WebServer behind a PIX firewall

tgarner-library
Level 1

I have a webserver that is on the network behind the firewall running a specific application. I was told that I needed to allow public access to that web application. How can I set the firewall to allow traffic to that specific webserver. Also, I need the traffic to be directed to: http://192.168.xx.xx/Public

What's the best way to set this up?

11 Replies

vitripat
Level 7

First .. do we have a public IP address for the domain of your webserver? If yes, let's assume that the public IP address is "y.y.y.y"; then you'll need the following commands:

static (inside,outside) y.y.y.y 192.168.xx.xx

access-list 101 permit tcp any host y.y.y.y eq 80

access-group 101 in interface outside

clear xlate local 192.168.xx.xx

Outside users will be able to access your webserver using "http://y.y.y.y/Public"

Second .. if we don't have a separate public IP for the webserver, and need to use the public IP address given to the outside interface of the PIX, the commands would be:

static (inside,outside) tcp interface 80 192.168.xx.xx 80

access-list 101 permit tcp any interface eq 80

access-gr 101 in interface outside

clear xlate local 192.168.xx.xx

Now outside users will be able to access your server using the public IP on the outside interface of the PIX.

Hope this helps.

Regards,

Vibhor.

I received 2 errors:

f01(config)# access-list 101 permit tcp any interface eq 80

ERROR: % Invalid input detected at '^' marker. (the marker pointed to the e)

f-01(config)# access-gr 101 in interface outside

ERROR: access-list <101> is standard. Only "extended" or "ethertype" acls

can be attached to an interface

this seems to be FWSM .. is it?

not to make myself sound like a complete moron - but what is FWSM?

a Firewall module installed in a cat 6k switch or a 7k router ..

can you confirm what firewall do we have here ?

an IOS based firewall .. a PIX firewall or a firewall module ?

this is what I'm working with:

f01# show ver

Cisco Adaptive Security Appliance Software Version 7.0(4)2

Device Manager Version 5.0(4)1

Compiled on Tue 15-Nov-05 11:41 by root

System image file is "disk0:/asa704-2-k8.bin"

Config file at boot was "startup-config"

f-01 up 1 year 64 days

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 64MB

BIOS Flash AT49LW080: @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

perfect .. this is ASA .. similar to PIX.

It seems that your ASA is working in "Transparent" mode .. for that the commands would be a little different.

Don't suppose you know what the commands would be to get this working?

As this is a Transparent firewall, you only need the following commands:

access-list ACL_IN extended permit tcp any host 192.168.xx.xx eq 80

access-group ACL_IN in interface outside

Well, I found out the hard way that you can only have one access-list per interface. When I created the access-list ACL_IN and the access-group ACL_IN, it broke many things. This is what ended up fixing it:

Step 1. static (inside, outside) netmask 255.255.255.255

Step 2. access-list outside_access_in extend tcp any host eq www

Step 3. no access-group outside_access_in in interface outside

Step 4. access-group outside_access_in in interface outside

and that worked!
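Added example, written for this thread and not taken from any post or from Cisco: a small Python model of the "static + access-list + access-group" pattern in vitripat's first reply, using the extended keyword that the ASA 7.0 error message demanded. Addresses are constructed placeholders; the inbound ACL is matched against the mapped (public) address and then the static translates it, which is how PIX and pre-8.3 ASA code behaves, and anything not explicitly permitted falls to the implicit deny.

```python
# Toy model of PIX/ASA 7.x "static" + inbound "access-list" evaluation (not Cisco code).
PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # names the CLI accepts after "eq"


def _port(tok):
    return int(PORT_NAMES.get(tok, tok))


def parse_config(text, outside_if_ip):
    """Parse only the syntax used in the thread. Returns (statics, aces)."""
    statics, aces = [], []
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "static":
            # static (inside,outside) <mapped> <real>                       -> 1:1 NAT
            # static (inside,outside) tcp <mapped> <mport> <real> <rport>  -> port static
            if t[2] in ("tcp", "udp"):
                mapped = outside_if_ip if t[3] == "interface" else t[3]
                statics.append((mapped, _port(t[4]), t[5], _port(t[6])))
            else:
                mapped = outside_if_ip if t[2] == "interface" else t[2]
                statics.append((mapped, None, t[3], None))
        elif t[0] == "access-list":
            # access-list <name> [extended] permit tcp any host <mapped> eq <port>
            f = t[3:] if t[2] == "extended" else t[2:]
            aces.append((f[0], f[1], f[4], _port(f[6])))  # (action, proto, dst, port)
    return statics, aces


def evaluate(statics, aces, proto, dst_ip, dst_port):
    """Inbound packet on the outside interface -> ('permit', real_ip) or ('deny', None)."""
    for action, p, ip, port in aces:  # first matching entry wins
        if p in (proto, "ip") and ip == dst_ip and port == dst_port:
            if action == "deny":
                return ("deny", None)
            for mapped, mport, real, _ in statics:  # permitted: find the translation
                if mapped == dst_ip and mport in (None, dst_port):
                    return ("permit", real)
            return ("deny", None)  # permitted but nothing to translate to
    return ("deny", None)  # implicit deny at the end of every ACL


# Constructed configs mirroring the two variants in the first reply (placeholder IPs).
CONFIG_DEDICATED = """
static (inside,outside) 203.0.113.10 192.168.10.20
access-list 101 extended permit tcp any host 203.0.113.10 eq 80
access-group 101 in interface outside
"""
CONFIG_INTERFACE = """
static (inside,outside) tcp interface 80 192.168.10.20 80
access-list 101 extended permit tcp any host 198.51.100.1 eq www
access-group 101 in interface outside
"""
```

Run evaluate() for port 80 and a few other ports against each config to confirm that only the web service is exposed and everything else hits the implicit deny.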
