Why can't I reach internal Web Server from outside?

Guest

Why can't I reach internal Web Server from outside?

Post by Guest » Tue Jan 06, 2009 1:43 pm

I have a PIX 501 connected to my home ISP providing NAT/PAT, and routing. Internal hosts can get out no problem. Have an Apache web server running internally. I can reach it from inside with no problem. But no matter what I try, I can't seem to reach it from outside. The local address for the webserver is 192.168.1.201. From outside I'm trying to reach it by typing in the ip address of the outside interface; that's the way to get to it right? So if my public IP was 10.176.101.4 (hypothetical - not my real public IP) I would type http://10.176.101.4 in the browser, correct? I'm attaching a show config, show version, show interface, show route and show xlate from the PIX. Please let me know if you see where I'm going wrong. Thanks!! -Bk

PIX2# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123XYZ encrypted
passwd 123XYZ encrypted
hostname PIX2
domain-name ecc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit ip any any
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside-in permit tcp any host 10.176.101.4 eq www
access-list outside-in permit tcp any host 192.168.1.201 eq www
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 22
logging host inside 192.168.1.201
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
(note: I've also tried nat (inside) 1 0.0.0.0 0.0.0.0 0 0)
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 10.171.58.125
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 10.171.58.125 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:123XYZ
: end

PIX2# show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.be94.a529
  IP address 10.176.101.4, subnet mask 255.255.248.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        377294 packets input, 25432436 bytes, 0 no buffer
        Received 358219 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        17515 packets output, 1928916 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/41)
        output queue (curr/max blocks): hardware (0/14) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000b.be94.a52a
  IP address 192.168.1.199, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        22937 packets input, 2050026 bytes, 0 no buffer
        Received 67 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        56998 packets output, 9991631 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/14)
        output queue (curr/max blocks): hardware (0/27) software (0/1)

PIX2# show ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

PIX2 up 10 hours 52 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000b.be94.a529, irq 9
1: ethernet1: address is 000b.be94.a52a, irq 10

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                50
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

PIX2# show route
        outside 0.0.0.0 0.0.0.0 10.176.96.1 1 DHCP static
        outside 10.176.96.0 255.255.248.0 10.176.101.4 1 CONNECT static
        inside 192.168.1.0 255.255.255.0 192.168.1.199 1 CONNECT static

PIX2# show xlate
8 in use, 71 most used
PAT Global 10.176.101.4(7505) Local 192.168.1.201(39900)
PAT Global 10.176.101.4(7507) Local 192.168.1.201(41609)
PAT Global 10.176.101.4(7506) Local 192.168.1.201(58216)
PAT Global 10.176.101.4(7509) Local 192.168.1.201(45599)
PAT Global 10.176.101.4(7508) Local 192.168.1.201(33990)
PAT Global 10.176.101.4(1031) Local 192.168.1.13(4302)
PAT Global 10.176.101.4(7510) Local 192.168.1.201(39729)
PAT Global 10.176.101.4(2991) Local 192.168.1.13(32209)

Guest

Re: Why can't I reach internal Web Server from outside?

Post by Guest » Tue Jan 06, 2009 2:58 pm

Hello,

Can you please try the following:

no access-list outside-in permit tcp any host 10.176.101.4 eq www
no access-list outside-in permit tcp any host 192.168.1.201 eq www
access-list outside-in permit tcp any interface outside eq www

In the older version of the code, using the interface IP for the outside access-list was not completely supported. You had to use the interface keyword.

Hope this helps.

Regards,
NT
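As an added example (not from this thread or from Cisco), a small Python checker that applies NT's rule to PIX 6.3 config lines: every TCP static is paired with the ACL applied inbound on its mapped interface, and the ACL entry must name the translated address (the `interface` keyword when the static uses the interface address), not the real inside host. The sample config is constructed from the lines posted above; the regexes cover only the `static`, `access-list ... permit tcp` and `access-group` forms seen in this thread.

```python
import re

# Constructed sample modelled on the PIX 6.3 lines in this thread (not the poster's full config).
SAMPLE_CONFIG = """
access-list outside-in permit tcp any host 10.176.101.4 eq www
access-list outside-in permit tcp any host 192.168.1.201 eq www
access-list outside-in permit tcp any interface outside eq 8880
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8880 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp \S+ (host \S+|interface \w+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def audit_port_forwards(config):
    """One finding per TCP static: 'OK', or why inbound traffic cannot match
    the ACL applied inbound on the mapped (outside) interface."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # access-group: interface -> ACL name applied inbound on it
    bound = {m.group(2): m.group(1) for m in map(GROUP_RE.match, lines) if m}
    # ACL name -> list of (destination token, port) for its 'permit tcp' entries
    entries = {}
    for m in filter(None, map(ACL_RE.match, lines)):
        entries.setdefault(m.group(1), []).append((m.group(2), m.group(3)))

    findings = []
    for m in filter(None, map(STATIC_RE.match, lines)):
        _real_if, mapped_if, mapped_ip, mapped_port, real_ip, real_port = m.groups()
        label = f"{mapped_if}:{mapped_port} -> {real_ip}:{real_port}"
        # PIX 6.3 evaluates an inbound ACL against the translated (mapped) address, and a
        # static to the interface's own address is written with the 'interface' keyword.
        wanted = f"interface {mapped_if}" if mapped_ip == "interface" else f"host {mapped_ip}"
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append(f"{label}: no access-group applied on {mapped_if}")
        elif (wanted, mapped_port) in entries.get(acl, []):
            findings.append(f"{label}: OK ({acl} permits {wanted} eq {mapped_port})")
        elif (f"host {real_ip}", real_port) in entries.get(acl, []):
            findings.append(f"{label}: {acl} names the real address {real_ip}; "
                            f"the entry must be '{wanted} eq {mapped_port}'")
        else:
            findings.append(f"{label}: {acl} has no entry for {wanted} eq {mapped_port}")
    return findings


if __name__ == "__main__":
    for line in audit_port_forwards(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the port-80 static is flagged because its ACL entry names 192.168.1.201, while the port-8880 static written with `interface outside` passes.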

Guest

Re: Why can't I reach internal Web Server from outside?

Post by Guest » Tue Jan 06, 2009 3:10 pm

Hi NT,

Actually I've made the change you recommended, cleared the xlate table and tried again. I still can't get through; the access list isn't showing any hits either.

Thank you!
-bk

Guest

Re: Why can't I reach internal Web Server from outside?

Post by Guest » Tue Jan 06, 2009 3:22 pm

Hello,

Then I guess you need to work with your ISP to see if they are blocking anything at their end. Let us try this:

no static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255
static (inside,outside) tcp interface 8880 192.168.1.201 www netmask 255.255.255.255
access-list outside-in permit tcp any interface outside eq 8880

Then try to access the web server on port 8880 from outside: http://:8880

This will let us know if the ISP is blocking port 80.

Hope this helps.

Regards,
NT

Guest

Re: Why can't I reach internal Web Server from outside?

Post by Guest » Tue Jan 06, 2009 3:32 pm

I was really hopeful when I saw your reply - thought it was quite likely that was exactly what is happening (ISP blocking port 80 incoming). But I made the change as you recommended - still nothing. Here's my current config entry changes - please let me know if you see that I missed something:

access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit tcp any interface outside eq 8880
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8880 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group outbound in interface inside

Access list stats:
access-list outside-in; 2 elements
access-list outside-in line 1 permit tcp any interface outside eq www (hitcnt=0)
access-list outside-in line 2 permit tcp any interface outside eq 8880 (hitcnt=0)

And the URL I'm trying to reach: http://70.176.101.4:8880/

Thank you!
-Bk
