Error reaching https site on port 8443

is
Level 1

I am assuming that in order to reach the site through the PIX I need to open a port or fixup. Any solutions?


jmia
Level 7

Hi,

You'll need an ACL on the inside interface for your inside client to connect to the mentioned port, i.e.

access-list inside permit tcp host any eq 8443

access-group inside in interface inside

You'll need to save with write mem and also clear translations with clear xlate.

If the connection is made back to you then you'll need a static and ACL on your PIX to allow the connection to your inside network.

Hope this helps and let me know how you get on.

Jay

I tried it and found that I could no longer reach anything from the inside to the outside.

Hi,

Sorry, a little lost here. You say that when you applied that ACL you don't have access from inside to outside. Did you issue the command clear xlate? If possible, can you post your config here or send it directly to me if you like (please remember to change real IPs and passwords). E-mail: jmia@ohgroup.co.uk

Jay

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

names

name 10.1.1.1 int-ns1

name 10.1.1.8 int-ns2

name a.b.c.225 knet-gw

name a.b.c.227 ext-ns1

name a.b.c.228 ext-ns2

name a.b.c.229 ext-mail

name a.b.c.230 ext-rem

name a.b.c.231 ext-rtr

name 10.1.1.15 int-mail

name 10.1.1.254 int-rtr

name 10.1.1.230 int-rem

name a.b.c.232 ext-rem-2

name 10.1.1.189 int-rem-2

name a.b.c.233 ext-rem-3

name 10.1.1.125 int-rem-3

name 10.168.0.2 webserver

access-list outside permit icmp any any

access-list outside permit tcp any host ext-mail eq smtp

access-list outside permit tcp any host ext-mail eq pop3

access-list outside permit tcp any host ext-mail eq www

access-list outside permit tcp any host ext-ns1 eq domain

access-list outside permit udp any host ext-ns1 eq domain

access-list outside permit tcp any host ext-ns2 eq domain

access-list outside permit udp any host ext-ns2 eq domain

access-list outside permit tcp host knet-gw host ext-rtr eq telnet

access-list outside permit tcp any host ext-ns1 eq 3389

access-list outside permit udp any host ext-ns1 eq 3389

access-list outside permit tcp any host ext-rem eq 6000

access-list outside permit tcp any host ext-rem eq 6001

access-list outside permit tcp any host ext-rem eq pcanywhere-data

access-list outside permit tcp any host ext-rem eq 5362

access-list outside permit tcp any host ext-rem eq 5632

access-list outside permit tcp any host ext-rem-2 eq 6000

access-list outside permit tcp any host ext-rem-2 eq 6001

access-list outside permit tcp any host ext-rem-2 eq pcanywhere-data

access-list outside permit tcp any host ext-rem-2 eq 5362

access-list outside permit tcp any host ext-rem-2 eq 5632

access-list outside permit tcp any host ext-rem-3 eq 6000

access-list outside permit tcp any host ext-rem-3 eq 6001

access-list outside permit tcp any host a.b.c.234 eq www

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat permit ip any any

pager lines 24

logging on

logging timestamp

logging buffered debugging

logging trap debugging

logging history emergencies

logging facility 7

logging host inside 10.1.1.2

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside a.b.c.226 255.255.255.240

ip address inside 10.100.1.254 255.255.255.0

ip address dmz 10.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 10.1.2.1-10.1.2.254

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

arp timeout 14400

global (outside) 1 a.b.c.236

global (outside) 1 a.b.c.237

global (outside) 1 a.b.c.238

global (dmz) 1 10.168.0.10-10.168.0.20

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 10.168.0.0 255.255.255.0 0 0

static (inside,outside) ext-mail int-mail netmask 255.255.255.255 0 0

static (inside,outside) ext-ns1 int-ns1 netmask 255.255.255.255 0 0

static (inside,outside) ext-ns2 int-ns2 netmask 255.255.255.255 0 0

static (inside,outside) ext-rtr int-rtr netmask 255.255.255.255 0 0

static (inside,outside) ext-rem int-rem netmask 255.255.255.255 0 0

static (inside,outside) ext-rem-2 int-rem-2 netmask 255.255.255.255 0 0

static (inside,outside) ext-rem-3 int-rem-3 netmask 255.255.255.255 0 0

static (dmz,outside) a.b.c.234 webserver netmask 255.255.255.255 0 0

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 knet-gw 1

route inside 10.0.0.0 255.0.0.0 10.100.1.253 1

Hi,

I don't see any access-group applied for your inside ACL (access-list outbound-nat)? I presume your ACL outbound-nat is for the inside interface?

Can you tell me if the above assumption is correct before we go any further. If you take out the previous ACL that stopped connectivity, does everything work OK?

Did you save with the command write memory and also issue the command clear xlate?

Let me know,

Jay

You are correct in all your assumptions.

Hi,

The procedure for changing the inside access-list to permit additional users access is as follows.

Open up a notepad session and also telnet into the PIX.

Show the configuration on the PIX and copy all the inside access-list lines (which I presume is access-list outbound-nat) into notepad. At the start of the text in notepad add an additional line stating no access-list inside, in your case no access-list outbound-nat.

It should end up looking something like this:

no access-list outbound-nat

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat permit ip any any

access-group outbound-nat in interface inside

Add the additional ACL (access-list outbound-nat permit tcp host any eq 8443) you require to the start, below the no access-list outbound-nat line. If you need to take any ACLs out, simply delete the appropriate line from the text.

Back on the telnet screen, make sure you're in configuration mode, paste the modified text back into the PIX, issue the write memory command and then issue the command clear xlate.

The way this works is that when the no access-list outbound-nat command is issued, the entire list and the interface statements (if any are applied) are removed. Modifying the text in notepad and pasting it back ensures that the list is in the correct order: the list is parsed start to finish, BUT if a match is made, access-list processing stops. Therefore if you simply stick new entries at the end of the list they will be ignored because of the catch-all access-list outbound-nat permit ip any any at the end of the list.

Hope this helps, Jay.
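The first-match behaviour described in the post above, as an added example that is not part of the thread: a small Python simulator for PIX-style access-list lines that evaluates an outbound flow against the three list shapes discussed (the 8443 line on its own, the 8443 line appended after the catch-all, and the rebuilt list) and reports lines that can never be reached. The inside client 10.100.1.50 and the remote site x.y.z.10 are constructed placeholders, not addresses from the thread.

```python
# Added example (not from the thread): first-match simulator for PIX-style access-list lines.
def _addr(tok, i):
    if tok[i] == "any":                  # 'any' matches every address
        return "any", i + 1
    if tok[i] == "host":                 # 'host X' matches exactly X
        return tok[i + 1], i + 2
    raise ValueError("unsupported address form: " + " ".join(tok))

def parse_acl(text):
    """'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines -> rules, order kept."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue  # access-group and other lines are not rules
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
        rules.append({"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "dport": dport, "line": line})
    return rules

def _matches(r, proto, src, dst, dport):
    return (r["proto"] in ("ip", proto) and r["src"] in ("any", src)
            and r["dst"] in ("any", dst) and r["dport"] in (None, dport))

def evaluate(rules, proto, src, dst, dport):
    """First match wins; unmatched traffic hits the implicit deny at the end of the list."""
    for r in rules:
        if _matches(r, proto, src, dst, str(dport)):
            return r["action"], r["line"]
    return "deny", "<implicit deny>"

def shadowed_lines(rules):
    """Lines that can never match because an earlier line is at least as broad."""
    return [r["line"] for i, r in enumerate(rules)
            if any(_matches(p, r["proto"], r["src"], r["dst"], r["dport"]) for p in rules[:i])]

CLIENT, SITE = "10.100.1.50", "x.y.z.10"  # constructed: inside client, remote https site
NEW = f"access-list outbound-nat permit tcp host {CLIENT} any eq 8443"
CATCH_ALL = "access-list outbound-nat permit ip any any"
DENY7 = "access-list outbound-nat deny ip any host a.b.c.7"
ACL_ONLY_8443 = NEW + "\naccess-group outbound-nat in interface inside"  # first attempt
ACL_APPENDED = "\n".join([DENY7, CATCH_ALL, NEW])  # new line stuck on the end
ACL_REBUILT = "\n".join([NEW, DENY7, CATCH_ALL])  # result of the notepad procedure

if __name__ == "__main__":
    for name, text in [("only-8443", ACL_ONLY_8443), ("appended", ACL_APPENDED), ("rebuilt", ACL_REBUILT)]:
        rules = parse_acl(text)
        print(name, "| 8443:", evaluate(rules, "tcp", CLIENT, SITE, 8443)[0],
              "| http:", evaluate(rules, "tcp", CLIENT, SITE, 80)[0], "| unreachable:", shadowed_lines(rules))
```

With the catch-all present the 8443 flow is already permitted, so an appended line is merely unreachable and the list itself is not what blocks port 8443; a list that contains only the 8443 line denies every other outbound flow, which matches the earlier report of losing all inside-to-outside connectivity.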

I did what you said...

nothing different is happening.

I tried using the inside client IP (e.g. 10.a.b.c).

I then tried using the inside client IP as the inside interface IP...

Still no luck.

gavin

Gavin,

Can you enable syslog please and capture the output?

To enable syslog do:

logging on

logging buffer debug

sho log

Either post your results here or send them to me: jmia@ohgroup.co.uk

Thanks / Jay.