
don1907
Dec 14, 2006
I have created a rule that should open an IP address on the firewall to an internal server. Internally the web server works fine; externally there is no connection by IP.

Here is the rule:

access-list acl_out permit tcp any host 66.173.204.217 eq www
static (inside,outside) 66.173.204.217 192.168.30.90 netmask 255.255.255.255 0 0

Any suggestions?
 
I have attached my running config:

epa515# show running-config
: Saved
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password 5AazmePNQ8pICi2X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname epa515
domain-name eastportanalytics.com
clock timezone est -5
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network EPA_www
description All servers providing to the outside
network-object host 66.173.204.213
network-object host 66.173.204.214
network-object host 66.173.204.215
network-object host 66.173.204.216
network-object host 66.173.204.217
network-object host 66.173.204.218
network-object host 66.173.204.219
network-object host 66.173.204.220
object-group network EPA_https
description All servers providing HTTPS services to the outside
network-object host 66.173.204.213
network-object host 66.173.204.214
object-group network EPA_smtp
description All servers providing SMTP services to the outside
network-object host 66.173.204.213
network-object host 66.173.204.214
network-object host 66.173.204.215
network-object host 66.173.204.218
network-object host 66.173.204.216
object-group network EPA_dns
description All servers providing DNS services to the outside
network-object host 66.173.204.216
network-object host 66.173.204.218
object-group network EPA_cavtel_dns
description Cavtel External DNS servers used for Zone Transfer
network-object host 216.220.40.243
network-object host 64.39.29.212
network-object host 216.220.40.250
network-object host 209.200.131.4
network-object host 66.225.199.10
network-object host 216.246.59.66
network-object 205.210.42.0 255.255.255.0
network-object 216.220.40.240 255.255.255.240
network-object 209.200.131.0 255.255.255.0
network-object 209.200.151.0 255.255.255.0
network-object 209.200.177.0 255.255.255.0
network-object 209.200.141.0 255.255.255.0
network-object 66.252.1.10 255.255.255.255
network-object 205.234.220.154 255.255.255.255
network-object 205.234.220.146 255.255.255.255
network-object 205.234.160.98 255.255.255.255
network-object 64.202.104.250 255.255.255.255
network-object 206.223.184.240 255.255.255.240
network-object 216.246.59.82 255.255.255.255
object-group network EPA_https_real
description All servers providing HTTPS services to the outside
network-object 192.168.30.20 255.255.255.255
network-object 192.168.30.21 255.255.255.255
object-group network EPA_dns_real
description All servers providing DNS services to the outside
network-object 172.16.250.21 255.255.255.255
network-object 172.16.250.30 255.255.255.255
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.173.204.214 eq https
access-list acl_out permit tcp any host 66.173.204.214 eq www
access-list acl_out permit tcp any host 66.173.204.214 eq smtp
access-list acl_out permit tcp any host 66.173.204.213 eq https
access-list acl_out permit tcp any host 66.173.204.213 eq www
access-list acl_out permit tcp any host 66.173.204.215 eq www
access-list acl_out permit tcp any host 66.173.204.216 eq www
access-list acl_out permit tcp any host 66.173.204.217 eq www
access-list acl_out permit udp any host 66.173.204.216 eq domain
access-list acl_out permit tcp any host 66.173.204.213 eq ftp
access-list acl_out permit tcp any host 66.173.204.219 eq www
access-list 88 permit ip 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.25.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.30.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.40.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.20.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 88 permit ip 192.168.30.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 88 permit ip 192.168.40.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPNAdmins_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list VPNAdmins_splitTunnelAcl permit ip 192.168.20.0 255.255.255.0 any
access-list VPNAdmins_splitTunnelAcl permit ip 192.168.30.0 255.255.255.0 any
access-list VPNAdmins_splitTunnelAcl permit ip 192.168.40.0 255.255.255.0 any
access-list VPNAdmins_splitTunnelAcl permit ip 172.16.250.0 255.255.255.0 any
access-list DMZ_outbound_nat0_acl permit ip 172.16.250.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
access-list DMZ_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
access-list VPNDmz_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list VPNDmz_splitTunnelAcl permit ip 192.168.20.0 255.255.255.0 any
access-list VPNDmz_splitTunnelAcl permit ip 192.168.30.0 255.255.255.0 any
access-list VPNDmz_splitTunnelAcl permit ip 192.168.40.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 192.168.10.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 192.168.20.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 192.168.30.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 192.168.40.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 172.16.250.0 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 192.168.5.0 255.255.255.0
access-list DMZ_inside permit tcp host 172.16.250.20 eq 20031 host 192.168.30.21 eq 20031
access-list DMZ_inside permit udp host 172.16.250.20 eq 20031 host 192.168.30.21 eq 20031
access-list DMZ_inside permit tcp host 172.16.250.30 eq 20031 host 192.168.30.21 eq 20031
access-list DMZ_inside permit udp host 172.16.250.30 eq 20031 host 192.168.30.21 eq 20031
access-list DMZ_inside permit udp host 172.16.250.20 host 192.168.30.21 range 20050 20070
access-list DMZ_inside permit udp host 172.16.250.30 host 192.168.30.21 range 20050 20070
access-list DMZ_inside permit tcp host 172.16.250.20 host 192.168.30.21 range 20031 20050
access-list DMZ_inside permit tcp host 172.16.250.30 host 192.168.30.21 range 20031 20050
access-list DMZ_inside permit tcp host 172.16.250.20 host 192.168.30.20 eq smtp
access-list DMZ_inside permit tcp host 172.16.250.20 host 192.168.30.21 eq smtp
access-list DMZ_inside permit tcp host 172.16.250.20 host 192.168.30.21 eq domain
access-list DMZ_inside permit tcp host 172.16.250.21 host 192.168.30.21 eq domain
access-list DMZ_inside permit udp host 172.16.250.21 host 192.168.30.21 eq domain
access-list DMZ_inside permit udp host 172.16.250.21 host 64.83.1.10 eq domain
access-list DMZ_inside permit udp host 172.16.250.21 host 64.83.0.10 eq domain
access-list DMZ_inside permit ip 172.16.250.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ_inside permit ip host 172.16.250.249 host 172.16.250.1
access-list DMZ_inside permit ip host 172.16.250.250 host 172.16.250.1
access-list DMZ_inside permit ip 172.16.253.0 255.255.255.248 host 172.16.250.1
access-list DMZ_inside permit ip 172.16.253.16 255.255.255.248 host 172.16.250.1
access-list DMZ_inside deny ip 172.16.253.0 255.255.255.248 192.168.10.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.0 255.255.255.248 192.168.20.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.0 255.255.255.248 192.168.30.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.0 255.255.255.248 192.168.40.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.16 255.255.255.248 192.168.10.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.16 255.255.255.248 192.168.20.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.16 255.255.255.248 192.168.30.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.16 255.255.255.248 192.168.40.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.250.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.250.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.250.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.250.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list DMZ_inside permit ip 172.16.253.0 255.255.255.248 any
access-list DMZ_inside permit ip 172.16.253.16 255.255.255.248 any
access-list DMZ_inside permit ip 172.16.250.0 255.255.255.0 any
access-list VPNConsult_splitTunnelAcl_1 permit ip 192.168.10.0 255.255.255.0 any
access-list VPNConsult_splitTunnelAcl_1 permit ip 192.168.20.0 255.255.255.0 any
access-list VPNConsult_splitTunnelAcl_1 permit ip 192.168.40.0 255.255.255.0 any
access-list VPNConsult_splitTunnelAcl_1 permit ip 172.16.250.0 255.255.255.0 any
access-list acl_outside permit tcp any object-group EPA_ www
access-list acl_outside permit tcp any object-group EPA_https eq https
access-list acl_outside permit tcp any object-group EPA_smtp eq smtp
access-list acl_outside permit udp any object-group EPA_dns eq domain
access-list acl_outside permit tcp object-group EPA_cavtel_dns object-group EPA_dns eq domain
access-list acl_outside permit udp object-group EPA_cavtel_dns object-group EPA_dns eq domain
access-list acl_outside permit tcp any host 66.173.204.213 eq ftp
access-list acl_outside permit tcp any host 66.173.204.214 eq https
access-list acl_outside permit tcp any host 66.173.204.214 eq 993
access-list acl_outside permit tcp any host 66.173.204.214 eq imap4
access-list acl_outside permit tcp any host 66.173.204.219 eq www
access-list acl_outside permit tcp any host 66.173.204.217 eq www
access-list 109 permit tcp any object-group EPA_dns eq domain
access-list 109 permit udp any object-group EPA_dns eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging console critical
logging monitor debugging
logging buffered debugging
logging trap informational
logging history informational
logging queue 3000
icmp deny any outside
icmp permit any DMZ
mtu outside 1800
mtu inside 1800
mtu DMZ 1500
ip address outside 66.173.204.210 255.255.255.240
ip address inside 192.168.30.1 255.255.255.0
ip address DMZ 172.16.250.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool EPANatPool 192.168.5.10-192.168.5.254
ip local pool EPAPPTP 192.168.6.10-192.168.6.254
pdm location 192.168.20.254 255.255.255.255 inside
pdm location 192.168.20.0 255.255.255.0 inside
pdm location 192.168.40.0 255.255.255.0 inside
pdm location 192.168.30.20 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.10.11.100 255.255.255.255 outside
pdm location 172.16.250.20 255.255.255.255 DMZ
pdm location 24.53.142.70 255.255.255.255 outside
pdm location 192.168.25.0 255.255.255.0 inside
pdm location 192.168.30.0 255.255.255.0 inside
pdm location 192.168.40.19 255.255.255.255 inside
pdm location 192.168.25.20 255.255.255.255 inside
pdm location 192.168.30.21 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 172.16.250.21 255.255.255.255 DMZ
pdm location 172.16.250.22 255.255.255.255 DMZ
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 207.196.42.0 255.255.255.0 outside
pdm location 207.196.62.0 255.255.255.0 outside
pdm location 192.168.40.18 255.255.255.255 inside
pdm location 172.16.250.30 255.255.255.255 DMZ
pdm location 172.16.250.31 255.255.255.255 DMZ
pdm location 172.16.250.32 255.255.255.255 DMZ
pdm location 172.16.250.249 255.255.255.255 DMZ
pdm location 172.16.250.250 255.255.255.255 DMZ
pdm location 172.16.253.0 255.255.255.248 DMZ
pdm location 172.16.253.16 255.255.255.248 DMZ
pdm location 64.39.29.212 255.255.255.255 outside
pdm location 216.220.40.243 255.255.255.255 outside
pdm location 216.220.40.250 255.255.255.255 outside
pdm location 209.200.131.4 255.255.255.255 outside
pdm location 192.168.30.23 255.255.255.255 inside
pdm location 64.202.104.250 255.255.255.255 outside
pdm location 66.225.199.10 255.255.255.255 outside
pdm location 66.252.1.10 255.255.255.255 outside
pdm location 205.210.42.0 255.255.255.0 outside
pdm location 205.234.160.98 255.255.255.255 outside
pdm location 205.234.220.146 255.255.255.255 outside
pdm location 205.234.220.154 255.255.255.255 outside
pdm location 206.223.184.240 255.255.255.240 outside
pdm location 209.200.131.0 255.255.255.0 outside
pdm location 209.200.141.0 255.255.255.0 outside
pdm location 209.200.151.0 255.255.255.0 outside
pdm location 209.200.177.0 255.255.255.0 outside
pdm location 216.220.40.240 255.255.255.240 outside
pdm location 216.246.59.66 255.255.255.255 outside
pdm location 216.246.59.82 255.255.255.255 outside
pdm group EPA_https_real inside
pdm group EPA_dns_real DMZ
pdm group EPA_https outside reference EPA_https_real
pdm group EPA_dns outside reference EPA_dns_real
pdm group EPA_cavtel_dns outside
pdm history enable
arp timeout 14400
global (outside) 1 66.173.204.211 netmask 255.255.255.240
global (outside) 2 66.173.204.212 netmask 255.255.255.240
nat (inside) 0 access-list 88
nat (inside) 2 192.168.10.0 255.255.255.0 0 0
nat (inside) 2 192.168.20.0 255.255.255.0 0 0
nat (inside) 2 192.168.30.0 255.255.255.0 0 0
nat (inside) 1 192.168.40.0 255.255.255.0 0 0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
nat (DMZ) 1 172.16.250.0 255.255.255.0 0 0
static (DMZ,outside) tcp 66.173.204.215 smtp 172.16.250.20 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.173.204.215 8090 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.173.204.219 8080 netmask 255.255.255.255 0 0
static (inside,outside) 66.173.204.213 192.168.30.20 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.40.0 192.168.40.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 172.16.250.0 172.16.250.0 netmask 255.255.255.0 0 0
static (DMZ,outside) 66.173.204.216 172.16.250.21 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.173.204.218 172.16.250.30 netmask 255.255.255.255 0 0
static (inside,outside) 66.173.204.214 192.168.30.21 netmask 255.255.255.255 0 0
static (inside,outside) 66.173.204.215 192.168.30.23 netmask 255.255.255.255 0 0
static (inside,outside) 66.173.204.217 192.168.30.90 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group DMZ_inside in interface DMZ
route outside 0.0.0.0 0.0.0.0 66.173.204.209 1
route inside 192.168.0.0 255.255.0.0 172.16.251.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 3:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server EPA-RADIUS protocol radius
aaa-server EPA-RADIUS (inside) host 192.168.30.21 p1xrad1u5 timeout 10
aaa authentication ssh console LOCAL
http server enable
http 24.53.142.70 255.255.255.255 outside
http 207.196.42.0 255.255.255.0 outside
http 207.196.62.0 255.255.255.0 outside
http 192.168.40.19 255.255.255.255 inside
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.40.19 /cisco/pix/
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map DMZ_dyn_map 20 match address DMZ_cryptomap_dyn_20
crypto dynamic-map DMZ_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication EPA-RADIUS
crypto map outside_map interface outside
crypto map DMZ_map 65535 ipsec-isakmp dynamic DMZ_dyn_map
crypto map DMZ_map client authentication EPA-RADIUS
crypto map DMZ_map interface DMZ
crypto map ouside_map client configuration address initiate
crypto map ouside_map client configuration address respond
isakmp enable outside
isakmp enable DMZ
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNAdmins address-pool EPANatPool
vpngroup VPNAdmins dns-server 192.168.30.21 192.168.30.26
vpngroup VPNAdmins default-domain eastportanalytics.com
vpngroup VPNAdmins split-tunnel VPNAdmins_splitTunnelAcl
vpngroup VPNAdmins pfs
vpngroup VPNAdmins idle-time 1800
vpngroup VPNAdmins password ********
vpngroup VPNUsers address-pool EPANatPool
vpngroup VPNUsers dns-server 192.168.30.21 192.168.30.26
vpngroup VPNUsers default-domain eastportanalytics.com
vpngroup VPNUsers split-tunnel VPNUsers_splitTunnelAcl_1
vpngroup VPNUsers idle-time 1800
vpngroup VPNUsers password ********
vpngroup VPNDmz address-pool EPANatPool
vpngroup VPNDmz dns-server 192.168.30.21 192.168.30.26
vpngroup VPNDmz default-domain eastportanalytics.com
vpngroup VPNDmz split-tunnel VPNDmz_splitTunnelAcl
vpngroup VPNDmz idle-time 1800
vpngroup VPNDmz password ********
vpngroup VPNConsult address-pool EPANatPool
vpngroup VPNConsult dns-server 192.168.30.21 192.168.30.26
vpngroup VPNConsult default-domain eastportanalytics.com
vpngroup VPNConsult split-tunnel VPNConsult_splitTunnelAcl_1
vpngroup VPNConsult idle-time 1800
vpngroup VPNConsult password ********
telnet timeout 5
ssh 24.53.142.70 255.255.255.255 outside
ssh 207.196.42.0 255.255.255.0 outside
ssh 207.196.62.0 255.255.255.0 outside
ssh 192.168.40.19 255.255.255.255 inside
ssh 192.168.40.18 255.255.255.255 inside
ssh 192.168.30.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local EPAPPTP
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.30.20 192.168.30.21
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.30.20 192.168.30.21
vpdn group PPTP-VPDN-GROUP client authentication aaa EPA-RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn username krislocal password *********
vpdn username mark password *********
vpdn enable outside
username pwherry password yMrlb7CTm2FgGo/c encrypted privilege 15
username emmettk password sAL0w4P0sIQYI/Vu encrypted privilege 15
username dhammond password MlcQgCHOwjYegMdh encrypted privilege 15
terminal width 80
Cryptochecksum:d9bc4e93297cf95184035013978373ff
: end
epa515(config)#
 
I have a Tomcat site on the same server as IIS. IIS uses a .20 IP and goes externally to .213.

The Tomcat site uses .30 and externally goes to .219.

The rule is:
static (inside,outside) tcp 66.173.204.219 8080 netmask 255.255.255.255 0 0

It fails to open using which resolves to .219

I can ping the .30, and internally it resolves to eastportlabs on .30.

What am I missing?
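A PIX 6.x mapping only works from the outside when the static translation and an ACE in the ACL actually bound to the outside interface with access-group agree on host and port. The following audit script is an added example (not code from the poster or from Cisco); it cross-checks those three pieces of config. The sample input is constructed from lines in the post above; the post's 8080 static is truncated, so the inside host 192.168.30.30 in the sample is an assumption. ACEs that use object-group are not expanded, so statics covered only by such entries will be reported as unreachable.

```python
"""Cross-check PIX 6.x 'static' translations against the ACL bound to the outside interface."""
import re

# Port keywords PIX prints in place of numbers (only the ones needed here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53, "ftp": 21}

ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)$")
STATIC_PORT_RE = re.compile(r"^static \(\S+,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_HOST_RE = re.compile(r"^static \(\S+,outside\) (?!tcp |udp )(\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

# Constructed sample modeled on the post's config; the inside host for the 8080
# static is assumed because the original line is truncated.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 66.173.204.217 eq www
access-list acl_outside permit tcp any host 66.173.204.219 eq www
access-list acl_outside permit tcp any host 66.173.204.217 eq www
static (inside,outside) tcp 66.173.204.219 8080 192.168.30.30 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.173.204.215 8090 netmask 255.255.255.255 0 0
static (inside,outside) 66.173.204.217 192.168.30.90 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
"""


def port_number(token):
    """Normalise a port keyword or number to an int; unknown keywords pass through."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else token)


def audit_outside(config_text):
    """Return (unapplied ACL names, statics with no matching ACE, malformed static lines)."""
    acl_entries = {}   # ACL name -> set of (proto, global_ip, port)
    statics = []       # (proto, global_ip, global_port or None, local_ip)
    malformed = []
    outside_acl = None
    for line in config_text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, proto, ip, port = m.groups()
            acl_entries.setdefault(name, set()).add((proto, ip, port_number(port)))
        elif m := STATIC_PORT_RE.match(line):
            proto, gip, gport, lip, _lport = m.groups()
            statics.append((proto, gip, port_number(gport), lip))
        elif m := STATIC_HOST_RE.match(line):
            gip, lip = m.groups()
            statics.append((None, gip, None, lip))
        elif line.startswith("static (") and ",outside)" in line:
            malformed.append(line)   # e.g. a port static missing its inside host/port
        elif m := GROUP_RE.match(line):
            outside_acl = m.group(1)
    # An ACL that is defined but never bound with access-group permits nothing.
    unapplied = sorted(name for name in acl_entries if name != outside_acl)
    permitted = acl_entries.get(outside_acl, set())
    unreachable = []
    for proto, gip, gport, lip in statics:
        if gport is None:
            ok = any(entry[1] == gip for entry in permitted)   # any port opened to the host
        else:
            ok = (proto, gip, gport) in permitted              # exact port must be opened
        if not ok:
            unreachable.append((gip, gport, lip))
    return unapplied, unreachable, malformed


if __name__ == "__main__":
    for label, items in zip(("unapplied ACLs", "unreachable statics", "malformed"),
                            audit_outside(SAMPLE_CONFIG)):
        print(label, items)
```

On the sample, the script reports acl_out as defined but not bound, the .219 port-8080 static as having no matching ACE (the bound ACL only permits port 80 to that host), and the truncated 8090 static as malformed.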
 