Help to setup web server behind PIX 501

PIX 501 is configured behind a netopia router in bridged mode.  I have the gateway address, netmask, and 5 static ip addresses (world readable).

I want to give one web server a static ip address and open http port and a few others, so that folks can get through to it.  How to do this through the Cisco PIX Device Manager?

The PIX is set up as the gateway and uses PPPoE (b/c this is a DSL ISP).
The web server would use an IP address on the same subnet.

Should be easy, but the Cisco PIX Device Manager isn't as intuitive as I thought it would be!

Thanks!
compinfo Asked:

lrmoore Commented:
Which version of PDM are you using? I find it much easier to use the command line.

You need two things. 1) a static port translation and 2) access-list permit inbound:

example:
<== do this for each port that you want to forward
   static (inside,outside) tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
   static (inside,outside) tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
 
<== add an access-list entry for each port/server/service
   access-list outside_access_in permit tcp any host <public ip> eq http
   access-list outside_access_in permit tcp any host <public ip> eq https
 
<== apply the access-list
    access-group outside_access_in in interface outside

! done !
0
 
compinfo (Author) Commented:
PDM version 3.06.

Ok, so:

1.  A static port translation means I actually assign the server the inside address of:  192.168.1.100
2.  Access list allowing http and https

Great!  If I need SSL access, what could I add?  I will try this solution tomorrow.  Thanks lrmoore!
0
 
lrmoore Commented:
> If I need SSL access, what could I add?  
That's the second entry in each section in the example above. One entry for http, one entry for https (ssl)

> actually assign the server the inside address of:  192.168.1.100
You don't have to, just replace this with the private IP already assigned to the server...
That was just an example config...

I would counsel you to use a totally different IP address subnet on the inside of this firewall (includes all of your workstations, servers, printers, etc), as long as it is NOT 192.168.1.0, 192.168.0.0, 192.168.100.0, 10.0.0.0, 10.10.10.0
Why? If you ever intend to use the VPN capabilities of your PIX, you will not be happy with the results if you use one of these subnets. Almost every broadband router on the market uses these as the default inside network. If yours is 192.168.1.x and a VPN user with a broadband router also has 192.168.1.x as their home LAN, then you have VPN problems. Save the headaches and set yours up so that you will never have that problem. Use something like 192.168.233.x or 172.22.22.x ..

0
 
compinfo (Author) Commented:
I tried adding all the lines in the GUI multiple command line interface like this (cut and paste):

static inside tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
static inside tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
static outside tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
static outside tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
access-list outside_access_in permit tcp any host <public ip>eq http
access-list outside_access_in permit tcp any host <public ip> eq https

**
I tried the first line, and got this error message:

ERROR: Invalid global IP address inside
Usage:      [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed
***

Any ideas?

0
 
lrmoore Commented:
You have to replace this "<public ip>" with the real IP address, i.e 12.34.56.7
or the word "interface" if you don't have any other public ip's to use..
And, you have to use the "(inside,outside)" including the parentheses

    static (inside,outside) tcp 12.34.56.7 http 192.168.1.100 http netmask 255.255.255.255
or
    static (inside,outside) tcp interface http 192.168.1.100 http netmask 255.255.255.255
0
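A small audit script, added here and not part of the thread, that cross-checks the three pieces lrmoore's answer requires (the static port translation, the access-list permit, and the access-group binding) as they appear in a PIX configuration, using the corrected "(inside,outside)" / "interface" syntax above. The config text below is constructed for illustration; the 12.34.56.7 address is lrmoore's placeholder, and the smtp entry is deliberately left without a static so the script has something to flag.

```python
import re

# Constructed sample config (not from the thread): the http/https statics and ACL
# entries from the answer, plus one ACL permit (smtp) that has no translation behind it.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 12.34.56.7 http 192.168.1.100 http netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255
access-list outside_access_in permit tcp any host 12.34.56.7 eq http
access-list outside_access_in permit tcp any host 12.34.56.7 eq https
access-list outside_access_in permit tcp any host 12.34.56.7 eq smtp
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) (?P<src>\S+) "
    r"host (?P<dst>\S+) eq (?P<port>\S+)"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\S+)")


def audit_pix_forwarding(config: str) -> dict:
    """Cross-check static port translations against the inbound access-list.

    'forwarded'          : (proto, port) pairs with both a static and an applied ACL permit
    'acl_without_static' : ACL permits with no translation (dead or over-broad rules)
    'static_without_acl' : translations no applied ACL allows (inbound traffic is dropped)
    'acl_applied'        : whether any access-list is bound inbound on the outside interface
    """
    statics, acls, applied = set(), set(), set()
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            if m["mapped"] == "outside":  # only outside-facing translations matter here
                statics.add((m["proto"], m["mapped_port"]))
        elif m := ACL_RE.match(line):
            acls.add((m["name"], m["proto"], m["port"]))
        elif m := GROUP_RE.match(line):
            if m["ifc"] == "outside":
                applied.add(m["name"])
    # Only permits in an ACL that is actually bound to the outside interface count.
    acl_ports = {(proto, port) for (name, proto, port) in acls if name in applied}
    return {
        "forwarded": sorted(statics & acl_ports),
        "acl_without_static": sorted(acl_ports - statics),
        "static_without_acl": sorted(statics - acl_ports),
        "acl_applied": bool(applied),
    }
```

Running it over a real "show running-config" dump pointed the same way tells you which forwarded ports are actually reachable and which permit lines grant more than any static backs.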
 
compinfo (Author) Commented:
Yes, sorry,  I did use the real public IP address instead.

I will try again with (inside,outside) instead of breaking them apart.

Also, do I have to first set up the internal IP address under hosts/networks?  Is there anything I must do *before* running these commands in order for them to work?  The access control lists were created successfully, it's the 'static' lines that gave me problems.  Let me give it a quick shot...
0
 
compinfo (Author) Commented:
ok, all the commands went successfully now.  Now, how can I test my external IP address to see if it is routing to the server correctly?  
0
 
lrmoore Commented:
You'll have to have someone external to your network test.... if you want to post the ip here, i'll test for you..
0
 
compinfo (Author) Commented:
Thanks for the offer, I have an external computer here and it's working fine.  Thanks again!
0
 
lrmoore Commented:
Good news!

- Cheers!
0