Re: why I dont get my webpage....???

tauseef · ‎03-19-2002

Hi there,

sorry if IM bugging U in UR valuable time , just was thinking if U could help me on this one at a glance .....

I have a firewall pix 515 R and its working fine , I have just added a webserver on my LAN though I know this is not recomended by cisco I just wanted it to work on the LAN without investing in the

DMZ.

I can ping the webserver from outside but Am not able to access the web page , when accessing the web page it waits for hell long time and says time out R server down , the same server if I put it on a live

IP and bypass the pix and connect it to the ethernet of the Router directly , the web pages comes up immediately , leaving me to stare at the firewall in anger ....

Here is the config which I have tried , both Access list and Conduits , but it is the same in both ways , just Pings but no web page display , Please

do let me know if theres anything I need to check R do for this to

work fine.....

Thanx in advance ...

Tauseef

tauseef@cadgulf.com

for PIX with ACCESS LIST

mideastPIX# sh conf

: Saved

:

PIX Version 5.2(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname mideastPIX

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

names

access-list acl_in permit icmp any any

access-list acl_in permit tcp any any eq www

access-list acl_in permit tcp any any eq smtp

access-list acl_out permit icmp any any

access-list acl_out permit tcp any host 213.42.63.50 eq www

access-list acl_out permit tcp any host 213.42.63.50 eq ftp

pager lines 24

no logging on

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 213.42.63.52 255.255.255.240

ip address inside 199.5.82.225 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 213.42.63.53-213.42.63.55

global (outside) 1 213.42.63.56

nat (inside) 1 199.5.82.0 255.255.255.0 0 0

alias (inside) 199.5.82.201 213.42.63.50 255.255.255.255

static (inside,outside) 213.42.63.50 199.5.82.201 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 213.42.63.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet 199.5.82.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:76e92f3081af4e131c1044c3ddc652a3

mideastPIX#

for PIX WITH CONDUIT

mideastPIX# sh conf

: Saved

:

PIX Version 5.2(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname mideastPIX

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

names

name 199.5.82.201 webserver

pager lines 24

no logging on

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 213.42.63.52 255.255.255.240

ip address inside 199.5.82.225 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 213.42.63.53-213.42.63.55

global (outside) 1 213.42.63.56

nat (inside) 1 199.5.82.0 255.255.255.0 0 0

alias (inside) webserver 213.42.63.50 255.255.255.255

static (inside,outside) 213.42.63.50 webserver netmask 255.255.255.255 0 0

conduit permit icmp any any

conduit permit tcp host webserver eq www any

route outside 0.0.0.0 0.0.0.0 213.42.63.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet 199.5.82.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:56ae5ececade66ec79a82856968f0b8f

mideastPIX# wr

usage: write erase|floppy|mem|terminal|standby

write net [<tftp_ip>]:<filename>

mideastPIX# wr mem

Building configuration...

Cryptochecksum: 56ae5ece cade66ec 79a82856 968f0b8f

[OK]

mideastPIX#

v-pandey · ‎03-21-2002

Hi ,

The configurations seems to be o.k . Just check the duplex settings of outside and inside interface . I suggest to keep 10 or 100 MBPS ( Full / half )but not in auto .U can check the errors or collissions in the interface .

alex.dodds · ‎03-22-2002

Hi Tauseef,

I agree with the above ,but also check out the following link http://www.cisco.com/warp/public/110/2.html

Alex

mhussein · ‎03-22-2002

Can you afford to disable the "alias" statement?

Since you are already using a "nat" statement to hide your internal ip's, you can statically translate the webserver's ip (199.5.82.201) to global addresses (213.42.63.50) and open the www port on it:

static (inside,outside) 213.42.63.50 199.5.82.201 netmask 255.255.255.255 0 0

conduit permit tcp host 213.42.63.50 eq www any

If you have to use "alias" statement, can you explain what are you trying to achieve ...

Regards,

Mustafa