PIX 515 Can Ping Out-to-In but not any webservices getting out-to-in

Discussion in 'Cisco' started by Johnny Davis, Jan 18, 2004.

  1. Johnny Davis

    Johnny Davis Guest

    I have a PIX 515 that I am able to go from inside to outside. Can ping, resolve
    DNS, and everything else I want to do from the inside to the outside. I can Ping
    from the outside to hosts inside, but can not get traffic from the outside to
    pull up the webservices and some other services from the outside to the inside.
    I am sure it is something small that I am missing. Could someone take a look at
    the following Config and see if it jumps out at them since it is playing hide
    and seek on me and of course I have yet to get the seeking part done.

    Thanks in advance.

    Johnny

    The IPs have been changed to protect the innocent:

    Result of firewall command: "show config"

    : Saved
    : Written by enable_15 at 11:56:25.599 CST Sat Jan 17 2004
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    enable password rwhjNVeEJenglgd/ encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname Host
    domain-name DomainName
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 10.240.1.120 Laptop
    name 12.12.12.33 Office
    name 10.240.1.105 Yoda
    name 10.240.1.102 Luke
    name 10.240.1.111 Chewy
    name 10.240.1.110 Hans
    name 10.240.1.103 Obi
    name 10.240.1.101 Leah
    access-list outside_access_in remark RAdmin
    access-list outside_access_in permit tcp any eq 4899 any
    access-list outside_access_in permit tcp any eq https any
    access-list outside_access_in permit tcp any eq www any
    access-list outside_access_in permit tcp any eq ftp any
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit udp any eq domain any
    access-list outside_access_in permit tcp any eq domain any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit icmp 10.240.1.0 255.255.255.0 any
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 220.220.220.68 255.255.255.240
    ip address inside 10.240.1.1 255.255.255.0
    ip address intf2 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool remotevpn 10.240.2.200-10.240.2.254
    pdm location Laptop 255.255.255.255 inside
    pdm location 10.240.1.0 255.255.255.0 inside
    pdm location Office 255.255.255.255 outside
    pdm location Luke 255.255.255.255 inside
    pdm location Yoda 255.255.255.255 inside
    pdm location 10.0.0.0 255.0.0.0 inside
    pdm location Chewy 255.255.255.255 inside
    pdm location Hans 255.255.255.255 inside
    pdm location Obi 255.255.255.255 inside
    pdm location ChrisB 255.255.255.255 inside
    pdm location 12.12.12.32 255.255.255.240 outside
    pdm location 220.220.220.73 255.255.255.255 outside
    pdm location 220.220.220.74 255.255.255.255 outside
    pdm location 220.220.220.75 255.255.255.255 outside
    pdm location Leah 255.255.255.255 inside
    pdm location 10.240.1.100 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    static (inside,outside) 220.220.220.73 Leah netmask 255.255.255.255 0 0
    static (inside,outside) 220.220.220.72 Luke netmask 255.255.255.255 0 0
    static (inside,outside) 220.220.220.71 Obi netmask 255.255.255.255 0 0
    static (inside,outside) 220.220.220.70 Yoda netmask 255.255.255.255 0 0
    static (inside,outside) 220.220.220.78 Laptop netmask 255.255.255.255 0 0
    static (inside,outside) 220.220.220.75 Chewy netmask 255.255.255.255 0 0
    static (inside,outside) 220.220.220.74 Hans netmask 255.255.255.255 0 0
    static (inside,outside) 220.220.220.77 ChrisB netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    rip outside passive version 1
    route outside 0.0.0.0 0.0.0.0 220.220.220.65 1
    route inside 10.240.1.1 255.255.255.255 220.220.220.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http Office 255.255.255.255 outside
    http 10.240.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet 12.12.12.32 255.255.255.240 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP client configuration address local remotevpn
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn enable outside
    dhcpd address 10.240.1.200-10.240.1.254 inside
    dhcpd dns 12.12.12.36 12.12.12.35
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:61d77405e1c3b33c4eedb59178a4eea1
     
    Johnny Davis, Jan 18, 2004
    #1

  2. In article <>,
    Johnny Davis <> wrote:
    :I have a PIX 515 that I am able to go from inside to outside. Can ping, resolve
    :DNS, and everything else I want to do from the inside to the outside. I can Ping
    :from the outside to hosts inside, but can not get traffic from the outside to
    :pull up the webservices and some other services from the outside to the inside.
    :I am sure it is something small that I am missing.

    :access-list outside_access_in remark RAdmin
    :access-list outside_access_in permit tcp any eq 4899 any
    :access-list outside_access_in permit tcp any eq https any
    :access-list outside_access_in permit tcp any eq www any
    :access-list outside_access_in permit tcp any eq ftp any
    :access-list outside_access_in permit icmp any any
    :access-list outside_access_in permit udp any eq domain any
    :access-list outside_access_in permit tcp any eq domain any

    :access-group outside_access_in in interface outside

    You have source and destination reversed throughout outside_access_in.

    For outside access, the source should be the external address and
    the destination should be the target host -as known to the outside-.

    For inside access, the source should be the inside address -as known
    to the inside- and the destination should be the external target address
    [as known to the inside.]
    --
    So you found your solution
    What will be your last contribution?
    -- Supertramp (Fool's Overture)
     
    Walter Roberson, Jan 18, 2004
    #2

  3. Johnny Davis

    JD Guest

    Ok, I think I just lost the rest of the brain cells. I am not quite
    understanding the way the statement should read. I configured it via
    PDM, so are you saying that it did them backwards?

    Thanks for the simplification. The time working on this and the rest
    of work stuff has mushed me into a simple mind.

    Johnny

    On 18 Jan 2004 21:57:53 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <>,
    >Johnny Davis <> wrote:
    >:I have a PIX 515 that I am able to go from inside to outside. Can ping, resolve
    >:DNS, and everything else I want to do from the inside to the outside. I can Ping
    >:from the outside to hosts inside, but can not get traffic from the outside to
    >:pull up the webservices and some other services from the outside to the inside.
    >:I am sure it is something small that I am missing.
    >
    >:access-list outside_access_in remark RAdmin
    >:access-list outside_access_in permit tcp any eq 4899 any
    >:access-list outside_access_in permit tcp any eq https any
    >:access-list outside_access_in permit tcp any eq www any
    >:access-list outside_access_in permit tcp any eq ftp any
    >:access-list outside_access_in permit icmp any any
    >:access-list outside_access_in permit udp any eq domain any
    >:access-list outside_access_in permit tcp any eq domain any
    >
    >:access-group outside_access_in in interface outside
    >
    >You have source and destination reversed throughout outside_access_in.
    >
    >For outside access, the source should be the external address and
    >the destination should be the target host -as known to the outside-.
    >
    >For inside access, the source should be the inside address -as known
    >to the inside- and the destination should be the external target address
    >[as known to the inside.]
     
    JD, Jan 18, 2004
    #3
  4. In article <>,
    JD <> wrote:
    :Ok, I think I just lost the rest of the brain cells. I am not quite
    :understanding the way the statement should read. I configured it via
    :PDM, so are you saying that it did them backwards?

    Yes, probably. I suggest changing the order of one of the entries
    in the live config, and then viewing the result in PDM and see how it
    shows up.
    --
    How does Usenet function without a fixed point?
     
    Walter Roberson, Jan 18, 2004
    #4
  5. Johnny Davis

    JD Guest

    Nope, that did not change anything. Also, I got to thinking after
    trying that, that if the PDM was putting them in backwards then it
    would be doing the same for the inside_access_out ACL, right?

    For some reason I am thinking the public IP's are not bound to the
    outside interface for the PIX to know it is supposed to translate them
    to the host on the inside. I am doing one to one translation for
    internal to external addresses but do not see where the PIX knows to
    translate outside address 220.220.220.73 to internal address
    10.240.1.101. Could that be something that is missing?

    Thanks for all your help. I am obviously not a PIX person at all and
    trying to learn as I go.


    On 18 Jan 2004 22:55:22 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >In article <>,
    >JD <> wrote:
    >:Ok, I think I just lost the rest of the brain cells. I am not quite
    >:understanding the way the statement should read. I configured it via
    >:PDM, so are you saying that it did them backwards?
    >
    >Yes, probably. I suggest changing the order of one of the entries
    >in the live config, and then viewing the result in PDM and see how it
    >shows up.
     
    JD, Jan 18, 2004
    #5
  6. Johnny Davis

    McLeon Guest

    Remember that you probably can't access a host on the inside LAN directly
    from the outside.
    That's what the firewall is for!!
    If you're using PDM to configure such access rules, it always pops up a
    dialog for entering a translation rule. Your inside host has to be NAT
    translated to a DMZ (or outside) address.

    If you have e.g. :

    access-list outside_access_inside_dmz permit tcp any gt 1023 host <an
    address on the internet in your domain> eq 8006
    which permits access to port 8006 on outside host <an address on the
    internet in your domain>
    Then (in our case) you need to have
    pdm location ADHP11I 255.255.255.255 inside
    static (inside,outside) 193.172.46.39 ADHP11I netmask 255.255.255.255 0 0

    (ADHP11I is an internal UNIX server of ours)

    Regards

    McLeon


    This means you have to
    "JD" <> wrote in message
    news:...
    > Nope, that did not change anything. Also, I got to thinking after
    > trying that, that if the PDM was putting them in backwards then it
    > would be doing the same for the inside_access_out ACL, right?
    >
    > For some reason I am thinking the public IP's are not bound to the
    > outside interface for the PIX to know it is supposed to translate them
    > to the host on the inside. I am doing one to one translation for
    > internal to external addresses but do not see where the PIX knows to
    > translate outside address 220.220.220.73 to internal address
    > 10.240.1.101. Could that be something that is missing?
    >
    > Thanks for all your help. I am obviously not a PIX person at all and
    > trying to learn as I go.
    >
    >
    > On 18 Jan 2004 22:55:22 GMT, -cnrc.gc.ca (Walter
    > Roberson) wrote:
    >
    > >In article <>,
    > >JD <> wrote:
    > >:Ok, I think I just lost the rest of the brain cells. I am not quite
    > >:understanding the way the statement should read. I configured it via
    > >:PDM, so are you saying that it did them backwards?
    > >
    > >Yes, probably. I suggest changing the order of one of the entries
    > >in the live config, and then viewing the result in PDM and see how it
    > >shows up.

    >
     
    McLeon, Jan 19, 2004
    #6
  7. Johnny Davis

    Rich Myerly Guest

    I agree with Walter, the order change should clear it - you have the
    static commands in place to permit the traffic inward.

    Instead of your current rule:
    access-list outside_access_in permit tcp any eq 4899 any
    Re-arrange it to:
    access-list outside_access_in permit tcp any any eq 4899

    Your version is restricting inbound traffic to use a source port of
    4489, which is most likely invalid. I think your intent is to permit
    a destination port of 4489, which the second/rearranged rule will do
    for you. If my interpretation is incorrect, let me know and I'll try
    to help you further.

    Rich


    JD <> wrote in message news:<>...
    > Nope, that did not change anything. Also, I got to thinking after
    > trying that, that if the PDM was putting them in backwards then it
    > would be doing the same for the inside_access_out ACL, right?
    >
    > For some reason I am thinking the public IP's are not bound to the
    > outside interface for the PIX to know it is supposed to translate them
    > to the host on the inside. I am doing one to one translation for
    > internal to external addresses but do not see where the PIX knows to
    > translate outside address 220.220.220.73 to internal address
    > 10.240.1.101. Could that be something that is missing?
    >
    > Thanks for all your help. I am obviously not a PIX person at all and
    > trying to learn as I go.
    >
    >
    > On 18 Jan 2004 22:55:22 GMT, -cnrc.gc.ca (Walter
    > Roberson) wrote:
    >
    > >In article <>,
    > >JD <> wrote:
    > >:Ok, I think I just lost the rest of the brain cells. I am not quite
    > >:understanding the way the statement should read. I configured it via
    > >:PDM, so are you saying that it did them backwards?
    > >
    > >Yes, probably. I suggest changing the order of one of the entries
    > >in the live config, and then viewing the result in PDM and see how it
    > >shows up.
     
    Rich Myerly, Jan 19, 2004
    #7
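As an added example (not code from the thread or from Cisco), the small Python linter below checks a PIX 6.x configuration for the two things the replies point at: the port qualifier sitting on the source side of the outside_access_in rules, which Walter and Rich describe in posts #2 and #7, and the static (inside,outside) translation McLeon notes in post #6 that every outside-reachable host needs. The access-list and static lines in POSTED_CONFIG are the ones Johnny posted; the two host-specific rules in CONSTRUCTED_HOST_RULES are constructed here in the form McLeon shows, and the address 220.220.220.99 is made up so that the static check has something to flag.

```python
"""Lint PIX 6.x access-list lines for two problems raised in the thread.

1. A TCP/UDP rule whose only port qualifier is on the SOURCE side, e.g.
   'permit tcp any eq 4899 any': it matches packets with source port 4899,
   not connections to port 4899 on an inside server.
2. An outside-facing rule whose destination host has no
   'static (inside,outside)' entry, so the PIX has nothing to translate it to.

Added example, not code from the thread or from Cisco.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port operators and the number of arguments each one takes.
PORT_OPERATORS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}


@dataclass
class Ace:
    acl: str
    action: str
    protocol: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]


def _take_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port qualifier such as 'eq www' or 'range 1 1023'."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = PORT_OPERATORS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended ACE; return None for remarks and non-ACL lines."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    try:
        src, i = _take_address(tokens, 4)
        src_port, i = _take_port(tokens, i)
        dst, i = _take_address(tokens, i)
        dst_port, _ = _take_port(tokens, i)
    except IndexError:  # truncated or unsupported syntax
        return None
    return Ace(tokens[1], tokens[2], tokens[3], src, src_port, dst, dst_port)


def parse_statics(config: str) -> Dict[str, str]:
    """Map each global (outside) address to its local host from static lines."""
    statics: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.match(r"\s*static \(inside,outside\) (\S+) (\S+)", line)
        if m:
            statics[m.group(1)] = m.group(2)
    return statics


def find_reversed_ports(config: str) -> List[Tuple[str, str]]:
    """(offending line, rewritten line) for TCP/UDP rules whose port
    qualifier is on the source instead of the destination."""
    findings = []
    for line in config.splitlines():
        ace = parse_ace(line)
        if ace and ace.protocol in ("tcp", "udp") and ace.src_port and not ace.dst_port:
            fixed = (f"access-list {ace.acl} {ace.action} {ace.protocol} "
                     f"{ace.src} {ace.dst} {ace.src_port}")
            findings.append((line.strip(), fixed))
    return findings


def find_missing_statics(config: str, acl_name: str) -> List[str]:
    """Destination hosts in acl_name that no static (inside,outside) covers."""
    statics = parse_statics(config)
    return [ace.dst.split()[1]
            for ace in map(parse_ace, config.splitlines())
            if ace and ace.acl == acl_name and ace.dst.startswith("host ")
            and ace.dst.split()[1] not in statics]


# Lines as posted in the thread (ACL plus two of the statics).
POSTED_CONFIG = """\
access-list outside_access_in remark RAdmin
access-list outside_access_in permit tcp any eq 4899 any
access-list outside_access_in permit tcp any eq https any
access-list outside_access_in permit tcp any eq www any
access-list outside_access_in permit tcp any eq ftp any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp any eq domain any
access-list outside_access_in permit tcp any eq domain any
static (inside,outside) 220.220.220.73 Leah netmask 255.255.255.255 0 0
static (inside,outside) 220.220.220.72 Luke netmask 255.255.255.255 0 0
"""

# Constructed lines (not from the thread): .73 has a static above, .99 does not.
CONSTRUCTED_HOST_RULES = """\
access-list outside_access_in permit tcp any host 220.220.220.73 eq www
access-list outside_access_in permit tcp any host 220.220.220.99 eq www
"""

if __name__ == "__main__":
    for bad, good in find_reversed_ports(POSTED_CONFIG):
        print(f"reversed: {bad}\n  fix ->  {good}")
    for ip in find_missing_statics(POSTED_CONFIG + CONSTRUCTED_HOST_RULES, "outside_access_in"):
        print(f"no static (inside,outside) for destination {ip}")
```

Run against the posted lines it reports six reversed rules (every TCP/UDP entry; the icmp line has no port) and rewrites each with the port moved to the destination, e.g. `permit tcp any any eq 4899`. The static check only has anything to say once the destinations are specific hosts, which is where McLeon's pairing of a `host <global address> eq <port>` rule with a `static (inside,outside)` line comes in.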