WebServer behind a PIX firewall

Unanswered Question
Feb 21st, 2007

I have a webserver that is on the network behind the firewall running a specific application. I was told that I needed to allow public access to that web application. How can I set the firewall to allow traffic to that specific webserver? Also, I need the traffic to be directed to: http://192.168.xx.xx/Public

What's the best way to set this up?

vitripat Wed, 02/21/2007 - 15:58

First .. do we have a public IP address for the domain of your webserver? If yes, let's assume that the public IP address is "y.y.y.y"; then you'll need the following commands:

static (inside,outside) y.y.y.y 192.168.xx.xx

access-list 101 permit tcp any host y.y.y.y eq 80

access-group 101 in interface outside

clear xlate local 192.168.xx.xx

Outside users will be able to access your webserver using "http://y.y.y.y/Public"

Second .. if we don't have a separate public IP for the webserver, and need to use the public IP address given to the outside interface of the PIX, the commands would be:

static (inside,outside) tcp interface 80 192.168.xx.xx 80

access-list 101 permit tcp any interface eq 80

access-gr 101 in interface outside

clear xlate local 192.168.xx.xx

Now outside users will be able to access your server using the public IP on the outside interface of the PIX.

Hope this helps.



tgarner-library Wed, 02/21/2007 - 16:18

I received 2 errors:

f01(config)# access-list 101 permit tcp any interface eq 80

ERROR: % Invalid input detected at '^' marker. (the marker pointed to the e)

f-01(config)# access-gr 101 in interface outside

ERROR: access-list <101> is standard. Only "extended" or "ethertype" acls can be attached to an interface

vitripat Wed, 02/21/2007 - 16:29

Can you confirm what firewall we have here? An IOS based firewall .. a PIX firewall .. or a firewall module (a Firewall module installed in a Cat 6k switch or a 7k router)?

tgarner-library Wed, 02/21/2007 - 16:28

this is what I'm working with:

f01# show ver

Cisco Adaptive Security Appliance Software Version 7.0(4)2

Device Manager Version 5.0(4)1

Compiled on Tue 15-Nov-05 11:41 by root

System image file is "disk0:/asa704-2-k8.bin"

Config file at boot was "startup-config"

f-01 up 1 year 64 days

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 64MB

BIOS Flash AT49LW080: @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

vitripat Wed, 02/21/2007 - 16:30

It seems that your ASA is working in "Transparent" mode .. for that, the commands would be a little different.

vitripat Wed, 02/21/2007 - 16:39

As this is a Transparent firewall, you only need the following commands:

access-list ACL_IN extended permit tcp any host 192.168.xx.xx eq 80

access-group ACL_IN in interface outside

tgarner-library Thu, 02/22/2007 - 17:42

Well, I found out the hard way that you can only have 1 access-list per interface. When I created the access-list ACL_IN and the access-group ACL_IN, it broke many things. This is what ended up fixing this:

Step 1. static (inside, outside) netmask

Step 2. access-list outside_access_in extend tcp any host eq www

Step 3. no access-group outside_access_in in interface outside

Step 4. access-group outside_access_in in interface outside

and that worked!
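A small configuration lint for the two failure modes reported in this thread, as an added example (not from the thread, from the poster or from Cisco): an access-group that binds an ACL written without the extended keyword, which the device treated as a standard ACL, and a second access-group on the same interface and direction, which replaces the ACL already applied there. The sample configuration and addresses are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration (not the thread's device): the first ACL
# omits "extended" and so is a standard ACL, and three access-group lines
# compete for the same interface and direction.
SAMPLE_CONFIG = """
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_access_in in interface outside
access-list ACL_IN extended permit tcp any host 192.168.1.20 eq 80
access-group ACL_IN in interface outside
access-group 101 in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:(extended|ethertype|standard)\s+)?(?:permit|deny)\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def lint_asa_config(config: str) -> List[str]:
    """Return one finding per access-group that would be rejected or would clobber a binding."""
    acl_kind: Dict[str, str] = {}              # ACL name -> standard / extended / ethertype
    bound: Dict[Tuple[str, str], str] = {}     # (interface, direction) -> ACL name applied
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            # The first ACE fixes the ACL's type; no keyword means standard.
            acl_kind.setdefault(m.group(1), m.group(2) or "standard")
            continue
        m = GROUP_RE.match(line)
        if not m:
            continue
        name, direction, iface = m.groups()
        kind = acl_kind.get(name)
        if kind is None:
            findings.append(f"{name}: referenced by access-group but never defined")
        elif kind == "standard":
            findings.append(f"{name}: is standard; only extended or ethertype ACLs can be attached to an interface")
        key = (iface, direction)
        if key in bound and bound[key] != name:
            findings.append(f"{name}: replaces {bound[key]} on {iface} {direction}; one ACL per interface per direction")
        bound[key] = name
    return findings


if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved running-config before pasting access-group lines in, the last finding tells you which existing binding the new line would silently displace.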

