Can't access internal web server after PIX setup

Jul 25, 2001
My company switched from a T1/cisco 1600 setup to a cable modem/PIX 501 setup.
Since installing this new connection, we can no longer access our internal web server from inside, but have no problem accessing it from outside the network. There is no problem accessing other web sites, just our internal one. Also, we cannot ping any outside IP address or FQDN. I even tried explicitly allowing ICMP full access from the inside interface, but no change. We are using NAT, with static IP mappings for our internal email & web server.
I have been working with Cisco TAC, and emailed them my config, and they can't see anything wrong with it. I'm clueless. Can someone help?
Thanks,
Kevin
 
HI.

About the web server - you need to check if this is a name resolution (DNS) issue or not.
Can you access it using ip address?

About ICMP - since the PIX does not work "stateful" for ICMP (only for TCP and UDP), you need to allow the return ICMP on the outside interface as well, not only from inside.

You can find more info here:

Bye
Yizhar Hurwitz
 
Thanks, the PING problem was that ICMP was not allowed on the outside interface, so no echoes were coming back in. The problem that remains is that I cannot access the internal web site from inside using the IP address or the domain name, only from outside our network. I can't even access it by using the internal IP address. I notice that when I type the URL, I see the outside IP address referenced at the bottom of IE, so it seems the IP address is getting translated. Anybody have any ideas?
Thanks
 
HI.

Post your config here.
Are you using the ALIAS command?
Can you ping the web server from inside?

Try to ping the web server from inside, and then type this command at the workstation DOS prompt:

arp -a

What MAC address do you get for the IP of the server? Is it the MAC address of the server or of the PIX?

Do not use the "alias" command, or if you are using it you need to disable proxy-arp on the inside interface.

Bye
Yizhar Hurwitz
 
Thanks for the reply. Yes, I can ping the INSIDE address from inside, but not the outside address from inside. After pinging the inside address, the arp -a command shows the following:
192.168.1.76 00-50-da-c9-xx-xx dynamic
Which I thought was strange, since the address is not dynamic, its static. But it is showing the MAC of the server, not the PIX.
Here is the config. Thanks again...

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname xxxxx
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 68.15.156.224 coxnet
access-list 101 permit udp any host 68.15.156.xxx eq 5632
access-list 101 permit tcp any host 68.15.156.xxx eq 5631
access-list 101 permit tcp any host 68.15.156.xxx eq www
access-list 101 permit tcp any host 68.15.156.xxx eq smtp
access-list 101 permit tcp any host 68.15.156.xxx eq 1677
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any
access-list webinside permit tcp any any eq www
access-list webinside permit udp any any
access-list webinside permit ip any any
access-list webinside permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply inside
icmp permit any traceroute inside
icmp permit any unreachable inside
mtu outside 1500
mtu inside 1500
ip address outside 68.15.156.xxx 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.73 255.255.255.255 inside
pdm location 192.168.1.76 255.255.255.255 inside
pdm location 192.168.1.78 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.15.156.xxx 192.168.1.76 netmask 255.255.255.255 0 0
static (inside,outside) 68.15.156.xxx 192.168.1.78 netmask 255.255.255.255 0 0
static (inside,outside) 68.15.156.xxx 192.168.1.73 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group webinside in interface inside
route outside 0.0.0.0 0.0.0.0 68.15.156.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.10.16.245 68.10.16.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
[OK]
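The ICMP point made earlier in the thread (the PIX 6.x does not track ICMP statefully, so the echo-reply coming back in must itself be permitted by the ACL applied to the outside interface) is easy to see by evaluating the posted `access-list 101` the way the PIX does: first matching entry wins, and anything that falls through is dropped. The following is an added example, not code from the original post or from Cisco: a small parser for the PIX `access-list` syntax used in the config above plus a first-match evaluator. It models only the ACL decision, not the TCP/UDP connection table that lets replies for those protocols through. The masked host octet `xxx` in the config is replaced with the constructed stand-in 68.15.156.230, and the reply source 68.10.16.245 is simply the first `dhcpd dns` address from the config reused as a ping target; both are assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port and ICMP type keywords as used in the posted ACL (subset of the PIX keyword table).
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


@dataclass
class Ace:
    """One access-control entry: action, protocol, source/destination networks, optional qualifiers."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # TCP/UDP destination port from "eq PORT", else None (= any port)
    icmp_type: Optional[int]   # ICMP type keyword, else None (= any type)


def _addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A', or 'A NETMASK'. Returns (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX uses a real netmask here (255.255.255.0), not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT | ICMP-TYPE]' into an Ace."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = icmp_type = None
    if i < len(t):
        if t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES.get(p) or int(p)
        elif proto == "icmp":
            icmp_type = ICMP_TYPES[t[i]]
    return Ace(action, proto, src, dst, dport, icmp_type)


def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """First matching entry decides; a packet matching nothing is denied, as on the PIX."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"


# The outside ACL from the posted config, with the masked octet replaced by a constructed .230.
ACL_101_TEXT = """\
access-list 101 permit udp any host 68.15.156.230 eq 5632
access-list 101 permit tcp any host 68.15.156.230 eq 5631
access-list 101 permit tcp any host 68.15.156.230 eq www
access-list 101 permit tcp any host 68.15.156.230 eq smtp
access-list 101 permit tcp any host 68.15.156.230 eq 1677
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any
"""
ACL_101 = [parse_ace(l) for l in ACL_101_TEXT.splitlines() if l.strip()]
# The same ACL with the ICMP entries removed: the state described in the first post.
ACL_101_BEFORE = [a for a in ACL_101 if a.icmp_type is None]


if __name__ == "__main__":
    outside_host = "68.15.156.230"
    cases = [
        ("echo-reply in, ACL as posted", ACL_101, "icmp", "68.10.16.245", outside_host, None, 0),
        ("echo-reply in, no ICMP entries", ACL_101_BEFORE, "icmp", "68.10.16.245", outside_host, None, 0),
        ("echo (inbound ping) in", ACL_101, "icmp", "203.0.113.9", outside_host, None, 8),
        ("tcp/80 in", ACL_101, "tcp", "203.0.113.9", outside_host, 80, None),
        ("tcp/23 in", ACL_101, "tcp", "203.0.113.9", outside_host, 23, None),
    ]
    for label, acl, proto, s, d, port, itype in cases:
        print(f"{label:34s} -> {evaluate(acl, proto, s, d, dport=port, icmp_type=itype)}")
```

Note that the `echo-reply` entry lets replies to inside-originated pings back in while an inbound `echo` from the Internet still falls through to `deny ip any any`; for TCP and UDP the equivalent return traffic is matched against the connection table instead, which is why only ICMP needed the extra outside entries.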


 
HI.

From your previous post:
> ... when I type the URL, I see the outside IP address referenced at the bottom ...

So this seems like a DNS issue.

The best option to solve it is to use internal DNS server (you should already have one if you have W2K+AD), and configure it with an entry for the web server that will point the clients to the INTERNAL ip address 192.168.1...

Other options are:
* Use HOSTS file on workstations.
* Use the alias command on the pix, with the addition of disabling proxy-arp on the "inside" interface (failing to disable proxy arp will cause you more trouble!).

Bye
Yizhar Hurwitz
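What the `alias` option above does, in effect, is rewrite DNS replies passing through the PIX so that an A record carrying the server's outside (static) address is handed to inside clients with the inside address instead; the internal-DNS and HOSTS-file options avoid the rewrite by never returning the outside address to inside clients in the first place. The block below is an added example, not code from the original post, from the PIX, or from Cisco: a minimal DNS reply walker that performs that A-record substitution on a constructed reply, so the transformation can be inspected byte for byte. The name `www.example.com`, the outside address 68.15.156.230 (standing in for the masked `xxx` octet) and the TTL are assumptions for the demonstration; the inside address 192.168.1.76 is the web server from the posted static.

```python
import socket
import struct


def _skip_name(buf, off):
    """Return the offset just past the DNS name starting at `off` (labels or a compression pointer)."""
    while True:
        length = buf[off]
        if length == 0:            # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def _records(buf):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every answer/authority/additional record."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", buf, 4)
    off = 12                       # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4   # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def doctor_dns_reply(msg, outside_ip, inside_ip):
    """Replace A records (type 1, class IN) equal to outside_ip with inside_ip.

    Returns (rewritten_bytes, number_of_records_changed). Length, TTLs and all
    other records are left untouched, so the client caches the inside address
    for the original TTL, which is the delay seen later in this thread.
    """
    outside, inside = socket.inet_aton(outside_ip), socket.inet_aton(inside_ip)
    buf = bytearray(msg)
    changed = 0
    for rtype, rclass, off, rdlen in list(_records(buf)):
        if rtype == 1 and rclass == 1 and rdlen == 4 and bytes(buf[off:off + 4]) == outside:
            buf[off:off + 4] = inside
            changed += 1
    return bytes(buf), changed


def a_records(msg):
    """Dotted-quad addresses of all A records in a reply (used to check the rewrite)."""
    return [socket.inet_ntoa(bytes(msg[off:off + 4]))
            for rtype, _rclass, off, rdlen in _records(msg) if rtype == 1 and rdlen == 4]


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_a_reply(name, ip, ttl=300, txid=0x1234):
    """Constructed sample reply: one question and one A answer whose name is a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = _encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    reply = build_a_reply("www.example.com", "68.15.156.230")
    fixed, n = doctor_dns_reply(reply, "68.15.156.230", "192.168.1.76")
    print("external reply :", a_records(reply))
    print("doctored reply :", a_records(fixed), f"({n} record rewritten)")
```

Two caveats a practitioner would want: the substitution only fires when the reply carries exactly the outside address named in the `alias` line, so each published server needs its own entry, and the PIX applies it to DNS replies crossing the inside interface, which is why an internal DNS server that already answers with 192.168.1.x never needs it.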
 
I added the following lines to my config:
alias (inside) 192.168.1.76 68.15.156.xxx 255.255.255.255
sysopt noproxyarp inside

Is this what you were referring to?
If so, it did not change anything.

Thanks.

 
DISREGARD MY LAST POST. After inserting those two commands, it didn't seem to work. About 10 minutes later, before I was going to take out those commands, I tried the website one more time, and it worked!

yizhar, thanks for the help. Problem solved!

I just don't understand why the PIX would not be configured this way by default.
 
To always see config changes immediately (the xlate probably timed out, that's why it took a while to see the changes):
wr mem
clear arp
clear xlate
 
HI.

> About 10 minutes later ...
This is because "alias" modifies DNS replies from the external DNS server. The workstations cache DNS for a while and do not query the DNS server each time.
Rebooting the workstation clears DNS cache on it.

I still suggest internal DNS server as a better solution, not only for that specific issue.
This can improve performance and stability of your network.

Try to disconnect for several minutes, one of the cables from your perimeter router or the pix, and see how workstations behave:
Can you browse the internal network?
Can you open MS Outlook if you're using it?
Does the network work slower?
Try to reboot a workstation when the Internet link is down, and answer again previous questions.

Bye
Yizhar Hurwitz
 