Cisco 515e routing between inside interfaces

danware asked (Medium Priority, 283 Views, Last Modified: 2012-08-13)
Hi, I have a PIX 515e (ASA 7). I have inside 10.1.0.0/255.255.252.0 and "unsecure" 192.168.1.0/255.255.255.0. I need to route JUST port 80 from unsecure (interface2) to inside, to only IP 10.1.1.2. I have attached the PIX tftp save file as well. It works, although some info has been removed or altered for security reasons.
: Saved
: Written by enable_15 at 17:39:14.397 UTC Sun Feb 8 2009
!
PIX Version 7.2(1) 
!
hostname pixfirewall
domain-name default.domain.invalid
enable password ------------- encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.252.0 
!
interface Ethernet2
 nameif unsecure
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
passwd ---------- encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service unsecure tcp
 port-object eq domain
 port-object eq www
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 7000 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list inbound extended permit icmp any any 
access-list inbound extended permit tcp any any eq smtp 
access-list inbound extended permit tcp any any eq 7000 
access-list inbound extended permit tcp any any eq www 
access-list inbound extended permit tcp any any eq https 
access-list inbound extended permit tcp any any eq 81 
access-list inbound extended permit udp any any eq 27015 
access-list inbound extended permit tcp any any eq 5910 
access-list inbound extended permit tcp any any eq 5911 
access-list inbound extended permit tcp any any eq 3389 
access-list inbound extended permit tcp any any eq ssh 
access-list inbound extended permit tcp any any eq ftp 
access-list outside_20_cryptomap extended permit ip 10.1.0.0 255.255.252.0 10.1.4.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 10.1.4.0 255.255.255.0 
access-list unsecure_access_in extended permit tcp any host 10.1.1.2 eq www 
access-list unsecure_access_in extended permit tcp any any eq www 
access-list unsecure_access_in extended permit udp any any eq domain 
access-list unsecure_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any object-group unsecure 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu unsecure 1500
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (unsecure) 1 access-list unsecure_nat_outbound outside
nat (unsecure) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 7000 10.1.1.3 7000 netmask 255.255.255.255 
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255 
static (inside,outside) tcp interface https 10.1.1.2 https netmask 255.255.255.255 
static (inside,outside) tcp interface 81 10.1.1.4 www netmask 255.255.255.255 
static (inside,outside) udp interface 27015 10.1.1.4 27015 netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 5910 10.1.1.2 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 10.1.1.2 3389 netmask 255.255.255.255 
static (inside,outside) tcp 24.171.58.178 5911 10.1.1.4 5900 netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group unsecure_access_in in interface unsecure
route outside 10.1.4.0 255.255.255.0 75.132.13.162 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
url-server (inside) vendor smartfilter host 10.1.1.5 port 4005 timeout 30 protocol UDP 
filter url http 10.1.0.0 255.255.252.0 0.0.0.0 0.0.0.0 allow cgi-truncate 
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer -----------
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group ----------type ipsec-l2l
tunnel-group ----------ipsec-attributes
 pre-shared-key ---------
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.2.10-10.1.2.250 inside
dhcpd dns 10.1.1.2 10.1.1.4 interface inside
dhcpd domain ------------- interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.10-192.168.1.100 unsecure
dhcpd dns 24.217.0.3 24.217.0.4 interface unsecure
dhcpd enable unsecure
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tftp-server inside 10.1.1.10 /515e.cfg
prompt hostname context 
Cryptochecksum:ad8e100a2e19d3e9c5704104ce6f099a
: end

Sr. Systems Engineer (CERTIFIED EXPERT, Top Expert 2008) commented:
try this:
static (inside,unsecure) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

access-list unsecure permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.2 eq 80
access-list unsecure deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.252.0
access-list unsecure permit ip any any
access-group unsecure in interface unsecure

Author commented:
I inserted those commands into the PIX. I can still get to the internet, but CANNOT get to http on 10.1.1.2 from 192.168.1.10 (or others). What else do you think I should do?

Author commented:
Never mind, I forgot the first line. It works great!
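
The ACL in the accepted answer relies on first-match ordering: the single permit for port 80 to 10.1.1.2 must sit before the deny covering the rest of 10.1.0.0/22, and that deny must sit before the final permit any any that keeps Internet access working. The script below is an added example, not the expert's configuration or Cisco code: it models PIX/ASA extended-ACL evaluation (first matching entry wins, implicit deny at the end) in Python, runs constructed flows from a host in the unsecure DHCP pool through the three lines as written, and then through a mis-ordered copy to show how the deny becomes shadowed. It does not model the static (inside,unsecure) identity translation the asker initially forgot, which nat-control still requires for the packet to reach 10.1.1.2 at all. The flow descriptions, the 203.0.113.5 Internet address and the helper names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Added example: a minimal first-match model of PIX/ASA extended ACL evaluation,
# used to check the intent of the "unsecure" interface ACL from the answer.
# Helper names are hypothetical; this is not Cisco code.


@dataclass(frozen=True)
class Flow:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port (None for icmp)


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'permit tcp 192.168.1.0/24 host 10.1.1.2 eq 80'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (ip = any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any port (no 'eq' clause)

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ipaddress.ip_address(f.src) not in self.src:
            return False
        if ipaddress.ip_address(f.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == f.dport


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; an unmatched flow hits the implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if ace.matches(flow):
            return ace.action, index
    return "deny", None


# The expert's ACL, line for line (255.255.252.0 is /22, 255.255.255.0 is /24).
UNSECURE_ACL = [
    Ace("permit", "tcp", net("192.168.1.0/24"), net("10.1.1.2/32"), 80),
    Ace("deny",   "ip",  net("192.168.1.0/24"), net("10.1.0.0/22")),
    Ace("permit", "ip",  net("0.0.0.0/0"),      net("0.0.0.0/0")),
]

# The same three lines with the last two swapped: the deny can never match.
MISORDERED_ACL = [UNSECURE_ACL[0], UNSECURE_ACL[2], UNSECURE_ACL[1]]

# Constructed test flows from a host in the unsecure DHCP pool (192.168.1.10-100).
FLOWS: Dict[str, Flow] = {
    "web to 10.1.1.2":      Flow("tcp", "192.168.1.10", "10.1.1.2", 80),
    "https to 10.1.1.2":    Flow("tcp", "192.168.1.10", "10.1.1.2", 443),
    "rdp to 10.1.1.2":      Flow("tcp", "192.168.1.10", "10.1.1.2", 3389),
    "web to other inside":  Flow("tcp", "192.168.1.10", "10.1.1.3", 80),
    "ping url-server":      Flow("icmp", "192.168.1.10", "10.1.1.5"),
    "web to internet":      Flow("tcp", "192.168.1.10", "203.0.113.5", 80),  # constructed
    "dns to isp":           Flow("udp", "192.168.1.10", "24.217.0.3", 53),
}


def check_policy(acl: List[Ace]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Return {description: (action, matching line index)} for every test flow."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


def dead_entries(acl: List[Ace], flows: Iterable[Flow]) -> List[int]:
    """Indexes of ACEs that no test flow ever reaches: a sign of a shadowed rule."""
    hit = {evaluate(acl, f)[1] for f in flows}
    return [i for i in range(len(acl)) if i not in hit]


if __name__ == "__main__":
    for name, (action, line) in check_policy(UNSECURE_ACL).items():
        print(f"{name:22s} -> {action} (line {line})")
    print("shadowed in misordered ACL:", dead_entries(MISORDERED_ACL, FLOWS.values()))
```

Run it directly to print the verdict and matching line for each flow. dead_entries() lists entries no test flow reaches; on a real device the equivalent check is an entry whose hit count in show access-list stays at zero.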