NAT on a PIX

loubarsony
Level 1

Hello -

I am attempting to access an SSL-terminating webserver on an internal host through a PIX 515 running 8.0.

I have inside and outside interfaces defined.

I wish to have any external host use SSL to access the destination webserver.

I also have a management station that is on the same subnet as the inside interface and the webserver host.

The outside interface has a security value of 20 while the inside one has a value of 100.

I put in an exemption for the inside subnet, but for some strange reason I can ping all interfaces yet I cannot get ASDM to access the inside interface.

Any advice is appreciated.

L.

3 Replies

Maykol Rojas
Cisco Employee

Hi,

I guess we are going to need more information; the problem started as a webserver issue and ended up with losing ASDM access. Would you please clarify the following points?

Are the outside hosts going to access this SSL server on the inside?

Are you planning to do NAT, or do you plan to do NAT exemption?

What rule did you put in that kills your ASDM on the inside? Can you paste it?

Normally what you will need (in case NAT control is enabled or you have any NAT going on in the config) is to translate the host to something and then allow it on the outside ACL.

Please clarify those points, we will be more than glad to assist you.

Cheers,

Mike

Magnus Mortensen
Cisco Employee

Lou,

To access ASDM you will need the following things:

1) The command 'http server enable'

2) A copy of the ASDM code in flash and the command 'asdm image ' in the config

3) A permission line like 'http 192.168.2.0 255.255.255.0 inside'

Also, you can only have ASDM connect to the interface facing you. If you are on the inside, you will be able to connect to the inside interface IP. If you are on the outside, then only the outside interface IP will work for you.

You can check to make sure the PIX is reading the ASDM image correctly by looking at 'show version':

Cisco PIX Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(5)   <<<<<<<<<<<<

If the line is missing, check to make sure you have the 'asdm image' line and the right version in flash.

With regard to the other issue, it sounds like you are trying to access an SSL server on the INSIDE from the Internet... right? If so, a quick sample of what you would need to do would be:

static (inside,outside) tcp interface 443 443
!
access-list outside_access_in permit tcp any interface outside eq 443
!
access-group outside_access_in in interface outside

With that configlet, you can then connect to the outside interface of your PIX with HTTPS and it will pass that HTTPS connection through to the internal SSL server.

- Magnus
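As an added example (not from this thread or from Cisco), here is a small Python audit that reads a saved PIX config and checks for the three ASDM prerequisites and the static-plus-ACL pattern described above; it goes slightly beyond the post by also flagging an access-list that is defined but never applied and an inside interface whose security level is not above the outside one. The sample config, interface names and addresses are constructed placeholders.

```python
import re
# Constructed sample in the style of the config posted in this thread (placeholder names, not the
# poster's): inside sits BELOW outside in security level, 'asdm image' is missing, ACL 110 is unused.
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 10
interface Ethernet2
 nameif outside
 security-level 20
http server enable
http 192.168.1.0 255.255.255.0 inside
access-list 110 extended permit tcp any interface outside eq https
access-list outside_in extended permit ip any any
static (inside,outside) tcp interface https 192.168.1.80 https netmask 255.255.255.255
access-group outside_in in interface outside
"""
def security_levels(lines):
    levels, name = {}, None  # nameif precedes security-level inside each interface block
    for l in lines:
        if l.startswith(" nameif "):
            name = l.split()[1]
        elif l.startswith(" security-level ") and name:
            levels[name] = int(l.split()[1])
    return levels

def audit(cfg, inside="inside", outside="outside"):
    lines, f = cfg.splitlines(), []  # f collects findings; an empty list means every check passed
    # 1) ASDM prerequisites named in the accepted answer
    if "http server enable" not in lines:
        f.append("missing 'http server enable'")
    if not any(l.startswith("asdm image ") for l in lines):
        f.append("missing 'asdm image <file>' line")
    if not any(re.match(rf"http \S+ \S+ {inside}$", l) for l in lines):
        f.append(f"no 'http <net> <mask> {inside}' permission line")
    # 2) the inside interface is expected to be the higher-security side
    lv = security_levels(lines)
    if inside in lv and outside in lv and lv[inside] <= lv[outside]:
        f.append(f"{inside} security-level {lv[inside]} is not higher than {outside} ({lv[outside]})")
    # 3) published HTTPS server: static PAT on the outside interface plus an applied ACL
    if not any(re.match(rf"static \({inside},{outside}\) tcp interface (443|https) ", l) for l in lines):
        f.append(f"no 'static ({inside},{outside}) tcp interface https ...' line")
    applied = dict(re.findall(r"^access-group (\S+) in interface (\S+)$", cfg, re.M))
    for acl in sorted({l.split()[1] for l in lines if l.startswith("access-list ")} - set(applied)):
        f.append(f"access-list {acl} is defined but not applied to any interface")
    outside_acls = {n for n, i in applied.items() if i == outside}
    allow = rf"^access-list (\S+) .*permit (ip|tcp) any (any|interface {outside})( eq (443|https))?$"
    if not any((m := re.match(allow, l)) and m.group(1) in outside_acls for l in lines):
        f.append(f"ACL applied to {outside} does not permit tcp/443 to the {outside} interface")
    return f
```

Run audit() against a 'show running-config' capture with your own interface names, for example audit(cfg, inside="inside", outside="BPM-Vlab-external-1").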

Thanks Magnus - sorry for the delay.

I implemented a static link that was very similar to what you suggested, but not identical.

This could be why I am getting the following problem...

My SSL webserver is receiving the forwarded SYNs from the client, and responding, but the ACK is getting lost.

I have a record of the ACK on the server but I get no record of it on the PIX. No ACLs appear to be triggered by the ACK either.

The Management-subnet is actually not being used for management but the interface 192.168.11.15 is.

Any thoughts?

name 192.168.1.80 BPM-server
name 192.168.1.64 BPM-server-subnet description Small subnet to hold BPM and AG servers
name 192.168.1.0 Management-subnet description Small subnet to manage devices
!
interface Ethernet0
 description Management interface for Vlab PIX
 nameif Vlab-1-mgmt
 security-level 100
 ip address 192.168.11.15 255.255.255.0
 management-only
!
interface Ethernet1
 description This is used for management access and for the BPM and other demo servers
 nameif inside
 security-level 10
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet2
 description This will provide external service to the Bell Privacy Manager demo and Sharepoint servers
 nameif BPM-Vlab-external-1
 security-level 20
 ip address xxx.yyy.zzz.67 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object BPM-server-subnet 255.255.255.248
 network-object xxx.yyy.zzz.64 255.255.255.248
access-list 100 extended permit tcp Management-subnet 255.255.255.0 any
access-list 100 extended permit ip any Management-subnet 255.255.255.0
access-list 100 extended permit ip xxx.yyy.zzz.64 255.255.255.248 Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in extended permit icmp any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit udp host 192.168.1.1 host 192.168.1.2
access-list 110 extended permit tcp any host xxx.yyy.zzz.67 eq https
access-list inside_access_in_1 extended permit udp host 192.168.1.1 host 192.168.1.2
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in_1 extended permit ip Management-subnet 255.255.255.0 any
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any any
global (BPM-Vlab-external-1) 1 xxx.yyy.zzz.69
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,BPM-Vlab-external-1) tcp interface https BPM-server https netmask 255.255.255.255
access-group 100 in interface inside
access-group BPM-Vlab-external-1_access_in_1 in interface BPM-Vlab-external-1
!
router rip
 version 2
!
route BPM-Vlab-external-1 0.0.0.0 0.0.0.0 xxx.yyy.zzz.68 1