04-19-2003 06:24 AM - edited 02-20-2020 09:21 PM
We have a PIX 515 running 6.1(1).
We know how to expose an internal HTTP server to a specific IP, but how do we achieve the same for a range of IPs?
How can I expose my HTTP server to a specific range of IP addresses or a network address range, e.g. 201.12.18.96 netmask 255.255.255.240, or something like x.x.x.0 255.255.255.0?
Could you help me by explaining a sample PIX conduit or access-list command?
Thanks in Advance.
04-19-2003 11:00 AM
Hi.
One way you can do it is by setting up multiple private IP addresses on the web server, and then using static to map them to registered IP addresses at the PIX.
You can use multiple static commands (one for each IP), or you can use static with a subnet, but for this to work you'll have to plan the private IP addresses given to the web server so that they'll match.
This is not the only way - there are other possible solutions.
But what is the goal here - what are you trying to do?
You can play with DNS records and "host headers" at the web server; you can host multiple domains on a single server using a single IP address.
Yizhar
04-20-2003 04:57 AM
Hi,
Thanks for your reply.
I am hosting a web service for my client for a temporary period. My aim is to only allow the range of addresses (x.x.x.96 255.255.255.224), which are his NAT pool IPs, to access the HTTP port exposed at my end. This HTTP server is right now statically mapped to allow access to "any" by
static (inside,outside) tcp x.x.x.105 8080 192.168.5.116 8080 netmask 255.255.255.255
conduit permit tcp host x.x.x.105 eq 8080 any
We can very well take care of this problem by allowing only a particular host to access this HTTP service, but what could be done if you need to allow access for a range of IPs as in the above case?
Using a static command per IP is really tedious if there are many IPs which need to be taken care of. Isn't there a better solution where we can expose HTTP access only to a range of IPs or a network address?
Secondly, can you please elaborate more on the solution you propose?
Thanks Again
04-20-2003 11:43 AM
Hi.
I misunderstood your question in the first place.
I thought that you were trying to host multiple web sites on your server with different IP addresses at your side. You should ignore my first reply.
All you have to do is very simple if I got the point now.
Just change this:
> conduit permit tcp host x.x.x.105 eq 8080 any
To this:
no conduit permit tcp host x.x.x.105 eq 8080 any
conduit permit tcp host x.x.x.105 eq 8080 x.x.x.96 255.255.255.224
"Allowing Untrusted Hosts Access to Hosts on Your Trusted Network ":
http://www.cisco.com/warp/public/707/28.html#topic7
Yizhar
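The original question also asked for an access-list form of the same restriction. The following is an added example, not part of Yizhar's reply or the poster's configuration. On PIX 6.x an access list takes subnet masks (not IOS-style wildcard masks) and, exactly like a conduit, matches on the global (translated) address of the server, so the existing static stays unchanged. The ACL name outside_in and the interface name outside are assumptions; the addresses are the ones from the thread.

```text
static (inside,outside) tcp x.x.x.105 8080 192.168.5.116 8080 netmask 255.255.255.255
no conduit permit tcp host x.x.x.105 eq 8080 any
access-list outside_in permit tcp x.x.x.96 255.255.255.224 host x.x.x.105 eq 8080
access-group outside_in in interface outside
clear xlate
write memory
```

Line by line: the static is the unchanged port mapping; the open conduit is removed; the access-list entry permits only the client's NAT pool x.x.x.96/27 to the exposed port, and the access-group binds that list to inbound traffic on the outside interface, where its implicit deny drops everything else. Two caveats a practitioner should check: once an access-group is bound to the interface, any other service that was previously opened with a conduit on that interface needs an equivalent permit entry in the list, and connections already established under the old rule are not torn down by the new one, so clear xlate (and, if needed, clearing the relevant connections) is the step to take before concluding that the rule "did not work", rather than a power cycle.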
04-20-2003 09:55 PM
Thanks a lot, Yizhar.
But, to tell you the truth, I had tried the same thing a couple of days back... obviously the rule logically says so... but I think it needed a "write mem" and a power cycle of the PIX after it was written ;-)
Anyway, thanks a million; my problem seems to be solved.
Thanks Again!!!