Announcement

Collapse
No announcement yet.

allowing port 443 (https) in through pix 501

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • allowing port 443 (https) in through pix 501

    Hello all.

    I've searched many places concerning this. I inherited a pix 501. Everything works except owa. I'm running sbs2003. Exchange has sp2. Static IP from the ISP.

    Email works, vpn works. everyting but OWA. I'm trying to allow port 443 in but its not working. You will notice I have an access list but still nothing. Here's my config.

    Thank you



    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password JK7eYDtO7f8oSCzz encrypted
    passwd JK7eYDtO7f8oSyyy encrypted
    hostname pixfirewall
    domain-name yyyy
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list 102 permit icmp any any
    access-list 102 permit tcp any any eq smtp
    access-list 102 permit tcp any any eq www
    access-list 102 permit tcp any any eq https
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.135.82 255.255.255.248
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.20.1-192.168.20.10
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 192.168.20.0 255.255.255.0 outside
    pdm location 192.168.2.35 255.255.255.255 inside
    pdm location xxx.xxx.135.83 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp xxx.xxx.135.82 smtp 192.168.2.35 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp xxx.xxx.135.82 https 192.168.2.35 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp xxx.xxx.135.82 www 192.168.2.35 www netmask 255.255.255.255 0 0
    conduit permit icmp any any
    conduit permit tcp host xxx.xxx.135.82 eq smtp any
    conduit permit tcp host 192.168.2.35 eq smtp any
    conduit permit tcp host 192.168.2.35 eq https any
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.135.81 1
    route inside 192.168.2.35 255.255.255.255 192.168.2.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup xxx address-pool ippool
    vpngroup xxx default-domain yyy
    vpngroup xxx split-tunnel 101
    vpngroup xxx idle-time 1800
    vpngroup xxx password ********
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 15
    management-access inside
    console timeout 0
    vpdn group verizon request dialout pppoe
    vpdn group verizon localname vze7tsd2
    vpdn group verizon ppp authentication pap
    vpdn username vze7tsd2 password *********
    username username password aPmiCKaKNeG.fGZS encrypted privilege 15
    terminal width 80
    Cryptochecksum:0633e44ce1daff0cecae90b8504cfef0
    : end
    pixfirewall#

    Any help would be greatly appreciated.
    Thank you
    scott

  • #2
    Re: allowing port 443 (https) in through pix 501

    I've just started with CCNA but i think it's the following


    In you're accesslist you see the following line:
    access-list 102 permit tcp any any eq https
    What happens if you try:
    access-list 102 permit tcp any any eq 443
    Also i see the following line which, i asume it's the OWA server:
    static (inside,outside) tcp xxx.xxx.135.82 https 192.168.2.35 https netmask 255.255.255.255 0 0
    0
    Please try this to change it to the line below:
    static (inside,outside) tcp xxx.xxx.135.82 443 192.168.2.35 443 netmask 255.255.255.255 0 0
    Can you tell what happens?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: allowing port 443 (https) in through pix 501

      Thank you for responding. I will try that sometime tomorrow and let you know.

      Thanks again
      Scott

      Comment


      • #4
        Re: allowing port 443 (https) in through pix 501

        Marcel,

        I tried what you suggested, and the pix re-added the text https, as opposed to keeping the port number 443. I'll be trying different things today. I'll post back if i get it working.

        Thanks
        Scott

        Comment


        • #5
          Re: allowing port 443 (https) in through pix 501

          if the firewall ins't busy, you also can try running a debug.
          You can show a debug with the following commands:

          Conf t
          console logging
          Debug ip packet

          if you want stop the logging do:
          conf t (if needed)
          u all or no Debug ip packet

          Check the cpu usage before using those commands with the command:
          show cpu

          If the firewall is to busy and you run those command above, you can break the cisco.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"

          Comment


          • #6
            Re: allowing port 443 (https) in through pix 501

            I may be mistaken, but I believe the Conduit command is no longer needed if you are implementing the ACLs. I would remove it if it is truly no longer needed.

            Other than that, could you verify your access-group configurations?
            (e.g. - show access-group )

            Thanks,

            6g

            Comment


            • #7
              Re: allowing port 443 (https) in through pix 501

              I have read that conduits are no longer used. Access lists are replacing them.

              I'll be doing that tomorrow when I'm in the office. I'll let you know the results.

              Marcel-I've chosen not to run the debug. Too risky. I'm going to tweak the acl's.

              Thank you both for your input.

              Scott

              Comment


              • #8
                Re: allowing port 443 (https) in through pix 501

                I dont see an access-group applied to any of the interface , you probably need to map the access-list 102 to an interface

                Comment

                Working...
                X