Solved

Problems opening web port in a Cisco PIX 515

Posted on 2007-03-19
1,716 Views
Last Modified: 2008-01-09
I am trying to open the http port (80) in a Cisco PIX 515 to enable access from the "outside" to a DMZ, or to the "inside" (either would be fine). I have done it many times before and I think I know how it should be done, but this time, when I try to do it, access from the inside to the Internet is cut; just when I insert the NAT rule the access to the Internet is lost. I checked with a syslog server and this is what I saw:

03-16-2007      10:16:34      Local4.Error      192.168.12.8      %PIX-3-305006: portmap translation creation failed for udp src inside:LH7/2696 dst outside:192.54.112.30/53

Something is going wrong and I have no idea what it is. Another port is already opened and working, but I can't add this new one. Here's the NAT config trying to open it to a DMZ web server:

global (outside) 10 interface
global (linuxdmz) 10 interface
nat (inside) 0 access-list 80
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (linuxdmz) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 LH4 3389 netmask 255.255.255.255 0 0
static (linuxdmz,outside) tcp interface www 172.16.0.16 www netmask 255.255.255.255 0 0
static (inside,outside) xaoc xaoc netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside


Please help. If the full config is needed I will post it tomorrow; I don't have access to it until then.

Thanks
Question by: llandajuela

9 Comments
Expert Comment by: batry_boy (LVL 28)
I think you will need to post the entire config so we can see what's going on. Specifically, I would like to see your ACL 80 and the ACLs applied to the inside and outside interfaces, plus any other statics you may have.

Expert Comment by: Sorenson (LVL 10)
The error you see is host LH7 on the linuxdmz trying to contact 192.54.112.30 for a dns query.  For some reason the translation is not going through.  As batry said the config would be helpful.

Author Comment by: llandajuela
OK, here's the full config. It is the config as it is right now, without the opened port. Please tell me what I need to add in order to open port 80 to an inside host. What I added was posted before (static NAT), and the result was no access to the Internet from anywhere.

I hope it's not too long, be patient:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname PIX
domain-name PIX
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.12.1 F6000
name 192.168.12.2 LH6
name 217.11.104.64 Red_ICC
name 172.34.1.0 Particular
name 192.168.12.5 LH4
name 192.168.12.4 LH3
name 172.32.1.0 ESPORTS
name 172.36.1.0 PVJ
name x.x.x.x TAO
name 192.168.12.164 Device-Manager2
name 172.32.1.1 proves_esports
name 192.168.12.0 LAN_AJUNTAMENT
name 192.168.12.246 E.SANTACANA
name 212.51.63.21 TAOTS
name y.y.y.y TAOTSERVER
name 172.38.1.0 FOMENT
name 192.168.12.9 LH7
name 192.168.150.3 PIX501
name 172.25.25.0 xarxa-aoc
name 172.25.25.2 ServAOC
name 172.40.1.0 HABITATGE
name 172.37.1.0 PLAVILAJOVE
name 192.168.12.32 ESANTACANA
name 192.168.12.99 PUNTACCESINFO
name 192.168.12.135 NOMINAAPUJADO
name r.r.r.r BBERRY
name 192.168.12.12 BLACKBERRY
name t.t.t.t BLACKB
name 172.33.1.0 US
name 172.31.1.0 AGORA
name x.x.x.x NIKOPX
name x.x.x.x TAOTERMINAL
name g.g.g.g miki
name 192.168.12.110 LPADRO
name u.u.u.u.146 icc-nou
name 192.168.12.134 PCMSALT
name 192.168.12.224 UOCVIRBEN
name x.x.x.x UOC
name x.x.x.x UOCCAMPUS
name 192.168.12.83 PCIVINYES
name 192.168.12.130 PCDPAINOUS
name 192.168.12.182 PCFOLIVELLA
name 192.168.12.126 PCMOLIVERAS
name 192.168.12.211 PCACURTO
name 192.168.12.149 PCMGRAU
name f.f.f.f idCatCATCERT
name x.x.x.x idCat
name 192.168.12.157 AGRAU
name 192.168.12.178 PCJCUSCO
name 192.168.12.44 JFERRET
name 192.168.13.13 PUNACCVIVIRTUAL
name 192.168.12.93 GUILLEM
name 192.168.12.6 LH5
name 10.68.2.183 capgemini
object-group network ServidoresAD
  description
  network-object LH3 255.255.255.255
  network-object LH4 255.255.255.255
  network-object LH7 255.255.255.255
object-group network Servidores
  description
  network-object F6000 255.255.255.255
  network-object LH6 255.255.255.255
  network-object LH3 255.255.255.255
  network-object LH4 255.255.255.255
object-group network Grup_TS
  description
  network-object AGORA 255.255.255.255
  network-object Red_ICC 255.255.255.240
object-group network Delegacions
  network-object AGORA 255.255.255.0
  network-object ESPORTS 255.255.255.0
  network-object US 255.255.255.0
object-group network FTPADMIN
  network-object PCMSALT 255.255.255.255
  network-object Device-Manager2 255.255.255.255
  network-object NOMINAAPUJADO 255.255.255.255
  network-object LH3 255.255.255.255
  network-object AGRAU 255.255.255.255
  network-object LPADRO 255.255.255.255
  network-object PUNACCVIVIRTUAL 255.255.255.255
  network-object GUILLEM 255.255.255.255
  network-object LH5 255.255.255.255
object-group network OACAjuntament
  description
  network-object PCIVINYES 255.255.255.255
  network-object PCMOLIVERAS 255.255.255.255
  network-object PCDPAINOUS 255.255.255.255
  network-object PCMGRAU 255.255.255.255
  network-object PCFOLIVELLA 255.255.255.255
  network-object PCACURTO 255.255.255.255
  network-object PCMSALT 255.255.255.255
access-list inside_access_in permit tcp any any eq 3389
access-list inside_access_in permit tcp any any eq ldap
access-list inside_access_in permit udp object-group ServidoresAD any eq domain log
access-list inside_access_in permit tcp any any eq 7020
access-list inside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq pop3
access-list inside_access_in permit tcp any any eq 444
access-list inside_access_in permit tcp any any eq https log
access-list inside_access_in remark idCat
access-list inside_access_in permit tcp object-group OACAjuntament any eq 4443
access-list inside_access_in remark ftp
access-list inside_access_in permit tcp host ESANTACANA host x.x.x.x eq ftp
access-list inside_access_in remark UOC VIRBEN
access-list inside_access_in permit tcp host UOCVIRBEN host UOC eq telnet
access-list inside_access_in remark UOC CAMPUS
access-list inside_access_in permit tcp host UOCVIRBEN host UOCCAMPUS eq ftp
access-list inside_access_in permit tcp object-group FTPADMIN any eq ftp
access-list inside_access_in permit tcp any any eq telnet
access-list inside_access_in permit tcp any any eq ssh
access-list inside_access_in permit tcp any any eq www log
access-list inside_access_in permit tcp any any eq 82
access-list inside_access_in permit tcp any any eq 1193
access-list inside_access_in permit tcp any any eq 8083
access-list inside_access_in permit tcp any any eq 8081
access-list inside_access_in permit tcp any any eq 8000
access-list inside_access_in permit tcp any any eq 8886
access-list inside_access_in permit icmp LAN_AJUNTAMENT 255.255.255.0 any
access-list inside_access_in permit icmp any LAN_AJUNTAMENT 255.255.255.0
access-list inside_access_in permit tcp host PCMSALT any eq 4662
access-list inside_access_in permit ip LAN_AJUNTAMENT 255.255.255.0 host ServAOC
access-list inside_access_in remark BLACKBERRY
access-list inside_access_in permit tcp host BLACKBERRY host BLACKB eq 3101
access-list inside_access_in permit tcp any any eq 8002
access-list inside_access_in deny ip any any log
access-list 80 permit ip LAN_AJUNTAMENT 255.255.255.0 AGORA 255.255.255.0
access-list 80 permit ip AGORA 255.255.255.0 LAN_AJUNTAMENT 255.255.255.0
access-list 80 permit ip LAN_AJUNTAMENT 255.255.255.0 US 255.255.255.0
access-list 80 permit ip US 255.255.255.0 LAN_AJUNTAMENT 255.255.255.0
access-list 80 permit ip LAN_AJUNTAMENT 255.255.255.0 ESPORTS 255.255.255.0
access-list 80 permit ip ESPORTS 255.255.255.0 LAN_AJUNTAMENT 255.255.255.0
access-list 80 permit ip LAN_AJUNTAMENT 255.255.255.0 172.35.1.0 255.255.255.0
access-list 80 permit ip host 172.35.1.0 LAN_AJUNTAMENT 255.255.255.0
access-list 80 permit ip PLAVILAJOVE 255.255.255.0 LAN_AJUNTAMENT 255.255.255.0
access-list 80 permit ip LAN_AJUNTAMENT 255.255.255.0 PLAVILAJOVE 255.255.255.0
access-list 80 permit ip FOMENT 255.255.255.0 LAN_AJUNTAMENT 255.255.255.0
access-list 80 permit ip LAN_AJUNTAMENT 255.255.255.0 FOMENT 255.255.255.0
access-list 80 permit ip LAN_AJUNTAMENT 255.255.255.0 HABITATGE 255.255.255.0
access-list 80 permit ip HABITATGE 255.255.255.0 LAN_AJUNTAMENT 255.255.255.0
access-list 80 permit ip LAN_AJUNTAMENT 255.255.255.0 xarxa-aoc 255.255.255.0
access-list 80 permit ip xarxa-aoc 255.255.255.0 LAN_AJUNTAMENT 255.255.255.0
access-list 80 permit ip LAN_AJUNTAMENT 255.255.252.0 10.10.10.0 255.255.255.252
access-list 100 permit ip AGORA 255.255.255.0 LAN_AJUNTAMENT 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit ip host ServAOC host LH5
access-list outside_access_in permit udp host HABITATGE host LH7 eq 4104
access-list outside_access_in permit udp host PLAVILAJOVE host LH7 eq 4104
access-list outside_access_in permit udp host AGORA host LH7 eq 4104
access-list outside_access_in permit udp US 255.255.255.0 host LH7 eq 4104
access-list outside_access_in permit udp host ESPORTS host LH7 eq 4104
access-list outside_access_in permit tcp host HABITATGE host LH7 eq 4105
access-list outside_access_in permit tcp host PLAVILAJOVE host LH7 eq 4105
access-list outside_access_in permit tcp host AGORA host LH7 eq 4105
access-list outside_access_in permit tcp US 255.255.255.0 host LH4 eq 4105
access-list outside_access_in permit tcp host ESPORTS host LH7 eq 4105
access-list outside_access_in permit tcp host HABITATGE host LH7 eq 1318
access-list outside_access_in permit tcp host PLAVILAJOVE host LH7 eq 1318
access-list outside_access_in permit tcp host AGORA host LH7 eq 1318
access-list outside_access_in remark EPO
access-list outside_access_in permit tcp host AGORA host LH3 eq 8081
access-list outside_access_in permit tcp US 255.255.255.0 host LH4 eq 1318
access-list outside_access_in remark EPO
access-list outside_access_in permit tcp host US host LH3 eq 8081
access-list outside_access_in permit tcp host ESPORTS host LH7 eq 1318
access-list outside_access_in remark EPO
access-list outside_access_in permit tcp host ESPORTS host LH3 eq 8081
access-list outside_access_in permit tcp host HABITATGE host LH7 eq 1323
access-list outside_access_in remark EPO
access-list outside_access_in permit tcp host HABITATGE host LH3 eq 8081
access-list outside_access_in permit tcp host PLAVILAJOVE host LH7 eq 1323
access-list outside_access_in remark EPO
access-list outside_access_in permit tcp host PLAVILAJOVE host LH3 eq 8081
access-list outside_access_in permit tcp AGORA 255.255.255.0 host LH7 eq 1323
access-list outside_access_in permit tcp host US host LH7 eq 1323
access-list outside_access_in permit tcp host ESPORTS host LH7 eq 1323
access-list outside_access_in remark ITEC-HABITATGE
access-list outside_access_in permit tcp HABITATGE 255.255.255.0 host LH4 eq 45992
access-list outside_access_in remark ITEC-HABITATGE
access-list outside_access_in permit tcp HABITATGE 255.255.255.0 host LH4 eq 45993
access-list outside_access_in remark ITEC-HABITATGE
access-list outside_access_in permit tcp HABITATGE 255.255.255.0 host LH4 eq 6002
access-list outside_access_in remark ITEC-HABITATGE
access-list outside_access_in permit tcp HABITATGE 255.255.255.0 host LH4 eq 6001
access-list outside_access_in remark TAO
access-list outside_access_in deny tcp host TAOTERMINAL any eq 3389
access-list outside_access_in deny tcp host TAO any eq 1193
access-list outside_access_in deny tcp host TAO any eq 8083
access-list outside_access_in deny tcp any any
access-list Agora_splitTunnelAcl permit ip LAN_AJUNTAMENT 255.255.255.0 any
access-list Agora_splitTunnelAcl permit ip AGORA 255.255.255.0 any
access-list Esports_splitTunnelAcl permit ip LAN_AJUNTAMENT 255.255.255.0 any
access-list Esports_splitTunnelAcl permit ip ESPORTS 255.255.255.0 any
access-list US_splitTunnelAcl permit ip LAN_AJUNTAMENT 255.255.255.0 any
access-list US_splitTunnelAcl permit ip US 255.255.255.0 any
access-list PART_splitTunnelAcl permit ip LAN_AJUNTAMENT 255.255.255.0 any
access-list PART_splitTunnelAcl permit ip Particular 255.255.255.0 any
access-list ESCORXADOR_splitTunnelAcl permit ip LAN_AJUNTAMENT 255.255.255.0 any
access-list ESCORXADOR_splitTunnelAcl permit ip 172.35.1.0 255.255.255.0 any
access-list PLAVJOVE_splitTunnelAcl permit ip LAN_AJUNTAMENT 255.255.255.0 any
access-list PLAVJOVE_splitTunnelAcl permit ip PLAVILAJOVE 255.255.255.0 any
access-list FASSINA_splitTunnelAcl permit ip LAN_AJUNTAMENT 255.255.255.0 any
access-list FASSINA_splitTunnelAcl permit ip FOMENT 255.255.255.0 any
access-list HABITATGE_splitTunnelAcl permit ip LAN_AJUNTAMENT 255.255.255.0 any
access-list HABITATGE_splitTunnelAcl permit ip HABITATGE 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 10.10.10.0 255.255.255.252
pager lines 24
logging trap debugging
logging host inside LH4
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.150.2 255.255.255.0
ip address inside 192.168.12.8 255.255.252.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool Pool_172.31.1 172.31.1.1-172.31.1.254
ip local pool Esports proves_esports-172.32.1.254
ip local pool US 172.33.1.1-172.33.1.254
ip local pool PART 172.34.1.1-172.34.1.254
ip local pool PLAVJOVE 172.37.1.1-172.37.1.254
ip local pool ESCORXADOR 172.35.1.1-172.35.1.254
ip local pool FASSINA 172.38.1.1-172.38.1.254
ip local pool HABITATGE 172.40.1.1-172.40.1.254
ip local pool remotepool 10.10.10.1-10.10.10.2
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location
...
pdm group ServidoresAD inside
pdm group Servidores inside
pdm group Grup_TS outside
pdm group Delegacions inside
pdm group FTPADMIN inside
pdm group OACAjuntament inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 80
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 LH4 3389 netmask 255.255.255.255 0 0
static (inside,outside) xarxa-aoc xarxa-aoc netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.150.1 1
route outside xarxa-aoc 255.255.255.0 PIX501 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host HOSTNAME xxxx timeout 10
aaa-server LOCAL protocol local
http server enable
http ...
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Agora address-pool Pool_172.31.1
vpngroup Agora dns-server LH4 LH3
vpngroup Agora wins-server LH4 LH3
vpngroup Agora default-domain drac.intern
vpngroup Agora split-tunnel Agora_splitTunnelAcl
vpngroup Agora idle-time 43200
vpngroup Agora password ********
vpngroup US address-pool US
vpngroup US dns-server LH4 LH3
vpngroup US wins-server LH4 LH3
vpngroup US default-domain drac.intern
vpngroup US split-tunnel US_splitTunnelAcl
vpngroup US idle-time 43000
vpngroup US password ********
vpngroup Esports address-pool Esports
vpngroup Esports dns-server LH4 LH3
vpngroup Esports wins-server LH3 LH4
vpngroup Esports default-domain drac.intern
vpngroup Esports split-tunnel Esports_splitTunnelAcl
vpngroup Esports idle-time 43500
vpngroup Esports password ********
vpngroup PART address-pool PART
vpngroup PART dns-server LH4 LH3
vpngroup PART wins-server LH4 LH3
vpngroup PART default-domain drac.intern
vpngroup PART split-tunnel PART_splitTunnelAcl
vpngroup PART idle-time 43500
vpngroup PART password ********
vpngroup ESCORXADOR address-pool ESCORXADOR
vpngroup ESCORXADOR dns-server LH4 LH3
vpngroup ESCORXADOR wins-server LH4 LH3
vpngroup ESCORXADOR default-domain drac.intern
vpngroup ESCORXADOR split-tunnel ESCORXADOR_splitTunnelAcl
vpngroup ESCORXADOR idle-time 43500
vpngroup ESCORXADOR password ********
vpngroup PLAVJOVE address-pool PLAVJOVE
vpngroup PLAVJOVE dns-server LH7 LH4
vpngroup PLAVJOVE wins-server LH7 LH4
vpngroup PLAVJOVE default-domain drac.intern
vpngroup PLAVJOVE split-tunnel PLAVJOVE_splitTunnelAcl
vpngroup PLAVJOVE idle-time 43500
vpngroup PLAVJOVE password ********
vpngroup FASSINA address-pool FASSINA
vpngroup FASSINA dns-server LH4 LH3
vpngroup FASSINA wins-server LH3 LH4
vpngroup FASSINA default-domain drac.intern
vpngroup FASSINA split-tunnel FASSINA_splitTunnelAcl
vpngroup FASSINA idle-time 43500
vpngroup FASSINA password ********
vpngroup HABITATGE address-pool HABITATGE
vpngroup HABITATGE dns-server LH7 LH4
vpngroup HABITATGE wins-server LH7 LH4
vpngroup HABITATGE default-domain drac.intern
vpngroup HABITATGE split-tunnel HABITATGE_splitTunnelAcl
vpngroup HABITATGE idle-time 43500
vpngroup HABITATGE password ********
vpngroup remoteVPN address-pool remotepool
vpngroup remoteVPN dns-server LH7
vpngroup remoteVPN idle-time 1800
vpngroup remoteVPN password ********
telnet LH3 255.255.255.255 inside
telnet LH4 255.255.255.255 inside
telnet PCMSALT 255.255.255.255 inside
telnet timeout 5
ssh LH4 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:6c96c3251a7176ffa147b091f0c6214c

Expert Comment by: Sorenson (LVL 10)
I am not sure I understand what you are trying to do. In the first config sample you reference a linuxdmz, and a DMZ with a server, 172.16.0.16, that you want to enable external access on port 80 (www) to.

On the config you posted, there is no 172.16.0.x subnet and there is no linuxdmz, and you say you want access from the inside to port 80 on the DMZ.

Now that you have posted the config, can you restate your question?

Author Comment by: llandajuela
OK, sorry about my explanation, I agree it can be confusing.

Initially, I had the config that I have posted in my last comment. I enabled an interface (int3) with the 172.16.0.1 IP, and tried to open port 80 to the host 172.16.0.16. The result was that the LAN could not access the Internet, so I had to reboot the PIX.

I tried to do it then opening the port to an inside host, but the result was the same.

Then I rebooted the PIX again and went back to the initial config, which is the one I have posted.

I now ask for the config needed to open a port to an inside host (any host, 192.168.12.150 for example). If I see the config that you propose, I think I will be able to translate it to redirect the port to a host in a DMZ.

I hope this clarifies something, please, tell me if any more explanations are needed.

Thanks

Author Comment by: llandajuela
Or you can post your answer as if int3 was already enabled and configured with the 172.16.0.1 IP. Whatever you want is fine with me. I just need help, and someone else to look at the configuration.

Thanks again

Accepted Solution by: Sorenson (LVL 10), earned 500 total points
The DMZ will be trickier, as you will need to add access from the Internet to it, as well as from the internal networks.

To allow access from the outside to a web server on an inside host (192.168.12.150):
! PIX 6.x appends a newly typed ACE at the end of the list, so the catch-all deny
! has to be removed first and re-added afterwards or the new permit is never reached.
! The inbound ACL on the outside interface matches the mapped (outside) address, not
! the real one, so the ACE names the outside interface address (192.168.150.2 in your config).
static (inside,outside) tcp interface www 192.168.12.150 www netmask 255.255.255.255 0 0
no access-list outside_access_in deny tcp any any
access-list outside_access_in permit tcp any host 192.168.150.2 eq www
access-list outside_access_in deny tcp any any
clear xlate

to do it to a dmz...
! add dmz (ethernet3 is currently "auto shutdown" and named intf3)
interface ethernet3 auto
nameif ethernet3 linuxdmz security6
ip address linuxdmz 172.16.0.1 255.255.255.0
! add static for internet access
static (linuxdmz,outside) tcp interface www 172.16.0.16 www netmask 255.255.255.255 0 0
clear xlate
! add static for inside access to dmz: identity translation of the inside network
! (192.168.12.0/22 per your "ip address inside"), so inside hosts keep their addresses
! when they talk to the DMZ
static (inside,linuxdmz) 192.168.12.0 192.168.12.0 netmask 255.255.252.0 0 0
clear xlate
! add access from outside to dmz (same ordering rule as above; the ACE again names
! the outside interface address that the static maps port 80 onto)
no access-list outside_access_in deny tcp any any
access-list outside_access_in permit tcp any host 192.168.150.2 eq www
access-list outside_access_in deny tcp any any
! your current inside_access_in already allows port 80 outbound, so no need to modify it

Hope that helps.
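The ordering problem that the remove-deny / permit / re-add-deny sequence above works around, as an added example that is not code from this thread: a small Python lint over a PIX 6.3 style configuration. For every tcp `static` it finds the first ACE on the mapped interface's inbound ACL that would match the forwarded port and reports whether that ACE is a permit, the catch-all deny (what you get when a permit is simply typed in and appended after the deny), or nothing at all because the only permit names the real inside address instead of the mapped address that PIX 6.x matches on the outside interface. The three sample configs are constructed from the addresses in this thread; the port-name table, the command forms parsed, and the decision to ignore source addresses are assumptions limited to what the posted config uses.

```python
"""Check that each tcp port-forward static in a Cisco PIX 6.3 config is actually
reachable through the inbound ACL on its mapped interface.  Added example for this
thread, not code from the original post; it parses only the command forms that
appear in the posted configuration."""
import ipaddress

# Service names the PIX prints in place of port numbers (assumption: only the
# subset needed here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "telnet": 23, "smtp": 25, "domain": 53, "pop3": 110, "ldap": 389}


def port_number(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_addr(tokens, i):
    """Consume one ACL address spec at tokens[i]; returns ((kind, value), next_i)."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] in ("host", "interface"):
        return (tokens[i], tokens[i + 1]), i + 2
    return ("net", (tokens[i], tokens[i + 1])), i + 2          # network + mask


def parse_config(text):
    """Collect interface addresses, tcp statics, ACLs (in order) and access-groups."""
    cfg = {"if_addr": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "ip" and t[1] == "address":
            cfg["if_addr"][t[2]] = t[3]
        elif t[:1] == ["static"] and t[2] == "tcp":
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": t[3], "mport": port_number(t[4]),
                                   "real": t[5], "rport": port_number(t[6])})
        elif t[:1] == ["access-list"] and t[2] in ("permit", "deny"):   # 'remark' skipped
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            port = port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst,
                 "port": port, "text": line.strip()})
        elif t[:1] == ["access-group"] and t[3] == "interface":
            cfg["groups"][t[4]] = t[1]          # interface -> inbound ACL name
    return cfg


def ace_matches_dst(ace, addr, port, if_addr):
    """Would this ACE be consulted for a tcp packet to addr:port?  The source is
    ignored (assumption: we only ask whether anything from outside can reach it)."""
    if ace["proto"] not in ("ip", "tcp"):
        return False
    if ace["port"] is not None and ace["port"] != port:
        return False
    kind, val = ace["dst"]
    if kind == "any":
        return True
    if kind == "interface":
        val = if_addr.get(val)
    if kind in ("host", "interface"):
        return val == addr
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network("%s/%s" % val, strict=False)
    except ValueError:                      # symbolic 'name' entries cannot be compared
        return False


def check_statics(cfg):
    """One (forward, verdict) per tcp static.  On PIX 6.x the inbound ACL is matched
    against the mapped address and a newly typed ACE lands after any existing
    catch-all deny, so both mistakes are reported."""
    findings = []
    for s in cfg["statics"]:
        mapped = cfg["if_addr"].get(s["mapped_if"]) if s["mapped"] == "interface" else s["mapped"]
        label = "%s:%d -> %s:%d" % (mapped, s["mport"], s["real"], s["rport"])
        acl = cfg["acls"].get(cfg["groups"].get(s["mapped_if"]))
        if acl is None:
            findings.append((label, "no inbound ACL on " + s["mapped_if"]))
            continue
        hit = next((a for a in acl if ace_matches_dst(a, mapped, s["mport"], cfg["if_addr"])), None)
        if hit is not None and hit["action"] == "permit":
            verdict = "ok"
        else:
            verdict = ("first match is a deny (new ACEs are appended after it): " + hit["text"]
                       if hit else "no ACE matches the mapped address")
            if any(a["action"] == "permit" and ace_matches_dst(a, s["real"], s["rport"], cfg["if_addr"])
                   for a in acl):
                verdict += "; a permit names the real address, which PIX 6.x does not match on the outside interface"
        findings.append((label, verdict))
    return findings


# Constructed from the addresses in this thread: outside 192.168.150.2, a web
# server to be published on inside host 192.168.12.150.
BASE = """\
ip address outside 192.168.150.2 255.255.255.0
ip address inside 192.168.12.8 255.255.252.0
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
static (inside,outside) tcp interface www 192.168.12.150 www netmask 255.255.255.255 0 0
"""
DENY = "access-list outside_access_in deny tcp any any\n"
PERMIT_REAL = "access-list outside_access_in permit tcp any host 192.168.12.150 eq www\n"
PERMIT_MAPPED = "access-list outside_access_in permit tcp any host 192.168.150.2 eq www\n"

APPENDED = BASE + DENY + PERMIT_MAPPED   # permit typed in after the existing deny
REAL_ONLY = BASE + PERMIT_REAL           # permit names the inside (real) address
FIXED = BASE + PERMIT_MAPPED + DENY      # deny removed, permit added, deny re-added

if __name__ == "__main__":
    for name, text in (("appended", APPENDED), ("real-only", REAL_ONLY), ("fixed", FIXED)):
        for label, verdict in check_statics(parse_config(text)):
            print("%-10s %s  %s" % (name, label, verdict))
```

Feed it `show running-config` output (or a saved config) and any static whose verdict is not `ok` is a port you think you opened but did not. The same first-match walk is what the firewall does, which is why the permit must sit before the deny.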

Author Comment by: llandajuela
OK, sorenson, thank you very much for such a fast answer.

But before I try it, don't you think the NAT config that I posted in the first place is the same as what you propose?

Author Comment by: llandajuela
Thanks, sorenson

Your commands worked just fine! The thing is that I think they do the exact same thing I was trying to do through the PDM interface. This time I tried it directly from the console and it worked, and the result looks identical in the PDM...

But anyway, it works, thanks a lot, a great help, as usual