Solved

Help to setup web server behind PIX 501

Posted on 2004-10-28
242 Views
Last Modified: 2013-11-16
PIX 501 is configured behind a netopia router in bridged mode.  I have the gateway address, netmask, and 5 static ip addresses (world readable).

I want to give one web server a static ip address and open http port and a few others, so that folks can get through to it.  How to do this through the Cisco PIX Device Manager?

pix is setup as the gateway and uses PPPOE (b/c this is a DSL ISP).
web server would use IP address on same subnet.

Should be easy, but the Cisco Pix device manager isn't as intuitive as I thought it would be!

Thanks!
0
Question by:compinfo
    10 Comments
     
    LVL 79

    Accepted Solution

    by:
    Which version of PDM are you using? I find it much easier to use the command line.

    You need two things. 1) a static port translation and 2) access-list permit inbound:

    example:
    <== do this for each port that you want to forward
       static (inside,outside) tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
       static (inside,outside) tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
     
    <== add an access-list entry for each port/server/service
       access-list outside_access_in permit tcp any host <public ip> eq http
       access-list outside_access_in permit tcp any host <public ip> eq https
     
    <== apply the access-list
        access-group outside_access_in in interface outside

    ! done !
    0
     

    Author Comment

    by:compinfo
    PDM version 3.06.

    Ok, so:

    1.  A static port translation means I actually assign the server the inside address of:  192.168.1.100
    2.  Access list allowing http and https

    Great!  If I need SSL access, what could I add?  I will try this solution tomorrow.  Thanks lrmoore!
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    > If I need SSL access, what could I add?  
    That's the second entry in each section in the example above. One entry for http, one entry for https (ssl)

    > actually assign the server the inside address of:  192.168.1.100
    You don't have to, just replace this with the private IP already assigned to the server...
    That was just an example config...

    I would counsel you to use a totally different IP address subnet on the inside of this firewall (includes all of your workstations, servers, printers, etc.), as long as it is NOT 192.168.1.0, 192.168.0.0, 192.168.100.0, 10.0.0.0, 10.10.10.0.
    Why? If you ever intend to use the VPN capabilities of your PIX, you will not be happy with the results if you use one of these subnets. Almost every broadband router on the market uses these as the default inside network. If yours is 192.168.1.x and a VPN user with a broadband router also has 192.168.1.x as their home LAN, then you have VPN problems. Save the headaches and set yours up so that you will never have that problem. Use something like 192.168.233.x or 172.22.22.x.

    0
     

    Author Comment

    by:compinfo
    I tried adding all the lines in the GUI multiple command line interface like this (cut and paste):

    static inside tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
    static inside tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
    static outside tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
    static outside tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
    access-list outside_access_in permit tcp any host <public ip>eq http
    access-list outside_access_in permit tcp any host <public ip> eq https

    **
    I tried the first line, and got this error message:

    ERROR: Invalid global IP address inside
    Usage:      [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
          [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
    Command failed
    ***

    Any ideas?

    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    You have to replace this "<public ip>" with the real IP address, i.e. 12.34.56.7,
    or the word "interface" if you don't have any other public IPs to use.
    And you have to use the "(inside,outside)" including the parentheses:

        static (inside,outside) tcp 12.34.56.7 http 192.168.1.100 http netmask 255.255.255.255
    or
        static (inside,outside) tcp interface http 192.168.1.100 http netmask 255.255.255.255
    0
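    As an added example (not from this thread or from Cisco): a small Python helper that emits the static PAT, access-list and access-group lines from the accepted answer for a set of ports, and lints pasted lines for the mistakes that surfaced above (an unreplaced `<public ip>` placeholder, an interface pair written without parentheses, a malformed access-list entry). The regexes assume the PIX 6.x syntax shown in the usage message; the addresses are constructed samples.

```python
import re

# Assumed PIX 6.x syntax as shown in the thread's usage message (constructed
# example, not the firewall's own parser).
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
    r"(?: netmask (?P<mask>\S+))?$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) any host (?P<ip>\S+) eq (?P<port>\S+)$"
)
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_ipv4(text):
    m = IPV4_RE.match(text)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def build_forwarding(public_ip, inside_ip, ports, acl="outside_access_in"):
    """Emit the three parts from the accepted answer: one static PAT per port,
    one ACL entry per port, and the access-group that applies the ACL inbound."""
    statics = [f"static (inside,outside) tcp {public_ip} {port} {inside_ip} {port} "
               f"netmask 255.255.255.255" for port in ports]
    acls = [f"access-list {acl} permit tcp any host {public_ip} eq {port}" for port in ports]
    return statics + acls + [f"access-group {acl} in interface outside"]


def lint(line):
    """Return the problems found in one pasted line ([] means it parses)."""
    if "<" in line or ">" in line:
        return ["placeholder such as <public ip> was not replaced with a real address"]
    if line.startswith("static "):
        m = STATIC_RE.match(line)
        if not m:
            if not re.match(r"^static \(\w+,\w+\) ", line):
                return ["interface pair must be written with parentheses: (inside,outside)"]
            return ["static line does not match 'static (real_ifc,mapped_ifc) tcp|udp MAPPED_IP PORT REAL_IP PORT'"]
        problems = []
        if m["mapped_ip"] != "interface" and not is_ipv4(m["mapped_ip"]):
            problems.append(f"mapped address {m['mapped_ip']!r} must be a public IP or the word 'interface'")
        if not is_ipv4(m["real_ip"]):
            problems.append(f"real (inside) address {m['real_ip']!r} is not an IPv4 address")
        return problems
    if line.startswith("access-list ") and not ACL_RE.match(line):
        return ["access-list entry malformed: expected '... any host PUBLIC_IP eq PORT' (note the space before 'eq')"]
    return []
```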
     

    Author Comment

    by:compinfo
    Yes, sorry,  I did use the real public IP address instead.

    I will try again with (inside,outside) instead of breaking them apart.

    Also, do I have to first set up the internal IP address under hosts/networks?  Is there anything I must do *before* running these commands in order for them to work?  The access control lists were created successfully; it's the 'static' lines that gave me problems.  Let me give it a quick shot...
    0
     

    Author Comment

    by:compinfo
    OK, all the commands went through successfully now.  Now, how can I test my external IP address to see if it is routing to the server correctly?  
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    You'll have to have someone external to your network test.... if you want to post the IP here, I'll test for you..
    0
     

    Author Comment

    by:compinfo
    Thanks for the offer, I have an external computer here and it's working fine.  Thanks again!
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Good news!

    - Cheers!
    0
