PIX 501 Help needed with simple HTTP / HTTPS config

- M
- michael
  
  Contact options for registered users
posted
18 years ago

Tue, Aug 30, 2005 9:16 PM

Here's what should be a simple config issue... We have a PIX501, and a web server behind it. I need everyone from the Outside interface to be able to view our website sitting behind the firewall at an internal address. I've done this on many other firewalls, but it's not intuitive to me how to accomplish this on the PIX 501. Can anyone tell me the easy way to accomplish this either on the command line or by adding a new access rule in PDM?

Here is my currnet config that does not work (try not to laugh):

Building configuration... : Saved : PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password XujHs/xHAoVN3ltj encrypted passwd XujHs/xHAoVN3ltj encrypted hostname XXXX domain-name XXXX.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 192.168.4.192 WEB object-group service HTTPHTTPS tcp port-object eq www port-object eq https access-list inside_outbound_nat0_acl permit ip any 192.168.4.80

255.255.255.240 access-list outside_cryptomap_dyn_20 permit ip any 192.168.4.80 255.255.255.240 access-list outside_cryptomap_dyn_40 permit ip any 192.168.4.80 255.255.255.240 access-list outside_access_in remark HTTP access-list outside_access_in permit tcp interface outside eq www host RCMSWEB eq www log pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 198.107.3.16 255.255.255.0 ip address inside 192.168.4.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool VPNIP 192.168.4.80-192.168.4.95 pdm location 192.168.11.0 255.255.255.0 inside pdm location RCMSWEB 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface global (inside) 2 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) RCMSWEB RCMSWEB netmask 255.255.255.255 0 0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 198.107.3.1 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.4.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup rcmsremote address-pool VPNIP vpngroup rcmsremote idle-time 1800 vpngroup rcmsremote password ******** telnet 192.168.4.0 255.255.255.0 inside telnet 192.168.11.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.4.50-192.168.4.72 inside dhcpd dns 192.168.4.2 204.130.255.3 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd domain XXXX.com dhcpd auto_config outside dhcpd enable inside username ctsmc password ax5xsIDMOXb3cUhr encrypted privilege 15 terminal width 80 Cryptochecksum:e4d85167a9872b642304af17f0bf7ce2 : end [OK]

I can factory default this thing if it's easier to start from scratch. Please advise, and thanks in advance for any help!

- M
- michael
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Tue, Aug 30, 2005 9:21 PM

Here's what should be a simple config issue... We have a PIX501, and a web server behind it. I need everyone from the Outside interface to be able to view our website sitting behind the firewall at an internal address. I've done this on many other firewalls, but it's not intuitive to me how to accomplish this on the PIX 501. Can anyone tell me the easy way to accomplish this either on the command line or by adding a new access rule in PDM?

Here is my currnet config that does not work (try not to laugh):

Building configuration... : Saved : PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password XujHs/xHAoVN3ltj encrypted passwd XujHs/xHAoVN3ltj encrypted hostname XXXX domain-name XXXX.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 192.168.4.192 WEB object-group service HTTPHTTPS tcp port-object eq www port-object eq https access-list inside_outbound_nat0_acl permit ip any 192.168.4.80

255.255.255.240 access-list outside_cryptomap_dyn_20 permit ip any 192.168.4.80 255.255.255.240 access-list outside_cryptomap_dyn_40 permit ip any 192.168.4.80 255.255.255.240 access-list outside_access_in remark HTTP access-list outside_access_in permit tcp interface outside eq www host RCMSWEB eq www log pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 198.107.3.16 255.255.255.0 ip address inside 192.168.4.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool VPNIP 192.168.4.80-192.168.4.95 pdm location 192.168.11.0 255.255.255.0 inside pdm location RCMSWEB 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface global (inside) 2 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) RCMSWEB RCMSWEB netmask 255.255.255.255 0 0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 198.107.3.1 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.4.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup rcmsremote address-pool VPNIP vpngroup rcmsremote idle-time 1800 vpngroup rcmsremote password ******** telnet 192.168.4.0 255.255.255.0 inside telnet 192.168.11.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.4.50-192.168.4.72 inside dhcpd dns 192.168.4.2 204.130.255.3 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd domain XXXX.com dhcpd auto_config outside dhcpd enable inside username ctsmc password ax5xsIDMOXb3cUhr encrypted privilege 15 terminal width 80 Cryptochecksum:e4d85167a9872b642304af17f0bf7ce2 : end [OK]

I can factory default this thing if it's easier to start from scratch. Please advise, and thanks in advance for any help!

- W
- Walter Roberson
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Wed, Aug 31, 2005 6:32 AM

In article , wrote: :Here's what should be a simple config issue... We have a PIX501, and a :web server behind it. I need everyone from the Outside :interface to be able to view our website sitting behind the firewall at :an internal address.

:PIX Version 6.3(4)

:name 192.168.4.192 WEB :object-group service HTTPHTTPS tcp : port-object eq www : port-object eq https

:access-list inside_outbound_nat0_acl permit ip any 192.168.4.80 255.255.255.240

:access-list outside_cryptomap_dyn_20 permit ip any 192.168.4.80 255.255.255.240

:access-list outside_cryptomap_dyn_40 permit ip any 192.168.4.80 255.255.255.240

:access-list outside_access_in remark HTTP :access-list outside_access_in permit tcp interface outside eq www host RCMSWEB eq www log

That line is wrong, even if we assume that RCMSWEB is what you earlier named as WEB .

:ip address outside 198.107.3.16 255.255.255.0 :ip address inside 192.168.4.1 255.255.255.0

:ip local pool VPNIP 192.168.4.80-192.168.4.95

Your VPN pool must always be "outside" relative to your inside interface. Otherwise the return traffic will not be able to get to it. This will affect your inside_outbound_nat0_acl and outside_cryptomap_dyn_* ACLs.

