Cannot see my own website

Status
Not open for further replies.

NTSGuru

Programmer
Jul 25, 2000
52
I have a PIX 515 set up behind a Cisco2620 router. We own the domain xyz.com. I have UUNet pointing ip address 123.123.123.123 to which from the router goes to my internal W2K IIS machine. From outside the firewall/router, anyone who goes to can see the website fine. However, when I try to access it from behind the firewall/router, I get "Cannot find page".

I'm new to running firewalls/routers. Can someone please help me? I'd REALLY appreciate it!

tia,
fred
 
You can't see it from your internal network? If so, how do you have your firewall config set up? Post some of the config here, minus of course your real IPs.
 
Here's some of it... there are obviously parts left out, and IP addresses have been changed to protect the innocent...


ip address outside 123.123.123.123 255.255.255.8
ip address inside 10.10.1.1 255.255.0.0
arp timeout 14400
global (outside) 1 123.123.123.6 netmask 255.255.255.8
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
alias (inside) 10.10.5.3 123.123.123.8 255.255.255.255
static (inside,outside) 123.123.123.7 10.10.5.2 netmask 255.255.255.255 0 0
static (inside,outside) 123.123.123.4 10.10.5.4 netmask 255.255.255.255 0 0
static (inside,outside) 123.123.123.8 10.10.5.3 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 123.123.123.7 eq 139 host 123.123.123.7
conduit permit udp host 123.123.123.7 eq netbios-ns host 123.123.123.7
conduit permit udp host 123.123.123.7 eq netbios-dgm host 123.123.123.7
conduit permit tcp host 123.123.123.7 eq 135 host 123.123.123.7
conduit permit tcp host 123.123.123.7 eq smtp any
conduit permit tcp host 123.123.123.7 eq ftp any
conduit permit tcp host 123.123.123.8 eq established tcp 135 permitto tcp 1024-65535 permitfrom tcp 0
 
Here's your overall problem:

You're trying to get to the public address of from inside the firewall. The PIX does not allow you to get from inside to (in effect) outside. (I forget the exact phrase someone else has told me here, but what you're trying would, in effect, require you to go from inside to outside and back to inside. The PIX doesn't allow this.) You can test this by trying to ping the external public IP of from inside the firewall. This, of course, won't work. But if you ping the internal IP address of the web site, it will work.

What you need to do is access the web site on its internal IP address. You may want to set up a DNS server on the inside zone, and have that server provide the internal IP address for for internal users. (We have a similar setup here.)
 
Hmm... I have the exact same problem with my LinkSys BEFSR41 router. Everyone else can see my sites, but I can't. I only have port 80 open.

So are you saying there is some place in the DNS server behind the firewall that I can do translation to my router's internal ip address? I can see how that would work, but I don't know where to begin putting in that information in Windows 2000 Server's DNS.
 
This behavior is by design; you need to use the "alias" command to resolve this issue. More information at You allow too many ports open. Looks like you're trying to accommodate the Exchange server. I advise a firmware upgrade to 6.2 (use "sh ver" to verify yours), filter outbound and replace "conduits" with more specific "access-list" statements; you will then be able to receive SMTP traffic with only port 25 open.
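
An added example, not part of any post in this thread and not Cisco tooling: the last reply's advice to replace conduits with access-list statements, sketched in Python over conduit lines taken from the config posted above. The list name acl_out and the two warning rules are assumptions; the mapping relies on conduit syntax naming the published address first and the outside source second, which access-list reverses.

```python
import ipaddress
# Conduit lines copied from the config posted in the thread (addresses as posted).
POSTED = [
    "conduit permit icmp any any",
    "conduit permit tcp host 123.123.123.7 eq 139 host 123.123.123.7",
    "conduit permit tcp host 123.123.123.7 eq smtp any",
    "conduit permit tcp host 123.123.123.8 eq established tcp 135 permitto tcp 1024-65535 permitfrom tcp 0",
]

def take_addr(tok):
    """Pop one address spec: 'any', 'host A' or 'A MASK'."""
    if tok[0] == "any":
        return [tok.pop(0)]
    first, second = tok.pop(0), tok.pop(0)
    for t in ([second] if first == "host" else [first, second]):
        ipaddress.ip_address(t)  # raises ValueError unless a dotted quad
    return [first, second]

def take_port(tok):  # optional port spec: 'eq|lt|gt|neq P' or 'range P1 P2'
    n = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}.get(tok[0] if tok else "", 0)
    spec = tok[:n]
    del tok[:n]
    return spec

def convert(line, acl="acl_out"):  # acl_out is an assumed list name
    """Return (access-list line, warnings) for one conduit line."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "conduit":
        raise ValueError("not a conduit line")
    action, proto, rest = tok[1], tok[2], tok[3:]
    dst, dport = take_addr(rest), take_port(rest)  # conduit: global (published) side first
    src, sport = take_addr(rest), take_port(rest)  # then the foreign (outside) side
    if rest and proto != "icmp":                   # icmp may end with an icmp type
        raise ValueError("unexpected tokens: " + " ".join(rest))
    warn = []
    if dst == ["any"]:
        warn.append("destination any: covers every translated host")
    if src == dst != ["any"]:
        warn.append("source equals destination: check intent")
    return " ".join(["access-list", acl, action, proto, *src, *sport, *dst, *dport, *rest]), warn

def audit(lines):
    out = []  # a line that does not parse is reported, not guessed at
    for line in lines:
        try:
            out.append((line, *convert(line)))
        except (ValueError, IndexError) as err:
            out.append((line, None, [f"unparsed: {err}"]))
    return out
```

Calling audit(POSTED) returns one (original, access-list line, warnings) tuple per conduit; the generated list only takes effect once it is bound with `access-group acl_out in interface outside`.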
 