  • PIX config issue for webserver

    Any help would be greatly appreciated.
    I am a newbie to PIX firewall configurations, so I have inherited this firewall with the config below. We were able to change over to the new ISP's static IP that they gave us, and all works fine for our hosts to connect to the internet. I recently added a server that will be a web server. The external IP address of the web server is aaa.aaa.aaa.27 and its internal address is set to 192.168.1.254.
    I have opened up the SSH and WWW ports and we can connect to it fine from the outside, but from the server we can't ping anything outside. For example, we can't ping google.com; if we do an nslookup it resolves the name google.com to an IP address, but we can't ping it.

    Can anyone see if there is an issue with the config below, and what it is I need to add to allow the web server to get to the outside?

    The firewall IP is 192.168.1.1; the web server is Solaris 10.

    Thanks

    Result of firewall command: "sh running-config"

    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    interface ethernet1 vlan2 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan2 DMZ security50
    enable password xxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxx encrypted
    hostname +gggggggg
    domain-name ggggggg
    clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    no fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service mail_services tcp
    port-object eq www
    port-object eq smtp
    port-object eq https
    access-list outside_in permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_in permit tcp any host xxx.xxx.xxx.26 object-group mail_services
    access-list outside_in permit tcp any host aaa.aaa.aaa.27 eq 1002
    access-list inside_nat1 permit ip 192.168.1.0 255.255.255.0 any
    access-list dyn_vpn permit ip any 10.10.10.0 255.255.255.0
    access-list vpn_nat0 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list vpn_nat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list split_tun permit ip 192.168.1.0 255.255.255.0 any
    access-list dmz_nat0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list dmz_nat1 permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.26 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip address DMZ 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpngroup 10.10.10.1-10.10.10.254
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list vpn_nat0
    nat (inside) 1 access-list inside_nat1 0 0
    nat (DMZ) 0 access-list dmz_nat0
    nat (DMZ) 1 access-list dmz_nat1 0 0
    static (inside,outside) tcp aaa.aaa.aaa.27 1002 192.168.1.254 ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp aaa.aaa.aaa.27 1003 192.168.1.254 www netmask 255.255.255.255 0 0
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dyn_vpn 20 match address dyn_vpn
    crypto dynamic-map dyn_vpn 20 set transform-set 3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic dyn_vpn
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    telnet timeout 5
    ssh timeout 5
    console timeout 20
    terminal width 80
    banner motd ****WARNING**WARNING**WARNING**WARNING**WARNING*** *
    banner motd * *
    banner motd * YOU HAVE ACCESSED A RESTRICTED DEVICE. *
    banner motd * USE OF THIS DEVICE WITHOUT AUTHORIZATION OR FOR *
    banner motd * PURPOSES FOR WHICH AUTHORIZATION HAS NOT BEEN *
    banner motd * EXTENDED IS PROHIBITED. *
    banner motd * *
    banner motd * LOG OFF IMMEDIATELY. *
    banner motd * *
    banner motd ****WARNING**WARNING**WARNING**WARNING**WARNING*** *
    Cryptochecksum:4a34b04ff1d639de5b26d894e8752769
    : end
    Last edited by chuck222_99; 7th April 2008, 22:03.

  • #2
    Re: PIX config issue for webserver

    You have to allow ICMP from the webserver to the Internet.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    • #3
      Re: PIX config issue for webserver

      Do I need to issue any other commands at the firewall?
      Thanks

      You have to allow ICMP from the webserver to the Internet.
      __________________
      Marcel
      Netherlands
      No matter how secure, there is always the human factor.

      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      • #4
        Re: PIX config issue for webserver

        I would recommend you edit your original config on this board and remove the names here just for safety.
        vpngroup ****** address-pool vpngroup

        also possibly add this:

        access-list inside_nat1 permit icmp 192.168.1.0 255.255.255.0 any

        (the above is from a very gray memory though)
        You have an acl allowing IP out so ICMP will need to be explicitly allowed too.
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?

        • #5
          Re: PIX config issue for webserver

          I would recommend you edit your original config on this board and remove the names here just for safety.
          vpngroup ****** address-pool vpngroup

          also possibly add this:

          access-list inside_nat1 permit icmp 192.168.1.0 255.255.255.0 any

          (the above is from a very gray memory though)
          You have an acl allowing IP out so ICMP will need to be explicitly allowed too.


          I added the above command to the firewall, and still can't ping anything from inside, such as from my PC to, say, google.com.

          "Request timed out" is what I get....

          How can I allow ping and receive ping responses from an outside host?
          Thanks

          • #6
            Re: PIX config issue for webserver

            Just seen this too

            icmp deny any outside

            try icmp permit any outside

            Which is icmp permit from anywhere to outside
            cheers
            Andy

            Please read this before you post:


            Quis custodiet ipsos custodes?

            • #7
              Re: PIX config issue for webserver

              Just seen this too

              icmp deny any outside

              try icmp permit any outside

              Which is icmp permit from anywhere to outside
              __________________
              cheers
              Andy


              I entered the following commands and still can't get a ping response from yahoo.com or google.com

              no icmp deny any outside
              icmp permit any outside

              Strange, I thought that would've worked.... I also set my XP machine to allow all ICMP requests.

              • #8
                Re: PIX config issue for webserver

                I may be missing something quite simple here....
                Can we get some logs?
                Easy option for this would be to view the PDM
                Slightly less easy would be to setup syslog (although it would be good to have that going forward)
                cheers
                Andy

                Please read this before you post:


                Quis custodiet ipsos custodes?
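The thread stops before the ping problem is explained, so a note on what each suggestion actually touches is worth adding. `nat (inside) 1 access-list inside_nat1` only selects which inside traffic is translated, and its existing `permit ip` entry already covers ICMP. `icmp permit any outside` only governs ICMP addressed to the PIX's own outside interface, not transit traffic. What stops the echo-reply is the `outside_in` access-group: PIX 6.3 does not track ICMP statefully unless `fixup protocol icmp` is enabled, so the reply coming back from the Internet is checked against `outside_in` as a fresh inbound packet. Because the Solaris host's only static is a port-level one (ssh/www), its outbound ping leaves via the `global (outside) 1 interface` PAT and the reply is addressed to the outside interface address, which no `outside_in` line permits, so it hits the implicit deny. The Python below is an added example and is not code from this thread or from Cisco: a small evaluator for the `access-list` syntax used in the posted config, run against the three `outside_in` lines as posted and then with constructed `echo-reply`/`time-exceeded`/`unreachable` permits added. The addresses 203.0.113.26 and 203.0.113.27 are constructed stand-ins for the masked xxx.xxx.xxx.26 and aaa.aaa.aaa.27, and 198.51.100.9 is a constructed Internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed stand-ins (assumption) for the masked addresses in the posted config:
#   xxx.xxx.xxx.26 = outside interface, also the PAT address ("global (outside) 1 interface")
#   aaa.aaa.aaa.27 = public address of the Solaris web server
OUTSIDE_IF = "203.0.113.26"
WEB_PUBLIC = "203.0.113.27"

# object-group mail_services from the posted config, resolved to port numbers
OBJECT_GROUPS = {"mail_services": {80, 25, 443}}
PORT_NAMES = {"www": 80, "smtp": 25, "https": 443, "ssh": 22}


@dataclass
class Ace:
    """One access-list entry (ACE) in the subset of PIX 6.3 syntax used in the thread."""
    acl: str
    action: str                        # "permit" or "deny"
    proto: str                         # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Set[int]] = None  # tcp/udp destination ports; None means any
    icmp_type: Optional[str] = None    # icmp type name; None means any


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, index of next token)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    assert t[0] == "access-list", line
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    ace = Ace(acl=t[1], action=t[2], proto=t[3], src=src, dst=dst)
    rest = t[i:]
    if ace.proto in ("tcp", "udp") and rest:
        if rest[0] == "eq":
            ace.dports = {_port(rest[1])}
        elif rest[0] == "object-group":
            ace.dports = set(OBJECT_GROUPS[rest[1]])
    elif ace.proto == "icmp" and rest:
        ace.icmp_type = rest[0]
    return ace


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dports is not None and pkt.dport not in ace.dports:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; an applied access-group ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# outside_in exactly as posted, with the masked addresses substituted
OUTSIDE_IN_AS_POSTED = [parse_ace(l) for l in f"""
access-list outside_in permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in permit tcp any host {OUTSIDE_IF} object-group mail_services
access-list outside_in permit tcp any host {WEB_PUBLIC} eq 1002
""".split("\n") if l.strip()]

# Constructed addition (assumption, not from the thread): let replies and ICMP errors back in
OUTSIDE_IN_WITH_REPLIES = OUTSIDE_IN_AS_POSTED + [parse_ace(l) for l in (
    "access-list outside_in permit icmp any any echo-reply",
    "access-list outside_in permit icmp any any time-exceeded",
    "access-list outside_in permit icmp any any unreachable",
)]

# Constructed packets: an SSH connection to the web server's static, and the echo-reply
# to the Solaris host's ping, which returns to the PAT (outside interface) address
SSH_FROM_INTERNET = Packet("tcp", "198.51.100.9", WEB_PUBLIC, dport=1002)
ECHO_REPLY_TO_PAT = Packet("icmp", "198.51.100.9", OUTSIDE_IF, icmp_type="echo-reply")
UNSOLICITED_ECHO = Packet("icmp", "198.51.100.9", OUTSIDE_IF, icmp_type="echo")

if __name__ == "__main__":
    print("ssh in, as posted:        ", evaluate(OUTSIDE_IN_AS_POSTED, SSH_FROM_INTERNET))
    print("echo-reply, as posted:    ", evaluate(OUTSIDE_IN_AS_POSTED, ECHO_REPLY_TO_PAT))
    print("echo-reply, with replies: ", evaluate(OUTSIDE_IN_WITH_REPLIES, ECHO_REPLY_TO_PAT))
    print("unsolicited echo, fixed:  ", evaluate(OUTSIDE_IN_WITH_REPLIES, UNSOLICITED_ECHO))
```

The evaluator reproduces what the box does: SSH to port 1002 is permitted by the third line, the echo-reply matches nothing and falls to the implicit deny, and once reply types are permitted it passes while an inbound echo request is still dropped. The same check is useful for auditing any ACL change before it goes on the firewall. On 6.3 the stateful alternative is `fixup protocol icmp`, which lets the PIX admit only replies to pings it has seen leave; either way, permitting reply types only, rather than `icmp any any`, keeps the outside ACL tight.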
