10-22-2003 10:14 AM - edited 02-20-2020 11:03 PM
I have a web server set up behind my PIX firewall. It is also a mail server as well. My problem is that when I try to browse to a website I only get the first page and every subsequent page times out. I also cannot receive mail. Below is my config. Can anyone point me in the right direction?
Thanks,
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inbound permit tcp any host 192.168.0.13 eq www
access-list inbound permit tcp any host 192.168.0.13 eq pop3
access-list inbound permit tcp any host 192.168.0.13 eq ftp
access-list inbound permit tcp any host 192.168.0.13 eq https
access-list inbound permit tcp any host 192.168.0.13 eq smtp
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.186.1.13 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.13 192.168.1.13 dns netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns x.x.x.2 64.89.74.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
10-22-2003 02:14 PM
Hi,
Why do you have the keyword "dns" in this statement?
static (inside,outside) 192.168.0.13 192.168.1.13 dns netmask 255.255.255.255 0 0
Please remove it, clear the xlate and try again. This keyword is basically for DNS replies.
Thanks
Nadeem
10-23-2003 04:16 AM
I have that in the statement because I need my internal machines to be able to view the site by the DNS name. Is that not the correct syntax for that?
10-23-2003 01:37 PM
Hi,
Yes, this seems to be the correct syntax for DNS resolution to the private address. However, I don't think that the same translation will be used for the IP traffic. Try making a similar translation but without "dns".
Thanks
Nadeem