03-19-2002 05:41 AM - edited 03-08-2019 10:06 PM
Hi there,
Sorry if I'm bugging you in your valuable time, just was thinking if you could help me on this one at a glance.....
I have a firewall PIX 515 R and it's working fine. I have just added a webserver on my LAN; though I know this is not recommended by Cisco, I just wanted it to work on the LAN without investing in the DMZ.
I can ping the webserver from outside but am not able to access the web page. When accessing the web page it waits for a hell of a long time and says time out or server down. The same server, if I put it on a live IP and bypass the PIX and connect it to the Ethernet of the router directly, the web pages come up immediately, leaving me to stare at the firewall in anger....
Here is the config which I have tried, both access list and conduits, but it is the same in both ways: just pings but no web page display. Please do let me know if there's anything I need to check or do for this to work fine.....
Thanks in advance...
Tauseef
for PIX with ACCESS LIST
mideastPIX# sh conf
: Saved
:
PIX Version 5.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mideastPIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 213.42.63.50 eq www
access-list acl_out permit tcp any host 213.42.63.50 eq ftp
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 213.42.63.52 255.255.255.240
ip address inside 199.5.82.225 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 213.42.63.53-213.42.63.55
global (outside) 1 213.42.63.56
nat (inside) 1 199.5.82.0 255.255.255.0 0 0
alias (inside) 199.5.82.201 213.42.63.50 255.255.255.255
static (inside,outside) 213.42.63.50 199.5.82.201 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 213.42.63.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 199.5.82.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:76e92f3081af4e131c1044c3ddc652a3
mideastPIX#
for PIX WITH CONDUIT
mideastPIX# sh conf
: Saved
:
PIX Version 5.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mideastPIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
name 199.5.82.201 webserver
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 213.42.63.52 255.255.255.240
ip address inside 199.5.82.225 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 213.42.63.53-213.42.63.55
global (outside) 1 213.42.63.56
nat (inside) 1 199.5.82.0 255.255.255.0 0 0
alias (inside) webserver 213.42.63.50 255.255.255.255
static (inside,outside) 213.42.63.50 webserver netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host webserver eq www any
route outside 0.0.0.0 0.0.0.0 213.42.63.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 199.5.82.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:56ae5ececade66ec79a82856968f0b8f
mideastPIX# wr
usage: write erase|floppy|mem|terminal|standby
write net [<tftp_ip>]:<filename>
mideastPIX# wr mem
Building configuration...
Cryptochecksum: 56ae5ece cade66ec 79a82856 968f0b8f
[OK]
mideastPIX#
03-21-2002 06:08 AM
Hi,
The configuration seems to be OK. Just check the duplex settings of the outside and inside interfaces. I suggest keeping 10 or 100 Mbps (full/half) but not auto. You can check the errors or collisions on the interface.
03-22-2002 01:53 AM
Hi Tauseef,
I agree with the above, but also check out the following link: http://www.cisco.com/warp/public/110/2.html
Alex
03-22-2002 06:31 PM
Can you afford to disable the "alias" statement?
Since you are already using a "nat" statement to hide your internal IPs, you can statically translate the webserver's IP (199.5.82.201) to a global address (213.42.63.50) and open the www port on it:
static (inside,outside) 213.42.63.50 199.5.82.201 netmask 255.255.255.255 0 0
conduit permit tcp host 213.42.63.50 eq www any
If you have to use the "alias" statement, can you explain what you are trying to achieve...
Regards,
Mustafa
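The mistakes discussed in this thread (an "alias" that duplicates a "static", an access-list that is defined but never bound with access-group, and a conduit or ACL that names the server's inside address rather than the global address outside clients actually connect to) can be checked mechanically. The script below is an added example for this thread; it is not Cisco code and not the poster's own tooling. It assumes the statement syntax shown in the posted configs (static GLOBAL LOCAL; alias LOCAL GLOBAL; conduit with the global address first) and nothing else. The sample configuration is constructed from lines of the two configs posted above, trimmed to what the checks look at; the lint goes slightly beyond the thread's specific case by also listing every translated service the outside interface admits, which surfaces the ftp permit in acl_out as well as www.

```python
"""Lint a PIX 5.x-style config for the translation/exposure mistakes discussed
in this thread.  Added example, not Cisco code or the poster's own tooling."""
from collections import namedtuple

Finding = namedtuple("Finding", "severity message")

# Constructed sample: lines taken from the two configs posted above, trimmed.
SAMPLE_CONFIG = """\
name 199.5.82.201 webserver
access-list acl_in permit tcp any any eq www
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 213.42.63.50 eq www
access-list acl_out permit tcp any host 213.42.63.50 eq ftp
alias (inside) webserver 213.42.63.50 255.255.255.255
static (inside,outside) 213.42.63.50 webserver netmask 255.255.255.255 0 0
access-group acl_out in interface outside
conduit permit icmp any any
conduit permit tcp host webserver eq www any
"""

def _take_addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host X' or 'X MASK'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i], i + 2

def _take_port(t, i):
    """Consume an optional 'eq PORT' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    return None, i

def parse_config(text):
    """Collect only the statements the lint needs; everything else is ignored."""
    cfg = {"names": {}, "statics": [], "aliases": [], "acls": {},
           "bound": {}, "conduits": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                          # name IP NAME
            cfg["names"][t[2]] = t[1]
        elif t[0] == "static":                      # static (in,out) GLOBAL LOCAL ...
            cfg["statics"].append((t[2], t[3]))
        elif t[0] == "alias":                       # alias (inside) LOCAL GLOBAL MASK
            cfg["aliases"].append((t[2], t[3]))
        elif t[0] == "access-list" and t[2] == "permit":
            r = t[3:]                               # PROTO SRC DST [eq PORT]
            _, i = _take_addr(r, 1)
            dst, i = _take_addr(r, i)
            port, _ = _take_port(r, i)
            cfg["acls"].setdefault(t[1], []).append(
                {"via": "access-list " + t[1], "proto": r[0], "dst": dst, "port": port})
        elif t[0] == "access-group":                # access-group NAME in interface IF
            cfg["bound"][t[1]] = t[4]
        elif t[0] == "conduit" and t[1] == "permit":
            r = t[2:]                               # PROTO GLOBAL [eq PORT] FOREIGN
            dst, i = _take_addr(r, 1)
            port, _ = _take_port(r, i)
            cfg["conduits"].append(
                {"via": "conduit", "proto": r[0], "dst": dst, "port": port})
    return cfg

def lint(text):
    """Return (findings, exposed): problems found, plus (global_ip, proto, port)
    tuples that outside-facing rules admit to a statically translated server."""
    cfg = parse_config(text)

    def res(a):                                     # resolve a 'name' to its IP
        return cfg["names"].get(a, a)

    glob2local = {res(g): res(l) for g, l in cfg["statics"]}
    local2glob = {l: g for g, l in glob2local.items()}
    findings, exposed = [], []

    for local, glob in cfg["aliases"]:
        if glob2local.get(res(glob)) == res(local):
            findings.append(Finding("warn", f"alias {res(local)}->{res(glob)} covers "
                "the same pair as a static; the static alone does the translation"))

    for name in cfg["acls"]:
        if name not in cfg["bound"]:
            findings.append(Finding("warn",
                f"access-list {name} is defined but never applied with access-group"))

    # Rules the outside interface evaluates: conduits, plus any ACL bound there.
    rules = list(cfg["conduits"])
    for name, iface in cfg["bound"].items():
        if iface == "outside":
            rules.extend(cfg["acls"].get(name, []))
    for r in rules:
        dst, svc = res(r["dst"]), f"{r['proto']}/{r['port'] or 'any'}"
        if dst in local2glob:                       # rule names the inside address
            findings.append(Finding("error", f"{r['via']} permits {svc} to {dst}, the "
                f"inside address; outside traffic targets the global {local2glob[dst]}"))
        elif dst in glob2local:
            exposed.append((dst, r["proto"], r["port"] or "any"))
    return findings, exposed

if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG)[0]:
        print(f"[{f.severity}] {f.message}")
```

Run against the sample it reports the alias/static overlap, the unbound acl_in, and the conduit that points at 199.5.82.201 instead of 213.42.63.50, and it lists www and ftp on 213.42.63.50 as the services reachable from outside. Feeding it a real "sh conf" dump works the same way, since unknown statements are skipped.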