Solved

Have External People Hit Internal Web Server

Posted on 2007-04-11
23
281 Views
Last Modified: 2010-04-09
We currently have a website hosted with a hosting company, but we need WAY more space.

So I have set up some directories on a server internally that we can drop these huge files on.  Of course, we use NAT internally, so how do I allow outside people to hit my internal box?  I do have static "real" IP addresses I can assign to the internal box.  I am just curious as to how I open the PIX up that way.

Internal Server: 192.168.10.5
PIX External IP:  74.94.155.154
Proposed External IP for Internal Server: 74.94.155.152

(Note that I kind of made up those IPs!)
 
I would appreciate any help!  Cisco Docs are great, but MAN, it's like browsing about 70 years of Encyclopedias....there is just TOOOO much!

Thanks.
Question by:dougp23
23 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18891193
Hi doug
static(inside,outside) 74.94.155.152 192.168.10.5 tcp 0 0
access-list expeoplehitin permit tcp any host 74.94.155.152 eq xxx (xxx is port number you allow)
access-group expeoplehitin in interface outside
write mem
clear xlate

Regards
0
 
LVL 1

Author Comment

by:dougp23
ID: 18891486
Mr. Husy,
when I issue this command:

static(inside,outside) 74.94.155.152 192.168.10.5 tcp 0 0

I get this

number of maximum connections should lie between 0 and 65535

What does that mean??

Does it matter ( and i think it might) that 74.94.155.152 lies in the DMZ.  I.e., I have a broadband connection with a Comcast router that has 4 ports.  So the PIX plugs into one, and 74.94.155.152 currently is nothing.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18892535
Damn.... forgive me... the correct one is below
static(inside,outside) 74.94.155.152 192.168.10.5 0 0

Regards
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18892544
If it lies in the DMZ then the correct one is as follows

static(dmz,outside) 74.94.155.152 192.168.10.5 tcp 0 0
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18892550
Sorry again, no tcp

static(dmz,outside) 74.94.155.152 192.168.10.5 0 0
0
 
LVL 1

Author Comment

by:dougp23
ID: 18897306
MrHusy,
I may have misstated the specifics.
My PIX has no DMZ port.
Instead, Comcast comes in with a high speed link that plugs into a Comcast router with 4 ports on it.  One of those ports hits my PIX.  Then from the PIX I go right into a Cisco 3560 switch.  So I don't think these other real IPs would have any way of getting to my internal IPs....not sure.

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18897577
Hi doug
What is the outside IP of your PIX? If there is another network between Comcast and the PIX outside (like 192.168.10.0/24) then you may have to forward ports to an IP address in that network and static NAT this IP to internal as I mentioned above.
0
 
LVL 1

Author Comment

by:dougp23
ID: 18897692
MrHusy,

First, thanks for sticking with me on this one, lol!
OK, the outside IP of my PIX is 74.94.144.140 (I made that up).
But, with Comcast, I also have 74.94.144.141 through 74.94.144.144

So I want to take 74.94.144.141, and static route that to 192.168.10.5

Comcast says I can do this with the static route command.  Here is what I have tried:

access-list outside_in permit tcp any host 192.168.10.5 eq www
access-list outside_in permit tcp any host 192.168.10.5 eq https
static (inside,outside) tcp 74.94.144.141 www 192.168.10.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside

If I open a browser and try to hit 74.94.144.141, it just times out.  NOW, I am thinking, maybe it is working, but the PIX sees me as in front of the firewall (i.e. 192.168.x.y) and as such, may not allow me to go thru the firewall, only to be turned back around and come back inside.  Maybe?


0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18897756
Hi doug
You are welcome :). Everything is OK except the ACLs :). Switch the ACLs as follows

access-list outside_in permit tcp any host 74.94.144.141 eq www
access-list outside_in permit tcp any host 74.94.144.141 eq https
access-group outside_in in interface outside

192.168.10.5 is not in outside :)

Regards
0
 
LVL 1

Author Comment

by:dougp23
ID: 18897837
So here is what I have now:

ip address outside 74.94.144.140 255.255.255.248
ip address inside 192.168.1.253 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list outside_in permit tcp any host 74.94.144.141 eq www
access-list outside_in permit tcp any host 74.94.144.141 eq https

static (inside,outside) tcp 74.94.144.141 www 192.168.10.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside

STILL NOT WORKING!  Do I need to NAT on the outside interface too?  My PIX hits an SMC box from Comcast before it goes to the outside world.  I can get at my other static IPs if I plug right into the ports on the SMC.  
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18897895
*A question. Which global IP address range is reserved for you? 74.94.144.140 to 74.94.144.145? Or is it 74.94.155.152 as you mentioned in the question? If there is a pool provided to you, you should specify it as follows

global (outside) 1 74.94.144.141-74.94.144.145 netmask 255.255.255.248
0
 
LVL 1

Author Comment

by:dougp23
ID: 18898025
Should I include the PIX's outside IP in that global (outside) statement, or is it enough that the outside interface already has the real IP?

i.e. Comcast gave me 74.94.144.140-145 and I gave 140 to the outside interface of the PIX.
So should I do the statement you show (leaving off 140)?

Thanks so much man.  I'd give you another 500 points if I could!
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18898103
There are two ways doug.
1) Leave off 140 for PAT like the following
   global (outside) 1 interface
   And use the rest for a pool 141-145 like the following
   global (outside) 1 74.94.144.141-74.94.144.145 netmask 255.255.255.248
2) Do not define PAT and just use the following
   global (outside) 1 74.94.144.140-74.94.144.145 netmask 255.255.255.248

But your current config is now as follows

global (outside) 1 interface
global (outside) 1 74.94.144.141-74.94.144.145 netmask 255.255.255.248

And this config is OK. 140 is still usable and is added to the PAT pool.

You are welcome :) I hope I will be helpful and the current points will be enough :)

Regards
0
 
LVL 1

Author Comment

by:dougp23
ID: 18898169
What does PAT mean??
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18898203
Port Address Translation.
When you have only 1 global address, you have to use PAT. So the NATed inside client IPs will use only 1 global address. This is also called "many to one".
0
 
LVL 1

Author Comment

by:dougp23
ID: 18898562
I'm gonna close this.  I can't get it to work.  :-(

I already have a

global (outside) 1 interface

line in my config. When I do anything to change it, we all get bounced from the web.  I am gonna have to RTFM I guess....ugh.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18898667
Hi doug
* Are you able to connect to the internet with that configuration?
* Type sh run and post the output here please.
* Set up syslog for us to see the logs

Here is another way for port forwarding

static (inside,outside) 74.94.144.141 192.168.10.5 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 74.94.144.141 eq www
access-group outside_access_in in interface outside

And try to reach 74.94.144.141

Don't forget to post your config
0
 
LVL 1

Author Comment

by:dougp23
ID: 18898759
I can't test today, it brings the net down.  I will save this for tomorrow if you don't mind.  Fewer people around and I can test it then.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18898817

btw, you typed clear xlate after you made the changes, didn't you? If you don't, none of them take effect.
0
 
LVL 1

Author Comment

by:dougp23
ID: 18900031
Arrggghh!!!  I bet that might have been it!
Hopefully later today or late tomorrow I can give it a shot.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18900097
I wrote clear xlate in my first post :). Anyway I hope it was the only problem. And please don't forget to post your running config.
0
 
LVL 1

Author Comment

by:dougp23
ID: 18900313
Here is my SHO RUN  (I had to edit it to obscure my real IPs, so here's the scenario):

74.94.144.140 is the PIX outside interface
74.94.144.146 is the def gateway from comcast
74.94.144.141 is the one I want to point at 192.168.10.5
74.94.144.142 is an email server I have plugging into the Comcast box.

Appreciate any help sir!!!


sho run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aeszTov9WyMJMAk1 encrypted
passwd BUV1V0Qx426/.4tE encrypted
hostname DPW-Fire-515
domain-name newmarketnh.gov
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit icmp any any
access-list inbound permit tcp any host 74.94.144.140 eq 3389
access-list inbound permit tcp any host 74.94.144.140 eq telnet
access-list inbound permit tcp any host 74.94.144.142 eq pop3
access-list inbound permit tcp any host 74.94.144.142 eq smtp
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound permit tcp any host 74.94.144.142 eq pop3
access-list outbound permit tcp any host 74.94.144.142 eq smtp
pager lines 24
logging host inside 192.168.1.3
mtu outside 1500
mtu inside 1500
ip address outside 74.94.144.140 255.255.255.248
ip address inside 192.168.1.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.8 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.6.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 192.168.1.254 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 www 192.168.10.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 74.94.144.146 1
route inside 192.168.5.0 255.255.255.0 192.168.1.254 1
route inside 192.168.6.0 255.255.255.0 192.168.1.254 1
route inside 192.168.9.0 255.255.255.0 192.168.1.254 1
route inside 192.168.10.0 255.255.255.0 192.168.1.254 1
route inside 192.168.11.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor n2h2 host 192.168.1.3 port 4005 timeout 10 protocol TCP
filter url except 192.168.1.89 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map newmarket 10 ipsec-isakmp dynamic dynmap
crypto map newmarket client authentication LOCAL
crypto map newmarket interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
terminal width 80
Cryptochecksum:389b14fc5b1176a34c0048baeb5a414e
: end
0
 
LVL 29

Accepted Solution

by:Alan Huseyin Kayahan (earned 500 total points)
ID: 18900694
The ACLs named inbound and outbound are useless at this time. And they are also not tagged to an interface with the access-group command. So please delete them by typing the following.

no access-list inbound permit tcp any host 74.94.144.140 eq 3389
no access-list inbound permit tcp any host 74.94.144.140 eq telnet
no access-list inbound permit tcp any host 74.94.144.142 eq pop3
no access-list inbound permit tcp any host 74.94.144.142 eq smtp
no access-list outbound permit tcp any host 74.94.144.142 eq pop3
no access-list outbound permit tcp any host 74.94.144.142 eq smtp

Now add the global pool
global (outside) 1 74.94.144.141-74.94.144.145 netmask 255.255.255.248

Now define the static
static (inside,outside) 74.94.144.141 192.168.10.5 netmask 255.255.255.255 0 0

And define the ACL for it
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 74.94.144.141 eq www
access-list outside_access_in permit tcp any host 74.94.144.141 eq 3389
access-list outside_access_in permit tcp any host 74.94.144.141 eq telnet

AND TAG THE ACL TO THE INTERFACE
access-group outside_access_in in interface outside

Regards
0
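The mistakes this thread keeps tripping over (an outside ACL written against the inside 192.168.10.5 address, an ACL that is never bound with access-group, a mistyped global IP that falls outside the PIX's own /29, and static arguments in the wrong order) are all mechanically checkable before a change is pushed to a production firewall. The script below is an added example, not code from the thread or from Cisco; it lints a constructed PIX 6.3 excerpt modelled on the posted config (the addresses are the thread's made-up ones) for exactly those four conditions.

```python
import ipaddress

# Constructed PIX 6.3 excerpt modelled on the thread's snippets (addresses as posted, not real);
# it deliberately carries the four inbound-access mistakes the thread runs into.
SAMPLE_CONFIG = """
ip address outside 74.94.144.140 255.255.255.248
access-list inbound permit tcp any host 74.94.144.140 eq 3389
access-list outside_in permit tcp any host 192.168.10.5 eq www
access-list outside_in permit tcp any host 74.64.144.141 eq www
access-list outside_in permit tcp any host 74.94.144.141 eq https
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
static (inside,outside) 192.168.10.5 74.99.144.141 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

def lint_pix(config):
    """Return a list of findings for inbound static/ACL mistakes in a PIX 6.x config."""
    findings, outside_net, acls, bound = [], None, {}, set()
    for line in config.strip().splitlines():
        w = line.split()
        if w[:3] == ["ip", "address", "outside"]:
            outside_net = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
        elif w[0] == "access-list":
            acls.setdefault(w[1], []).append(w)
        elif w[0] == "access-group" and "interface" in w:
            bound.add((w[1], w[-1]))  # (ACL name, interface it is applied to)
        elif w[0] == "static":
            # Syntax: static (in,out) [tcp|udp] GLOBAL [gport] LOCAL [lport] netmask ...
            glob, loc = (w[3], w[5]) if w[2] in ("tcp", "udp") else (w[2], w[3])
            if glob == "interface":
                continue  # PAT on the outside interface address, nothing to check here
            g, loc_ip = ipaddress.ip_address(glob), ipaddress.ip_address(loc)
            if g.is_private and not loc_ip.is_private:
                findings.append(f"static: global/local look reversed: {line}")
            elif outside_net and g not in outside_net:
                findings.append(f"static: {g} is not in outside subnet {outside_net}")
    for name, entries in acls.items():
        ifaces = {i for n, i in bound if n == name}
        if not ifaces:
            findings.append(f"acl {name}: defined but never applied with access-group")
            continue
        for w in entries:
            if "outside" in ifaces and "host" in w:  # outside ACLs must match the translated IP
                ip = ipaddress.ip_address(w[w.index("host") + 1])
                if ip.is_private:
                    findings.append(f"acl {name}: {ip} is an inside address; use the global IP")
                elif outside_net and ip not in outside_net:
                    findings.append(f"acl {name}: {ip} is not in outside subnet {outside_net}")
    return findings
```

Run `lint_pix(SAMPLE_CONFIG)` against the sample and it reports the reversed static, the unbound inbound ACL, the inside address in the outside ACL, and the 74.64 typo; a config with the corrected static and ACL returns no findings.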
