PIX506E will not allow inbound http or https

admin_2
Level 3

I am having an issue configuring my firewall to allow inbound traffic for everyone on port 80 or 443. This is the first time I am setting up the PIX 506E; this is my config, can anyone help?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xx encrypted
passwd xx encrypted
hostname imano
domain-name imano.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 193.115.188.0 imano
name 213.219.22.231 FundsR
object-group service webs tcp
port-object range 200 1400
object-group service webs2 tcp
port-object range 1 100
access-list outside_access_in permit tcp any eq www any eq www
access-list outside_access_in permit tcp any eq https any eq https
access-list outside_access_in permit tcp imano 255.255.255.0 any
access-list outside_access_in permit udp imano 255.255.255.0 any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.52.208.226 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location imano 255.255.255.0 outside
pdm location internal 255.255.255.224 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 213.52.208.226 255.255.255.255 outside
pdm location 213.50.208.227 255.255.255.255 outside
pdm location 213.52.208.227 255.255.255.255 outside
pdm location FundsR 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.52.208.227 192.168.1.4 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.1.4 213.50.208.227 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.52.208.225 1
route inside 192.168.1.4 255.255.255.255 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xx

I am sure it's a simple config issue, but I just can't work out what I have done wrong...

1 Reply

ehirsel
Level 6

I noted this statement: route inside 192.168.1.4 255.255.255.255 192.168.1.1 1

I think this may be the cause of the issue as it maps 192.168.1.4 back to the firewall's inside interface.

I noted this static: static (outside,inside) 192.168.1.4 213.50.208.227 netmask 255.255.255.255 0 0 - is there a reason why it is there? It is the inverse of the static (in, out) and normally that is done when connecting two networks with overlapping ip address ranges. Is that your case too?

The effects of the static (in, out) along with the route effectively point all http and https requests to the pix firewall interface. What you need on your static (in, out) statement is the local-address of the true inside server.
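Applying ehirsel's advice to the posted config, as an added example that is neither the original poster's nor ehirsel's own configuration: it keeps the one static that publishes the inside server, drops the inverse static and the host route, and goes one step beyond the reply by rewriting the two outside ACL lines, since `any eq www any eq www` also tests the client's source port, which is ephemeral and never 80 or 443. It assumes 192.168.1.4 is the real web server, as the original static (inside,outside) implies, and uses PIX 6.3 syntax, where an ACL on the outside interface references the mapped (public) address.

```text
: Added example, not from the original post. Assumes 192.168.1.4 is the
: inside web server and 213.52.208.227 is its public (mapped) address.
:
: 1. Remove the host route that sends 192.168.1.4 to the PIX's own inside
:    interface, and the inverse static; neither is needed to publish a server.
no route inside 192.168.1.4 255.255.255.255 192.168.1.1 1
no static (outside,inside) 192.168.1.4 213.50.208.227 netmask 255.255.255.255 0 0
:
: 2. Keep the single static whose local-address is the true inside server.
static (inside,outside) 213.52.208.227 192.168.1.4 netmask 255.255.255.255 0 0
:
: 3. Replace the two outside ACL entries: no source-port test, and the
:    destination is the mapped address (PIX 6.x ACLs see mapped addresses).
no access-list outside_access_in permit tcp any eq www any eq www
no access-list outside_access_in permit tcp any eq https any eq https
access-list outside_access_in permit tcp any host 213.52.208.227 eq www
access-list outside_access_in permit tcp any host 213.52.208.227 eq https
access-group outside_access_in in interface outside
:
: 4. Flush stale translations so the new static takes effect, then watch
:    the translation and connection tables while an outside client connects.
clear xlate
show xlate
show conn
```

If show conn shows the inbound connection built to 192.168.1.4 but the browser still fails, the remaining suspect is the server's own default gateway, which must be 192.168.1.1 for the return traffic to reach the PIX.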