Problem w/ Cisco PIX 506 and web server

I have a Cisco PIX 506 (v6.3) on a very simple, small office network. I've managed to get the email server to work fine behind the PIX, and even got VPN to work, as well as NAT for inside workstations to access the internet. For now I have a web server in front of the PIX, and it can successfully connect to a SQL server behind the PIX. Obviously, I really need to get this web server behind the PIX, but I can't find what's wrong. Any help would be greatly appreciated. Here is a fragment of our config (prefix IPs omitted):

interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host X.Y.78.211 eq smtp
access-list 100 permit tcp any host X.Y.78.211 eq pop3
access-list 100 permit tcp any host X.Y.78.212 eq 1433
access-list 100 permit tcp any host X.Y.78.210 eq www
access-list 101 permit ip 10.10.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.Y.78.221 255.255.255.128
ip address inside 10.10.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.1.1-172.16.1.254
pdm history enable
arp timeout 14400
global (outside) 1 X.Y.78.222
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.Y.78.211 10.10.2.3 netmask 255.255.255.255 0 0
static (inside,outside) X.Y.78.212 10.10.2.4 netmask 255.255.255.255 0 0
static (inside,outside) X.Y.78.210 10.10.2.5 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 X.Y.78.129 1

So basically, the X.Y.78.210 is our public webserver IP, and inside it should be 10.10.2.5. But, for some reason the webserver has no internet access when inside. It has access to the LAN, but nothing on the outside. And so naturally, nothing to point to it from the outside. The domain registrar has the domain properly pointing to that public IP, and if I place the web server outside the PIX, it works great.

Any ideas? Comments? I'd really appreciate any input, thanks!

-J

Reply to
Japhar

In article , Japhar wrote:
:I have a Cisco PIX 506 (v6.3)

:access-list 100 permit icmp any any echo-reply
:access-list 100 permit icmp any any time-exceeded
:access-list 100 permit icmp any any unreachable
:access-list 100 permit tcp any host X.Y.78.211 eq smtp
:access-list 100 permit tcp any host X.Y.78.211 eq pop3
:access-list 100 permit tcp any host X.Y.78.212 eq 1433
:access-list 100 permit tcp any host X.Y.78.210 eq www

Try adding

access-list 100 permit udp any eq dns host X.Y.78.210

so that returning DNS queries can be processed.

The PIX -does- automatically open up UDP channels back, but since UDP is connectionless it doesn't always work perfectly.

:So basically, the X.Y.78.210 is our public webserver ip, and inside it
:should be 10.10.2.5. But, for some reason the webserver has no internet
:access when inside. It has access to the LAN, but nothing on the
:outside.

No access? No ability to ping something outside by IP ? DNS problem or default gateway problem, perhaps.

Reply to
Walter Roberson
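As an added example (not part of the thread, and not Cisco's or the poster's code), here is a small Python checker that parses the PIX 6.3 fragment posted at the top of the thread and reports, for each static, whether its global address sits inside the outside interface's subnet, which inbound services the outside access-group opens to it, and whether a DNS-reply ACE of the form suggested in the reply above is present. The elided public prefix X.Y.78 is replaced with the documentation prefix 198.51.100, purely an assumption so that the addresses parse; the ACE parser only understands the forms that appear in the fragment (any / host / network-mask addresses, `eq` ports, ICMP types).

```python
import ipaddress
from collections import defaultdict, namedtuple

# Stand-in for the elided public prefix "X.Y.78" in the thread (assumption:
# documentation space 198.51.100/24, chosen only so the addresses parse).
PREFIX = "198.51.100"

# Constructed copy of the config fragment posted at the top of the thread.
RAW_CONFIG = """
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host X.Y.78.211 eq smtp
access-list 100 permit tcp any host X.Y.78.211 eq pop3
access-list 100 permit tcp any host X.Y.78.212 eq 1433
access-list 100 permit tcp any host X.Y.78.210 eq www
access-list 101 permit ip 10.10.2.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside X.Y.78.221 255.255.255.128
ip address inside 10.10.2.1 255.255.255.0
global (outside) 1 X.Y.78.222
static (inside,outside) X.Y.78.211 10.10.2.3 netmask 255.255.255.255 0 0
static (inside,outside) X.Y.78.212 10.10.2.4 netmask 255.255.255.255 0 0
static (inside,outside) X.Y.78.210 10.10.2.5 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""
CONFIG = RAW_CONFIG.replace("X.Y.78", PREFIX)

Ace = namedtuple("Ace", "action proto src sport dst dport icmp_type")

def _addr(t, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' -> (network, next token index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    """Optional 'eq PORT' qualifier (the only port form used in the fragment)."""
    if i < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    return None, i

def parse_ace(t):
    """Tokens after the ACL name, e.g. ['permit','tcp','any','host','A.B.C.D','eq','www']."""
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    icmp_type = t[i] if t[1] == "icmp" and i < len(t) else None
    return Ace(t[0], t[1], src, sport, dst, dport, icmp_type)

def parse_config(text):
    cfg = {"interfaces": {}, "acls": defaultdict(list), "access_groups": {},
           "statics": [], "globals": []}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:      # ip address outside IP MASK
            cfg["interfaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:1] == ["access-list"]:      # access-list NAME permit|deny ...
            cfg["acls"][t[1]].append(parse_ace(t[2:]))
        elif t[:1] == ["access-group"]:     # access-group NAME in interface IFNAME
            cfg["access_groups"][t[4]] = t[1]
        elif t[:1] == ["static"]:           # static (inside,outside) GLOBAL LOCAL netmask ...
            cfg["statics"].append({"global": t[2], "local": t[3]})
        elif t[:1] == ["global"]:           # global (outside) ID IP
            cfg["globals"].append({"if": t[1].strip("()"), "ip": t[3]})
    return cfg

def check_statics(cfg):
    """Per static: is the global on the outside subnet (otherwise the upstream hop
    needs a route to it), what does the outside ACL let in, is a DNS-reply ACE there."""
    outside_net = cfg["interfaces"]["outside"]
    acl = cfg["acls"].get(cfg["access_groups"].get("outside"), [])
    report = []
    for s in cfg["statics"]:
        g = ipaddress.ip_address(s["global"])
        hits = [a for a in acl if a.action == "permit" and g in a.dst]
        report.append({
            "global": s["global"], "local": s["local"],
            "in_outside_subnet": g in outside_net,
            "inbound_permits": [(a.proto, a.dport) for a in hits
                                if a.proto in ("tcp", "udp", "ip") and a.sport is None],
            # the 'permit udp any eq dns host G' ACE suggested in the reply above
            "dns_reply_ace": any(a.proto == "udp" and a.sport == "dns" for a in hits),
        })
    return report

def check_globals(cfg):
    """NAT/PAT pool addresses on 'outside' that are off the outside subnet."""
    net = cfg["interfaces"]["outside"]
    return [g["ip"] for g in cfg["globals"]
            if g["if"] == "outside" and ipaddress.ip_address(g["ip"]) not in net]

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("outside subnet:", cfg["interfaces"]["outside"], "globals off-subnet:", check_globals(cfg))
    for r in check_statics(cfg):
        print(r)
```

For the posted fragment every static and the PAT global land inside 198.51.100.128/25, each static has exactly the inbound ports the ACL shows, and no static has a DNS-reply ACE; appending the suggested `access-list 100 permit udp any eq dns host ...210` line flips `dns_reply_ace` for .210 only, without changing its inbound permits (the source-port qualifier keeps it out of that list).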

Thanks for the quick reply. I'll try adding the DNS permissions. As for the web server getting outside access, no, nothing works. Even when I try to ping an outside IP (vs a domain name) it simply doesn't work. And it's not the machine, because if I set a workstation to be 10.10.2.5, and place it behind the PIX with the same config, the same thing happens. If I remove the static entry for 10.10.2.5 and clear the xlate, it can ping the outside.

It's baffling that that static line is somehow responsible for not allowing any connection to the outside.

-J

Reply to
Japhar

In article , Japhar wrote:
:As for
:the web server getting outside access, no nothing works. Even when I
:try to ping an outside IP (vs a domain name) it simply doesn't work.
:And it's not the machine, because if I set a workstation to be
:10.10.2.5, and place it behind the PIX with the same config, the same
:thing happens. If I remove the static entry for 10.10.2.5 and clear the
:xlate, it can ping the outside.

That's a good test, and it is good that you thought to clear the xlate.

Your config was a fragment. In the part that wasn't shown, do you happen to have configured the sysopt that turns off proxy arp?

When the device is active at .210 and tries to go out, does the router have an entry for it in its arp tables?

If you debug icmp trace and try to ping outwards by IP, is the packet shown as going out? Does anything return in response?

Try this as well. In configure mode,

access-list test210 permit ip host 10.10.2.5 any
access-list test210 permit ip host X.Y.78.210 any
access-list test210 permit ip any host 10.10.2.5
access-list test210 permit ip any host X.Y.78.210

Then this can be done either in or out of configure mode:

capture c210in access-list test210 interface inside
capture c210out access-list test210 interface outside

then try a test, then

show capture c210in
show capture c210out

When you are done with the captures, you can

no capture c210in
no capture c210out

My working hypothesis at the moment is that for some reason proxy arp is not working for you and that possibly the router does not know to route .210 through the PIX outside IP. (It's safer to set your router to always route the entire block through the PIX outside IP, in case proxy arp breaks.)

Reply to
Walter Roberson

Thanks for the info! Ok, you're going to think I'm stupid but, we don't have a router in this setup. Right now we have the cable modem going straight to the pix, and from the pix to our switch/LAN.

As for sysopt, the only sysopt command I have is for our vpn: sysopt connection permit-ipsec

I tried adding those access-list rules, but I still couldn't get any ping to the outside, and the captures didn't make much sense to me :(

again thanks, J

Reply to
Japhar

In article , Japhar wrote:
:Right now we have the cable modem going
:straight to the pix, and from the pix to our switch/LAN.

Sometimes cable modems are routers, and sometimes they are bridges.

Either one should work, especially as I note that your 'global' IP is not the same as your interface IP -- if it works for one it should work for others in the same subnet.

:the captures didn't make much sense to me :(

If you add the word 'detail' after the "show capture" line then it will give some more information. If you post a very short selection then we can have a look. Longer selections are best done out of band (e.g., a URL). Note there is a 'copy' command to copy the traces to a tftp server: the traces can then be examined in detail with tools such as 'tcpdump'.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.