Question : Webserver on Pix 515E DMZ

I have a web server on the DMZ and I can’t figure out why it can’t be accessed from the outside.  It was working previously and I can’t see any configuration changes that may have been made.  I think I need a few more eyes to look over the config to see if I am missing something.

sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
nameif ethernet3 dmz security50
enable password encrypted
passwd encrypted
hostname PIX
domain-name abcdefg
clock summer-time est recurring
fixup protocol dns
fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name X.X.79.40 abc.abc.org
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit tcp any host abc.abc.org eq www
access-list acl_out permit tcp any host X.X.79.30 eq smtp
access-list dmz permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging trap debugging
logging history notifications
logging facility 23
logging host inside 172.16.11.8
no logging message 111005
mtu outside 1500
mtu inside 1500
mtu failover 1500
mtu dmz 1500
ip address outside X.X.79.5 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip address failover 192.168.1.2 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 10
failover replication http
failover ip address outside X.X.79.4
failover ip address inside 172.16.1.3
failover ip address failover 192.168.1.3
failover ip address dmz 10.10.10.3
failover link dmz
no pdm history enable
arp timeout 14400
global (outside) 1 X.X.79.221 netmask 255.255.255.0
global (dmz) 1 10.10.10.221 netmask 255.255.255.0
nat (inside) 0 access-list dmz
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 10.10.10.40 10.10.10.40 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.10.41 10.10.10.41 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.10.39 10.10.10.39 netmask 255.255.255.255 0 0
static (inside,outside) X.X.79.65 172.16.11.65 netmask 255.255.255.255 0 0
static (inside,outside) X.X.79.66 172.16.11.66 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.10.42 10.10.10.42 netmask 255.255.255.255 0 0
static (dmz,outside) abc.abc.org 10.10.10.40 netmask 255.255.255.255 0 0
static (dmz,inside) abc.abc.org 10.10.10.40 netmask 255.255.255.255 0 0
static (inside,outside) X.X.79.68 172.16.11.68 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.11.0 172.16.11.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 X.X.79.1 1
timeout xlate 3:00:00

: end
PIX#

Answer : Webserver on Pix 515E DMZ

>I have a web server on the DMZ and I can’t figure out why it can’t be accessed from the outside.

How are you trying to access this system from the outside? www is the only method defined.
1) Can the system ping the default gateway?
2) Can the system ping something on the internet?
3) I assume the web server IP is 10.10.10.40?
4) Can you access the web server from a local segment?
5) Is the web server process https running on the system?
6) Try sniffing or crafting an ACL to verify that the traffic hits the outside interface, that way you know the traffic is being dropped by the firewall.

Modify your ACL as follows:

access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit tcp any host abc.abc.org eq www log-input
access-list acl_out permit tcp any host X.X.79.30 eq smtp
access-list acl_out deny ip any any log-input

This way we can see what is being allowed on port 80 and what is denied.


harbor235 ;}
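Once the ACL in the answer above is in place, every hit on the logged lines arrives at the syslog host (172.16.11.8 in the posted config) as a %PIX-6-106100 message. The script below is an added example, not code from the original post, that turns those lines into the two answers the troubleshooting steps are after: is port-80 traffic to the web server reaching the outside interface at all, and what is the catch-all deny actually dropping. It assumes the PIX 6.3 106100 message format; the sample lines are constructed, with the documentation addresses 192.0.2.40 and 192.0.2.30 standing in for X.X.79.40 (abc.abc.org) and X.X.79.30.

```python
"""Triage %PIX-6-106100 ACL log lines produced by the log-input ACL change.

Added example, not code from the original post. Assumes PIX 6.3 ACL logging
(message 106100) forwarded to the syslog host from the question. All sample
lines are constructed; 192.0.2.40 stands in for X.X.79.40 (abc.abc.org) and
192.0.2.30 for X.X.79.30.
"""
import re
from collections import Counter

WEB_SERVER_PUBLIC = "192.0.2.40"  # stand-in for X.X.79.40 / abc.abc.org

# 106100 layout:
#   access-list <acl> permitted|denied <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> (...)
ACL_LOG_RE = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<in_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<out_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample: a healthy log after the ACL change. The last line is a
# 305005 (no translation group) for SMTP to the X.X.79.30 stand-in, which the
# ACL permits but for which the posted config has no static; it is not an
# ACL message and must be skipped by the parser.
SAMPLE_HEALTHY = [
    "Jan 12 10:01:02 PIX %PIX-6-106100: access-list acl_out permitted tcp outside/203.0.113.7(51234) -> dmz/192.0.2.40(80) hit-cnt 1 (first hit)",
    "Jan 12 10:06:02 PIX %PIX-6-106100: access-list acl_out permitted tcp outside/203.0.113.7(51240) -> dmz/192.0.2.40(80) hit-cnt 3 (300-second interval)",
    "Jan 12 10:06:10 PIX %PIX-6-106100: access-list acl_out denied tcp outside/198.51.100.9(4433) -> dmz/192.0.2.40(443) hit-cnt 1 (first hit)",
    "Jan 12 10:06:11 PIX %PIX-6-106100: access-list acl_out denied tcp outside/198.51.100.9(40000) -> inside/192.0.2.66(3389) hit-cnt 2 (first hit)",
    "Jan 12 10:06:12 PIX %PIX-3-305005: No translation group found for tcp src outside:198.51.100.9/40001 dst inside:192.0.2.30/25",
]

# Constructed sample: port 80 to the web server reaches the PIX, but the permit
# line is not matching it, so the catch-all deny logs it instead.
SAMPLE_PERMIT_NOT_MATCHING = [
    "Jan 12 11:00:00 PIX %PIX-6-106100: access-list acl_out denied tcp outside/203.0.113.7(52000) -> dmz/192.0.2.40(80) hit-cnt 1 (first hit)",
]


def parse_acl_log(line):
    """Return the fields of one 106100 line as a dict, or None for any other message."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Total hit counts per (action, proto, dst, dport); non-ACL messages are ignored."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is not None:
            totals[(rec["action"], rec["proto"], rec["dst"], rec["dport"])] += rec["hits"]
    return totals


def denied_destinations(lines):
    """(dst, dport, proto, hits) tuples the catch-all deny logged, busiest first."""
    denied = [
        (dst, dport, proto, hits)
        for (action, proto, dst, dport), hits in summarize(lines).items()
        if action == "denied"
    ]
    return sorted(denied, key=lambda t: (-t[3], t[0], t[1]))


def web_traffic_status(lines, server=WEB_SERVER_PUBLIC, port=80):
    """Classify what the ACL log says about TCP traffic to server:port.

    "not-seen":  no hits either way, so the traffic never reaches the outside
                 interface (look upstream: DNS, provider routing, upstream filter).
    "denied":    the catch-all deny is catching it, so the permit line does not
                 match (check the name-to-address mapping and line order).
    "permitted": the firewall passes it, so look past the ACL: the static, the
                 server's default gateway, and the listening process.
    """
    hits = {"permitted": 0, "denied": 0}
    for (action, proto, dst, dport), count in summarize(lines).items():
        if proto == "tcp" and dst == server and dport == port:
            hits[action] += count
    if hits["permitted"] == 0 and hits["denied"] == 0:
        return "not-seen"
    if hits["denied"] > 0:
        return "denied"
    return "permitted"


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("permit-not-matching", SAMPLE_PERMIT_NOT_MATCHING)):
        print(f"{name}: web traffic is {web_traffic_status(sample)}")
        for dst, dport, proto, hits in denied_destinations(sample):
            print(f"  denied {proto} -> {dst}:{dport}  hits={hits}")
```

Feed it the syslog file from the logging host rather than the embedded samples to use it for real; the "not-seen" outcome is the one that moves the problem off the firewall, and the "denied" outcome is the one that points back at the permit line itself.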