Unable to access web server from inside network thanks to URL

  • Unable to access web server from inside network thanks to URL

    Hi everyone,

    I'm trying to configure a PIX 515E and this is my first time. Sometimes it drives me crazy.
    The configuration is almost done but a little problem remains. Indeed, I've configured two site-to-site VPN tunnels with two remote networks, and port forwarding. But currently, I cannot access the web server thanks to the URL from the inside network, whereas from the outside, it works.

    Example: If I wish to access http://www.toto.com/mysite/ from the inside network, I had to enter http://192.168.64.10/mysite.

    192.168.64.10: it's the local IP address of our web server.

    According to the several posts I've read, I'm sure you can help me.

    Below, the conf. file :

    --------------------------------------------------------------

    PIX Version 8.0(2)
    !
    hostname mypix
    enable password jgoYz/q9H4sdcfHI encrypted
    names
    name 192.168.128.0 VPN_Network
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address xx.xx.xx.170 255.255.255.248
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.64.1 255.255.255.0
    !
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !

    passwd 2KFQsbTIdI.2KYYU encrypted

    ftp mode passive

    object-group protocol TCP_UDP
    protocol-object tcp
    protocol-object udp

    object-group service webservices tcp
    port-object eq www
    port-object eq https
    port-object eq ftp

    access-list inside_nat0_outbound extended permit ip 192.168.64.0 255.255.255.0 VPN_Network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.64.0 255.255.255.0 10.0.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.64.0 255.255.255.0 VPN_Network 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.64.0 255.255.255.0 10.0.1.0 255.255.255.0

    access-list outbound extended permit ip any any
    access-list outbound extended permit tcp any any object-group webservices

    access-list inbound extended permit tcp any interface outside object-group webservices
    access-list inbound extended permit object-group TCP_UDP any interface outside eq domain
    access-list inbound extended permit tcp any interface outside eq smtp
    access-list inbound extended permit tcp any interface outside eq pop3
    access-list inbound extended permit tcp any interface outside eq pptp


    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500

    no failover

    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-602.bin
    no asdm history enable
    arp timeout 14400

    global (outside) 101 interface

    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0

    static (inside,outside) tcp interface www 192.168.64.20 www netmask 255.255.255.255
    static (inside,outside) tcp interface domain 192.168.64.20 domain netmask 255.255.255.255
    static (inside,outside) udp interface domain 192.168.64.20 domain netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 192.168.64.20 pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 192.168.64.20 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pptp 192.168.64.20 pptp netmask 255.255.255.255


    access-group inbound in interface outside
    access-group outbound in interface inside

    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.169 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute

    dynamic-access-policy-record DfltAccessPolicy

    http server enable
    http 192.168.64.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside

    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer AAA.AA.AA.AAA
    crypto map outside_map 1 set transform-set ESP-3DES-MD5

    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set peer BB.BBB.BBB.BBB
    crypto map outside_map 2 set transform-set ESP-DES-SHA

    crypto map outside_map interface outside
    crypto isakmp enable outside

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400

    crypto isakmp policy 30
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal

    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.168.64.20 69.29.158.254
    !
    dhcpd address 192.168.64.100-192.168.64.199 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    tunnel-group AAA.AA.AA.AAA type ipsec-l2l
    tunnel-group AAA.AA.AA.AAA ipsec-attributes
    pre-shared-key *
    tunnel-group BB.BBB.BBB.BBB type ipsec-l2l
    tunnel-group BB.BBB.BBB.BBB ipsec-attributes
    pre-shared-key *
    prompt hostname context

    Cryptochecksum:a1221s2saq66c898890c3b8b5954908754
    : end
    [OK]

    -------------------------------------------------------

    AAA.AA.AA.AAA : IP Address of the first remote site
    BB.BBB.BBB.BBB : IP Address of the second site.
    xx.xx.xx.170 : IP Address of the outside interface, provided by our ISP.

    How can I allow the users from the inside network to access the website by using the URL and not the IP anymore?

    Thanks in advance for your help and for the time spent,
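
Added example, not part of the original post: a simplified Python model of how the `static (inside,outside)` port-forwarding lines in the posted configuration are matched, showing that the forward applies to connections arriving on the outside interface but not to an inside client addressing the same public address. The matching rule is a simplification assumed for this illustration, and the function names are hypothetical.

```python
import re

# Port-forwarding lines copied from the configuration posted above.
POSTED_STATICS = """\
static (inside,outside) tcp interface www 192.168.64.20 www netmask 255.255.255.255
static (inside,outside) udp interface domain 192.168.64.20 domain netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.64.20 smtp netmask 255.255.255.255
"""

STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)


def parse_statics(text):
    """Parse static PAT lines into dicts; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        match = STATIC_RE.match(line.strip())
        if match:
            rules.append(match.groupdict())
    return rules


def forward_target(rules, ingress_if, addressed_if, proto, port):
    """Return (real_ip, real_port) for a connection that enters on ingress_if
    and is addressed to the IP of addressed_if, or None if no rule applies.

    Simplified model (an assumption of this example): a rule whose mapped
    address is the keyword 'interface' is only consulted for traffic that
    arrives on that mapped interface.
    """
    for rule in rules:
        if (rule["mapped_ip"] == "interface"
                and rule["mapped_if"] == addressed_if
                and rule["mapped_if"] == ingress_if
                and rule["proto"] == proto
                and rule["mapped_port"] == port):
            return rule["real_ip"], rule["real_port"]
    return None


if __name__ == "__main__":
    rules = parse_statics(POSTED_STATICS)
    # Internet client -> public address, arriving on the outside interface.
    print("from outside:", forward_target(rules, "outside", "outside", "tcp", "www"))
    # Inside client -> same public address, arriving on the inside interface.
    print("from inside: ", forward_target(rules, "inside", "outside", "tcp", "www"))
```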