Web Server Behind Pix

Status
Not open for further replies.

sla07

MIS
Nov 16, 2004
14
US
OK, I am not sure if I am the only one seeing this. I have a PIX 501 (ver. 6.3) and I set up the web server behind my firewall. I can get to my web server using the private IP while I am inside the network. I can get to the web server from the outside using the public IP or domain name. However, I CANNOT get to the web server using the public IP or domain from WITHIN the web server network. It seems like I may be missing an ACL somewhere? Why would it require me to add an ACL for something like this if my ACL is already allowing web traffic from ANY to my host IP? Thanks in advance for any help!!
 
That's not supposed to work. PIX doesn't allow that.

Either set up an internal caching DNS server or configure the PIX with the alias command.
 
Hmmm, OK, thanks for the reply... so I looked up some info regarding the alias command...

Here's where I have gotten so far... I went ahead and added the alias command:

alias (inside) 192.168.x.x 64.81.x.x 255.255.255.255

The 64.81.x.x is the public DNS server from my provider... I tried using the global/public IP there and that didn't seem to do anything... well, with the DNS IP... it allows me to go to my domain through the web server... so xxx.com for example... but... it will not let me go to ... nor will it let me go to my public IP...

So I went ahead and tried adding the second command for the static portion... but it gave me an error:

WARNING: real-address conflict with existing static

So I went ahead and removed it... so now I'm trying to figure out if this is a web server issue now... since it only allows me to do xxx.com as opposed to ?... any thoughts on that?... maybe I'm doing something wrong here... but I am one step closer!!...
 
Don't use your ISP DNS server; use the public and private IP of the web server in the alias statement, if my memory doesn't serve me wrong.

And you probably need a clear xlate afterwards.
 
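What the alias approach in the replies above actually does on the wire is DNS doctoring: the firewall inspects DNS replies crossing the inside interface and rewrites A records that carry the web server's public address (the alias "foreign_ip") to its private address (the "dnat_ip"), so inside hosts resolve the public name straight to the inside address and never try to hairpin through the outside interface. The following is an added example, not code from the thread or from Cisco; it builds a constructed DNS reply and applies that rewrite with the same address pair the poster used (10.10.10.10 public, 7.7.7.50 private), using only the Python standard library.

```python
"""
Added example (not from the thread): the DNS-reply rewrite that the PIX
"alias" command performs. Addresses and the DNS message are constructed
sample data for illustration only.
"""
import struct

PUBLIC_IP = "10.10.10.10"   # alias foreign_ip: address seen in DNS replies (constructed)
PRIVATE_IP = "7.7.7.50"     # alias dnat_ip: inside address of the web server (constructed)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(name, ip, txid=0x1234):
    """Construct a minimal DNS response carrying one A record (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    # The answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ip_to_bytes(ip)
    return header + question + answer


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, then the name ends
            return off + 2
        off += 1 + length


def _answer_offsets(msg):
    """Yield (rtype, rdata_offset, rdlen) for every record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def a_records(msg):
    """List the addresses in the A records of a DNS response."""
    return [bytes_to_ip(msg[off:off + n]) for rtype, off, n in _answer_offsets(msg)
            if rtype == 1 and n == 4]


def doctor_reply(msg, foreign_ip, dnat_ip):
    """Rewrite every A record equal to foreign_ip to dnat_ip, in place on a copy.
    Returns (rewritten_message, number_of_records_rewritten). Lengths never change,
    so no offsets or length fields need updating."""
    buf = bytearray(msg)
    rewritten = 0
    for rtype, off, rdlen in _answer_offsets(buf):
        if rtype == 1 and rdlen == 4 and bytes(buf[off:off + 4]) == ip_to_bytes(foreign_ip):
            buf[off:off + 4] = ip_to_bytes(dnat_ip)
            rewritten += 1
    return bytes(buf), rewritten


if __name__ == "__main__":
    reply = build_response("www.example.com", PUBLIC_IP)      # what the ISP resolver returns
    fixed, count = doctor_reply(reply, PUBLIC_IP, PRIVATE_IP)  # what the inside host receives
    print("before:", a_records(reply), "after:", a_records(fixed), "rewritten:", count)
    untouched, count = doctor_reply(build_response("other.example.net", "203.0.113.5"),
                                    PUBLIC_IP, PRIVATE_IP)
    print("unrelated host left alone:", a_records(untouched), "rewritten:", count)
```

The rewrite only helps when the reply actually transits the firewall and DNS inspection is on, and, as the later replies note, it conflicts with port redirection on the single interface address. The thread's eventual answer, an internal DNS server that hands inside clients the private address directly, gives inside hosts the same result without the firewall touching any packets, which is also easier to audit.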
OK, I just tried that... and I cleared xlate... that just killed my internet connection completely... is that normal?... should I have waited longer?... I ended up consoling in and removing the alias line and static line... and now I'm back to normal... damn, this is getting even more confusing to me... lol... OK, so here's an excerpt of my configs. I changed a couple of items and took some out that aren't necessary (i.e. enable password):

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit udp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any host 10.10.10.10 eq ssh
access-list inbound permit tcp any host 10.10.10.10 eq www
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging trap debugging
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.10 255.255.255.0
ip address inside 7.7.7.7 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 7.7.7.0 255.255.255.0 0 0
static (inside,outside) tcp interface ssh 7.7.7.50 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
access-group inbound in interface outside

So looking at this config... here are the commands I issued:

alias (inside) 7.7.7.50 10.10.10.10 255.255.255.255
static (inside,outside) 10.10.10.10 7.7.7.50 netmask 255.255.255.255
clear xlate

This is when I had the internet connectivity issues, when I cleared xlate... like I asked before though, is that normal?... is that something I should expect for like 5 or so minutes?... Thanks again for your help!!
 
I don't think you can use the alias command when port redirection is in use. And you are using it at the moment.
I think that's the reason the PIX breaks the connection.

It's been some time since I used the alias command (sucked big time, IMO), but I am going to check some old configs I have.
 
Aahhhhh, crap... you're right... port redirection can't be in use... damn... well, I guess it's not THAT important... what other option would I have instead of using port redirection?... static entries?
 
I assume that you changed the range for your outside pool. If you only have one IP address to play with, then you need to set up an internal DNS server to do the name resolution.

But if you have more IP numbers, use the static with another IP than the interface address. And use a default static then.
 
BTW, if you use static and global with the outside IP, your static needs to have port redirection. Static has higher priority than the global command.
 
Ahah... yeah, I only have one IP to play with... looking at all the info I have received from you guys and what I have researched... it looks like I may have to set up a DNS server internally... I've never configured a DNS server, so that will be fun :0) ... nah, this is for my home network, so it's nothing critical... thank you for the great help!!
 