Redirect web traffic

Answered Question
Mar 28th, 2007

Hello,


First, excuse my bad English.

I have a problem. I want to redirect external web traffic to my web server on the LAN (inside). I am testing the configuration with private IPs (see my basic configuration below). My web server is OK, but it does not work: it is impossible to reach the web server from any computer on the outside.

I forgot something, but what?


JLE


: Saved
:
PIX Version 7.2(2)14
!
hostname pix
domain-name test.com
enable password xxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.240 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name test.be
access-list outside_access_in extended permit tcp any eq www host 192.168.2.2 eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 2 192.168.2.2 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 0.0.0.0 www 192.168.2.2 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end





Overall Rating: 4.7 (3 ratings)
Correct Answer
David White (Cisco Employee), Wed, 03/28/2007 - 10:53

I assume you mean you want your web server to be reachable via the Outside IP of your PIX? If so, you need to modify both your ACL and your static statements to read:


access-list outside_access_in extended permit tcp any interface outside eq www

static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255


David.

Correct Answer
vitripat (Gold, 750 points or more), Wed, 03/28/2007 - 10:59

Hey there,


I'm not sure what the private IP address of the web server is (it seems to be 192.168.2.2, though) or what public address it will be accessed from. For now, please implement the following commands:


clear config static

no access-group outside_access_in in interface outside

clear config access-list outside_access_in


Now, as I'm not aware of the IP address that the outside hosts will use to access the server, I'll assume that outside hosts will use x.x.x.x to access the web server and that the private IP address of the web server is 192.168.2.2. For this scenario, the commands would be:


static (inside,outside) x.x.x.x 192.168.2.2

access-list outside_access_in permit tcp any host x.x.x.x eq 80

access-group outside_access_in in interface outside

clear xlate


If you are looking to use the IP address of the outside interface of the PIX to access the internal web server, the command set would be:


static (inside,outside) tcp interface 80 192.168.2.2 80

access-list outside_access_in permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

clear xlate


Hope this helps. Let me know how this goes.



Regards,

Vibhor.
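The two answers above (David White's and vitripat's) come down to the same point: on PIX 7.x the ACL applied on the outside interface is matched against the destination as it arrives on the wire, i.e. the outside address (the interface address, or the global address of the static), never the inside address 192.168.2.2, and the static must translate that same outside address and port to the server. The Python script below is an added example written for this page, not Cisco software or anything posted in the thread: it models that packet walk (outside ACL first, against the untranslated destination, then the static translation) and runs the question's original three lines and the corrected three lines through it. The outside client 192.168.1.50:40000 and the port-name table are constructed for the example; parse_config understands only the static (inside,outside) and access-list forms that appear in this thread, and everything else in the configuration (inspection, the nat/global pair for outbound traffic) is ignored.

```python
# Added example for this page (not Cisco software): a small model of how a
# pre-8.3 PIX/ASA handles an inbound TCP connection to a port-forwarded server.
# Assumed order of operations: (1) the ACL applied "in" on the outside interface
# is evaluated against the packet as it arrives, i.e. the untranslated (global)
# destination; (2) the connection then needs a static translation to reach an
# inside host. Addresses of the client and the port-name table are constructed.
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF_IP = "192.168.1.240"     # "ip address" of interface Ethernet0 in the posted config
PORT_NAMES = {"www": 80, "http": 80, "https": 443}   # constructed subset of PIX port names


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


@dataclass
class Static:
    global_ip: str
    global_port: Optional[int]      # None = one-to-one static, all ports
    local_ip: str
    local_port: Optional[int]


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple                      # ("any", None) or ("host", ip)
    sport: Optional[int]            # None = any port
    dst: tuple
    dport: Optional[int]


def _take_addr(toks, i, outside_ip):
    if toks[i] == "any":
        return ("any", None), i + 1
    if toks[i] == "interface":      # "interface outside" means the interface's own address
        return ("host", outside_ip), i + 2
    return ("host", toks[i + 1]), i + 2          # "host A.B.C.D"


def _take_port(toks, i):
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_config(config: str, outside_ip: str = OUTSIDE_IF_IP):
    """Extract what matters for inbound port forwarding: the static translations
    and the ACEs of the ACL bound 'in' on the outside interface."""
    statics, acls, bound = [], {}, None
    for raw in config.splitlines():
        toks = raw.split()
        if toks[:2] == ["static", "(inside,outside)"]:
            if toks[2] == "tcp":    # static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT ...
                g_ip = outside_ip if toks[3] == "interface" else toks[3]
                statics.append(Static(g_ip, _port(toks[4]), toks[5], _port(toks[6])))
            else:                   # static (inside,outside) GLOBAL LOCAL ...
                statics.append(Static(toks[2], None, toks[3], None))
        elif toks[:1] == ["access-list"]:
            i = 3 if toks[2] == "extended" else 2
            if toks[i] not in ("permit", "deny"):
                continue            # remarks etc.
            action, proto = toks[i], toks[i + 1]
            src, i = _take_addr(toks, i + 2, outside_ip)
            sport, i = _take_port(toks, i)
            dst, i = _take_addr(toks, i, outside_ip)
            dport, i = _take_port(toks, i)
            acls.setdefault(toks[1], []).append(Ace(action, proto, src, sport, dst, dport))
        elif toks[:1] == ["access-group"] and toks[2:5] == ["in", "interface", "outside"]:
            bound = toks[1]
    return statics, acls.get(bound, [])


def _addr_match(spec, ip):
    return spec[0] == "any" or spec[1] == ip


def inbound_tcp(config, src_ip, src_port, dst_ip, dst_port):
    """Walk one inbound SYN through the model. Returns ("allowed", (ip, port))
    with the translated destination, or ("denied", reason)."""
    statics, aces = parse_config(config)
    for a in aces:                  # first matching ACE wins
        if (a.proto in ("tcp", "ip") and _addr_match(a.src, src_ip) and a.sport in (None, src_port)
                and _addr_match(a.dst, dst_ip) and a.dport in (None, dst_port)):
            if a.action == "deny":
                return "denied", "explicit deny"
            break
    else:
        return "denied", "no ACE matches the untranslated destination (implicit deny)"
    for s in statics:
        if s.global_ip == dst_ip and s.global_port in (None, dst_port):
            return "allowed", (s.local_ip, dst_port if s.local_port is None else s.local_port)
    return "denied", "ACL permits it, but no static translation exists for this destination"


# The three relevant lines from the question, as posted.
BROKEN = """
access-list outside_access_in extended permit tcp any eq www host 192.168.2.2 eq www
static (inside,outside) tcp 0.0.0.0 www 192.168.2.2 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
# The same three lines with the correction from the answers.
FIXED = """
access-list outside_access_in extended permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    client = ("192.168.1.50", 40000)        # constructed outside client
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, inbound_tcp(cfg, *client, OUTSIDE_IF_IP, 80))
    print("fixed/443", inbound_tcp(FIXED, *client, OUTSIDE_IF_IP, 443))
```

Running it shows the original configuration being denied before any translation is consulted: the ACE requires source port 80 (no browser sends from port 80) and names the inside address, which never appears as the destination of a packet arriving on the outside interface. The corrected pair permits 192.168.1.240:80 and hands it to 192.168.2.2:80, and a port with no static, such as 443, stays closed. The model does not pretend to know what a real PIX does with a global address of 0.0.0.0 in a static; it simply treats it as an address that will never match, which is the safe reading either way.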

Correct Answer
abinjola (Cisco Employee), Wed, 03/28/2007 - 11:25

Your users would ring your phone bell like crazy once you do a clear xlate, so better watch it.


Try:


cl xlate loc 192.168.2.2


The above would not clear all the xlate entries.

tagadapouette, Wed, 03/28/2007 - 12:04

Thanks all for your replies.

Yes, IP of my web server is 192.168.2.2

Yes I want my web server to be reachable via the outside IP of my PIX.

I'll try all your suggestions tomorrow (it's too late: 20h45 in Belgium, not enough time in a day).


Perhaps another question: I want to configure VPN access (for the Windows VPN client) with PPTP (does it no longer exist?) or L2TP. I used the wizard, but once again it's impossible to make a VPN connection. Do you have a link to a step-by-step guide?

Sorry, it's my first firewall and it's not really easy to configure.


JLE

abinjola (Cisco Employee), Wed, 03/28/2007 - 12:18

If there is one single PPTP client trying to go outside, then use the following commands:


policy-map global_policy

class inspection_default

inspect pptp


See if it helps.
