05-20-2004 08:27 AM - edited 02-20-2020 11:24 PM
Hi,
I am having problems with ACLs on my PIX 515 (have tried with both 6.3(1) and 6.3(3)).
I type the following lines:
access-list aclesht permit tcp any host 195.105.153.150 eq www
access-group aclesht in interface esht
wri mem
I then try to connect to the web server from a machine connected with a cross over cable to the esht interface. The machine cannot connect, but the acl hit counter is incrementing.
As soon as I reload the PIX and retry the connection, everything works fine. I have tried every combination of starting and stopping the web browser, web server etc. that I can think of.
Any ideas what I am doing wrong?
thanks
Bruce
05-20-2004 03:58 PM
What interface is 195.105.153.150 on? If it's a higher security interface than esht then you'll need a static command as well to allow this traffic through.
What do you mean by "as soon as I reload the pix and retry the connection, everything works fine."? When does it stop working again?
What does your syslog output show? That'll be your best bet in determining what the problem is. Can you definitely get to this web server from a machine on the same subnet as it? This'll make sure the web server is configured correctly. Is the web server's default gateway pointing to the PIX interface?
05-21-2004 01:24 AM
Hi,
195.105.153.150 has static commands on each of the three low security interfaces (the web server is on the inside interface).
The web server is accessible from machines on the inside network (i.e. on the same subnet).
What I mean by the "as soon as I reload...." is that I create the access list at the command line, then enter the access-group command. I then try to connect to the web server from the machine on the esht subnet (I am opening Internet Explorer fresh each time to prevent any caching problems in the browser); the request times out on the client, but if I look at the access-list the hit counter has incremented. I then closed IE on the client machine, typed wri mem, followed by "reload" on the PIX. Once the PIX has restarted I start the IE client and can get straight through to the web server. The web server page is a standard ASP page (in fact it is the default web page produced by IIS on NT 4).
I have attached the config, I know that some of the groups etc look a bit weird, but I am replacing an existing software firewall and once everything is working correctly I will tidy everything up.
thanks for your help
Bruce
05-24-2004 05:18 AM
Hi Bruce
Just out of interest, when the webserver suddenly starts working after the reload, does it suddenly stop working if you try and access it from, say, the outside interface?
05-24-2004 01:15 PM
Hi,
I tried to access the web server from the outside interface and got no response; the hit counter also showed no signs of any activity. I had a play with the statics and found out that they seem to be causing the problem.
The previous firewall, a CyberGuard one, allows you to NAT the same inside address to the same address on all interfaces. For example:
inside address 192.168.0.1
outside address 195.105.153.10
interface 2 address 195.105.153.10
interface 3 address 195.105.153.10
The PIX IOS (and the PDM) allows you to do the same thing with no error messages, and it worked for a short period, 7-8 days, but it appears to be the cause of the problem. I have changed the statics to addresses appropriate to each interface and it is now working.
Thanks to both of you for your help
Bruce
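An added config check, not from the thread or from Cisco, that parses PIX 6.3 `static` lines and flags any global address that is mapped on more than one interface, which is the overlap Bruce describes above. The interface name `dmz` and the 10.x addresses in the corrected sample are assumptions; the `outside`, `esht` and `inside` names and the 195.105.153.10 / 192.168.0.1 pair come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in PIX 6.3 'static (real_if,mapped_if) global local ...'
# syntax: the same global address is reused on every low-security interface,
# the pattern the thread identifies as the cause. 'dmz' is an assumed name
# for the third low-security interface.
BAD_CONFIG = """\
static (inside,outside) 195.105.153.10 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,esht) 195.105.153.10 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,dmz) 195.105.153.10 192.168.0.1 netmask 255.255.255.255 0 0
"""

# Constructed fix: one global address per interface (10.x addresses assumed).
GOOD_CONFIG = """\
static (inside,outside) 195.105.153.10 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,esht) 10.10.20.10 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.30.10 192.168.0.1 netmask 255.255.255.255 0 0
"""

# Matches the start of a static line: real interface, mapped interface,
# global (mapped) address, local (real) address.
STATIC_RE = re.compile(r"^\s*static \((\S+),(\S+)\) (\S+) (\S+)")


def parse_statics(config):
    """Return (real_if, mapped_if, global_addr, local_addr) per static line."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groups())
    return statics


def overlapping_globals(config):
    """Map each global address used on more than one interface to the
    sorted list of interfaces it appears on; empty dict means no overlap."""
    by_global = defaultdict(set)
    for _, mapped_if, global_addr, _ in parse_statics(config):
        by_global[global_addr].add(mapped_if)
    return {g: sorted(ifs) for g, ifs in by_global.items() if len(ifs) > 1}


if __name__ == "__main__":
    print("bad:", overlapping_globals(BAD_CONFIG))
    print("good:", overlapping_globals(GOOD_CONFIG))
```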
05-24-2004 02:11 PM
Shouldn't it be:
access-group aclesht in interface outside
Unless you've given the outside interface any other name...