03-21-2007 11:45 AM - edited 03-12-2019 05:49 PM
I have a search engine spider that runs on my server that is protected by a PIX 501 with a basic configuration. The spider needs HTTP outbound access and back inbound again to spider a web site that is on the same server. I am a newbie, but I believe that somehow the firewall is blocking the inbound (re-entry so to speak) of the spider and therefore the spider is giving me errors that it cannot find the web site. Any ideas on how I could verify this and/or make a setting to allow this in a specific secure manner. Thanks.
03-22-2007 02:53 PM
Michael,
There are a couple things that can prevent this.
1. PIX routing. Unless running 7.x, and even then only with configuration changes to the default, the PIX doesn't allow routing back out an interface it received the inbound packet on. So if the web client (WebKeepAlive) on your web server is essentially making an HTTP request to itself, it'll resolve DNS (assuming you're using public DNS) and receive its public IP. It will then route its packet to its default gateway (unless you have it specified in your web server's route table) and that will probably be the PIX. The PIX will receive this and will eventually drop it due to security not allowing routing back out its source interface.
The easiest way to get around this for your scenario is to update the HOSTS file on the server with the Web Site FQDN using the Private IP and not the Public. DNS will never get invoked because the HOSTS file will resolve first. You will never hit the PIX and will be able to Spider your website for your reports or whatever.
I'm not going to discuss the other things that could block it because I'm pretty sure you aren't running 7.x on a 501, as it isn't supported. If it were 7.x you could loop the connection, and then the thread could go on and on with static commands and access-lists. Though you could technically use the DNS fixup on the static when it makes the DNS request, I would have to look that up. You could also configure routing on your web server for the public IP, but the HOSTS file is your best bet.
Please rate any helpful posts
Thanks
Fred
03-21-2007 11:48 AM
So basically you are trying to access an internal web server from the inside using its public IP address?
03-21-2007 11:57 AM
Actually, the spider is attempting to index a specific URL/site (e.g. www.abc.com) so it goes outbound to resolve the URL which comes back to the same server because that's where the web server/web site is also. Does that make more sense?
03-21-2007 12:00 PM
I think that's what I meant. So abc.com is inside your PIX, it gets resolved to 1.1.1.1, which your inside server is trying to hit, and it's not working.
03-21-2007 12:26 PM
Thank you, acomiskey, for your quick reply also! I will try the cmd that Vibhor mentioned and see if that does the trick. Thanks again.
03-21-2007 11:50 AM
Hey there,
I'm not sure how your search engine works, but as you said, it needs outbound HTTP access, which I believe it has, and apart from that, it needs inbound HTTP access too. Please let me know if it needs inbound access for HTTP only, i.e., TCP 80. If this is true, and for outbound sessions the spider server is using the outside interface IP of the PIX, here are some commands which you could try:
static (inside,outside) tcp interface 80 spider_ip 80
access-list 101 permit tcp any interface outside eq 80
access-group 101 in interface
** Please make sure that you don't already have a similar static command in your configuration.
** If you already have an access-group applied on the outside interface, you should add the access-list to the same access-group.
To clarify more, it would be better if you could provide outputs from the following commands:
show static
show nat
show global
show access-group
show access-list
Hope this helps.
Regards,
Vibhor.
03-21-2007 12:19 PM
Thank you for the quick reply Vibhor. Yes, it needs inbound HTTP 80 access also. In the cmd line example, you specify, "static (inside,outside) tcp interface 80 spider_ip 80". Is "spider_ip" the internal ip address (e.g. 10.0.0.1) or the external ip address?
03-21-2007 12:23 PM
spider_ip is the internal IP address of spider server.
Hope that helps.
Regards,
Vibhor.
03-21-2007 12:23 PM
I guess I misunderstood. That will allow anyone on the outside to access your server. I thought you needed your server to be U-turned at the PIX. You cannot U-turn traffic in your 501.
03-21-2007 12:38 PM
Hi Vibhor, following is the response from the command line when I ran the 3 lines above. My public IP address has been removed. Thanks for any additional help you could provide.
Result of firewall command: "static (inside,outside) tcp interface 80 10.0.0.2 80 "
ERROR: duplicate of existing static
from inside:10.0.0.2 to outside:[my public ip address] netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
{
{
[dns] [norandomseq] [
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{
{
{access-list
[dns] [norandomseq] [
Command failed
Result of firewall command: "access-list 101 permit tcp any interface outside eq 80 "
Result of firewall command: "access-group 101 in interface"
Not enough arguments.
Usage: [no] access-group
Command failed
03-21-2007 12:41 PM
access-group 101 in interface outside
post a "show static"
03-21-2007 12:44 PM
Thanks for updating me. As I stated earlier, this would be a problem if there are similar existing commands in the configuration.
** Please make sure that you don't already have a similar static command in your configuration.
** If you already have an access-group applied on the outside interface, you should add the access-list to the same access-group.
Could you provide the output of the following commands:
show static
show nat
show global
show access-group
show access-list
Thanks & Regards,
Vibhor.
03-21-2007 01:00 PM
Oh yes, sorry about that. Following are the responses. Thanks again for your help.
Result of firewall command: "show static"
static (outside,inside) 10.0.0.1 [ip addr #1] netmask 255.255.255.255 0 0
static (inside,outside) [ip addr #1] 10.0.0.1 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 [ip addr #2] netmask 255.255.255.255 0 0
static (inside,outside) [ip addr #2] 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 [ip addr #3] netmask 255.255.255.255 0 0
static (inside,outside) [ip addr #3] 10.0.0.3 netmask 255.255.255.255 0 0
Result of firewall command: "show nat"
The command has been sent to the firewall
Result of firewall command: "show global"
The command has been sent to the firewall
Result of firewall command: "show access-group"
access-group outside_access_in in interface outside
Result of firewall command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list outside_access_in; 25 elements
access-list outside_access_in line 1 permit tcp any any eq ftp-data (hitcnt=0)
access-list outside_access_in line 2 permit tcp any any eq ftp (hitcnt=340)
access-list outside_access_in line 3 permit tcp any any eq ssh (hitcnt=52321)
access-list outside_access_in line 4 permit tcp any any eq 42 (hitcnt=0)
access-list outside_access_in line 5 permit udp any any eq nameserver (hitcnt=0)
access-list outside_access_in line 6 permit tcp any any eq domain (hitcnt=0)
access-list outside_access_in line 7 permit udp any any eq domain (hitcnt=8740)
access-list outside_access_in line 8 permit tcp any any eq www (hitcnt=43387)
access-list outside_access_in line 9 permit tcp any any eq pop3 (hitcnt=117)
access-list outside_access_in line 10 permit tcp any any eq https (hitcnt=2865)
access-list outside_access_in line 11 permit tcp any any eq 465 (hitcnt=0)
access-list outside_access_in line 12 permit tcp any any eq 587 (hitcnt=0)
access-list outside_access_in line 13 permit tcp any any eq 995 (hitcnt=0)
access-list outside_access_in line 14 permit tcp any any eq 3389 (hitcnt=104)
access-list outside_access_in line 15 deny tcp any any eq telnet (hitcnt=30)
access-list outside_access_in line 16 permit tcp any any eq smtp (hitcnt=310)
access-list outside_access_in line 17 deny tcp any any eq imap4 (hitcnt=53)
access-list outside_access_in line 18 deny tcp any any eq 1433 (hitcnt=2456)
access-list outside_access_in line 19 deny tcp any any eq 3306 (hitcnt=47)
access-list outside_access_in line 20 deny tcp any any eq 9080 (hitcnt=0)
access-list outside_access_in line 21 deny tcp any any eq 9090 (hitcnt=0)
access-list outside_access_in line 22 permit icmp any any echo-reply (hitcnt=0)
access-list outside_access_in line 23 permit icmp any any source-quench (hitcnt=0)
access-list outside_access_in line 24 permit icmp any any unreachable (hitcnt=128)
access-list outside_access_in line 25 permit icmp any any time-exceeded (hitcnt=3)
03-21-2007 01:07 PM
You don't need the following static commands:
static (outside,inside) 10.0.0.1 [ip addr #1] netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 [ip addr #2] netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 [ip addr #3] netmask 255.255.255.255 0 0
Please remove them using:
no static (outside,inside) 10.0.0.1 [ip addr #1]
no static (outside,inside) 10.0.0.2 [ip addr #2]
no static (outside,inside) 10.0.0.3 [ip addr #3]
Thereafter, I believe that the IP address of the spider server is 10.0.0.2. Please correct me if wrong. This server is already mapped to a public IP using the following command:
static (inside,outside) [ip addr #2] 10.0.0.2 netmask 255.255.255.255 0 0
Also, you have the following lines in:
access-list outside_access_in line 8 permit tcp any any eq www
access-group outside_access_in in interface outside
which means that return traffic on port 80 to the public IP of the server should be allowed.
Is it possible to collect logs to track down the exact behaviour of the 10.0.0.2 server?
Regards,
Vibhor.
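The following is an added example, not code from the thread or from any of its posters. It models the two points made above: Fred's explanation that a PIX 501 cannot U-turn a packet that arrives on the inside interface and is destined for a public address statically mapped back to an inside host, and Vibhor's observation that the `(outside,inside)` statics are reversed duplicates that should be removed. The `show static` text is a constructed copy of what was posted, with placeholder public addresses (203.0.113.0/24) in place of the redacted `[ip addr #N]` values; the site name `www.abc.com` is the example name used earlier in the thread, and the spider host's own addresses are assumed.

```python
"""Added example (not part of the thread): parse PIX 6.x `show static`
output, flag reversed statics, decide whether a flow from the spider
host would need the PIX to hairpin it, and produce the HOSTS-file fix."""
import re
from dataclasses import dataclass

# Constructed `show static` output modelled on the thread, with placeholder
# public IPs.  The (outside,inside) lines are the reversed duplicates.
SHOW_STATIC = """\
static (outside,inside) 10.0.0.1 203.0.113.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 10.0.0.1 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 203.0.113.12 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.12 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 203.0.113.13 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.13 10.0.0.3 netmask 255.255.255.255 0 0
"""

# PIX 6.x syntax:
#   static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [port] real_ip [port] ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?:(?:tcp|udp)\s+)?(?P<mapped_ip>\S+)\s+(?:\d+\s+)?"
    r"(?P<real_ip>\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class Static:
    real_if: str    # interface where the real (pre-NAT) host lives
    mapped_if: str  # interface on which the translated address is presented
    mapped_ip: str
    real_ip: str


def parse_statics(text):
    """Parse `show static` lines into Static records; ignore other lines."""
    statics = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(Static(**m.groupdict()))
    return statics


def reversed_statics(statics, inside="inside", outside="outside"):
    """(outside,inside) entries present an outside address on the inside
    network; a hosted server only needs the (inside,outside) direction."""
    return [s for s in statics if s.real_if == outside and s.mapped_if == inside]


def public_to_private(statics, inside="inside", outside="outside"):
    """Public -> private map built from the normal (inside,outside) statics."""
    return {s.mapped_ip: s.real_ip
            for s in statics if s.real_if == inside and s.mapped_if == outside}


def hairpin_required(dest_ip, mapping, local_ips):
    """True when an inside host would hand this packet to its default
    gateway (the PIX) and the PIX would have to send it back out the
    inside interface: the destination is a statically mapped public
    address and is not one of the sender's own addresses (a packet to a
    local address never leaves the host)."""
    return dest_ip in mapping and dest_ip not in local_ips


def hosts_entry(fqdn, resolved_ip, mapping):
    """The HOSTS-file fix: pin the FQDN to the private address, or None
    when the name does not resolve to a mapped public address."""
    private = mapping.get(resolved_ip)
    return f"{private}\t{fqdn}" if private else None


if __name__ == "__main__":
    statics = parse_statics(SHOW_STATIC)
    for s in reversed_statics(statics):
        print(f"remove: no static ({s.real_if},{s.mapped_if}) {s.mapped_ip} {s.real_ip}")
    mapping = public_to_private(statics)
    # Assumed: the spider on 10.0.0.2 resolves www.abc.com to 203.0.113.12.
    target, resolved = "www.abc.com", "203.0.113.12"
    if hairpin_required(resolved, mapping, {"10.0.0.2", "127.0.0.1"}):
        print("PIX 501 would have to U-turn this flow; add to HOSTS:")
        print(hosts_entry(target, resolved, mapping))
```

The `hairpin_required` check also shows why an external target is unaffected: a public address that is not in the static map is ordinary outbound traffic and never needs to come back in through the same interface.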
03-22-2007 01:18 PM
What was the fix?