
HTTPS and Conduit commands

malderse (IS-IT--Management, GB), Jan 21, 2003
I am having some problems allowing HTTPS traffic through my PIX 515. I have a static route binding my external address to my internal web server. If I put HTTPS in front of the server's internal address in a browser, I get a response. However, if I use the external address with HTTPS in front, I get "address unresolved"; with HTTP it is fine. I have the following conduit command loaded in the config:

conduit permit tcp host externalip eq 443 any

Also, I have an old IOS, 4.4(5).

Any help would be much appreciated
 
If you want to access the internal web server from an internal workstation using the public NAT address defined on the PIX, you will need to use the alias command. The alias (inside) command will redirect traffic destined for the public (NAT) IP to the private (real) IP, and it will all be transparent to the user. It is really designed to rewrite the response from a DNS name lookup, replacing the resolved IP with whatever you have defined in the alias command. The (inside) part of the command applies this only to machines originating from the inside network. Hope this helps.
 
Waranha,
Thanks for the response. The problem, though, is with a trusted external user connecting from outside to the internal web server. The connection in from outside to the web server is fine with HTTP, but does not work with HTTPS. However, the web server is accepting internal HTTP requests, so I know the server is fine. The firewall would appear to be the problem and is not responding to the HTTPS commands.
Can you give me any other advice?

Many Thanks
 
Hi.

Use syslog messages to see what is going on.
Use level 4 to see what the pix is blocking, or level 6 to see also the traffic that is permitted.

Check the server logs. What do you see?

It could also be a problem with the SSL implementation or configuration of the server - check this out.

Bye
Yizhar Hurwitz
 
Hi,
I have checked the syslog and nothing appears to be happening on the firewall itself. If I access the web server from the inside network, the client is asked to accept the certificate, which would say to me that it is working. I just wondered if anyone else has experienced problems with such an old version of IOS. As I said, the config is pretty basic: two static NATs and four ports open, all of which work apart from 443. The interesting thing is that when I try a fixup command on 443 I get a message that it is not a valid protocol.

Any more thoughts

Many thanks
 
Hi.

> I have checked the syslog and nothinng appears to be happening on the firewall itself
If you are logging at level 4 and no error, this probably means that the problem is elsewhere, not at the pix.
It is probably a DNS or SSL issue.
The SSL certificate is bound to an identity (normally the FQDN of the server). This could also be related to the issue.

You can log at level 6 to verify that the TCP session is established.

> I try a fixup comand on 443
You should not use fixup on HTTPS, because the pix cannot and should not try to inspect SSL encrypted traffic.

Check the http server logs. What do you see?

Bye
Yizhar Hurwitz
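Added example, not part of the thread and not from any of the posters: a small Python script that classifies what a PIX logged about inbound connections to one server port, and models the effect of the `logging trap` level on what the syslog host ever sees. The syslog lines are constructed for this example, with formats modelled on the PIX 6.x messages 302001 (Built), 302002 (Teardown) and 106001 (denied) and documentation addresses; the exact text emitted by 4.4(5) may differ, so adjust the regexes to your own logs. The outcome names (`no_record`, `denied_by_pix`, `tcp_built_no_data`, `tcp_established`) are my labels for the triage branches the replies above describe.

```python
import re

# Constructed sample syslog, modelled on PIX 6.x message formats (not real
# output from the thread's 4.4(5) box). 203.0.113.10 is the assumed public
# (static) address, 10.0.0.10 the assumed real server address.
SAMPLE_SYSLOG = """\
%PIX-6-302001: Built inbound TCP connection 1001 for faddr 198.51.100.7/40212 gaddr 203.0.113.10/80 laddr 10.0.0.10/80
%PIX-6-302002: Teardown TCP connection 1001 faddr 198.51.100.7/40212 gaddr 203.0.113.10/80 laddr 10.0.0.10/80 duration 0:00:01 bytes 2314 (TCP FINs)
%PIX-4-106001: Inbound TCP connection denied from 198.51.100.7/40213 to 203.0.113.10/8443 flags SYN on interface outside
%PIX-6-302001: Built inbound TCP connection 1002 for faddr 198.51.100.7/40214 gaddr 203.0.113.10/443 laddr 10.0.0.10/443
%PIX-6-302002: Teardown TCP connection 1002 faddr 198.51.100.7/40214 gaddr 203.0.113.10/443 laddr 10.0.0.10/443 duration 0:00:00 bytes 0 (TCP Reset-I)
"""

# %PIX-<severity>-<msgid>: <body>; severity 4 = warning (denials), 6 = informational (sessions)
HEADER = re.compile(r"^%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
BUILT = re.compile(r"Built inbound TCP connection \d+ for faddr \S+ gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr [\d.]+/\d+")
TEARDOWN = re.compile(r"Teardown TCP connection \d+ faddr \S+ gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr \S+ duration \S+ bytes (?P<bytes>\d+)")
DENIED = re.compile(r"Inbound TCP connection denied from \S+ to (?P<gaddr>[\d.]+)/(?P<gport>\d+) flags \S+ on interface \S+")


def parse_line(line):
    """Return a dict for one PIX syslog line, or None if this example does not understand it."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    sev, body = int(m.group("sev")), m.group("body")
    for event, pat in (("built", BUILT), ("teardown", TEARDOWN), ("denied", DENIED)):
        b = pat.search(body)
        if b:
            rec = {"severity": sev, "event": event, "gaddr": b.group("gaddr"), "gport": int(b.group("gport"))}
            if event == "teardown":
                rec["bytes"] = int(b.group("bytes"))  # payload bytes carried over the session
            return rec
    return None


def classify_port(log_text, port, trap_level=6):
    """Summarise what the PIX recorded for inbound connections to `port`.

    trap_level mimics `logging trap N`: only messages of severity N or more
    severe (numerically <= N) are sent to the syslog host. At level 4 the
    level-6 Built/Teardown lines never arrive, so a permitted session looks
    exactly like "nothing happening on the firewall".
    """
    events = [r for r in (parse_line(line) for line in log_text.splitlines())
              if r and r["gport"] == port and r["severity"] <= trap_level]
    if not events:
        return "no_record"          # PIX logged nothing: raise the level, or look before the PIX (DNS, routing)
    if any(r["event"] == "denied" for r in events):
        return "denied_by_pix"      # conduit/static problem on the PIX itself
    payload = sum(r.get("bytes", 0) for r in events if r["event"] == "teardown")
    if any(r["event"] == "built" for r in events) and payload == 0:
        return "tcp_built_no_data"  # handshake passed the PIX, no data flowed: look at the SSL/server side
    return "tcp_established"


if __name__ == "__main__":
    for p in (80, 443, 8443):
        print(p, classify_port(SAMPLE_SYSLOG, p), "(at trap 4:", classify_port(SAMPLE_SYSLOG, p, trap_level=4) + ")")
```

Run against the constructed sample, port 443 comes back as `tcp_built_no_data` at level 6 but `no_record` at level 4, which is the trap Yizhar's reply warns about: an empty level-4 log only proves the PIX did not deny the connection, not that the SYN never arrived. Feed it your own syslog capture instead of `SAMPLE_SYSLOG` once the regexes match your PIX version's message text.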
 