02-21-2007 03:52 PM - edited 03-11-2019 02:36 AM
I have a webserver that is on the network behind the firewall running a specific application. I was told that I needed to allow public access to that web application. How can I set the firewall to allow traffic to that specific webserver? Also, I need the traffic to be directed to: http://192.168.xx.xx/Public
What's the best way to set this up?
02-21-2007 03:58 PM
First .. do we have a public IP address for the domain of your webserver? If yes, let's assume that the public IP address is "y.y.y.y"; then you'll need the following commands:
static (inside,outside) y.y.y.y 192.168.xx.xx
access-list 101 permit tcp any host y.y.y.y eq 80
access-group 101 in interface outside
clear xlate local 192.168.xx.xx
Outside users will be able to access your webserver using "http://y.y.y.y/Public"
Second .. if we don't have a separate public IP for the webserver and need to use the public IP address given to the outside interface of the PIX, the commands would be:
static (inside,outside) tcp interface 80 192.168.xx.xx 80
access-list 101 permit tcp any interface eq 80
access-gr 101 in interface outside
clear xlate local 192.168.xx.xx
Now outside users will be able to access your server using the public IP on the outside interface of the PIX.
Hope this helps.
Regards,
Vibhor.
02-21-2007 04:18 PM
I received 2 errors:
f01(config)# access-list 101 permit tcp any interface eq 80
ERROR: % Invalid input detected at '^' marker. (the marker pointed to the e)
f-01(config)# access-gr 101 in interface outside
ERROR: access-list <101> is standard. Only "extended" or "ethertype" acls can be attached to an interface
02-21-2007 04:22 PM
this seems to be FWSM .. is it?
02-21-2007 04:27 PM
not to make myself sound like a complete moron - but what is FWSM?
02-21-2007 04:29 PM
A firewall module installed in a Cat 6k switch or a 7k router ..
Can you confirm what firewall we have here?
An IOS-based firewall .. a PIX firewall or a firewall module?
02-21-2007 04:28 PM
this is what I'm working with:
f01# show ver
Cisco Adaptive Security Appliance Software Version 7.0(4)2
Device Manager Version 5.0(4)1
Compiled on Tue 15-Nov-05 11:41 by root
System image file is "disk0:/asa704-2-k8.bin"
Config file at boot was "startup-config"
f-01 up 1 year 64 days
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080: @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
02-21-2007 04:29 PM
perfect .. this is ASA .. similar to PIX.
02-21-2007 04:30 PM
It seems that your ASA is working in "Transparent" mode .. for that, the commands would be a little different.
02-21-2007 04:33 PM
Don't suppose you know what the commands would be to get this working?
02-21-2007 04:39 PM
As this is a transparent firewall, you only need the following commands:
access-list ACL_IN extended permit tcp any host 192.168.xx.xx eq 80
access-group ACL_IN in interface outside
02-22-2007 05:42 PM
Well, I found out the hard way that you can only have 1 access-list per interface. When I created the access-list ACL_IN and the access-group ACL_IN, it broke many things. This is what ended up fixing it:
Step 1. static (inside, outside)
Step 2. access-list outside_access_in extend tcp any host
Step 3. no access-group outside_access_in in interface outside
Step 4. access-group outside_access_in in interface outside
and that worked!
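The three things that went wrong in this thread (an ACL that was not extended being bound to an interface, a second access-group on the same interface replacing the one already there, and an ACE written for the inside address instead of the translated one) are all visible in the configuration text before it is ever pushed to the box. The following lint script is an added example, not code from the thread or from Cisco: it parses pre-8.3 ASA syntax as used in the posts above, with constructed placeholder addresses (203.0.113.10 for the public side, 192.168.10.20 for the webserver) and ACL names chosen for the example. It also covers both NAT variants from the first reply (a dedicated public IP, and port forwarding on the outside interface address) and the transparent-mode variant, so that each can be checked before being applied.

```python
"""Lint an ASA 7.x-style (pre-8.3) config fragment for the mistakes seen in the thread.

Checks performed (all added here, not part of the thread):
  STANDARD_ACL        access-group binds an ACL that is not extended/ethertype
  MISSING_ACL         access-group binds an ACL that is never defined
  DUPLICATE_BINDING   more than one ACL bound to the same interface and direction
  REAL_ADDRESS        routed mode: an ACE names the real (inside) address of a static
                      instead of the mapped address that pre-8.3 ACLs match on
  STATIC_IN_TRANSPARENT  a static is present although the firewall is transparent
"""
import re
from collections import defaultdict

# Constructed sample: dedicated public IP, the first variant from the reply.
ROUTED_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.10.20 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_access_in in interface outside
"""

# Constructed sample: port forward on the outside interface address, the second variant.
PAT_CONFIG = """
static (inside,outside) tcp interface 80 192.168.10.20 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
"""

# Constructed sample: transparent mode, where the ACE names the real server address.
TRANSPARENT_CONFIG = """
access-list ACL_IN extended permit tcp any host 192.168.10.20 eq 80
access-group ACL_IN in interface outside
"""

# Constructed sample reproducing the thread's problems in one fragment.
BROKEN_CONFIG = """
static (inside,outside) 203.0.113.10 192.168.10.20 netmask 255.255.255.255
access-list 101 standard permit 192.168.10.20 255.255.255.255
access-group 101 in interface outside
access-list ACL_IN extended permit tcp any host 192.168.10.20 eq 80
access-group ACL_IN in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:(?:tcp|udp) )?(\S+) (?:\d+ )?(\S+)")
ACE_RE = re.compile(r"^access-list (\S+) (?:(standard|extended|ethertype) )?(permit|deny)(?: (.*))?$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
DEST_RE = re.compile(r"^(?:tcp|udp) (?:any|host \S+|\S+ \S+) (host \S+|interface \S+|any)")


def lint(config, mode="routed"):
    """Return a list of (code, message) findings for one config fragment."""
    statics = []                  # (real_iface, mapped_iface, mapped_addr, real_addr)
    acl_types = {}                # ACL name -> standard | extended | ethertype
    aces = []                     # (ACL name, destination token of a tcp/udp ACE)
    bindings = defaultdict(list)  # (interface, direction) -> bound ACL names

    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACE_RE.match(line):
            name, kind, _, rest = m.groups()
            # The type keyword is optional on the ASA CLI; an untyped ACE is extended.
            acl_types.setdefault(name, kind or "extended")
            if d := DEST_RE.match(rest or ""):
                aces.append((name, d.group(1)))
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            bindings[(iface, direction)].append(name)

    findings = []
    for (iface, direction), names in bindings.items():
        for name in names:
            kind = acl_types.get(name)
            if kind is None:
                findings.append(("MISSING_ACL", f"access-group binds undefined ACL {name}"))
            elif kind == "standard":
                findings.append(("STANDARD_ACL", f"ACL {name} is standard; only extended or "
                                 f"ethertype ACLs can be attached to interface {iface}"))
        if len(names) > 1:
            findings.append(("DUPLICATE_BINDING", f"{len(names)} ACLs bound {direction} on "
                             f"{iface} ({', '.join(names)}); only one is allowed per direction"))

    if mode == "transparent" and statics:
        findings.append(("STATIC_IN_TRANSPARENT",
                         "static is not accepted on a 7.x transparent firewall"))
    if mode == "routed":
        real_to_mapped = {real: (mapped, mapped_if) for _, mapped_if, mapped, real in statics}
        for name, dest in aces:
            addr = dest[5:] if dest.startswith("host ") else None
            if addr in real_to_mapped:
                mapped, mapped_if = real_to_mapped[addr]
                expect = f"interface {mapped_if}" if mapped == "interface" else f"host {mapped}"
                findings.append(("REAL_ADDRESS", f"ACL {name} permits real address {addr}; a "
                                 f"pre-8.3 routed ASA matches the mapped address ({expect})"))
    return findings


if __name__ == "__main__":
    for label, cfg, mode in [("routed", ROUTED_CONFIG, "routed"), ("pat", PAT_CONFIG, "routed"),
                             ("transparent", TRANSPARENT_CONFIG, "transparent"),
                             ("broken", BROKEN_CONFIG, "routed")]:
        print(label, lint(cfg, mode) or "ok")
```

Run it as a script and the three clean fragments report "ok" while the broken one reports all three problems from the thread. The access-group replacement check is the one to keep in mind when adding a rule to a box that is already in service: bind the new ACE to the ACL that is already attached to the interface (or add it to that ACL) rather than creating a second ACL and a second access-group for the same interface.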