PIX Port Forwarding Problem

Discussion in 'Cisco' started by Cisco Newbie, Dec 31, 2005.

  1. Cisco Newbie

    Cisco Newbie Guest

    I've been trying for some time to get my PIX 515 firewall to allow HTTP
    requests to pass through and go to a web server hosted on my internal
    network. Unfortunately I have not managed to get this working, even after
    reading numerous articles. The scenario is that the outside interface is
    connected to a cable modem and the WAN IP address is assigned through DHCP
    by my ISP. My PIX config is shown below; I want www requests to my dynamic
    IP address to be passed through to an internal web server at 192.168.1.150.
    Can anyone see what is wrong with my configuration?

    asdm image flash:/asdm-501.bin
    no asdm history enable
    : Saved
    :
    PIX Version 7.0(1)
    names
    name 192.168.1.0 ctu
    name 192.168.1.150 srv.bauer
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    hostname pixfirewall
    domain-name ctu.local
    ftp mode passive
    dns retries 2
    dns timeout 2
    dns domain-lookup inside
    dns name-server srv.bauer
    access-list acl_out extended deny icmp any any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any interface outside eq www
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    monitor-interface outside
    monitor-interface inside
    icmp deny any echo outside
    asdm image flash:/asdm-501.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface www srv.bauer www netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http ctu 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.50-192.168.1.149 inside
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd enable inside
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect pptp
    inspect http
    : end
    Thanks in advance
     
    Cisco Newbie, Dec 31, 2005
    #1

  2. Easiest way to troubleshoot any configuration - look at the log. What does
    it say when somebody tries to connect to your website? It will give you a
    direction, where to look.

    Good luck,

    Mike
    www.ciscoheadsetadapter.com
     
    CiscoHeadsetAdapter.com, Dec 31, 2005
    #2

  3. Cisco Newbie

    MyndPhlyp Guest

    This series of commands accomplishes the task on my PIX 501. It should also
    work on your 515.

    static (inside,outside) tcp interface 80 192.168.1.150
    access-list outside_access_in permit tcp any interface outside eq 80
    clear xlate
    clear arp
    clear local
    write mem
     
    MyndPhlyp, Dec 31, 2005
    #3
  4. This is what he has as well!

     
    Julian Dragut, Dec 31, 2005
    #4
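Post #3 lists the same static PAT and ACL pair that is already in the posted config, and post #4 points that out. As an added check, not code from the thread or from Cisco, the following Python script reassembles the three statements a PIX port forward depends on (the `static (inside,outside) tcp interface ...` PAT, the `access-list ... permit tcp ... interface outside eq ...` entry, and the `access-group ... in interface outside` binding) and confirms they line up for a given inside host and port. The embedded sample is the poster's config with the wrapped lines joined; `PORT_NAMES` and the regexes are assumptions that only cover the command forms seen in this thread. Run against the posted config it reports nothing wrong, which is consistent with the later replies: the configuration is fine, the test method is not. A second, constructed variant with the `access-group` line removed shows what a real gap looks like.

```python
"""Check that a PIX config carries the three pieces a port forward needs:
a static PAT on the outside interface, an inbound ACL entry permitting the
traffic to that interface address, and the ACL bound inbound on 'outside'.
Hypothetical helper written for this thread; it is not Cisco tooling and only
understands the command forms that appear in the posted config."""
import re

# Service keywords the PIX accepts instead of numbers (subset; assumed here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21}

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) tcp (.+?) interface (\w+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\w+)$")


def port_number(token):
    """Map 'www' or '80' to 80; raise on anything unknown."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port keyword {token!r}")


def parse_pix_config(text):
    """Pull name aliases, static PATs, ACL entries and access-group bindings."""
    cfg = {"names": {}, "statics": [], "acls": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            cfg["names"][m.group(2)] = m.group(1)              # alias -> address
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({
                "outside_port": port_number(m.group(3)),
                "host": cfg["names"].get(m.group(4), m.group(4)),
                "host_port": port_number(m.group(5)),
            })
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append({
                "action": m.group(2), "src": m.group(3),
                "iface": m.group(4), "port": port_number(m.group(5)),
            })
        elif m := GROUP_RE.match(line):
            cfg["groups"][(m.group(3), m.group(2))] = m.group(1)  # (iface, dir) -> acl
    return cfg


def check_forward(cfg, host, port):
    """Return a list of problems; an empty list means the forward is wired up."""
    host = cfg["names"].get(host, host)
    statics = [s for s in cfg["statics"] if s["host"] == host and s["host_port"] == port]
    if not statics:
        return [f"no 'static (inside,outside) tcp interface ...' for {host}:{port}"]
    outside_port = statics[0]["outside_port"]
    acl = cfg["groups"].get(("outside", "in"))
    if acl is None:
        return ["no access-group bound inbound on interface outside"]
    hits = [e for e in cfg["acls"].get(acl, [])
            if e["action"] == "permit" and e["iface"] == "outside" and e["port"] == outside_port]
    if not hits:
        return [f"ACL {acl} has no 'permit tcp ... interface outside eq {outside_port}'"]
    return []


# The relevant lines of the poster's config (wrapped lines joined).
POSTED_CONFIG = """\
name 192.168.1.0 ctu
name 192.168.1.150 srv.bauer
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit icmp any any
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www srv.bauer www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

# Constructed broken variant: the outside ACL is defined but never applied.
BROKEN_CONFIG = POSTED_CONFIG.replace("access-group outside_access_in in interface outside\n", "")


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("broken", BROKEN_CONFIG)):
        problems = check_forward(parse_pix_config(text), "srv.bauer", 80)
        print(label, "->", problems or "port forward is wired up")
```

Because `name` lines always precede the commands that use them in a PIX config, aliases such as `srv.bauer` are resolved while parsing; `check_forward` also accepts the alias directly.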
  5. Cisco Newbie

    Cisco Newbie Guest

    The log I get when trying to access my web site is as follows:

    6|Dec 31 2005 10:55:44|305012: Teardown dynamic TCP translation from inside:srv.bauer/57517 to outside:xx.xx.xx.xx/5998 duration 0:00:30
    6|Dec 31 2005 10:55:44|305012: Teardown dynamic TCP translation from inside:srv.bauer/57516 to outside:xx.xx.xx.xx/5997 duration 0:00:30
    6|Dec 31 2005 10:55:43|305012: Teardown dynamic TCP translation from inside:srv.bauer/57515 to outside:xx.xx.xx.xx/5996 duration 0:00:30
    6|Dec 31 2005 10:55:43|305012: Teardown dynamic TCP translation from inside:srv.bauer/57514 to outside:xx.xx.xx.xx/5995 duration 0:00:30
    6|Dec 31 2005 10:55:42|305012: Teardown dynamic TCP translation from inside:srv.bauer/57513 to outside:xx.xx.xx.xx/5994 duration 0:00:30
    3|Dec 31 2005 10:55:35|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
    6|Dec 31 2005 10:55:33|305012: Teardown dynamic TCP translation from inside:192.168.1.50/2984 to outside:xx.xx.xx.xx/5993 duration 0:00:30
    6|Dec 31 2005 10:55:33|305012: Teardown dynamic UDP translation from inside:srv.bauer/1031 to outside:xx.xx.xx.xx/1033 duration 0:00:30
    4|Dec 31 2005 10:55:32|106023: Deny tcp src outside:64.152.4.80/80 dst inside:xx.xx.xx.xx/5985 by access-group "outside_access_in"
    6|Dec 31 2005 10:55:29|609002: Teardown local-host outside:64.233.183.99 duration 0:00:00
    6|Dec 31 2005 10:55:29|302014: Teardown TCP connection 5264 for outside:64.233.183.99/80 to inside:192.168.1.52/1423 duration 0:00:00 bytes 2272 TCP FINs
    3|Dec 31 2005 10:55:29|710003: UDP access denied by ACL from 221.10.254.31/33275 to outside:xx.xx.xx.xx/1027
    5|Dec 31 2005 10:55:29|304001: 192.168.1.52 Accessed URL 64.233.183.99:/
    6|Dec 31 2005 10:55:29|302013: Built outbound TCP connection 5264 for outside:64.233.183.99/80 (64.233.183.99/80) to inside:192.168.1.52/1423 (xx.xx.xx.xx/6001)
    6|Dec 31 2005 10:55:29|305011: Built dynamic TCP translation from inside:192.168.1.52/1423 to outside:xx.xx.xx.xx/6001
    6|Dec 31 2005 10:55:29|609001: Built local-host outside:64.233.183.99
    3|Dec 31 2005 10:55:28|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
    3|Dec 31 2005 10:55:26|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80

    I've replaced my WAN IP with xx.xx.xx.xx

    Thanks
     
    Cisco Newbie, Dec 31, 2005
    #5
  6. The PIX thinks that you are attempting to access the http service
    of the PIX itself, rather than passing along the request to
    the inside machine.
    As I recall you are running PIX 7; I don't know much about PIX 7.
    In PIX 6.3, messages such as those are artifacts: the PIX thinks the
    connection has been torn down but then it sees the final packet or two
    from the remote host clearing down the connection, and it logs them
    as if the remote host is trying to create a new connection. This
    situation was handled better in earlier PIX versions and I had hoped
    it would be returned to something more sensible in PIX 7.
    Hmmm, that's odd. In PIX 6, you can only get local-hosts associated
    with inner interfaces, unless you happen to exchange interface names
    (which the PIX warns about.) Looking at the PIX 7.0 documentation,
    I see that local-host has an expanded role, but I'm having a
    bit of difficulty in working from the examples back to what the
    new local-host conception is.

    I would have expected those last two to be reversed, the TCP translation
    built before the outbound TCP connection. Perhaps the processing order
    has changed in 7.0.
     
    Walter Roberson, Dec 31, 2005
    #6
  7. Cisco Newbie

    Cisco Newbie Guest

    Do you know how to stop the PIX thinking the request is trying to access the
    internal HTTP service?
     
    Cisco Newbie, Dec 31, 2005
    #7
    Please test your configuration FROM OUTSIDE. You can't expect the PIX to NAT
    your inside address to an outside one and re-NAT the same connection
    instantaneously from outside to inside.
     
    Lutz Donnerhacke, Jan 2, 2006
    #8
  9. What they're trying to say is:

    Cannot come in through the same door you went out!!!

    JD
     
    Julian Dragut, Jan 4, 2006
    #9
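The log in post #5 and the explanations in posts #6, #8 and #9 together make one point: the only denies that matter are the 710003 lines where an inside host (192.168.1.50) sends to the PIX's own public address on port 80, which the PIX treats as a request for its own http service rather than traffic to forward. As an added example, not code from the thread or from Cisco, this Python script parses the posted syslog lines and labels each deny accordingly, so the same mistake can be spotted in a larger log without reading every line. The sample lines are the poster's (with the WAN address redacted to xx.xx.xx.xx as posted, so the public address is matched as a literal string); the label names, the inside network 192.168.1.0/24, and the "late reply after teardown" heuristic for 106023 (service source port, ephemeral destination port, as Walter describes for PIX 6.3) are assumptions made here.

```python
"""Classify the deny lines of a PIX syslog to separate the one that explains
the thread's symptom from the ones that do not.  Hypothetical helper for this
discussion, not Cisco tooling; the labels encode the explanations in the replies."""
import ipaddress
import re
from collections import Counter

# Lines as posted (WAN address redacted to xx.xx.xx.xx by the poster), trimmed to the denies.
POSTED_LOG = """\
3|Dec 31 2005 10:55:35|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
4|Dec 31 2005 10:55:32|106023: Deny tcp src outside:64.152.4.80/80 dst inside:xx.xx.xx.xx/5985 by access-group "outside_access_in"
3|Dec 31 2005 10:55:29|710003: UDP access denied by ACL from 221.10.254.31/33275 to outside:xx.xx.xx.xx/1027
3|Dec 31 2005 10:55:28|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
3|Dec 31 2005 10:55:26|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
"""

LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
# 710003: a packet addressed to the firewall itself was refused.
TO_FW_RE = re.compile(r"access denied by ACL from (?P<src>\S+)/\d+ to (?P<iface>\w+):(?P<dst>\S+)/(?P<dport>\d+)")
# 106023: a through-traffic packet was dropped by an interface ACL.
THROUGH_RE = re.compile(r"Deny \w+ src (?P<siface>\w+):(?P<src>\S+)/(?P<sport>\d+) dst (?P<diface>\w+):\S+/(?P<dport>\d+)")


def in_net(addr, net):
    """True if addr lies in net; a redacted or malformed address never matches."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    except ValueError:
        return False


def classify(line, outside_ip, inside_net):
    """Return a label for one syslog line, or None if it is not a deny we recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msgid, text = m.group("msgid"), m.group("text")
    if msgid == "710003":
        d = TO_FW_RE.search(text)
        if not d:
            return None
        d = d.groupdict()
        # An inside host aimed at the public address: the PIX sees a request for
        # its own http service, not a connection to translate and forward.
        if d["iface"] == "inside" and d["dst"] == outside_ip and in_net(d["src"], inside_net):
            return "hairpin_test_from_inside"
        return "unsolicited_to_firewall"
    if msgid == "106023":
        d = THROUGH_RE.search(text)
        if not d:
            return None
        d = d.groupdict()
        # Heuristic (assumed): service source port and ephemeral destination port
        # looks like a straggler reply for a connection already torn down.
        if d["siface"] == "outside" and int(d["sport"]) < 1024 and int(d["dport"]) >= 1024:
            return "late_reply_after_teardown"
        return "inbound_denied_by_acl"
    return None


def summarize(log_text, outside_ip="xx.xx.xx.xx", inside_net="192.168.1.0/24"):
    """Count each label across the log; the caller decides which ones to act on."""
    counts = Counter()
    for line in log_text.splitlines():
        label = classify(line, outside_ip, inside_net)
        if label:
            counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, n in sorted(summarize(POSTED_LOG).items()):
        print(f"{n:3d}  {label}")
```

On a real log, pass the firewall's actual outside address as `outside_ip`; a count of `hairpin_test_from_inside` greater than zero means the forward was tested from the LAN through the public address, which is exactly the case the replies say will never work, so the test has to be repeated from an outside host before anything in the config is changed.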