pix allows 21,25,110 but not port 80

Discussion in 'Cisco' started by Patrick, Feb 19, 2004.

  1. Patrick

    Patrick Guest

    I have a strange problem: a Cisco PIX 515e with access-lists and
    conduits will allow ports 21, 25, and 110, but for the life of me I
    cannot get port 80 traffic to pass. I port scan the pix and only
    21, 25, and 110 show as open.

    The webserver is windows 2000, ip 10.34.2.21, netmask 255.255.255.0,
    gateway 10.34.2.22 (the PIX inside).

    Here's my config. I am completely stumped on this one. Cisco looked
    at it and said "it should work". I have even turned off Apache and
    tried IIS with same results. show access-list shows the www counter
    incrementing when I request port 80.

    Any ideas?

    Thanks, -Patrick Price

    PIX Version 6.3(1)
    interface ethernet0 10full
    interface ethernet1 10full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pix
    domain-name foobar
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list inside_outbound_nat0_acl permit ip any 10.34.2.192 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 10.34.2.192 255.255.255.224
    access-list outside permit tcp any host 42.29.36.15 eq 8003
    access-list outside permit tcp any host 42.29.36.15 eq smtp
    access-list outside permit tcp any host 42.29.36.15 eq pop3
    access-list outside permit tcp any host 42.29.36.15 eq www
    access-list outside permit tcp any host 42.29.36.15 eq ftp
    access-list outside_cryptomap_dyn_40 permit ip any 10.34.2.192 255.255.255.224
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 42.29.36.15 255.255.255.252
    ip address inside 10.34.2.22 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn 10.34.2.200-10.34.2.220
    pdm logging notifications 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 8003 10.34.2.3 8003 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 10.34.2.21 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 10.34.2.21 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp 10.34.2.21 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 10.34.2.21 www netmask 255.255.255.255 0 0
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 24.49.36.13 1 (this is the gateway for the pix)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup ssi address-pool vpn
    vpngroup ssi dns-server 10.34.2.2 129.72.1.1
    vpngroup ssi default-domain foobar
    vpngroup ssi idle-time 1800
    vpngroup ssi password ********
    telnet timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:8e59c0763cd03538c687c6f5a7
    : end
    [OK]

    Again, Cisco TAC said "It should work. Must be a problem with your
    web server." It is not.
     
    Patrick, Feb 19, 2004
    #1

  2. Hello, Patrick!
    You wrote on 18 Feb 2004 16:42:58 -0800:

    P> PIX Version 6.3(1)

    You really want to upgrade. My wild guess is that you are dealing with
    CSCea84861. Version 6.3(2) should work.

    With best regards,
    Andrey.
     
    Andrey Tarasov, Feb 19, 2004
    #2

  3. Rik Bain

    Rik Bain Guest


    6.3.2 is deferred, I wouldn't recommend it.
     
    Rik Bain, Feb 19, 2004
    #3
  4. MyndPhlyp

    MyndPhlyp Guest

    v6.3(3) is the current release.
     
    MyndPhlyp, Feb 19, 2004
    #4
  5. Hello, Rik!
    You wrote to "Andrey Tarasov" <> on Thu, 19 Feb 2004 10:49:46 -0600:

    RB> 6.3.2 is deferred, I wouldn't recommend it.

    Oh, well... 6.3(3) then. Funny that Cisco didn't remove 6.3(1) though.

    With best regards,
    Andrey.
     
    Andrey Tarasov, Feb 19, 2004
    #5
  6. Julie

    Julie Guest

    Your config shows "http server enable" try shutting it down. It may be your
    pix is intercepting the port 80 for itself instead of forwarding it. Let us
    know if this works.


     
    Julie, Feb 19, 2004
    #6
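The condition Julie describes (the PIX's own management HTTP server, opened to the outside with `http 0.0.0.0 0.0.0.0 outside`, sharing port 80 on the outside interface address with the `static ... interface www` forward) is something a config review can catch mechanically. The following Python checker is an added example, not code from the thread or from Cisco: it parses the relevant statements of the posted config, reports the port-80 collision, reports management reachable from any source, and cross-checks that every interface static has a matching permit in the ACL applied inbound on that interface. The regexes are an assumption that covers only the statement forms present in this config.

```python
import re
# Constructed excerpt of the PIX 6.3(1) config posted in the thread, with the
# wrapped lines rejoined; only the statements the checks need are included.
PIX_CONFIG = """\
access-list outside permit tcp any host 42.29.36.15 eq smtp
access-list outside permit tcp any host 42.29.36.15 eq pop3
access-list outside permit tcp any host 42.29.36.15 eq www
static (inside,outside) tcp interface smtp 10.34.2.21 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.34.2.21 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.34.2.21 www netmask 255.255.255.255 0 0
access-group outside in interface outside
http server enable
http 0.0.0.0 0.0.0.0 outside
"""
# PIX accepts these service names in place of port numbers (subset used here).
PORT_NAMES = {"ftp": 21, "smtp": 25, "pop3": 110, "www": 80, "http": 80}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+) ")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host \S+ eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\w+)$")

def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def audit(config):
    # forwards: (iface, port) -> inside host; acl_ports: acl -> ports it permits;
    # groups: iface -> acl applied inbound; http_mgmt: (src, mask, iface) for PDM.
    forwards, acl_ports, groups, http_mgmt, http_server = {}, {}, {}, [], False
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            forwards[(m[2], port_num(m[3]))] = m[4]
        elif m := ACL_RE.match(line):
            acl_ports.setdefault(m[1], set()).add(port_num(m[2]))
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]
        elif line == "http server enable":
            http_server = True
        elif m := HTTP_RE.match(line):
            http_mgmt.append((m[1], m[2], m[3]))
    findings = []
    for src, mask, iface in http_mgmt:
        if (src, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(f"PDM management reachable from any source on {iface}")
        if http_server and (iface, 80) in forwards:
            findings.append(f"port 80 on {iface}: PIX HTTP server and static to {forwards[(iface, 80)]} collide")
    for (iface, port), host in forwards.items():
        if port not in acl_ports.get(groups.get(iface), set()):
            findings.append(f"static {host}:{port} on {iface} has no ACL permit")
    return findings
```

Running `audit(PIX_CONFIG)` on the excerpt reports the two management findings and no ACL mismatch, which matches the symptom in the thread: the www ACL counter increments, yet the forward never reaches 10.34.2.21.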
