Help to set up web server behind PIX 501

PIX 501 is configured behind a Netopia router in bridged mode. I have the gateway address, netmask, and 5 static IP addresses (world readable).

I want to give one web server a static IP address and open the HTTP port and a few others, so that folks can get through to it. How do I do this through the Cisco PIX Device Manager?

The PIX is set up as the gateway and uses PPPoE (because this is a DSL ISP).
The web server would use an IP address on the same subnet.

Should be easy, but the Cisco PIX Device Manager isn't as intuitive as I thought it would be!

Thanks!
compinfoAsked:

lrmooreCommented:
Which version of PDM are you using? I find it much easier to use the command line.

You need two things. 1) a static port translation and 2) access-list permit inbound:

example:
<== do this for each port that you want to forward
   static (inside,outside) tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
   static (inside,outside) tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
 
<== add an access-list entry for each port/server/service
   access-list outside_access_in permit tcp any host <public ip> eq http
   access-list outside_access_in permit tcp any host <public ip> eq https
 
<== apply the access-list
    access-group outside_access_in in interface outside

! done !
compinfoAuthor Commented:
PDM version 3.06.

Ok, so:

1.  A static port translation means I actually assign the server the inside address of:  192.168.1.100
2.  Access list allowing http and https

Great!  If I need SSL access, what could I add?  I will try this solution tomorrow.  Thanks lrmoore!
lrmooreCommented:
> If I need SSL access, what could I add?  
That's the second entry in each section in the example above. One entry for http, one entry for https (ssl)

> actually assign the server the inside address of:  192.168.1.100
You don't have to, just replace this with the private IP already assigned to the server...
That was just an example config...

I would counsel you to use a totally different IP address subnet on the inside of this firewall (includes all of your workstations, servers, printers, etc.), as long as it is NOT 192.168.1.0, 192.168.0.0, 192.168.100.0, 10.0.0.0, 10.10.10.0.
Why? If you ever intend to use the VPN capabilities of your PIX, you will not be happy with the results if you use one of these subnets. Almost every broadband router on the market uses these as the default inside network. If yours is 192.168.1.x and a VPN user with a broadband router also has 192.168.1.x as their home LAN, then you have VPN problems. Save the headaches and set yours up so that you will never have that problem. Use something like 192.168.233.x or 172.22.22.x.

compinfoAuthor Commented:
I tried adding all the lines in the GUI multiple command line interface like this (cut and paste):

static inside tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
static inside tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
static outside tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
static outside tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
access-list outside_access_in permit tcp any host <public ip> eq http
access-list outside_access_in permit tcp any host <public ip> eq https

**
I tried the first line, and got this error message:

ERROR: Invalid global IP address inside
Usage:      [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed
***

Any ideas?

lrmooreCommented:
You have to replace this "<public ip>" with the real IP address, i.e. 12.34.56.7,
or the word "interface" if you don't have any other public IPs to use.
And, you have to use the "(inside,outside)" including the parentheses

    static (inside,outside) tcp 12.34.56.7 http 192.168.1.100 http netmask 255.255.255.255
or
    static (inside,outside) tcp interface http 192.168.1.100 http netmask 255.255.255.255
compinfoAuthor Commented:
Yes, sorry,  I did use the real public IP address instead.

I will try again with (inside,outside) instead of breaking them apart.

Also, do I have to first set up the internal IP address under hosts/networks? Is there anything I must do *before* running these commands in order for them to work? The access control lists were created successfully; it's the 'static' lines that gave me problems. Let me give it a quick shot...
compinfoAuthor Commented:
OK, all the commands went through successfully now. Now, how can I test my external IP address to see if it is routing to the server correctly?
lrmooreCommented:
You'll have to have someone external to your network test it. If you want to post the IP here, I'll test it for you.
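An added example, not code from the original thread or from Cisco, that serves two of lrmoore's replies above: the static/access-list/access-group lines for a list of forwarded TCP ports, and the reminder that the forward can only be tested from outside the PIX. `pix_forward_lines` emits the PIX 6.x lines in the exact form given above (one `static` and one `access-list` entry per port, the interface pair written as a single `(inside,outside)` token, which is the detail that produced the "Invalid global IP address inside" error); `tcp_port_open` and `check_forwards` do the external test with a plain TCP connect and a timeout. The addresses 12.34.56.7 and 192.168.1.100, the port list and the function names are constructed for the example; it assumes an explicit public address, as the asker has, rather than the `interface` form.

```python
"""Static-PAT helper for the PIX 6.x thread above.

Added example, not code from the original page or from Cisco.  It (1) emits
the static / access-list / access-group lines that forward a list of TCP
ports to one inside host, and (2) verifies each forwarded port from an
outside host with a TCP connect.  All addresses and ports are constructed
placeholders.
"""
import socket

NETMASK = "255.255.255.255"   # host mask used by every per-port static


def pix_forward_lines(public_ip, private_ip, ports, acl="outside_access_in"):
    """Return PIX 6.x config lines forwarding each TCP port to private_ip.

    The interface pair is one token, '(inside,outside)'.  Writing it as
    'static inside ...' / 'static outside ...' on two lines (as tried in the
    thread) makes the parser read 'inside' as the mapped address, hence the
    'Invalid global IP address inside' error.  Ports are emitted as numbers
    so the static and ACL lines cannot disagree on a service name.
    """
    statics = [
        f"static (inside,outside) tcp {public_ip} {p} {private_ip} {p} netmask {NETMASK}"
        for p in ports
    ]
    acl_lines = [f"access-list {acl} permit tcp any host {public_ip} eq {p}" for p in ports]
    # One access-group binds the whole named list to the outside interface;
    # every 'access-list <acl> permit ...' entry is then live at once.
    return statics + acl_lines + [f"access-group {acl} in interface outside"]


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP three-way handshake to host:port completes in time.

    Must run from a host on the public side of the PIX: from the inside LAN
    a packet to the public address never crosses the outside interface, so
    the static and the inbound ACL are not exercised.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable or filtered
        return False


def check_forwards(public_ip, ports, timeout=3.0):
    """Map each forwarded port to whether it answered a TCP connect."""
    return {p: tcp_port_open(public_ip, p, timeout) for p in ports}


def selftest():
    """Offline check of tcp_port_open against a local listener (no PIX needed).

    Returns (result while listening, result after the listener is closed).
    """
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))       # ephemeral port chosen by the kernel
        srv.listen(1)
        port = srv.getsockname()[1]
        open_result = tcp_port_open("127.0.0.1", port, timeout=1.0)
    # listener closed: the same port must now refuse the connect
    closed_result = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    PUBLIC_IP = "12.34.56.7"       # constructed: one of the five static addresses
    PRIVATE_IP = "192.168.1.100"   # constructed: the web server's inside address
    PORTS = [80, 443]
    print("\n".join(pix_forward_lines(PUBLIC_IP, PRIVATE_IP, PORTS)))
    print(check_forwards(PUBLIC_IP, PORTS))   # run this half from an outside host
```

Paste the printed lines into PDM's multi-line command tool or the CLI, then run the `check_forwards` half from a machine on the public side. If the lines are accepted but the ports still test closed, two things are worth checking before touching the config again: on PIX 6.x, existing translations are not rebuilt until `clear xlate` is issued after a `static` change, and the server's own default gateway must be the PIX inside address or its replies never come back through the firewall.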
compinfoAuthor Commented:
Thanks for the offer, I have an external computer here and it's working fine.  Thanks again!
lrmooreCommented:
Good news!

- Cheers!