Solved

Help to setup web server behind PIX 501

Posted on 2004-10-28
286 Views
Last Modified: 2013-11-16
PIX 501 is configured behind a netopia router in bridged mode.  I have the gateway address, netmask, and 5 static ip addresses (world readable).

I want to give one web server a static ip address and open http port and a few others, so that folks can get through to it.  How to do this through the Cisco PIX Device Manager?

pix is setup as the gateway and uses PPPOE (b/c this is a DSL ISP).
web server would use IP address on same subnet.

Should be easy, but the Cisco PIX Device Manager isn't as intuitive as I thought it would be!

Thanks!
0
Question by:compinfo
10 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12441029
Which version of PDM are you using? I find it much easier to use the command line.

You need two things. 1) a static port translation and 2) access-list permit inbound:

example:
<== do this for each port that you want to forward
   static (inside,outside) tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
   static (inside,outside) tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
 
<== add an access-list entry for each port/server/service
   access-list outside_access_in permit tcp any host <public ip> eq http
   access-list outside_access_in permit tcp any host <public ip> eq https
 
<== apply the access-list
    access-group outside_access_in in interface outside

! done !
0
 

Author Comment

by:compinfo
ID: 12443940
PDM version 3.06.

Ok, so:

1.  A static port translation means I actually assign the server the inside address of:  192.168.1.100
2.  Access list allowing http and https

Great!  If I need SSL access, what could I add?  I will try this solution tomorrow.  Thanks lrmoore!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12444091
> If I need SSL access, what could I add?  
That's the second entry in each section in the example above. One entry for http, one entry for https (ssl)

> actually assign the server the inside address of:  192.168.1.100
You don't have to, just replace this with the private IP already assigned to the server...
That was just an example config...

I would counsel you to use a totally different IP address subnet on the inside of this firewall (includes all of your workstations, servers, printers, etc.), as long as it is NOT 192.168.1.0, 192.168.0.0, 192.168.100.0, 10.0.0.0, 10.10.10.0.
Why? If you ever intend to use the VPN capabilities of your PIX, you will not be happy with the results if you use one of these subnets. Almost every broadband router on the market uses these as the default inside network. If yours is 192.168.1.x and a VPN user with a broadband router also has 192.168.1.x as their home LAN, then you have VPN problems. Save the headaches and set yours up so that you will never have that problem. Use something like 192.168.233.x or 172.22.22.x.

0

Author Comment

by:compinfo
ID: 12452982
I tried adding all the lines in the GUI multiple command line interface like this (cut and paste):

static inside tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
static inside tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
static outside tcp <public ip> http 192.168.1.100 http netmask 255.255.255.255
static outside tcp <public ip> https 192.168.1.100 https netmask 255.255.255.255
access-list outside_access_in permit tcp any host <public ip>eq http
access-list outside_access_in permit tcp any host <public ip> eq https

**
I tried the first line, and got this error message:

ERROR: Invalid global IP address inside
Usage:      [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed
***

Any ideas?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12453002
You have to replace this "<public ip>" with the real IP address, i.e. 12.34.56.7,
or the word "interface" if you don't have any other public IPs to use.
And you have to use the "(inside,outside)" including the parentheses:

    static (inside,outside) tcp 12.34.56.7 http 192.168.1.100 http netmask 255.255.255.255
or
    static (inside,outside) tcp interface http 192.168.1.100 http netmask 255.255.255.255
0
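The two mistakes in this thread (a "<public ip>" placeholder left in place, and "(inside,outside)" split into two separate lines) both produce the PIX usage error shown above. The script below is an added example, not lrmoore's or Cisco's code: it generates the three pieces from the accepted solution (one static PAT per port, one permit entry per port, and the access-group binding) and lints static/access-list lines for exactly those mistakes before you paste them into the PDM command window. The function names (build_publish_config, lint_line, is_ipv4), the PUBLIC_IP/SERVER_IP sample values and the service list are all constructed for the example; the PIX 6.x line shapes themselves are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample values (documentation / private ranges), not the asker's real addresses.
PUBLIC_IP = "203.0.113.10"
SERVER_IP = "192.168.233.50"   # inside address, in a subnet of the kind lrmoore recommends
SERVICES = [("tcp", "http"), ("tcp", "https")]

# Expected shape of the two line types from the accepted answer (PIX 6.x syntax).
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask (?P<mask>\S+)$"
)
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) permit (?P<proto>tcp|udp) any host (?P<ip>\S+) eq (?P<port>\S+)$"
)


def is_ipv4(text):
    """True if text parses as an IPv4 address."""
    try:
        return ipaddress.ip_address(text).version == 4
    except ValueError:
        return False


def build_publish_config(public_ip, server_ip, services, acl="outside_access_in"):
    """Emit the three pieces lrmoore listed: one static PAT per port, one permit
    ACE per port, and the access-group that binds the ACL to 'outside'.
    Only the listed ports are permitted; everything else stays closed."""
    if not (is_ipv4(public_ip) and is_ipv4(server_ip)):
        raise ValueError("public_ip and server_ip must be literal IPv4 addresses")
    statics = [
        f"static (inside,outside) {proto} {public_ip} {port} {server_ip} {port} "
        f"netmask 255.255.255.255"
        for proto, port in services
    ]
    aces = [
        f"access-list {acl} permit {proto} any host {public_ip} eq {port}"
        for proto, port in services
    ]
    return statics + aces + [f"access-group {acl} in interface outside"]


def lint_line(line):
    """Return a list of problems with one static/access-list line, targeting the
    mistakes seen in this thread: a leftover <public ip> placeholder, a missing
    (inside,outside) pair, and a missing space before 'eq'."""
    line = line.strip()
    problems = []
    if "<" in line or ">" in line:
        problems.append("placeholder left in line; replace <public ip> with a real address")
    if line.startswith("static"):
        m = STATIC_RE.match(line)
        if m is None:
            if re.match(r"^static \(\w+,\w+\) ", line) is None:
                problems.append("missing '(real_ifc,mapped_ifc)' pair, e.g. (inside,outside)")
            else:
                problems.append("static line does not match 'static (r,m) tcp|udp "
                                "<mapped_ip> <port> <real_ip> <port> netmask <mask>'")
        else:
            # 'interface' is allowed as the mapped address when no spare public IP exists
            if m["mapped_ip"] != "interface" and not is_ipv4(m["mapped_ip"]):
                problems.append(f"mapped address '{m['mapped_ip']}' is not an IPv4 address")
            if not is_ipv4(m["real_ip"]):
                problems.append(f"real address '{m['real_ip']}' is not an IPv4 address")
    elif line.startswith("access-list"):
        if ACE_RE.match(line) is None:
            problems.append("ACE does not match 'access-list <acl> permit tcp|udp any host "
                            "<ip> eq <port>'; check the space before 'eq'")
    return problems


if __name__ == "__main__":
    for cfg_line in build_publish_config(PUBLIC_IP, SERVER_IP, SERVICES):
        print(cfg_line, "->", lint_line(cfg_line) or "ok")
    # The form that produced "ERROR: Invalid global IP address inside" in the thread:
    print(lint_line("static inside tcp 12.34.56.7 http 192.168.1.100 http netmask 255.255.255.255"))
```

Run it once to see the generated lines pass the linter and the broken "static inside ..." form fail with a message naming the missing interface pair. The generator deliberately refuses anything that is not a literal IPv4 address, so a stray placeholder is caught before it ever reaches the firewall; the linter additionally accepts the "interface" keyword that lrmoore mentions for the mapped address, but only in the static line.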
 

Author Comment

by:compinfo
ID: 12453022
Yes, sorry, I did use the real public IP address instead.

I will try again with (inside,outside) instead of breaking them apart.

Also, do I have to first set up the internal IP address under hosts/networks?  Is there anything I must do *before* running these commands in order for them to work?  The access control lists were created successfully; it's the 'static' lines that gave me problems.  Let me give it a quick shot...
0
 

Author Comment

by:compinfo
ID: 12453047
OK, all the commands went successfully now.  Now, how can I test my external IP address to see if it is routing to the server correctly?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12453099
You'll have to have someone external to your network test.... if you want to post the IP here, I'll test for you..
0
 

Author Comment

by:compinfo
ID: 12457313
Thanks for the offer, I have an external computer here and it's working fine.  Thanks again!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12457321
Good news!

- Cheers!
0
