New Member
Internal website through PIX 515E

I recently became the network administrator for a small local government entity. I have been thrust into the world of Cisco, which is fine, but I have a lot to learn. I have a Cisco PIX 515E firewall and I need to configure it so that when a link on the website (hosted outside the company) is clicked, it will point to a GIS server running Apache inside our network. I have absolutely no idea how to do this in the CLI. I'm sorry if I'm asking too much here, but any help would be appreciated. The Apache server works internally, so at least that much is set up correctly. I just need the general public to be able to access it from the outside.

22 REPLIES
New Member

Re: Internal website through PIX 515E

Is the Apache server publicly addressable, or does it have a private IP?

New Member

Re: Internal website through PIX 515E

It's a private IP, but I was given the impression that you could still access a webpage by using the public IP as long as the correct routing was configured in the PIX firewall.

Green

Re: Internal website through PIX 515E

All you need is a static and an access-list statement.

public ip = 1.1.1.1

private ip = 192.168.1.10

static (inside,outside) 1.1.1.1 192.168.1.10 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 1.1.1.1 eq 80

access-group outside_access_in in interface outside

If 1.1.1.1 is also the outside address of your PIX, then you can do this:

static (inside,outside) interface 192.168.1.10 netmask 255.255.255.255

or port forward

static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

As far as DNS goes, the solution for that depends on where your DNS server is. If it is outside, then you can do DNS doctoring; if it is inside and is returning the outside address, you can do hairpinning on the inside interface with PIX 7.

New Member

Re: Internal website through PIX 515E

The DNS is handled by the server (this is a single server situation). I have entered those commands before (i.e. the static, access-list, and access-group commands) and had no luck. If I go to a browser and type in the IP address of the computer hosting this Apache server, it comes up just as it should. But should it work the same way if I come from an outside IP address? For example, if I go to my house, open a browser and type in "http://1.1.1.1", will it route to the Apache server on the internal address and come up properly? If there is any other information that you need, please ask and I will provide what I can.

And thank you to all who are trying to help my poor Cisco-ignorant self.

Green

Re: Internal website through PIX 515E

Yes, the PIX would make the translation between the public address, 1.1.1.1, and the private one. Could you possibly post your PIX config? Remove passwords etc. Give us the inside address of the server and the address you are attempting to hit from the outside, and is this address the same as your outside interface on the PIX?

New Member

Re: Internal website through PIX 515E

There was a TCP interface forward to 192.168.100.11. I removed it because it was conflicting with the forward I was trying to do to 192.168.100.68, not to mention that there is no 192.168.100.11 within my network. That may have been left over from before they moved, when they still hosted their own website. The outside IP address I would rather not give out. The outside address of the PIX is our one and only public IP address, so yes, it is the same. Modified config attached...

Green

Re: Internal website through PIX 515E

The access-list is wrong; this would only allow a source of 192.168.100.68 to a destination of 1.1.1.1. Change it to this...

no access-list outside_access_in permit tcp host 192.168.100.68 host 1.1.1.1 eq www

access-list outside_access_in permit tcp any host 1.1.1.1 eq www

access-group outside_access_in in interface outside

This can be removed...

static (inside,outside) tcp 192.168.100.68 www 1.1.1.1 www netmask 255.255.255.255 0 0

and if you don't have a 100.11 you can remove these too...

static (inside,outside) tcp interface smtp 192.168.100.11 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 32000 192.168.100.11 32000 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 32001 192.168.100.11 32001 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 32000 192.168.100.11 32000 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 32001 192.168.100.11 32001 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 192.168.100.11 pop3 netmask 255.255.255.255 0 0
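An added check, not from this thread or from Cisco, that reads the static, access-list and access-group lines of a PIX-style config and flags the exact mistake the reply above describes (a permit whose source is the inside host instead of any), plus a static with no ACL applied at all. The sample config is constructed from the addresses in this thread, port keywords are mapped to numbers so www and 80 compare equal, and the parser covers only tcp/udp port-forward statics, not one-to-one statics.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread: the port-forward static, the too-narrow
# access-list entry the reply above points out, and the access-group binding it.
BROKEN_CONFIG = """\
static (inside,outside) tcp interface www 192.168.100.68 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp host 192.168.100.68 host 1.1.1.1 eq www
access-group outside_access_in in interface outside
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("host 192.168.100.68 host 1.1.1.1", "any host 1.1.1.1")

PORT_NAMES = {"www": "80", "http": "80", "smtp": "25", "pop3": "110"}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def norm_port(p: str) -> str:
    """Map PIX port keywords (www, smtp, ...) to numbers so 'www' and '80' compare equal."""
    return PORT_NAMES.get(p, p)

def check_port_forwards(config: str, outside_ip: str) -> List[str]:
    """Return one finding per static whose public address/port the outside ACL does not open to 'any'."""
    acls: Dict[str, List[Tuple[str, str, str, str]]] = {}  # name -> (proto, src, dst, port)
    bound: Dict[str, str] = {}  # interface -> ACL name applied inbound
    statics: List[Tuple[str, ...]] = []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            _inside, outside, proto, gaddr, gport, laddr, lport = m.groups()
            if gaddr == "interface":  # 'interface' keyword means the outside interface address
                gaddr = outside_ip
            statics.append((outside, proto, gaddr, norm_port(gport), laddr, norm_port(lport)))
        elif m := ACL_RE.match(line):
            name, proto, src, dst, p = m.groups()
            acls.setdefault(name, []).append((proto, src, dst, norm_port(p)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
    findings = []
    for outside, proto, gaddr, gport, laddr, lport in statics:
        name = bound.get(outside)
        if name is None:
            findings.append(f"{gaddr}:{gport} -> {laddr}:{lport}: no access-group applied on {outside}")
            continue
        hits = [e for e in acls.get(name, []) if e[0] == proto and e[2] == f"host {gaddr}" and e[3] == gport]
        if not hits:
            findings.append(f"{gaddr}:{gport} -> {laddr}:{lport}: {name} has no permit for {proto}/{gport}")
        elif not any(e[1] == "any" for e in hits):
            findings.append(f"{gaddr}:{gport} -> {laddr}:{lport}: {name} only permits source '{hits[0][1]}', public access needs 'any'")
    return findings
```

Run `check_port_forwards(BROKEN_CONFIG, "1.1.1.1")` against the pasted config and it reports the source restriction; the same call on FIXED_CONFIG returns an empty list.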

New Member

Re: Internal website through PIX 515E

Thank you again for the advice. I put in those exact entries (substituting our public IP for 1.1.1.1) and I still get "page cannot be displayed". Is there anything else I'm missing? The config is still the same with the exception of the items you said to change.

Green

Re: Internal website through PIX 515E

Could you post the config again just to be sure? Substitute 1.1.1.1 as before.

From the inside you are doing http://192.168.100.68 and it is working?

From the outside you are doing http://1.1.1.1 and it is not working?

New Member

Re: Internal website through PIX 515E

That is correct.

Here you go...I really appreciate all of this.

Green

Re: Internal website through PIX 515E

Is the server default gateway 192.168.100.100?

New Member

Re: Internal website through PIX 515E

Yes.

Green

Re: Internal website through PIX 515E

Sorry, I'm pretty much out of ideas. It should work fine. You might as well get rid of access-lists 140, smtp.1, and smtp.2, as they are not being used.

When trying from the outside, you aren't coming across the VPN tunnel you have configured, are you?

New Member

Re: Internal website through PIX 515E

Definitely not coming across the VPN. It needs to be accessible to the general public. Thanks again for all your time and effort. I'll sit here and ponder it some more. The guy who was here before me didn't set this up; he called in another company to do it for him, so there are some entries in there that probably don't need to be. The only IP addresses that I changed in the config, other than the public one to 1.1.1.1, were changed to x's. Anything that is in there as 0's, or the 10.211 which is a separate IP pool that connects to the same server, are all the exact IP addresses. Don't know if that makes a difference.

New Member

Re: Internal website through PIX 515E

Yes.

EDIT: This is a duplicate entry... please disregard.

Green

Re: Internal website through PIX 515E

Have you tried write mem and rebooting?

Post a thread over in the Firewall forum with your config; that may help.

Green

Re: Internal website through PIX 515E

^

New Member

Re: Internal website through PIX 515E

Every time I changed something in the config I did the write memory and reload commands. I'll try there. Thanks for letting me pick your brain all day :)

New Member

Re: Internal website through PIX 515E

Actually... that did it, man. I just tested it from an external IP and it worked. I just can't hit the external IP from an internal IP. Thank you so very much.

Green

Re: Internal website through PIX 515E

Ha, I think a rating is deserved after all that. Anyway, let me know if you want to work out the other problem. Enjoy.

New Member

Re: Internal website through PIX 515E

Other problem? I couldn't care less if they can't hit the external IP from inside the network. It's for the public to be able to access the most updated maps of our area through our 911 service. Unless there's another issue that I'm forgetting, everyone can just hit the local IP from inside the network if they want to see it.

Thanks again.

Green

Re: Internal website through PIX 515E

This would not be a PIX thing; it would be a DNS thing.

You need an internal DNS with the domain names resolving to your internal addresses. This has to be configured as the first DNS on the client.

The links/URLs on your website must be domain names, not IP addresses... or, if you're using a dynamic web, the script language should query the client's environment, determine if it's inside or outside, and send the appropriate address.

So, from the inside, when the client browser asks for http://www.here.gov... the local DNS serves up the internal address... when someone outside requests that URL, it is given the correct outside address to access your site.

I believe the PIX can only "hairpin" from VPN tunnel to VPN tunnel (and only with recent code, i.e. > 6.3{something}).

Good Luck

Scott