:pdm location 192.168.11.0 255.255.255.0 inside

That line, though not actually a functional line, is wrong, as

192.168.11.0 is not "inside" and you have no "route" statement pointing that subnet to the inside interface.

:global (outside) 1 interface

OK.

:global (inside) 2 interface

?? global (inside) would only be used in rather uncommon reverse-NAT configurations, which you are NOT using. And you don't have a nat (outside) 2 statement to match that global (inside) 2.

:nat (inside) 0 access-list inside_outbound_nat0_acl :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

:static (inside,outside) RCMSWEB RCMSWEB netmask 255.255.255.255 0 0

If RCMSWEB is what you named as WEB earlier then you are static'ing a private IP (192.168.4.192) to be translated to itself when it goes outside. That's not going to work.

:access-group outside_access_in in interface outside :route outside 0.0.0.0 0.0.0.0 198.107.3.1 1

:crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 :crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 :crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40 :crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5

outside_cryptomap_dyn_20 and outside_cryptomap_dyn_40 have the same contents, so those two policies duplicate each other. You probably only want one of the two.

:crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map :crypto map outside_map interface outside

:vpngroup rcmsremote address-pool VPNIP

:telnet 192.168.4.0 255.255.255.0 inside :telnet 192.168.11.0 255.255.255.0 inside

192.168.11.0 is not "inside" according to the rest of your configuration.

:I can factory default this thing if it's easier to start from scratch.

Yup. It's messed up.

name 192.168.4.192 WEB object-group service HTTPHTTPS tcp port-object eq www port-object eq https

access-list outside_access_in permit tcp any interface outside object-group HTTPHTTPS static (inside,outside) tcp interface www WEB www netmask 255.255.255.255 0 0 static (inside,outside) tcp interface https WEB https netmask 255.255.255.255 0 0

access-list outside_cryptomap_nonat permit ip any 192.168.255.80 255.255.255.240 access-list outside_cryptomap_dyn_20 permit ip any 192.168.255.80 255.255.255.240

nat (inside) 0 access-list outside_cryptomap_nonat

ip local pool VPNIP 192.168.255.80-192.168.255.95

crypto dynamic-map outside_dyn_map 20 match-address outside_cryptomap_dyn_20 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map 65535 set transform-set ESP-3DES-MD5

vpngroup rcmsremote address-pool VPNIP

- M
- michael
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Wed, Aug 31, 2005 2:50 PM

Walter,

Thanks a million for taking the time to check my 'config'.

Are you suggesting that my config should look like this (below)? Can you predict whether I'll destroy the VPN (which is in use by 10 employees) by loading the suggested config? (I'm not asking you to take on any liability, just wondering what to prepare for if it does explode on me)...guess I could back it up first. Here's your copied suggestion:

"""Yup. It's messed up.

name 192.168.4.192 WEB object-group service HTTPHTTPS tcp port-object eq www port-object eq https

access-list outside_access_in permit tcp any interface outside object-group HTTPHTTPS static (inside,outside) tcp interface www WEB www netmask

255.255.255.255 0 0 static (inside,outside) tcp interface https WEB https netmask 255.255.255.255 0 0

access-list outside_cryptomap_nonat permit ip any 192.168.255.80

255.255.255.240 access-list outside_cryptomap_dyn_20 permit ip any 192.168.255.80 255.255.255.240

nat (inside) 0 access-list outside_cryptomap_nonat

ip local pool VPNIP 192.168.255.80-192.168.255.95

crypto dynamic-map outside_dyn_map 20 match-address outside_cryptomap_dyn_20 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map 65535 set transform-set ESP-3DES-MD5

vpngroup rcmsremote address-pool VPNIP """"

Thanks again! I really appreciate the help on this one.

Michael

snipped-for-privacy@culpeppertech.com wrote:

- W
- Walter Roberson
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Thu, Sep 1, 2005 5:06 AM

In article , wrote: :Thanks a million for taking the time to check my 'config'.

:Are you suggesting that my config should look like this (below)? Can :you predict whether I'll destroy the VPN (which is in use by 10 :employees) by loading the suggested config?

As best I can see, the VPN can't work the way you've set it up. If it -is- working, it's due to parts of the configuration that you cut out in your posting. [We know that your posting was not complete because there is no definition of RCMSWEB.]

I can't make any predictions as to what would break or not without seeing your real configuration (with passwords obscured.)

- M
- michael
  
  Contact options for registered users
Vote on answer
posted
18 years ago

Fri, Sep 2, 2005 5:48 PM

Thanks again. The VPN is working like a charm and has been for two months now. I'm suprised myself. What happened here is my friend/Cisco expert passed away, so I'm supporting products that he suggested, but can't support now that they have arrived.

I only edited the IP schemes and domain info in my config file post, so the fact that RCMSWEB is not defined could be leftover from when I tried to define a route to it in the PDM console. I thought it would be pretty straightforward to route all HTTP/HTTPS/FTP traffic to a specific inside IP address (RCMSWEB), but it may not be. Perhaps I should state what I want to accomplish overall, then you can recommend if the config you sent to me would apply to my situation?

I need VPN for Terminal Services, inbound HTTP/HTTPS/FTP traffic routed to webserver, inbound SMTP traffic routed to Exchange server, and outbound HTTP for internal workstations. This should be easy, right? :)

I'll make sure the config file I posted is complete and repost it if not.

Thanks for your continued help on this one! If you have other sources for easy configurations on this firewall, please let me know.

MC