Redirect web trafic

tagadapouette
Level 1

Hello,

First, excuse my bad English.

I have a problem. I want to redirect external web traffic to my web server on the LAN (inside). I am testing the configuration with private IPs (see my basic configuration below). My web server is OK, but it does not work: it is impossible to reach the web server from any computer on the outside side.

I forgot something, but what?

JLE

: Saved
:
PIX Version 7.2(2)14
!
hostname pix
domain-name test.com
enable password xxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.240 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name test.be
access-list outside_access_in extended permit tcp any eq www host 192.168.2.2 eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 2 192.168.2.2 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 0.0.0.0 www 192.168.2.2 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end


3 Accepted Solutions

David White
Cisco Employee

I assume you mean you want your web server to be reachable via the Outside IP of your PIX? If so, you need to modify both your ACL and your static statements to read:

access-list outside_access_in extended permit tcp any interface outside eq www

static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255

David.


vitripat
Level 7

Hey there ..

I'm not sure what the private IP address of the web server is (it seems to be 192.168.2.2, though) and what the public address is from which it will be accessed. For now, please implement the following commands:

clear config static

no access-group outside_access_in in interface outside

clear config access-list outside_access_in

Now, as I'm not aware of the IP address which will be used by the outside hosts to access the server, I'll assume that outside hosts will use x.x.x.x to access the web server and that the private IP address of the web server is 192.168.2.2. For this scenario, the commands would be:

static (inside,outside) x.x.x.x 192.168.2.2

access-list outside_access_in permit tcp any host x.x.x.x eq 80

access-group outside_access_in in interface outside

clear xlate

If you are looking to use the IP address on the outside interface of the PIX to access the internal web server, the command set would be:

static (inside,outside) tcp interface 80 192.168.2.2 80

access-list outside_access_in permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

clear xlate

Hope this helps. Let me know how this goes.

Regards,

Vibhor.

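As an added check that is not part of the thread: a small Python script that parses the three lines which decide an inbound port-forward on this PIX (the static, the outside ACL and the access-group) and reports the mismatches in the posted config that David's and Vibhor's replies correct. The samples are constructed from the poster's original lines, David White's corrected lines and Vibhor's dedicated-address form, with 203.0.113.10 standing in for his x.x.x.x; the rules it encodes are PIX 7.x behaviour (an outside ACL matches the mapped address, a port operator after the source is a source-port match).

```python
# Constructed samples: poster's original lines, David's fix, Vibhor's dedicated-IP form.
BROKEN = [
    "access-list outside_access_in extended permit tcp any eq www host 192.168.2.2 eq www",
    "static (inside,outside) tcp 0.0.0.0 www 192.168.2.2 www netmask 255.255.255.255",
    "access-group outside_access_in in interface outside",
]
FIXED_INTERFACE = [
    "access-list outside_access_in extended permit tcp any interface outside eq www",
    "static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255",
    "access-group outside_access_in in interface outside",
]
FIXED_DEDICATED = [  # 203.0.113.10 is a placeholder for the x.x.x.x in Vibhor's reply
    "static (inside,outside) 203.0.113.10 192.168.2.2",
    "access-list outside_access_in permit tcp any host 203.0.113.10 eq 80",
    "access-group outside_access_in in interface outside",
]

def _addr(tok, i):
    """Parse one ACL address spec at tok[i]; return (spec, index after it)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in ("host", "interface"):
        return tok[i] + " " + tok[i + 1], i + 2
    return tok[i], i + 2  # "address mask" form

def check_port_forward(lines):
    """Return findings for an inbound port-forward on PIX 7.x (empty list = consistent)."""
    findings, statics, bound = [], [], {}
    for tok in (ln.split() for ln in lines if ln.strip()):
        if tok[0] == "static":  # static (in,out) [tcp|udp mapped mport] real [rport]
            off = 1 if tok[2] in ("tcp", "udp") else 0
            statics.append((tok[2 + off], tok[3 + 2 * off]))  # (mapped, real)
        elif tok[0] == "access-group":
            bound[tok[1]] = tok[-1]  # ACL name -> interface it is applied on
    reals = {real for _, real in statics}
    for mapped, _ in statics:
        if mapped == "0.0.0.0":
            findings.append("static maps 0.0.0.0: use 'interface' or a real outside address")
    for tok in (ln.split() for ln in lines if ln.strip()):
        if tok[0] != "access-list" or bound.get(tok[1]) != "outside":
            continue
        i = tok.index("permit") + 2  # skip the protocol keyword
        _, i = _addr(tok, i)
        if i < len(tok) and tok[i] == "eq":  # port right after the source = client source port
            findings.append("ACL pins the client source port (eq %s); remove it" % tok[i + 1])
            i += 2
        dst, _ = _addr(tok, i)
        if dst.startswith("host ") and dst.split()[1] in reals:
            findings.append("ACL destination %s is the real inside address; on 7.x use the mapped address" % dst.split()[1])
    return findings
```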

abinjola
Cisco Employee

Your users would ring your phone bell crazy once you do a cl xlate, so better watch it.

try

cl xlate loc 192.168.2.2

The above would not clear all the xlate entries.


8 Replies


tagadapouette
Level 1

Thanks all for your replies.

Yes, the IP of my web server is 192.168.2.2.

Yes I want my web server to be reachable via the outside IP of my PIX.

I'll try all your suggestions tomorrow (it's too late: 20h45 in Belgium. Not enough time in a day).

Perhaps another question: I want to configure VPN access (for the Windows VPN client) with PPTP (no longer exists?) or L2TP. I used the wizard, but once again it's impossible to make a VPN connection. Do you have a link to a step-by-step guide?

Sorry, it's my first firewall and it's not really easy to configure.

JLE

If there is a single PPTP client trying to go outside, then use the following commands:

policy-map global_policy

class inspection_default

inspect pptp

See if it helps.

Here is a link which should be helpful:

Configuring the Cisco Secure PIX Firewall to Use PPTP:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

Regards,

Vibhor.

PPTP termination on the PIX is not available starting with version 7.0. It is available in versions 6.3 and lower.

PPTP over IPSec is available. See the following TAC doc for configuration steps:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

David.

tagadapouette
Level 1
Level 1

Great, all is OK now!!

Thanks to all.

JLE
