03-28-2007 10:44 AM - edited 03-11-2019 02:53 AM
Hello,
First excuse my bad english.
I've a problem. I want redirect external web trafic to my web server on lan (inside). I test configuration with privates IP (see below my basic configuration). My web server is ok but that's not work, impossible to join web server from any computer on outside side.
I forgot something, but what ????
JLE
: Saved
:
PIX Version 7.2(2)14
!
hostname pix
domain-name test.com
enable password xxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.240 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name test.be
access-list outside_access_in extended permit tcp any eq www host 192.168.2.2 eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 2 192.168.2.2 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 0.0.0.0 www 192.168.2.2 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
no asdm history enable
Solved! Go to Solution.
03-28-2007 10:53 AM
I assume you mean you want your web server to be reachable via the Outside IP of your PIX? If so, you need to modify both your ACL and your static statements to read:
access-list outside_access_in extended permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255
David.
03-28-2007 10:59 AM
Hey there ..
I'm not sure what is the private IP address of the webserver (it seems 192.168.2.2 though) and what is the public address from which it will be accessed. For now, please implement following commands-
clear config static
no access-group outside_access_in in interface outside
clear config access-list outside_access_in
Now, as I'm not aware of the IP address which will be used by the outside hosts to access the server, I'll assume that outside hosts will use x.x.x.x to access the web server and the private IP address of web server is 192.168.2.2. For this scenario, commands would be-
static (inside,outside) x.x.x.x 192.168.2.2
access-list outside_access_in permit tcp any host x.x.x.x eq 80
access-group outside_access_in in interface outside
clear xlate
If you are looking to use the IP address on outside interface of PIX to access the internal webserver, the command set would be-
static (inside,outside) tcp interface 80 192.168.2.2 80
access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
clear xlate
Hope this helps. Let me know how this goes.
Regards,
Vibhor.
03-28-2007 11:25 AM
your users would ring ya phone bell crazy once you do a cl xlate..so better watch it
try
cl xlate loc 192.168.2.2
the above would not cl the entire xlate entries
03-28-2007 10:53 AM
I assume you mean you want your web server to be reachable via the Outside IP of your PIX? If so, you need to modify both your ACL and your static statements to read:
access-list outside_access_in extended permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255
David.
03-28-2007 10:59 AM
Hey there ..
I'm not sure what is the private IP address of the webserver (it seems 192.168.2.2 though) and what is the public address from which it will be accessed. For now, please implement following commands-
clear config static
no access-group outside_access_in in interface outside
clear config access-list outside_access_in
Now, as I'm not aware of the IP address which will be used by the outside hosts to access the server, I'll assume that outside hosts will use x.x.x.x to access the web server and the private IP address of web server is 192.168.2.2. For this scenario, commands would be-
static (inside,outside) x.x.x.x 192.168.2.2
access-list outside_access_in permit tcp any host x.x.x.x eq 80
access-group outside_access_in in interface outside
clear xlate
If you are looking to use the IP address on outside interface of PIX to access the internal webserver, the command set would be-
static (inside,outside) tcp interface 80 192.168.2.2 80
access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
clear xlate
Hope this helps. Let me know how this goes.
Regards,
Vibhor.
03-28-2007 11:25 AM
your users would ring ya phone bell crazy once you do a cl xlate..so better watch it
try
cl xlate loc 192.168.2.2
the above would not cl the entire xlate entries
03-28-2007 12:04 PM
Thanks all for your replies.
Yes, IP of my web server is 192.168.2.2
Yes I want my web server to be reachable via the outside IP of my PIX.
I'll try all your suggestions tomorow (it's too late : 20h45 in Belgium. Not enough time in a day)
Perhaps another question: I want to configure VPN access (for Windows vpn client) with PPTP (no longer exists?) or L2TP. I used the wizard, but one more time it's impossible to make a vpn connection. Have you a link with step by step guide?
Sorry, it' my first firewall and that's not realy easy to configure.
JLE
03-28-2007 12:18 PM
if there is one single PPTP client trying to go outside then use following commands :-
policy-map global_policy
class inspection_default
inspect pptp
see if it helps
03-28-2007 12:18 PM
Here is a link which should be helpful-
Configuring the Cisco Secure PIX Firewall to Use PPTP:
Regards,
Vibhor.
03-28-2007 12:23 PM
PPTP termination on the PIX is not available starting with version 7.0. It is available in versions 6.3 and lower.
PPTP over IPSec is available. See the following TAC doc for configuration steps:
David.
03-29-2007 05:24 AM
Great all is ok now!!
Thanks to all.
JLE
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: