I am charged with configuring a PIX 515 (running v6.3.5) to allow inbound access to multiple web servers as well as FTP servers. My ip addressing is as follows:
All IP Addresses on the outside subnet are taken by the 2 upstream routers (1 ip each, 1 HSRP IP, managed by our ISP), and by the 2 firewalls in failover with the virtual IP address.
My question is, how do I configure the firewall to allow access to the internal web servers with Public IPs (all servers will have Public IP Addresses on their outside interface)? I know generally speaking, to allow inbound access you must have a static statement as well as an access list to provide inbound access, but how do you do this with only 1 public IP? Can you bypass the need for static statements, and let the firewall act as a router and filter access via ACLs? PAT from the outside in is not an option.
You're on the right track - you need an ACL on the outside interface and a static - port mapped to TCP port 80, if you only have the one IP address then you can use key word 'interface' on the static command i.e.
Ok, so what if you have multiple web servers on the inside interface of the PIX that need to be accessed from outside? My understanding of the command above is that you can only provide access to 1 internal IP address through that command, and external users will not be able to access all 30 or 40 internal webservers. Please correct me if I am wrong.
My assumption is that the external ISP router will be announcing the internal Public IP block. Can I perform a static for each server that needs to be accessed via the outside: (outside, inside) 206.x.x.x 255.255.255.255 206.x.x.x 255.255.255.255? Will this allow traffic inside the firewall, and then I will control access via ACLs?
- 1 public IP address (assigned to the outside interface of the PIX).
- 5 web servers (may be more) on the internal network; you need to access these servers from outside using the public IP address assigned to the outside interface of the PIX.
- 2 FTP servers which are also on inside network and are to be accessed from outside using public IP on outside interface of PIX.
** No. of internal servers fictitious.
Problem in this scenario is that we need to map a single public IP to many internal IPs. This would have been ok if internal servers were using different services, but when it comes to 5 webservers which need to use the same IP, or 2 FTP servers which need to use same public IP, it is a problem. Why?
In such scenarios, we generally do port-redirection. But this works when there are internal servers working on independent ports. For example, 1 web server, 1 mail server, 1 FTP server. Here we can redirect port 80 traffic from the public IP to the web server, port 25 to the mail server and port 21 to the FTP server.
Problem is that there are multiple internal web servers, which are all working at port 80 !! And we can redirect port 80 from the public IP to only one of these servers !! Solution?
Well.. though there is not a very clear solution, we need to have things modified at the clients' end. What we need to have clients on outside do is, have them send requests for webserver1 on port 80, requests for webserver2 on port 8080, requests for webserver3 on port 8081. How this helps?
- we redirect port 80 from outside public IP to webserver1 internal IP on port 80
- redirect port 8080 from outside public IP to webserver2 internal IP on port 80
- redirect port 8081 from outside public IP to webserver3 internal IP on port 80
I understand that this may not seem to be a very good solution, but with current limitations, this is the only option available .. :(
Let me know if you need commands for this. Hope this is helpful.
jon.marshall is dead on - this took care of the issue. I guess the key to this situation is that the subnet on the Inside interface is also routable on the internet, and our ISP is announcing this block out to the internet. This worked well for me.
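As an added example (not posted in the thread), here is a PIX 6.3 configuration sketch of the two approaches discussed above: identity statics for a publicly routable inside block (what ended up working), and interface port redirection for the single-public-IP case with the clients using alternate ports. All addresses are assumed placeholders (203.0.113.0/24 for the public block and PIX outside address, 10.1.1.0/24 for the private inside hosts); apply only one of the two cases.

```cisco
: Added example, not from the thread. Placeholder addresses throughout.
: ---- Case A: inside subnet is publicly routable (ISP routes 203.0.113.0/24 to the PIX) ----
: Identity statics keep each server's public address unchanged through the firewall,
: so the ACL can name the real server addresses; the PIX still only permits what the ACL allows.
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 203.0.113.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.20 203.0.113.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-list outside_in permit tcp any host 203.0.113.20 eq ftp
access-group outside_in in interface outside

: ---- Case B: only the PIX outside address (assumed 203.0.113.2) is public ----
: Port redirection: each external port maps to one internal server on its native port.
static (inside,outside) tcp interface www  10.1.1.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.1.1.11 www netmask 255.255.255.255
static (inside,outside) tcp interface 8081 10.1.1.12 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp  10.1.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 2121 10.1.1.21 ftp netmask 255.255.255.255
: The FTP fixup only inspects port 21 by default; the second FTP server is reached on
: 2121, so tell the fixup about that port or its data connections will not be handled.
fixup protocol ftp 2121
: Open exactly the redirected ports on the outside address, nothing else.
access-list outside_in permit tcp any host 203.0.113.2 eq www
access-list outside_in permit tcp any host 203.0.113.2 eq 8080
access-list outside_in permit tcp any host 203.0.113.2 eq 8081
access-list outside_in permit tcp any host 203.0.113.2 eq ftp
access-list outside_in permit tcp any host 203.0.113.2 eq 2121
access-group outside_in in interface outside
```

After adding or changing static entries, run `clear xlate` so existing translation slots are rebuilt; verify with `show xlate` and `show access-list outside_in` (hit counts) that only the intended ports are being matched.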