dougp23 asked:

Have External People Hit Internal Web Server

We currently have a website hosted with a hosting company, but we need WAY more space.

So I have set up some directories on a server internally that we can drop these huge files on.  Of course, we use NAT internally, so how do I allow outside people to hit my internal box?  I do have static "real" IP addresses I can assign to the internal box.  I am just curious as to how I open the PIX up that way.

Internal Server: 192.168.10.5
PIX External IP:  74.94.155.154
Proposed External IP for Internal Server: 74.94.155.152

(Note that I kind of made up those IPs!)
 
I would appreciate any help!  Cisco Docs are great, but MAN, it's like browsing about 70 years of Encyclopedias... there is just TOOOO much!

Thanks.
Alan Huseyin Kayahan

Hi doug
static(inside,outside) 74.94.155.152 192.168.10.5 tcp 0 0
access-list expeoplehitin permit tcp any host 74.94.155.152 eq xxx (xxx is port number you allow)
access-group expeoplehitin in interface outside
write mem
clear xlate

Regards

ASKER

Mr. Husy,
when I issue this command:

static(inside,outside) 74.94.155.152 192.168.10.5 tcp 0 0

I get this

number of maximum connections should lie between 0 and 65535

What does that mean??

Does it matter (and I think it might) that 74.94.155.152 lies in the DMZ?  I.e., I have a broadband connection with a Comcast router that has 4 ports.  So the PIX plugs into one, and 74.94.155.152 currently is nothing.

Alan Huseyin Kayahan

Damn... forgive me... the correct one is below:
static(inside,outside) 74.94.155.152 192.168.10.5 0 0

Regards
Alan Huseyin Kayahan

If it lies in the DMZ then the correct one is as follows:

static(dmz,outside) 74.94.155.152 192.168.10.5 tcp 0 0

Sorry again, no tcp:

static(dmz,outside) 74.94.155.152 192.168.10.5 0 0

ASKER

MrHusy,
I may have misstated the specifics.
My PIX has no DMZ port.
Instead, Comcast comes in with a high speed link that plugs into a Comcast router with 4 ports on it.  One of those ports hits my PIX.  Then from the PIX I go right into a Cisco 3560 switch.  So I don't think these other real IPs would have any way of getting to my internal IPs... not sure.

Alan Huseyin Kayahan

Hi doug

What is the outside IP of your PIX? If there is another network between Comcast and the PIX outside (like 192.168.10.0/24) then you may have to forward ports to an IP address in that network and static NAT this IP to internal as I mentioned above.

ASKER

MrHusy,

First, thanks for sticking with me on this one, lol!
OK, the outside IP of my PIX is 74.94.144.140 (I made that up).
But, with Comcast, I also have 74.94.144.141 through 74.94.144.144

So I want to take 74.94.144.141, and static route that to 192.168.10.5

Comcast says I can do this with the static route command.  Here is what I have tried:

access-list outside_in permit tcp any host 192.168.10.5 eq www
access-list outside_in permit tcp any host 192.168.10.5 eq https
static (inside,outside) tcp 74.94.144.141 www 192.168.10.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside

If I open a browser and try to hit 74.94.144.141, it just times out.  NOW, I am thinking, maybe it is working, but the PIX sees me as in front of the firewall (i.e. 192.168.x.y) and as such, may not allow me to go through the firewall, only to be turned back around and come back inside.  Maybe?


Alan Huseyin Kayahan

Hi doug

You are welcome :). Everything is OK except the ACLs :). Switch the ACLs as follows:

access-list outside_in permit tcp any host 74.94.144.141 eq www
access-list outside_in permit tcp any host 74.94.144.141 eq https
access-group outside_in in interface outside

192.168.10.5 is not on the outside :)

Regards

ASKER

So here is what I have now:

ip address outside 74.94.144.140 255.255.255.248
ip address inside 192.168.1.253 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list outside_in permit tcp any host 74.94.144.141 eq www
access-list outside_in permit tcp any host 74.94.144.141 eq https

static (inside,outside) tcp 74.94.144.141 www 192.168.10.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside

STILL NOT WORKING!  Do I need to NAT on the outside interface too?  My PIX hits an SMC box from Comcast before it goes to the outside world.  I can get at my other static IPs if I plug right into the ports on the SMC.  
Alan Huseyin Kayahan

A question: which global IP address range is reserved for you? 74.94.144.140 to 74.94.144.145? Or is it 74.94.155.152 as you mentioned in the question? If there is a pool provided to you, you should specify it as follows:

global (outside) 1 74.94.144.141-74.94.144.145 netmask 255.255.255.248

ASKER

Should I include the PIX's outside IP in that global (outside) statement, or is it enough that the outside interface already has the real IP?

I.e., Comcast gave me 74.94.144.140-145 and I gave 140 to the outside interface of the PIX.
So should I do the statement you show (leaving off 140)?

Thanks so much man.  I'd give you another 500 points if I could!
Alan Huseyin Kayahan

There are two ways doug.

1) Leave off 140 for PAT like the following:
   global (outside) 1 interface
   And use the rest for the pool 141-145 like the following:
   global (outside) 1 74.94.144.141-74.94.144.145 netmask 255.255.255.248
2) Do not define PAT and just use the following:
   global (outside) 1 74.94.144.140-74.94.144.145 netmask 255.255.255.248

But your current config is now as follows:

global (outside) 1 interface
global (outside) 1 74.94.144.141-74.94.144.145 netmask 255.255.255.248

And this config is OK. 140 is still usable and is added to the PAT pool.

You are welcome :) I hope I will be helpful and the current points will be enough :)

Regards

ASKER

What does PAT mean??
Alan Huseyin Kayahan

Port Address Translation.

When you have only 1 global address, you have to use PAT. So the NATed inside client IPs will all use that 1 global address. This is also called "many to one".

ASKER

I'm gonna close this.  I can't get it to work.  :-(

I already have a

global (outside) 1 interface

line in my config. When I do anything to change it, we all get bounced from the web.  I am gonna have to RTFM I guess... ugh.
Alan Huseyin Kayahan

Hi doug

* Are you able to connect to the internet with that configuration?
* Type sh run and post the output here please.
* Set up syslog for us to see logs.

Here is another way for port forwarding:

static (inside,outside) 74.94.144.141 192.168.10.5 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 74.94.144.141 eq www
access-group outside_access_in in interface outside

And try to reach 74.94.144.141.

Don't forget to post your config.

ASKER

I can't test today, it brings the net down.  I will save this for tomorrow if you don't mind.  Fewer people around and I can test it then.

Alan Huseyin Kayahan

By the way, you typed clear xlate after you made the changes, didn't you? If you don't, none take effect.

ASKER

Arrggghh!!!  I bet that might have been it!
Hopefully later today or late tomorrow I can give it a shot.
Alan Huseyin Kayahan

I wrote clear xlate in my first post :). Anyway, I hope it was the only problem. And please don't forget to post your running config.

ASKER

Here is my SHO RUN  (I had to edit it to obscure my real IPs, so here's the scenario):

74.94.144.140 is the PIX outside interface
74.94.144.146 is the def gateway from comcast
74.94.144.141 is the one I want to point at 192.168.10.5
74.94.144.142 is an email server I have plugging into the Comcast box.

Appreciate any help sir!!!


sho run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aeszTov9WyMJMAk1 encrypted
passwd BUV1V0Qx426/.4tE encrypted
hostname DPW-Fire-515
domain-name newmarketnh.gov
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inbound permit icmp any any
access-list inbound permit tcp any host 74.94.144.140 eq 3389
access-list inbound permit tcp any host 74.94.144.140 eq telnet
access-list inbound permit tcp any host 74.94.144.142 eq pop3
access-list inbound permit tcp any host 74.94.144.142 eq smtp
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound permit tcp any host 74.94.144.142 eq pop3
access-list outbound permit tcp any host 74.94.144.142 eq smtp
pager lines 24
logging host inside 192.168.1.3
mtu outside 1500
mtu inside 1500
ip address outside 74.94.144.140 255.255.255.248
ip address inside 192.168.1.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.8 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.6.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 192.168.1.254 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 www 192.168.10.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 74.94.144.146 1
route inside 192.168.5.0 255.255.255.0 192.168.1.254 1
route inside 192.168.6.0 255.255.255.0 192.168.1.254 1
route inside 192.168.9.0 255.255.255.0 192.168.1.254 1
route inside 192.168.10.0 255.255.255.0 192.168.1.254 1
route inside 192.168.11.0 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor n2h2 host 192.168.1.3 port 4005 timeout 10 protocol TCP
filter url except 192.168.1.89 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map newmarket 10 ipsec-isakmp dynamic dynmap
crypto map newmarket client authentication LOCAL
crypto map newmarket interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
terminal width 80
Cryptochecksum:389b14fc5b1176a34c0048baeb5a414e
: end
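Added example (an editor's addition, not code from the thread and not the expert's): a small Python checker that applies the rule MrHusy states above, namely that an ACL bound to the outside interface has to name the translated 74.94.x.x address, because PIX 6.x evaluates that ACL before the static un-translates the packet. It also verifies that every outside-facing static has a matching permit and that the ACL is actually bound with access-group. It parses only the command forms that appear in this thread. The sample configs are constructed from lines quoted above: the first attempt with the ACL written against 192.168.10.5, the corrected version, and the relevant NAT/ACL lines from the sho run just posted; POSTED_BOUND appends a hypothetical access-group line that the posted config does not contain, to show what would still be missing after that.

```python
"""Audit PIX 6.x static / access-list / access-group lines for an exposed service.
Added example, not code from the thread. Rule encoded: an ACL bound to the
outside interface must name the translated (global) address, because PIX 6.x
evaluates it before the static un-translates the packet."""
import re
from ipaddress import ip_address, ip_network

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "smtp": 25, "pop3": 110}
STATIC_HEAD = re.compile(r"^static\s*\((\w+),(\w+)\)\s+(.*)$")


def port(tok):
    """Map a PIX port keyword or number to an int (unknown names pass through)."""
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else tok)


def addr_spec(toks, i):
    """Consume one ACL address spec at toks[i]: 'any', 'host A' or 'A MASK'."""
    if toks[i] == "any":
        return ("any", None), i + 1
    if toks[i] == "host":
        return ("host", toks[i + 1]), i + 2
    return ("net", toks[i]), i + 2


def parse(config):
    """Return (statics, acls, bindings, if_addrs) from PIX-style config text."""
    statics, acls, bindings, if_addrs = [], {}, {}, {}
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:2] == ["ip", "address"]:              # ip address IFACE ADDR MASK
            if_addrs[toks[2]] = toks[3]
        elif toks[0].startswith("static"):
            real_if, mapped_if, rest = STATIC_HEAD.match(raw.strip()).groups()
            rest = rest.split()
            if rest[0] in ("tcp", "udp"):               # static (r,m) PROTO MAPPED MPORT REAL RPORT ...
                proto, mapped, mport, real = rest[0], rest[1], port(rest[2]), rest[3]
            else:                                       # static (r,m) MAPPED REAL ...
                proto, mapped, mport, real = "ip", rest[0], None, rest[1]
            statics.append((real_if, mapped_if, proto, mapped, mport, real))
        elif toks[0] == "access-list":                 # access-list NAME ACTION PROTO SRC DST [eq PORT]
            _src, i = addr_spec(toks, 4)
            dst, i = addr_spec(toks, i)
            dport = port(toks[i + 1]) if i + 1 < len(toks) and toks[i] == "eq" else None
            acls.setdefault(toks[1], []).append((toks[2], toks[3], dst, dport))
        elif toks[0] == "access-group":                # access-group NAME in interface IFACE
            bindings[toks[4]] = toks[1]
    return statics, acls, bindings, if_addrs


def is_private(addr):
    return any(ip_address(addr) in net for net in PRIVATE)


def audit(config, outside="outside"):
    """Return findings about inbound reachability; an empty list means consistent."""
    statics, acls, bindings, if_addrs = parse(config)
    findings, bound = [], bindings.get(outside)
    if bound is None:
        findings.append(f"no access-group binds an ACL to interface {outside}; inbound stays denied")
    entries = acls.get(bound, [])
    for _act, _proto, (kind, dst), _dport in entries:
        if kind == "host" and is_private(dst):
            findings.append(f"ACL {bound} permits to private address {dst}; on {outside} PIX 6.x "
                            "matches the translated (global) address, so this line never hits")
    for _real_if, mapped_if, proto, mapped, mport, real in statics:
        if mapped_if != outside:
            continue
        if mapped == "interface":                       # keyword = the outside interface's own IP
            mapped = if_addrs.get(outside, mapped)
        permitted = any(
            act == "permit"
            and (kind == "any" or (kind == "host" and dst == mapped))
            and (aproto == "ip" or proto == "ip" or aproto == proto)
            and (dport is None or mport is None or dport == mport)
            for act, aproto, (kind, dst), dport in entries
        )
        if not permitted:
            svc = f"{mapped}:{mport}" if mport else mapped
            findings.append(f"static {svc} -> {real} has no permit in the ACL bound to {outside}")
    return findings


# Constructed samples, built from lines quoted in the thread (IPs are the thread's made-up ones).
WRONG = """\
ip address outside 74.94.144.140 255.255.255.248
access-list outside_in permit tcp any host 192.168.10.5 eq www
access-list outside_in permit tcp any host 192.168.10.5 eq https
static (inside,outside) tcp 74.94.144.141 www 192.168.10.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""
FIXED = WRONG.replace("host 192.168.10.5", "host 74.94.144.141")   # MrHusy's correction
POSTED = """\
ip address outside 74.94.144.140 255.255.255.248
access-list inbound permit icmp any any
access-list inbound permit tcp any host 74.94.144.140 eq 3389
static (inside,outside) tcp interface 3389 192.168.6.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 www 192.168.10.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.94.144.141 https 192.168.10.5 https netmask 255.255.255.255 0 0
"""
POSTED_BOUND = POSTED + "access-group inbound in interface outside\n"   # hypothetical binding
```

audit() returns the findings as a list, so it can sit in a pre-change review script: it is empty for the corrected config, and for the posted lines it reports that no access-group is bound to outside and that neither 74.94.144.141 static is covered by the inbound list even once that list is bound. The RFC 1918 test only produces a clearer message for the exact mistake made earlier in the thread; the authoritative check is the second one, that the destination in the outside ACL equals the static's mapped address.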
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan

This solution is only available to members.