Solved

Cisco 515e routing between inside interfaces

Posted on 2009-02-08
Last Modified: 2012-08-13
Hi, I have a PIX 515e running ASA 7. I have inside 10.1.0.0/255.255.252.0 and "unsecure" 192.168.1.0/255.255.255.0. I need to route JUST port 80 from unsecure (interface 2) to inside, to only IP 10.1.1.2. I have attached the PIX TFTP save file as well. It works, although some info has been removed or altered for security reasons.
: Saved
: Written by enable_15 at 17:39:14.397 UTC Sun Feb 8 2009
!
PIX Version 7.2(1) 
!
hostname pixfirewall
domain-name default.domain.invalid
enable password ------------- encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.252.0 
!
interface Ethernet2
 nameif unsecure
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
passwd ---------- encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service unsecure tcp
 port-object eq domain
 port-object eq www
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 7000 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list inbound extended permit icmp any any 
access-list inbound extended permit tcp any any eq smtp 
access-list inbound extended permit tcp any any eq 7000 
access-list inbound extended permit tcp any any eq www 
access-list inbound extended permit tcp any any eq https 
access-list inbound extended permit tcp any any eq 81 
access-list inbound extended permit udp any any eq 27015 
access-list inbound extended permit tcp any any eq 5910 
access-list inbound extended permit tcp any any eq 5911 
access-list inbound extended permit tcp any any eq 3389 
access-list inbound extended permit tcp any any eq ssh 
access-list inbound extended permit tcp any any eq ftp 
access-list outside_20_cryptomap extended permit ip 10.1.0.0 255.255.252.0 10.1.4.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 10.1.4.0 255.255.255.0 
access-list unsecure_access_in extended permit tcp any host 10.1.1.2 eq www 
access-list unsecure_access_in extended permit tcp any any eq www 
access-list unsecure_access_in extended permit udp any any eq domain 
access-list unsecure_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any object-group unsecure 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu unsecure 1500
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (unsecure) 1 access-list unsecure_nat_outbound outside
nat (unsecure) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 7000 10.1.1.3 7000 netmask 255.255.255.255 
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255 
static (inside,outside) tcp interface https 10.1.1.2 https netmask 255.255.255.255 
static (inside,outside) tcp interface 81 10.1.1.4 www netmask 255.255.255.255 
static (inside,outside) udp interface 27015 10.1.1.4 27015 netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 5910 10.1.1.2 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 10.1.1.2 3389 netmask 255.255.255.255 
static (inside,outside) tcp 24.171.58.178 5911 10.1.1.4 5900 netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group unsecure_access_in in interface unsecure
route outside 10.1.4.0 255.255.255.0 75.132.13.162 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
url-server (inside) vendor smartfilter host 10.1.1.5 port 4005 timeout 30 protocol UDP 
filter url http 10.1.0.0 255.255.252.0 0.0.0.0 0.0.0.0 allow cgi-truncate 
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer -----------
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group ----------type ipsec-l2l
tunnel-group ----------ipsec-attributes
 pre-shared-key ---------
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.2.10-10.1.2.250 inside
dhcpd dns 10.1.1.2 10.1.1.4 interface inside
dhcpd domain ------------- interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.10-192.168.1.100 unsecure
dhcpd dns 24.217.0.3 24.217.0.4 interface unsecure
dhcpd enable unsecure
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tftp-server inside 10.1.1.10 /515e.cfg
prompt hostname context 
Cryptochecksum:ad8e100a2e19d3e9c5704104ce6f099a
: end


Question by: danware

Accepted Solution
by: lrmoore
try this:
static (inside,unsecure) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

access-list unsecure permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.2 eq 80
access-list unsecure deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.252.0
access-list unsecure permit ip any any
access-group unsecure in interface unsecure

Author Comment
by: danware
I inserted those commands into the pix, I can still get to the internet, but CANNOT get to http on 10.1.1.2 from 192.168.1.10(or others).  What else do you think I should do?

Author Comment
by: danware
Nevermind, forgot first line, It works great!
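The two halves of the accepted solution do different jobs, and the thread shows what happens when one is missing. The saved config has nat-control on, so a flow from the unsecure interface (security-level 50) into inside (security-level 100) needs a translation before the PIX will consult the interface ACL at all; the `static (inside,unsecure) 10.1.1.2 10.1.1.2` identity translation supplies it for that one host, which is why the poster saw no HTTP access until that line was in. The access-list is then evaluated top to bottom, first match wins, with an implicit deny at the end, so the order permit-80 / deny-rest-of-inside / permit-any matters. Binding the new list with `access-group unsecure in interface unsecure` also replaces the old `unsecure_access_in` binding, whose `permit tcp any any eq www` line had allowed port 80 to every inside host, not only 10.1.1.2. The following Python model is an added example, not code from the thread or from Cisco: it parses only the access-list forms that appear on this page (`any`, `host X`, `NET MASK`, optional `eq PORT`), evaluates constructed flows against the original list, the solution list and a deliberately mis-ordered copy, and does not model NAT. The address 198.51.100.7 is a made-up stand-in for an Internet host.

```python
"""
First-match evaluator for the PIX interface ACLs in this thread (added example,
hypothetical model; it covers only the access-list syntax seen on the page and
ignores NAT/xlate processing).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names used on the page, mapped to numbers (the PIX accepts either form).
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25, "ssh": 22, "ftp": 21}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port
    text: str                       # original line, kept for reporting


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'NET MASK' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks, e.g. 10.1.0.0/255.255.252.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    i = 2
    if tokens[i] == "extended":
        i += 1
    action, proto = tokens[i], tokens[i + 1]
    i += 2
    src, i = _parse_addr(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(action, proto, src, dst, dport, line.strip())


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching_line) for the first ACE that matches, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of access-list"


# The list the poster started with (unsecure_access_in in the saved config).
ORIGINAL_ACL = parse_acl("""
access-list unsecure_access_in extended permit tcp any host 10.1.1.2 eq www
access-list unsecure_access_in extended permit tcp any any eq www
access-list unsecure_access_in extended permit udp any any eq domain
""")

# The list from the accepted solution.
SOLUTION_ACL = parse_acl("""
access-list unsecure permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.2 eq 80
access-list unsecure deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.252.0
access-list unsecure permit ip any any
""")

# Same three lines with the deny placed first: first match wins, so port 80 is blocked.
MISORDERED_ACL = [SOLUTION_ACL[1], SOLUTION_ACL[0], SOLUTION_ACL[2]]

if __name__ == "__main__":
    # Constructed flows from a host in the unsecure DHCP range; 198.51.100.7 is a made-up Internet host.
    flows = [
        ("tcp", "192.168.1.10", "10.1.1.2", 80),
        ("tcp", "192.168.1.10", "10.1.1.2", 443),
        ("tcp", "192.168.1.10", "10.1.1.3", 80),
        ("tcp", "192.168.1.10", "198.51.100.7", 80),
        ("udp", "192.168.1.10", "198.51.100.7", 53),
    ]
    for name, acl in (("original", ORIGINAL_ACL), ("solution", SOLUTION_ACL), ("misordered", MISORDERED_ACL)):
        print(f"== {name} ==")
        for flow in flows:
            action, why = evaluate(acl, *flow)
            print(f"{flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}  {action:6}  ({why})")
```

Run it directly to print the decision and the matching line for each flow. The result to take away: the solution list permits only tcp/80 to 10.1.1.2, denies tcp/443 to 10.1.1.2 and tcp/80 to 10.1.1.3 on the explicit deny line, and still lets the unsecure hosts out to the Internet; the original list permitted tcp/80 to 10.1.1.3 as well, and the mis-ordered copy blocks even the intended port 80 flow, which is the kind of mistake that is easy to confirm with `packet-tracer` on the firewall itself.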