HTTP access outbound and back ...

mfsumption
Level 1

I have a search engine spider that runs on my server that is protected by a PIX 501 with a basic configuration. The spider needs HTTP outbound access and back inbound again to spider a web site that is on the same server. I am a newbie, but I believe that somehow the firewall is blocking the inbound (re-entry so to speak) of the spider and therefore the spider is giving me errors that it cannot find the web site. Any ideas on how I could verify this and/or make a setting to allow this in a specific secure manner. Thanks.

Accepted Solution

Michael,

There are a couple things that can prevent this.

1. PIX routing. Unless running 7.x, and even then only with configuration changes to the default, the PIX doesn't allow routing back out an interface it received the inbound packet on. So if the web client (WebKeepAlive) on your web server is essentially making an HTTP request to itself, it'll resolve DNS (assuming you're using public) and receive its public IP. It will then route its packet to its default gateway (unless you have it specified in your web server route table) and that will probably be the PIX. The PIX will receive this and will eventually drop it due to security not allowing routing back out its source interface.

The easiest way to get around this for your scenario is to update the HOSTS file on the server with the Web Site FQDN using the Private IP and not the Public. DNS will never get invoked because the HOSTS file will resolve first. You will never hit the PIX and will be able to Spider your website for your reports or whatever.

I'm not going to discuss the other things that could block it because I'm pretty sure you ain't running 7.x on a 501 because it isn't supported. If it was 7.x you could loop the connection and then the thread could go on and on with static commands and access-lists. Though you could technically use the DNS fixup on the static when it makes the DNS request, but I would have to look that up. You could also configure routing on your web server for the public IP, but the HOSTS file is your best bet.

Please rate any helpful posts

Thanks

Fred
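The two halves of Fred's answer, as an added example that is not part of the original thread: first, decide from the server's own addresses whether a connection to the DNS answer would even reach the PIX (anything bound locally or on a directly connected network never does, anything else goes to the default gateway and would have to U-turn), and second, pin the site's FQDN to the private address in the HOSTS file so DNS is never consulted. The FQDN, the addresses (203.0.113.10 as the public address, 10.0.0.2 as the server, 10.0.0.1 as the PIX) and the sample hosts file are all constructed for illustration.

```python
"""Check whether a crawler on this server would need the PIX to U-turn its
own HTTP request, and build the HOSTS override that avoids the firewall.

Added example for this thread, not code from the original posts.  The
FQDN, addresses and hosts-file content below are constructed for
illustration (RFC 5737 documentation space for the public address).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Verdict:
    hairpins: bool   # True if the packet leaves via the PIX and must come back in
    reason: str


def will_hairpin(resolved_ip: str, local_interfaces: List[str], default_gateway: str) -> Verdict:
    """Decide where a connection to resolved_ip goes from this server.

    local_interfaces are the server's own addresses in CIDR form, e.g.
    "10.0.0.2/24".  A locally bound address is looped back by the stack,
    a directly connected network is delivered on the LAN; everything else
    is sent to the default gateway, which on this setup is the PIX.
    """
    target = ipaddress.ip_address(resolved_ip)
    for cidr in local_interfaces:
        iface = ipaddress.ip_interface(cidr)
        if target == iface.ip:
            return Verdict(False, f"{target} is bound locally; the stack loops it back")
        if target in iface.network:
            return Verdict(False, f"{target} is on directly connected {iface.network}")
    return Verdict(True, f"{target} is off-net; it goes to {default_gateway} (the PIX) "
                         "and would have to come back out the same interface")


def resolve_via_hosts(hosts_text: str, fqdn: str) -> Optional[str]:
    """First address the hosts file maps fqdn to, or None (then DNS is asked)."""
    for line in hosts_text.splitlines():
        fields = line.partition("#")[0].split()
        if len(fields) >= 2 and fqdn.lower() in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


def hosts_override(hosts_text: str, fqdn: str, private_ip: str) -> str:
    """Return hosts_text with fqdn pinned to private_ip.

    A stale mapping for fqdn is dropped (other names on that line are
    kept); an existing correct mapping is left alone, so repeated runs
    produce the same file.
    """
    out, done = [], False
    for line in hosts_text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) >= 2 and fqdn.lower() in (n.lower() for n in fields[1:]):
            if fields[0] == private_ip:
                done = True
                out.append(line)
                continue
            names = [n for n in fields[1:] if n.lower() != fqdn.lower()]
            if names:
                out.append(" ".join([fields[0], *names]) + (f"  #{comment}" if comment else ""))
            continue
        out.append(line)
    if not done:
        out.append(f"{private_ip}\t{fqdn}")
    return "\n".join(out) + "\n"


# Constructed sample: the site resolves publicly to 203.0.113.10, the
# server is 10.0.0.2 behind a PIX at 10.0.0.1 (assumed addresses).
SITE = "www.abc.com"
PUBLIC_IP, PRIVATE_IP, GATEWAY = "203.0.113.10", "10.0.0.2", "10.0.0.1"
LOCAL_IFACES = ["10.0.0.2/24", "127.0.0.1/8"]
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1     localhost
203.0.113.10  www.abc.com abc.com   # stale public mapping
"""

if __name__ == "__main__":
    print("via DNS:", will_hairpin(PUBLIC_IP, LOCAL_IFACES, GATEWAY).reason)
    fixed = hosts_override(SAMPLE_HOSTS, SITE, PRIVATE_IP)
    pinned = resolve_via_hosts(fixed, SITE)
    print("hosts now resolves", SITE, "to", pinned)
    print("after fix:", will_hairpin(pinned, LOCAL_IFACES, GATEWAY).reason)
```

The override only helps the crawler on that one machine; any other inside host that wants the public address still hits the same U-turn, and the HOSTS line has to be updated by hand if the server's private address ever changes.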


21 Replies

acomiskey
Level 10

So basically you are trying to access an internal web server from the inside using its public IP address?

Actually, the spider is attempting to index a specific URL/site (e.g. www.abc.com) so it goes outbound to resolve the URL which comes back to the same server because that's where the web server/web site is also. Does that make more sense?

I think that's what I meant. So abc.com is inside your PIX, it gets resolved to 1.1.1.1, which your inside server is trying to hit, and it's not working.

Thank you, acomiskey, for your quick reply also! I will try the cmd that Vibhor mentioned and see if that does the trick. Thanks again.

vitripat
Level 7

Hey there,

I'm not sure how your search engine works, but as you said, it needs outbound HTTP access, which I believe it has, and apart from that, it needs inbound HTTP access too. Please let me know if it needs inbound access for HTTP only, i.e., TCP 80. If this is true, and for outbound sessions the spider server is using the outside interface IP of the PIX, here are some commands which you could try:

static (inside,outside) tcp interface 80 spider_ip 80

access-list 101 permit tcp any interface outside eq 80

access-group 101 in interface

** Please make sure that you don't already have a similar static command in your configuration.

** If you already have an access-group applied on the outside interface, you should add the access-list to the same access-group.

To clarify more, it would be better if you could provide outputs from the following commands:

show static

show nat

show global

show access-group

show access-list

Hope this helps.

Regards,

Vibhor.

Thank you for the quick reply Vibhor. Yes, it needs inbound HTTP 80 access also. In the cmd line example, you specify, "static (inside,outside) tcp interface 80 spider_ip 80". Is "spider_ip" the internal ip address (e.g. 10.0.0.1) or the external ip address?

spider_ip is the internal IP address of spider server.

Hope that helps.

Regards,

Vibhor.

I guess I misunderstood. That will allow anyone on the outside to access your server. I thought you needed your server to be U-turned at the PIX. You cannot U-turn traffic in your 501.

Hi Vibhor, following is the response from the cmd line when I ran the 3 lines above. My public IP address may be removed. Thanks for any additional help you could provide.

Result of firewall command: "static (inside,outside) tcp interface 80 10.0.0.2 80 "

ERROR: duplicate of existing static

from inside:10.0.0.2 to outside:[my public ip address] netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns] [norandomseq] [ []]

Command failed

Result of firewall command: "access-list 101 permit tcp any interface outside eq 80 "

Result of firewall command: "access-group 101 in interface"

Not enough arguments.

Usage: [no] access-group in interface [per-user-override]

Command failed

access-group 101 in interface outside

post a "show static"

Thanks for updating me. As I stated earlier, this would be a problem if there are similar existing commands in the configuration.

** Please make sure that you don't already have a similar static command in your configuration.

** If you already have an access-group applied on the outside interface, you should add the access-list to the same access-group.

Could you provide the output of following commands-

show static

show nat

show global

show access-group

show access-list

Thanks & Regards,

Vibhor.

Oh yes, sorry about that. Following are the responses. Thanks again for your help.

Result of firewall command: "show static"

static (outside,inside) 10.0.0.1 [ip addr #1] netmask 255.255.255.255 0 0

static (inside,outside) [ip addr #1] 10.0.0.1 netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.2 [ip addr #2] netmask 255.255.255.255 0 0

static (inside,outside) [ip addr #2] 10.0.0.2 netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.3 [ip addr #3] netmask 255.255.255.255 0 0

static (inside,outside) [ip addr #3] 10.0.0.3 netmask 255.255.255.255 0 0

Result of firewall command: "show nat"

The command has been sent to the firewall

Result of firewall command: "show global"

The command has been sent to the firewall

Result of firewall command: "show access-group"

access-group outside_access_in in interface outside

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list outside_access_in; 25 elements

access-list outside_access_in line 1 permit tcp any any eq ftp-data (hitcnt=0)

access-list outside_access_in line 2 permit tcp any any eq ftp (hitcnt=340)

access-list outside_access_in line 3 permit tcp any any eq ssh (hitcnt=52321)

access-list outside_access_in line 4 permit tcp any any eq 42 (hitcnt=0)

access-list outside_access_in line 5 permit udp any any eq nameserver (hitcnt=0)

access-list outside_access_in line 6 permit tcp any any eq domain (hitcnt=0)

access-list outside_access_in line 7 permit udp any any eq domain (hitcnt=8740)

access-list outside_access_in line 8 permit tcp any any eq www (hitcnt=43387)

access-list outside_access_in line 9 permit tcp any any eq pop3 (hitcnt=117)

access-list outside_access_in line 10 permit tcp any any eq https (hitcnt=2865)

access-list outside_access_in line 11 permit tcp any any eq 465 (hitcnt=0)

access-list outside_access_in line 12 permit tcp any any eq 587 (hitcnt=0)

access-list outside_access_in line 13 permit tcp any any eq 995 (hitcnt=0)

access-list outside_access_in line 14 permit tcp any any eq 3389 (hitcnt=104)

access-list outside_access_in line 15 deny tcp any any eq telnet (hitcnt=30)

access-list outside_access_in line 16 permit tcp any any eq smtp (hitcnt=310)

access-list outside_access_in line 17 deny tcp any any eq imap4 (hitcnt=53)

access-list outside_access_in line 18 deny tcp any any eq 1433 (hitcnt=2456)

access-list outside_access_in line 19 deny tcp any any eq 3306 (hitcnt=47)

access-list outside_access_in line 20 deny tcp any any eq 9080 (hitcnt=0)

access-list outside_access_in line 21 deny tcp any any eq 9090 (hitcnt=0)

access-list outside_access_in line 22 permit icmp any any echo-reply (hitcnt=0)

access-list outside_access_in line 23 permit icmp any any source-quench (hitcnt=0)

access-list outside_access_in line 24 permit icmp any any unreachable (hitcnt=128)

access-list outside_access_in line 25 permit icmp any any time-exceeded (hitcnt=3)

You dont need following static commands-

static (outside,inside) 10.0.0.1 [ip addr #1] netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.2 [ip addr #2] netmask 255.255.255.255 0 0

static (outside,inside) 10.0.0.3 [ip addr #3] netmask 255.255.255.255 0 0

Please remove them using-

no static (outside,inside) 10.0.0.1 [ip addr #1]

no static (outside,inside) 10.0.0.2 [ip addr #2]

no static (outside,inside) 10.0.0.3 [ip addr #3]

Thereafter, I believe that IP address of spider server is 10.0.0.2. Please correct me if wrong. This server is already mapped to a public IP using following command-

static (inside,outside) [ip addr #2] 10.0.0.2 netmask 255.255.255.255 0 0

Also, you have following lines in-

access-list outside_access_in line 8 permit tcp any any eq www

access-group outside_access_in in interface outside

which means that return traffic on port 80 to the public IP of the server should be allowed.

Is it possible to collect logs to track down the exact behaviour of the 10.0.0.2 server ?

Regards,

Vibhor.
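The checks Vibhor did by eye on the `show static` and `show access-list` output above, as an added example that is not part of the original thread: list the (outside,inside) statics he says are not needed and generate the matching `no static` lines, find the public address the spider server is mapped to, and ask whether the outside ACL admits TCP/80 (first matching line wins, implicit deny otherwise). It also lists every service the ACL permits from `any`, which is the exposure acomiskey warned about earlier. The sample output is constructed from the thread with the redacted public addresses replaced by RFC 5737 documentation addresses; only the plain `static (real,mapped) mapped_ip real_ip netmask ...` form and `any any` ACL lines shown in the thread are parsed.

```python
"""Audit PIX `show static` / `show access-list` output for the points
raised in the thread.  Added example, not from the original posts or
from Cisco.  Sample output is constructed from the thread; the redacted
public addresses are replaced by 198.51.100.x documentation addresses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHOW_STATIC = """\
static (outside,inside) 10.0.0.1 198.51.100.1 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.1 10.0.0.1 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 198.51.100.2 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.2 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 198.51.100.3 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.3 10.0.0.3 netmask 255.255.255.255 0 0
"""
SHOW_ACL = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
access-list outside_access_in; 25 elements
access-list outside_access_in line 3 permit tcp any any eq ssh (hitcnt=52321)
access-list outside_access_in line 8 permit tcp any any eq www (hitcnt=43387)
access-list outside_access_in line 14 permit tcp any any eq 3389 (hitcnt=104)
access-list outside_access_in line 15 deny tcp any any eq telnet (hitcnt=30)
access-list outside_access_in line 18 deny tcp any any eq 1433 (hitcnt=2456)
access-list outside_access_in line 22 permit icmp any any echo-reply (hitcnt=0)
"""

# PIX 6.x order: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# Only the "any any" source/destination form is handled (see lead-in).
ACL_RE = re.compile(r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
                    r"(?P<proto>\w+) (?P<src>\S+) (?P<dst>\S+)(?P<match>.*?)"
                    r"(?: \(hitcnt=(?P<hits>\d+)\))?$")


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str   # address presented on mapped_ifc
    real_ip: str     # address the host actually has on real_ifc


@dataclass
class AclEntry:
    name: str; line: int; action: str; proto: str; src: str; dst: str
    match: str       # "eq www", "echo-reply", or "" for any port
    hits: Optional[int]


def parse_statics(text: str) -> List[Static]:
    found = [STATIC_RE.match(l.strip()) for l in text.splitlines()]
    return [Static(*m.groups()[:4]) for m in found if m]


def parse_acl(text: str) -> List[AclEntry]:
    out = []
    for m in (ACL_RE.match(l.strip()) for l in text.splitlines()):
        if m:
            d = m.groupdict()
            out.append(AclEntry(d["name"], int(d["line"]), d["action"], d["proto"], d["src"],
                                d["dst"], d["match"].strip(), int(d["hits"]) if d["hits"] else None))
    return out


def reverse_statics(statics: List[Static]) -> List[Static]:
    """Statics written (outside,inside): translation of outside hosts toward the inside."""
    return [s for s in statics if (s.real_ifc, s.mapped_ifc) == ("outside", "inside")]


def removal_commands(statics: List[Static]) -> List[str]:
    return [f"no static ({s.real_ifc},{s.mapped_ifc}) {s.mapped_ip} {s.real_ip}" for s in statics]


def public_address_of(statics: List[Static], inside_ip: str) -> Optional[str]:
    for s in statics:
        if (s.real_ifc, s.mapped_ifc) == ("inside", "outside") and s.real_ip == inside_ip:
            return s.mapped_ip
    return None


def inbound_allowed(entries: List[AclEntry], acl: str, proto: str, port: str) -> bool:
    """First matching line decides; no match means the implicit deny at the end."""
    for e in sorted(entries, key=lambda e: e.line):
        if e.name == acl and e.proto == proto and e.src == e.dst == "any" and e.match in ("", f"eq {port}"):
            return e.action == "permit"
    return False


def open_to_internet(entries: List[AclEntry], acl: str) -> List[Tuple[str, str]]:
    """(proto, match) for every line that permits traffic from any source to any destination."""
    return [(e.proto, e.match) for e in entries
            if e.name == acl and e.action == "permit" and e.src == e.dst == "any"]


if __name__ == "__main__":
    statics, entries = parse_statics(SHOW_STATIC), parse_acl(SHOW_ACL)
    print("\n".join(removal_commands(reverse_statics(statics))))
    print("spider server maps to", public_address_of(statics, "10.0.0.2"))
    print("tcp/80 inbound permitted:", inbound_allowed(entries, "outside_access_in", "tcp", "www"))
    print("open from any:", open_to_internet(entries, "outside_access_in"))
```

Even with TCP/80 permitted inbound, the result does not change the U-turn problem the thread is about: on a 501 the packet from the inside server to its own public address is still dropped at the PIX, so the ACL check only tells you what the outside world can reach.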

What was the fix?
