Accessing my Webserver from the outside - Pix 515E

PE-PatInBC

Previously posted in the wrong forum.

I can reach my webserver from any client through the inside interface but not from the outside. Please review my config. I have an outside interface of xxx.yyy.17.145 and I have set up this server to be accessed at xxx.yyy.17.146, which is one of the block of available IP addresses given to me by my ISP.

What logging might help me with this? PDM logging?

Please let me know what I am doing wrong.

---------------------------------------------

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password xxxxxxxx616Q encrypted
passwd xxxr616Q encrypted
hostname xxxxll1
domain-name xxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.yyy.90.0 MailNetwork
access-list outside_access_in remark
access-list outside_access_in permit tcp any host xxx.yyy.17.146 eq www
pager lines 24
logging on
logging timestamp
logging host inside 192.168.10.5
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside xxx.yyy.17.145 255.255.255.240
ip address inside 192.168.10.100 255.255.255.0
ip address DMZ 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.10.35 255.255.255.255 inside
pdm location 192.168.10.178 255.255.255.255 inside
pdm location 192.168.10.5 255.255.255.255 inside
pdm location MailNetwork 255.255.255.255 outside
pdm location 192.168.10.0 255.255.255.255 inside
pdm location 192.168.20.101 255.255.255.255 DMZ
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 192.168.20.50-192.168.20.100
nat (inside) 200 192.168.10.0 255.255.255.0 0 0
static (DMZ,outside) xxx.yyy.17.146 192.168.20.101 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 255.255.255.0 xxx.yyy.17.158 1
route outside 0.0.0.0 0.0.0.0 xxx.yyy.17.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.10.178 c:\tftp-root
floodguard enable
telnet 192.168.10.35 255.255.255.255 inside
telnet 192.168.10.178 255.255.255.255 inside
telnet 192.168.10.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxx
: end
[OK]
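As an added example (not from the thread or from Cisco), here is the review the post asks for done as a script: it walks the inbound path a PIX 6.3 needs for a published host (static translation, an access-list entry for the public address, that access-list bound inbound on the outside interface, and the default routes) over a constructed excerpt of the config above. The function name, the finding wording and the sample excerpt are my own; the redacted xxx.yyy addresses are kept as placeholders.

```python
import re

# Constructed excerpt modelled on the PIX 6.3(4) config posted above;
# the ISP addresses stay as the redacted xxx.yyy placeholders.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
access-list outside_access_in permit tcp any host xxx.yyy.17.146 eq www
static (DMZ,outside) xxx.yyy.17.146 192.168.20.101 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 255.255.255.0 xxx.yyy.17.158 1
route outside 0.0.0.0 0.0.0.0 xxx.yyy.17.158 1
"""


def review_published_host(config, public_ip, iface="outside"):
    """Check the inbound chain for public_ip: static, ACL entry, ACL binding, routes.
    Returns a list of finding strings; an empty list means the chain looks complete."""
    findings = []
    ip = re.escape(public_ip)
    # 1. A static translation must exist for the public address on the given interface.
    static = re.search(r"^static \((\w+),(\w+)\) " + ip + r" (\S+)", config, re.M)
    if not static:
        findings.append(f"no static translation for {public_ip}")
    elif static.group(2) != iface:
        findings.append(f"static for {public_ip} is on interface {static.group(2)}, not {iface}")
    # 2. Some access-list must permit traffic to the public (translated) address ...
    acls = set(re.findall(r"^access-list (\S+) permit \S+ .*?host " + ip, config, re.M))
    if not acls:
        findings.append(f"no access-list permits traffic to {public_ip}")
    # 3. ... and that access-list must be applied inbound on the outside interface.
    bound = set(re.findall(r"^access-group (\S+) in interface " + iface, config, re.M))
    if acls and not (acls & bound):
        findings.append(f"access-list {', '.join(sorted(acls))} is not applied in on {iface}")
    # 4. 'route X 0.0.0.0 <mask>' with a non-zero mask is not a default route; flag it as a typo.
    for rif, mask, gw in re.findall(r"^route (\S+) 0\.0\.0\.0 (\S+) (\S+)", config, re.M):
        if mask != "0.0.0.0":
            findings.append(f"route {rif} 0.0.0.0 {mask} {gw} is not a default route (mask should be 0.0.0.0)")
    return findings


if __name__ == "__main__":
    for finding in review_published_host(PIX_CONFIG, "xxx.yyy.17.146"):
        print("finding:", finding)
```

On the posted excerpt the static, ACL and binding all check out and only the odd first route line is flagged, so the script narrows the question to the routes and to what the PIX logs show for the connection.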


Hi,

The MAC address is already installed:

inside 192.168.10.25 000f.1f6e.7877

000f.1f6e.7877 is probably conflicting with another host, not the PIX itself.

I suggest finishing up the DHCP configs on the PIX, and keeping a list or spreadsheet of statically assigned IP addresses. For example:

192.168.10.2-192.168.10.99 : desktops, dhcp
192.168.10.100 : pix inside ip address
192.168.10.101-192.168.10.254: servers/other systems, statically assigned, no dhcp

*** pix dhcp configs:

dhcpd address 192.168.10.2-192.168.10.99 inside
dhcpd dns x.x.x.x x.x.x.x
dhcpd wins y.y.y.y <----------- optional
dhcpd lease 86400 <------- one day lease
dhcpd domain something.something
dhcpd enable inside

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172794.html#wp1031649

A couple of things.

1) I ran a network utility that gets all of the info off of all of the devices on my 192.168.10.0 network and could only find the Dell server with that MAC address. The Dell server in question has the NICs teamed if that makes any difference.

2) You suggest finishing up the DHCP configs. Unless there is something I don't know about, I would prefer not to use the PIX for my DHCP. I have DHCP servers already on my LAN. I do keep a TCP/IP document with all related IP addresses tracked for my network. I don't have any IP conflicts that I know of.

3) Can I just delete the DHCP related items in my config if I don't intend to use them? They didn't clean up after removing DHCP from the PDM.

Any other suggestions on how I can track down the conflicting MAC address?

Hi,

I am not sure about Dell's NIC teaming. I don't think there would be a problem if the 2 NICs use a single virtual MAC address.

I think it is safe to remove the dhcp configurations.

There are many SNMP based tools to monitor MAC addresses and ARP tables, especially if you are using a managed switch, e.g.:

http://manageengine.adventnet.com/products/oputils/index.html (commercial+free)

http://www.wtcs.org/snmp4tpc/getif.htm (free)
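An added example, not from the thread or from either tool linked above, of the check those ARP-table tools automate for the "conflicting MAC address" question: it parses lines in the PIX `show arp` form used earlier in the thread (`<interface> <ip> <mac>`), normalises Cisco dotted and colon MAC notation, and reports MACs that answer for several IPs (teamed NICs, a stale entry or a host with several addresses) separately from IPs claimed by several MACs (a real duplicate-IP conflict). The sample entries are constructed; only the 000f.1f6e.7877 entry comes from the thread.

```python
import re
from collections import defaultdict

# Constructed ARP entries in the PIX 6.3 'show arp' layout seen above, plus one
# entry in colon notation as a host-side tool would print it.
ARP_LINES = """\
inside 192.168.10.5 0011.2233.4455
inside 192.168.10.25 000f.1f6e.7877
inside 192.168.10.178 000f.1f6e.7877
inside 192.168.10.35 00:0a:0b:0c:0d:0e
inside 192.168.10.35 0013.c4aa.bb01
DMZ 192.168.20.101 00d0.5566.7788
"""


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, accepting dotted, colon or dash forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_arp_conflicts(text):
    """Parse '<iface> <ip> <mac>' lines; return (macs seen behind several IPs,
    IPs claimed by several MACs). Both are dicts of sorted lists."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", line)
        if not m:
            continue  # headers, blanks and anything that is not an ARP entry
        iface, ip, mac = m.group(1), m.group(2), normalize_mac(m.group(3))
        ips_by_mac[mac].add((iface, ip))
        macs_by_ip[(iface, ip)].add(mac)
    shared_macs = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    dup_ips = {key: sorted(macs) for key, macs in macs_by_ip.items() if len(macs) > 1}
    return shared_macs, dup_ips


if __name__ == "__main__":
    shared, dups = find_arp_conflicts(ARP_LINES)
    for mac, ips in shared.items():
        print(f"MAC {mac} answers for several IPs: {ips}")
    for (iface, ip), macs in dups.items():
        print(f"IP {ip} on {iface} claimed by several MACs: {macs}")
```

Feed it the ARP table from the PIX and from the managed switch at a few points in time; an IP that flips between two MACs across snapshots is the conflict to chase down.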
