anyirongo


HTTP Traffic on 506 pix firewall


I would like to direct HTTP traffic on a PIX 506 firewall to an ISA server. What command do I put on the firewall? I am using the PIX firewall to connect to the ISP.



Les Moore

Create an access-list entry:
  access-list outside_in permit tcp any interface outside eq http
Create a static port map:
  static (inside,outside) tcp interface http <ip of ISA> http netmask 255.255.255.255
Apply the access-list:
  access-group outside_in in interface outside

Done

charan_jeetsingh

Hi there...

I believe you are in the right hands... lrmoore is correct...

BUT moore... will it work if he has already been using the same IP for PAT?

regards
Charanjeet Singh
Given the lack of information in the initial post, I made an assumption that there is only one public IP address available, and used 'interface' for port-static xlates.
Yes, you can easily use that same IP for PAT as well as for different port statics. For example:

global (outside) 10 interface
nat (inside) 10 0 0 0
static (inside,outside) tcp interface http 192.168.100.100 http netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.100 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.111 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.100.111 pop3 netmask 255.255.255.255

access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3

access-group outside_in in interface outside
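
An added example, not part of the original thread and not a Cisco tool: a small Python check that every port static in a PIX configuration has a matching permit in an ACL that is actually bound inbound on the same interface, and that no bound permit lacks a static. The function name `audit`, the port-name table and the sample string are assumptions made for this illustration, and only the three statement forms shown in the answer above are parsed.

```python
import re

# Constructed sample: the PAT + port-static configuration quoted in the answer above.
SAMPLE_CONFIG = """\
global (outside) 10 interface
nat (inside) 10 0 0 0
static (inside,outside) tcp interface http 192.168.100.100 http netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.100 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.111 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.100.111 pop3 netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-group outside_in in interface outside
"""

# Only the three statement forms used on this page are parsed (an assumption of this example).
STATIC_RE = re.compile(r"static \(\w+,(\w+)\) (tcp|udp) interface (\S+) (\S+) \S+ netmask \S+")
ACL_RE = re.compile(r"access-list (\S+) permit (tcp|udp) any interface (\w+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")
PORTS = {"http": "80", "www": "80", "https": "443", "smtp": "25", "pop3": "110"}


def audit(config):
    """Return findings where port statics and bound ACL permits disagree."""
    statics, permits, bound = {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.fullmatch(line):
            ifc, proto, port, host = m.groups()
            statics[(ifc, proto, PORTS.get(port, port))] = host
        elif m := ACL_RE.fullmatch(line):
            acl, proto, ifc, port = m.groups()
            permits.setdefault(acl, set()).add((ifc, proto, PORTS.get(port, port)))
        elif m := GROUP_RE.fullmatch(line):
            bound[m.group(2)] = m.group(1)
    # A permit only counts if its ACL is applied inbound on that interface.
    allowed = {p for ifc, acl in bound.items() for p in permits.get(acl, ()) if p[0] == ifc}
    findings = [f"static {proto}/{port} -> {host}: no permit in an ACL bound to {ifc}"
                for (ifc, proto, port), host in sorted(statics.items())
                if (ifc, proto, port) not in allowed]
    findings += [f"permit {proto}/{port} on {ifc}: no static, nothing to forward to"
                 for ifc, proto, port in sorted(allowed - set(statics))]
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "statics and permits are consistent")
```

Run against a saved copy of the running configuration, an empty result means each published port has exactly one forwarding target and one permit on the bound ACL.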

anyirongo

ASKER



I would like the question closed as I implemented this solution using ISA server. The above proposed changes were killing my VPN.

Please close the discussion
Anyirongo, your question asked how to implement the change on the PIX firewall. In my view lrmoore has answered your question. If you have decided to implement a different solution that works for you, that's great but does not deflect the fact that he has given you the correct answer.

I will delete the accept recommendation temporarily but I will place a 4 day wait, a 'ping', on this call to allow lrmoore an opportunity to comment. If he is happy with your request then I will put forward that recommendation. If not, I will refer it for an unbiased adjudication.

Regards

Keith

ASKER CERTIFIED SOLUTION
GranMod

Granmod, I was going to leave this question for four days as per my comments so that lrmoore could respond if necessary. lrmoore answered correctly based on the question posted so in my view should have the points. That said, if he has no comment on the closure then the asker should explain 'how' they used ISA to control port 80 traffic arriving at the outside interface of the PIX in which case the PAQ should apply. (Personally I do not think that is possible as ISA cannot control the PIX).

If the asker cannot explain then it should be either a delete - no refund or an accept.

Regards
Keith

Thanks :)
Looks like no response Granmod; thanks for waiting.

Regards
Keith