PIX 501 Issue redirecting HTTP

hufcor
Level 1

Hello,

I am using a PIX 501 with IOS 6.3 (1) installed.

My issue is that I am attempting to configure my PIX to direct HTTP traffic to a local computer that is running a program to share files.  I am able to access the program from a browser on another workstation.  Therefore, the program is working.

However, when I attempt to access the program from outside the PIX – I cannot.

Here are the steps I took to set up my configuration:

Needed to configure the Interfaces

ip address outside ***.***.***.18 255.255.255.248

ip address inside 172.20.1.241 255.255.0.0

Needed to apply an access-list:

This allows Https traffic through the PIX.

access-list 101; 1 elements

access-list 101 line 1 permit tcp any interface outside eq http

Created a Static route:

This is a route that will direct traffic directly to the SSL Concentrator (172.20.1.225)

static (inside,outside) tcp interface http 172.20.1.101 http netmask 255.255.255.255 0 0

Verified the routes:

outside 0.0.0.0 0.0.0.0 ***.***.***.81 1 OTHER static

outside ***.***.***.16 255.255.255.248 ***.***.***.18 1 CONNECT static

inside 172.20.0.0 255.255.0.0 172.20.1.241 1 CONNECT static

NAT

global (outside) 1 interface

nat (inside) 1 172.20.0.0 255.255.0.0 0 0


Yes, currently I am permitting anything in an effort to get it to work first and then tighten it down (once I can verify it works).  My understanding of the PIX is that all information from the inside can go out unless it has been denied?

This is when you do not have any access-list configured on interfaces. In your case the missing part may be an access-list on inside interface that permits http traffic from your internal web server to internet.

access-list 102  permit tcp host 172.20.1.101 any eq http

access-list 102  permit tcp host 172.20.1.101 any eq https

access-group 102 in interface inside

Also make sure that you have proper DNS resolution for internet access.

Dileep

Hello,

I got my PIX working…however…

After over-analyzing the issue, I decided to isolate the problem and remove the PIX from my network.  I plugged another node directly into the hub ports in the back of the PIX and it worked (after allowing nearly full access).

On the network, the node I was attempting to reach was not directly plugged into the hub of the PIX.  But, I was able to ping the inside port of the PIX and the PIX was able to ping the node.  Therefore, I did not believe that to be an issue?

Anyway, now my problem is with ACLs.  I basically had to allow anything in and out because when I applied the suggested ACLs (the access-list 102 suggestion) – I do not gain access.

This is what I have currently applied:

access-list 101; 1 elements

access-list 101 line 1 permit ip any any (hitcnt=1167)

access-list 102; 2 elements

access-list 102 line 1 permit tcp any any eq www (hitcnt=0)

access-list 102 line 2 permit tcp any any eq https (hitcnt=0)

Log information (Note: The public address is the assigned DNS server.  I transferred the application to my lab workstation, which is 172.20.1.103):

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"

710005: UDP request discarded from 172.20.1.81/138 to inside:172.20.255.255/netbios-dgm

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"

710005: UDP request discarded from 172.20.1.11/137 to inside:172.20.255.255/netbios-ns

710005: UDP request discarded from 172.20.1.78/138 to inside:172.20.255.255/netbios-dgm

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"

106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"

What can I do to tighten my ACLs while still allowing traffic to pass back and forth?

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full
 

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password cPlBJP0wS8qSVcsh encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname hufcorairwall

domain-name hufcorairwall.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

access-list 101 permit tcp any interface outside eq http
access-list 102 permit tcp 172.20.0.0 255.255.0.0 any eq http
access-list 102 permit tcp 172.20.0.0 255.255.0.0 any eq https
access-list 102 permit udp 172.20.0.0 255.255.0.0 any eq dns


pager lines 24

logging console debugging

logging buffered informational

logging trap debugging

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside ***.***.***.84 255.255.255.248

ip address inside 172.20.1.243 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool1 192.168.221.1-192.168.221.23

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

access-group 101 in interface outside

access-group 102 in interface inside

route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public 

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac

crypto dynamic-map DynMap1 10 set transform-set TransSet1

crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1

crypto map CryptMap1 interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup GroupVpn1 address-pool ippool1

vpngroup GroupVpn1 idle-time 1800

vpngroup GroupVpn1 password ********

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

terminal width 80

Cryptochecksum:1225e257808d8147151d8fd06b471c3a

: end

I have pasted your config; edited lines are highlighted.

Dileep
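Added example (not from the thread and not Cisco code): a small Python triage script that parses the 106023 deny messages hufcor posted, evaluates each denied flow against a candidate access-list 102 with first-match semantics and the implicit deny, and reports which logged flows the ACL would still drop. The tcp/80 log line and the address 198.51.100.7 are constructed, and the ACE parser only handles the `permit|deny <proto> <src> any eq <port>` shape used on this page.

```python
import ipaddress
import re
# Constructed sample input: the thread's 106023 deny lines, one 710005 line that must be
# ignored, and one constructed tcp/80 deny (198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"
710005: UDP request discarded from 172.20.1.81/138 to inside:172.20.255.255/netbios-dgm
106023: Deny tcp src inside:172.20.1.103/1025 dst outside:198.51.100.7/80 by access-group "102"
"""
DENY_RE = re.compile(r'106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
                     r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>\w+)"')
PORTS = {"http": 80, "www": 80, "https": 443, "dns": 53, "domain": 53}  # PIX 6.3 port keywords

def parse_denies(text):
    """One dict per 106023 deny message; other message IDs are ignored."""
    return [dict(m.groupdict(), dport=int(m["dport"]))
            for m in map(DENY_RE.search, text.splitlines()) if m]

def parse_ace(ace):
    """Parse 'access-list <id> permit|deny <proto> <src> any eq <port>' as written on this page,
    where <src> is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    t = ace.split()
    if t[4] == "any":
        src, i = ipaddress.ip_network("0.0.0.0/0"), 5
    elif t[4] == "host":
        src, i = ipaddress.ip_network(t[5]), 6
    else:
        src, i = ipaddress.ip_network(f"{t[4]}/{t[5]}"), 6
    port = t[i + 2]  # t[i] is the destination 'any', t[i + 1] is 'eq'
    return {"acl": t[1], "permit": t[2] == "permit", "proto": t[3],
            "src": src, "dport": PORTS.get(port) or int(port)}

def permitted(flow, aces):
    """First-match evaluation against the ACEs of the flow's access-group; implicit deny at the end."""
    for a in aces:
        if (a["acl"] == flow["acl"] and a["proto"] == flow["proto"]
                and ipaddress.ip_address(flow["src"]) in a["src"] and a["dport"] == flow["dport"]):
            return a["permit"]
    return False

def still_denied(log, acl_lines):
    """(proto, src, dst, dport) of the logged denies that a candidate ACL would still drop."""
    aces = [parse_ace(line) for line in acl_lines]
    return [(f["proto"], f["src"], f["dst"], f["dport"])
            for f in parse_denies(log) if not permitted(f, aces)]

# ACL 102 as shown in the second post (BEFORE) and with the udp/dns line Dileep added (AFTER).
BEFORE = ["access-list 102 permit tcp any any eq www", "access-list 102 permit tcp any any eq https"]
AFTER = BEFORE + ["access-list 102 permit udp 172.20.0.0 255.255.0.0 any eq dns"]
```

Running `still_denied(SAMPLE_LOG, BEFORE)` lists the two DNS flows that the original ACL 102 drops, and `still_denied(SAMPLE_LOG, AFTER)` is empty, which is the check to repeat on a fresh `show logging` after each tightening step.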
