Solved

ENABLE HTTP SERVER IN A FW PIX

Posted on 2004-08-18
Last Modified: 2008-02-01
How can I do it?

Thank you
Question by:txangu2
 
LVL 7

Expert Comment

by:gnegrota
ID: 11829731
static + conduit permit for an OS version < 6.0

static (inside,outside) [outside_public_ip] [inside_http_ip]
conduit permit tcp host [outside_public_ip] eq http any

or static + access-list for OS version >= 6.0

0
 
LVL 7

Expert Comment

by:gnegrota
ID: 11829808
Example for ver>6.0

static (inside,outside) 72.118.125.12 10.0.0.1 0 0
access-list 101 permit tcp any host 72.118.125.12 eq www
access-group 101 in interface outside


where 10.0.0.1 is your HTTP server on the inside interface and 72.118.125.12 is the public IP. Sure, you must change these values...
0
 

Author Comment

by:txangu2
ID: 11839443
Sorry. The HTTP server is the PIX firewall; I need to configure this firewall via HTTP.

There is a command "http server enable" in the PIX. Do I need another command to configure the PIX as an HTTP server? This command is enabled in the PIX and the connection is not successful (in the browser: http:\ip_ethernet_pix)

Thank you
0
 
LVL 7

Expert Comment

by:gnegrota
ID: 11839755
:-) Ah, OK.
The command enables PIX administration using a web interface, but it is not recommended to enable it. Yes, the command is 'http server enable' and nothing more.
Anyway, if you decide to enable it, add
http 10.1.1.10 to enable access only for IP '10.1.1.10'. By default, all have access, so take care. The syntax is:
http <ip> [<mask>] [<interface>]
where:
default <mask> is 255.255.255.255
default <interface> is 'inside'

0
 

Author Comment

by:txangu2
ID: 11840287
I have this configuration, but the connection is not successful. What is the problem? I do not understand!!!
0
 
LVL 7

Accepted Solution

by:
gnegrota earned 25 total points
ID: 11840748
Try this:

#conf t
http server enable
http 0 0 inside
access-list 117 permit tcp any host IP_PIX_Inside eq http
access-group 117 in interface inside
quit
write memory
clear xlate

.... and try to access the PIX from inside with a browser.
(BTW, your IOS version?)
Warning: this will enable HTTP access for all. If successful, rewrite the access-list and 'http 0 0 inside' in the proper manner!
0
 

Expert Comment

by:chrisdixon
ID: 11843684
If you are trying to configure the PIX using the web-based PIX Device Manager (AKA 'PDM'), you need to point your browser at the PIX using HTTPS/SSL:

https://<PIX inside IP address>

You will be prompted for a username/password. If you have not added any local usernames in the PIX config, just enter the 'enable' password (no username needed).

There are a few pre-requisites for PDM to work:
- Your PIX must have a PDM image stored in flash - the 'sh ver' command will tell you whether you have PDM.
The latest version of PDM is 3.01 (for most smaller PIXes), which works with PIX OS version 6.33. (I say this because older PIXes did not have PDM)
- The PIX needs to have at least a single-DES encryption license (newer PIXes will have this by default)
- As well as the 'http server enable' and 'http X.X.X.X Y.Y.Y.Y inside' commands, the PIX needs a domain name (which it uses to generate the internal SSL certificate). The quickest way to configure this is to enter the 'setup' command while in 'config' mode. You will be asked a few questions which will add all the commands needed for PDM.


0
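
An added example, not code from any poster in this thread: a small Python audit that reads a saved PIX configuration and reports who is allowed to reach the web management interface, using the 'http <ip> [<mask>] [<interface>]' syntax and defaults quoted above plus the domain-name prerequisite for PDM. The sample configuration, the function names and the policy of flagging non-inside interfaces are assumptions made for illustration.

```python
import ipaddress

# Constructed sample config, not taken from the device discussed in the thread.
SAMPLE_CONFIG = """\
hostname pixfirewall
domain-name example.invalid
http server enable
http 0 0 inside
http 10.1.1.10
http 192.168.5.0 255.255.255.0 dmz
"""

def parse_http_rules(config):
    """Return (server_enabled, [(allowed_network, interface), ...])."""
    enabled, rules = False, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["http", "server", "enable"]:
            enabled = True
        elif tok[:1] == ["http"] and len(tok) > 1 and tok[1] != "server":
            ip = "0.0.0.0" if tok[1] == "0" else tok[1]
            rest = tok[2:]
            mask = "255.255.255.255"          # default mask per the thread
            if rest and (rest[0] == "0" or "." in rest[0]):
                mask = rest.pop(0)
                mask = "0.0.0.0" if mask == "0" else mask
            iface = rest[0] if rest else "inside"   # default interface
            rules.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), iface))
    return enabled, rules

def audit(config):
    """Return findings about who may reach the PIX web management interface."""
    enabled, rules = parse_http_rules(config)
    if not enabled:
        return []
    findings = []
    if not rules:
        findings.append("http server enabled but no 'http <ip>' entry present")
    for net, iface in rules:
        if net.prefixlen == 0:
            findings.append(f"any address may manage the PIX via '{iface}'")
        elif iface != "inside":
            findings.append(f"{net} allowed on non-inside interface '{iface}'")
    has_domain = any(l.split()[:1] == ["domain-name"] for l in config.splitlines())
    if not has_domain:
        findings.append("no domain-name set (PDM uses it for its SSL certificate)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
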
