Help to setup web server behind PIX 501

Posted on 2004-10-28
Last Modified: 2013-11-16
PIX 501 is configured behind a netopia router in bridged mode.  I have the gateway address, netmask, and 5 static ip addresses (world readable).

I want to give one web server a static ip address and open http port and a few others, so that folks can get through to it.  How to do this through the Cisco PIX Device Manager?

The PIX is set up as the gateway and uses PPPoE (because this is a DSL ISP).
The web server would use an IP address on the same subnet.

Should be easy, but the Cisco PIX Device Manager isn't as intuitive as I thought it would be!

Question by:compinfo
    LVL 79

    Accepted Solution

    Which version of PDM are you using? I find it much easier to use the command line.

    You need two things. 1) a static port translation and 2) access-list permit inbound:

    <== do this for each port that you want to forward
       static (inside,outside) tcp <public ip> http <private ip> http netmask 255.255.255.255
       static (inside,outside) tcp <public ip> https <private ip> https netmask 255.255.255.255
    <== add an access-list entry for each port/server/service
       access-list outside_access_in permit tcp any host <public ip> eq http
       access-list outside_access_in permit tcp any host <public ip> eq https
    <== apply the access-list
        access-group outside_access_in in interface outside

    ! done !
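An added example, not part of the original thread and not lrmoore's config: the two halves of the recipe above (the `static` port translation and the `access-list` permit, bound with `access-group`) have to agree, and on a PIX nothing warns you when they drift apart. The Python below parses a constructed PIX 6.x-style config fragment (203.0.113.10 is a documentation address, 192.168.233.10 an assumed inside host) and reports ports that are forwarded but not permitted, ports permitted with no translation behind them, and whether the ACL is applied to the outside interface at all. The service-keyword table is an assumed subset of the PIX keyword list.

```python
"""Cross-check PIX 6.x-style port forwarding: every inbound static PAT needs a matching
permit in the ACL that is actually applied to the outside interface."""
import re
from collections import namedtuple

Static = namedtuple("Static", "proto mapped_ip mapped_port real_ip real_port")
Permit = namedtuple("Permit", "acl proto dst_ip dst_port")

# Service keywords used in this thread, mapped to port numbers (assumed subset of the PIX keyword list).
SERVICE_PORTS = {"http": 80, "www": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21, "domain": 53}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
PERMIT_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
BROAD_RE = re.compile(r"^access-list (\S+) permit ip any any")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

# Constructed sample config (not from the post): 203.0.113.10 is a documentation address,
# 192.168.233.10 follows the inside-subnet suggestion made later in the thread.
CONSTRUCTED_CONFIG = """\
static (inside,outside) tcp 203.0.113.10 http 192.168.233.10 http netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 https 192.168.233.10 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 3389 192.168.233.10 3389 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 203.0.113.10 eq http
access-list outside_access_in permit tcp any host 203.0.113.10 eq https
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_access_in in interface outside
"""


def port_num(tok):
    """Resolve a numeric port or a PIX service keyword to an integer."""
    if tok.isdigit():
        return int(tok)
    if tok not in SERVICE_PORTS:
        raise ValueError("unknown service keyword: %s" % tok)
    return SERVICE_PORTS[tok]


def parse_config(text, outside_ip=None):
    """Collect inbound static PATs, host/port permits, 'permit ip any any' ACLs and access-group bindings."""
    statics, permits, broad, bindings = [], [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, proto, mip, mport, rip, rport, _mask = m.groups()
            if (real_ifc, mapped_ifc) != ("inside", "outside"):
                continue  # only translations reachable from the outside matter here
            if mip == "interface":  # 'interface' means the outside interface's own address
                mip = outside_ip or "interface"
            statics.append(Static(proto, mip, port_num(mport), rip, port_num(rport)))
            continue
        m = PERMIT_RE.match(line)
        if m:
            acl, proto, dst, port = m.groups()
            permits.append(Permit(acl, proto, dst, port_num(port)))
            continue
        m = BROAD_RE.match(line)
        if m:
            broad.append(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)  # interface -> ACL name
    return statics, permits, broad, bindings


def audit(text, outside_ip=None):
    """Report where the translations and the outside ACL disagree."""
    statics, permits, broad, bindings = parse_config(text, outside_ip)
    outside_acl = bindings.get("outside")
    permitted = {(p.proto, p.dst_ip, p.dst_port) for p in permits if p.acl == outside_acl}
    translated = {(s.proto, s.mapped_ip, s.mapped_port) for s in statics}
    return {
        "acl_applied": outside_acl is not None,
        "broad_permit": outside_acl in broad,
        "unpermitted_statics": sorted(translated - permitted),  # forwarded, but the ACL drops it
        "unbacked_permits": sorted(permitted - translated),     # opened in the ACL with nothing behind it
    }


if __name__ == "__main__":
    for key, value in audit(CONSTRUCTED_CONFIG).items():
        print("%-20s %s" % (key, value))
```

Run it against `show running-config` output pasted into a file; on the constructed sample it flags tcp/3389 (translated, never permitted) and tcp/25 (permitted, never translated). The second case is the one to clean up: a permit with nothing behind it does no harm today, but it will silently become an exposure the day a `static` for that port is added.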

    Author Comment

    PDM version 3.06.

    Ok, so:

    1.  A static port translation means I actually assign the server the inside address of:
    2.  Access list allowing http and https

    Great!  If I need SSL access, what could I add?  I will try this solution tomorrow.  Thanks lrmoore!
    LVL 79

    Expert Comment

    > If I need SSL access, what could I add?  
    That's the second entry in each section in the example above. One entry for http, one entry for https (ssl)

    > actually assign the server the inside address of:
    You don't have to, just replace this with the private IP already assigned to the server...
    That was just an example config...

    I would counsel you to use a totally different IP address subnet on the inside of this firewall (includes all of your workstations, servers, printers, etc), as long as it is NOT,,,
    Why? If you ever intend to use the VPN capabilities of your PIX, you will not be happy with the results if you use one of these subnets. Almost every broadband router on the market uses these as the default inside network. If yours is 192.168.1.x and a VPN user with a broadband router also has 192.168.1.x as their home LAN, then you have VPN problems. Save the headaches and set yours up so that you will never have that problem. Use something like 192.168.233.x or 172.22.22.x ..
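An added example (not from the thread) of the check behind that advice: a candidate inside subnet is tested for overlap against the LAN prefixes that consumer routers commonly ship with, and against a specific remote user's home LAN. The list of "common" prefixes is an assumption for this example; extend it with whatever your remote users actually report.

```python
import ipaddress

# Default LAN prefixes shipped by common consumer broadband routers (an assumed list for this example).
COMMON_HOME_LANS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.100.0/24", "10.0.0.0/24", "10.0.1.0/24")]


def overlaps_with(candidate, others=COMMON_HOME_LANS):
    """Return the prefixes in `others` that overlap the candidate inside subnet."""
    net = ipaddress.ip_network(candidate, strict=False)
    return [str(o) for o in others if net.overlaps(o)]


def vpn_route_conflict(remote_lan, inside_subnet):
    """True if a remote-access user on `remote_lan` would have their home LAN route
    collide with the tunnelled route to `inside_subnet`."""
    return ipaddress.ip_network(remote_lan, strict=False).overlaps(
        ipaddress.ip_network(inside_subnet, strict=False))


def pick_inside_subnet(candidates, avoid=COMMON_HOME_LANS):
    """First candidate that collides with none of the prefixes to avoid, else None."""
    for c in candidates:
        if not overlaps_with(c, avoid):
            return c
    return None


if __name__ == "__main__":
    print(overlaps_with("192.168.1.0/24"))   # collides with a stock home router range
    print(overlaps_with("192.168.233.0/24"))  # clean
    print(pick_inside_subnet(["192.168.1.0/24", "10.0.0.0/24", "172.22.22.0/24"]))
```

`ip_network(..., strict=False)` accepts a host address with a prefix (the form you would copy from an interface line) rather than insisting on the network address, so the same function works on raw `show ip` output.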


    Author Comment

    I tried adding all the lines in the GUI multiple command line interface like this (cut and paste):

    static inside tcp <public ip> http http netmask
    static inside tcp <public ip> https https netmask
    static outside tcp <public ip> http http netmask
    static outside tcp <public ip> https https netmask
    access-list outside_access_in permit tcp any host <public ip> eq http
    access-list outside_access_in permit tcp any host <public ip> eq https

    I tried the first line, and got this error message:

    ERROR: Invalid global IP address inside
    Usage:      [no] static [(real_ifc, mapped_ifc)]
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
          [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
    Command failed

    Any ideas?

    LVL 79

    Expert Comment

    You have to replace this "<public ip>" with the real IP address, i.e
    or the word "interface" if you don't have any other public ip's to use..
    And, you have to use the "(inside,outside)" including the parentheses

        static (inside,outside) tcp <public ip> http <private ip> http netmask 255.255.255.255
        static (inside,outside) tcp interface http <private ip> http netmask 255.255.255.255

    Author Comment

    Yes, sorry,  I did use the real public IP address instead.

    I will try again with (inside,outside) instead of breaking them apart.

    Also, do I have to first set up the internal IP address under hosts/networks?  Is there anything I must do *before* running these commands in order for them to work?  The access control lists were created successfully; it's the 'static' lines that gave me problems.  Let me give it a quick shot...

    Author Comment

    ok, all the commands went successfully now.  Now, how can I test my external IP address to see if it is routing to the server correctly?  
    LVL 79

    Expert Comment

    You'll have to have someone external to your network test.... if you want to post the ip here, i'll test for you..

    Author Comment

    Thanks for the offer, I have an external computer here and it's working fine.  Thanks again!
    LVL 79

    Expert Comment

    Good news!

    - Cheers!
