I have a PIX 501 connected to my home ISP providing NAT/PAT, and routing. Internal hosts can get out no problem. Have an Apache web server running internally. I can reach it from inside with no problem. But no matter what I try, I can't seem to reach it from outside.

The local address for the webserver is 192.168.1.201. From outside I'm trying to reach it by typing in the ip address of the outside interface; that's the way to get to it right? So if my public IP was 10.176.101.4, I would type http://10.176.101.4 in the browser, correct? I'm attaching a show config, show version, show interface, show route and show xlate from the PIX. Please let me know if you see where I'm going wrong. Thanks!!

-Bk


PIX2# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123XYZ encrypted
passwd 123XYZ encrypted
hostname PIX2
domain-name ecc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit ip any any
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside-in permit tcp any host 10.176.101.4 eq www
access-list outside-in permit tcp any host 192.168.1.201 eq www
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 22
logging host inside 192.168.1.201
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0 (note: I've also tried'nat (inside) 1 0.0.0.0 0.0.0.0 0 0')
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 10.171.58.125
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 10.171.58.125 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:123XYZ
: end


PIX2# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a529
IP address 10.176.101.4, subnet mask 255.255.248.0
MTU 1500 bytes, BW 100000 Kbit full duplex
377294 packets input, 25432436 bytes, 0 no buffer
Received 358219 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
17515 packets output, 1928916 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/41)
output queue (curr/max blocks): hardware (0/14) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a52a
IP address 192.168.1.199, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
22937 packets input, 2050026 bytes, 0 no buffer
Received 67 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
56998 packets output, 9991631 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/12 software (0/14)
output queue (curr/max blocks): hardware (0/27) software (0/1)


PIX2# show ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PIX2 up 10 hours 52 mins

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000b.be94.a529, irq 9
1: ethernet1: address is 000b.be94.a52a, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.


PIX2# show route
outside 0.0.0.0 0.0.0.0 10.176.96.1 1 DHCP static
outside 10.176.96.0 255.255.248.0 10.176.101.4 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.199 1 CONNECT static


PIX2# show xlate
8 in use, 71 most used
PAT Global 10.176.101.4(7505) Local 192.168.1.201(39900)
PAT Global 10.176.101.4(7507) Local 192.168.1.201(41609)
PAT Global 10.176.101.4(7506) Local 192.168.1.201(58216)
PAT Global 10.176.101.4(7509) Local 192.168.1.201(45599)
PAT Global 10.176.101.4(750 Local 192.168.1.201(33990)
PAT Global 10.176.101.4(1031) Local 192.168.1.13(4302)
PAT Global 10.176.101.4(7510) Local 192.168.1.201(39729)
PAT Global 10.176.101.4(2991) Local 192.168.1.13(32209)

This conversation is currently closed to new comments.

42 total posts (Page 5 of 5)   Prev   03 | 04 | 05
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Easy Diagonostic Way

by Master_Key In reply to Why can't I reach interna ...

1- First apart form the pix rules, just enable all ports forwarding to your local web server.
2- Check if it works (from outside your lan)
3- If it works, check each access rules on pix
4- if it didn't then might you are using windows 2008, or windows 7 ? it have special setting to allow Wan access, not only Lan ones.

Hope it guide you

Back to Networks Forum
42 total posts (Page 5 of 5)   Prev   03 | 04 | 05

Related Discussions

Related Forums