danware
Cisco 515e routing between inside interfaces
Hi, I have a PIX 515e running ASA 7. I have inside 10.1.0.0/255.255.252.0 and "unsecure" 192.168.1.0/255.255.255.0. I need to route JUST port 80 from unsecure (interface 2) to inside, to only IP 10.1.1.2. I have attached the PIX TFTP save file as well. It works, although some info has been removed or altered for security reasons.
: Saved
: Written by enable_15 at 17:39:14.397 UTC Sun Feb 8 2009
!
PIX Version 7.2(1)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password ------------- encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.252.0
!
interface Ethernet2
nameif unsecure
security-level 50
ip address 192.168.1.1 255.255.255.0
!
passwd ---------- encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service unsecure tcp
port-object eq domain
port-object eq www
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 7000
access-list outside_access_in extended permit tcp any interface outside eq www
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any any eq smtp
access-list inbound extended permit tcp any any eq 7000
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit tcp any any eq https
access-list inbound extended permit tcp any any eq 81
access-list inbound extended permit udp any any eq 27015
access-list inbound extended permit tcp any any eq 5910
access-list inbound extended permit tcp any any eq 5911
access-list inbound extended permit tcp any any eq 3389
access-list inbound extended permit tcp any any eq ssh
access-list inbound extended permit tcp any any eq ftp
access-list outside_20_cryptomap extended permit ip 10.1.0.0 255.255.252.0 10.1.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 10.1.4.0 255.255.255.0
access-list unsecure_access_in extended permit tcp any host 10.1.1.2 eq www
access-list unsecure_access_in extended permit tcp any any eq www
access-list unsecure_access_in extended permit udp any any eq domain
access-list unsecure_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any object-group unsecure
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu unsecure 1500
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (unsecure) 1 access-list unsecure_nat_outbound outside
nat (unsecure) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 7000 10.1.1.3 7000 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 10.1.1.4 www netmask 255.255.255.255
static (inside,outside) udp interface 27015 10.1.1.4 27015 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 5910 10.1.1.2 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.1.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 24.171.58.178 5911 10.1.1.4 5900 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group unsecure_access_in in interface unsecure
route outside 10.1.4.0 255.255.255.0 75.132.13.162 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
url-server (inside) vendor smartfilter host 10.1.1.5 port 4005 timeout 30 protocol UDP
filter url http 10.1.0.0 255.255.252.0 0.0.0.0 0.0.0.0 allow cgi-truncate
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer -----------
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group ---------- type ipsec-l2l
tunnel-group ---------- ipsec-attributes
pre-shared-key ---------
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.2.10-10.1.2.250 inside
dhcpd dns 10.1.1.2 10.1.1.4 interface inside
dhcpd domain ------------- interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.10-192.168.1.100 unsecure
dhcpd dns 24.217.0.3 24.217.0.4 interface unsecure
dhcpd enable unsecure
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside 10.1.1.10 /515e.cfg
prompt hostname context
Cryptochecksum:ad8e100a2e19d3e9c5704104ce6f099a
: end
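To check whether the unsecure_access_in list really limits inbound web traffic to 10.1.1.2, the following added Python script (not part of the original post or of Cisco's software) parses the three unsecure_access_in entries copied from the configuration above and evaluates them the way the firewall does: first match wins, with an implicit deny at the end. It models only the access list, not nat-control or static translations, and the function names and the sample flows are my own. It shows that the second entry (permit tcp any any eq www) also matches port 80 to any other inside host, so traffic that misses the first line still gets through on the second; whether that is intended (for example, unsecure clients browsing the Internet) is for the asker to decide, but an audit should flag it.

```python
import ipaddress

# Constructed sample: the unsecure_access_in entries as they appear in the posted config.
UNSECURE_ACL = """
access-list unsecure_access_in extended permit tcp any host 10.1.1.2 eq www
access-list unsecure_access_in extended permit tcp any any eq www
access-list unsecure_access_in extended permit udp any any eq domain
"""

# Well-known names PIX/ASA accept in "eq <port>" (subset sufficient for this config).
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "https": 443, "ssh": 22, "ftp": 21}


def _port(token):
    """Translate a named or numeric port token to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any', 'host X' or 'X MASK' address forms."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Extract (action, proto, src_net, dst_net, dport) tuples for one named extended ACL."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tok[3], tok[4]
        src, i = _parse_addr(tok, 5)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = _port(tok[i + 1])
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport):
    """First-match evaluation; returns (action, 1-based entry number) or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, snet, dnet, port) in enumerate(entries, 1):
        if p not in (proto, "ip"):
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action, n
    return "deny", None  # implicit deny at the end of every ACL


def overly_broad_web_entries(entries, allowed_host):
    """Entry numbers that permit TCP/80 to any destination other than allowed_host."""
    target = ipaddress.ip_network(allowed_host + "/32")
    flagged = []
    for n, (action, p, _snet, dnet, port) in enumerate(entries, 1):
        if action != "permit" or p not in ("tcp", "ip"):
            continue
        if port not in (None, 80):
            continue
        if dnet != target:
            flagged.append(n)
    return flagged


if __name__ == "__main__":
    acl = parse_acl(UNSECURE_ACL, "unsecure_access_in")
    for flow in [("tcp", "192.168.1.50", "10.1.1.2", 80),
                 ("tcp", "192.168.1.50", "10.1.1.3", 80),
                 ("tcp", "192.168.1.50", "10.1.1.2", 443)]:
        print(flow, "->", evaluate(acl, *flow))
    print("entries permitting web to hosts other than 10.1.1.2:",
          overly_broad_web_entries(acl, "10.1.1.2"))
```

Run it as-is to see each sample flow matched against the list; the third flow (HTTPS to 10.1.1.2) falls through to the implicit deny, and the audit reports entry 2 as the one that widens port 80 beyond 10.1.1.2.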
ASKER
Nevermind, forgot first line, It works great!