Incoming web server ACL

keithg
Level 1

I have the current config and need to allow incoming www traffic to a web server behind the PIX. What access-list command should I use, and how do I do a nat command to forward the outside interface's traffic on port 80 to the internal web server address? The outside interface is DHCP from the DSL router. I've tried multiple access-list, access-group and static commands and I'm still unsuccessful. Please help.

2 Replies

varakantam
Level 1

I am not sure what kind of address space you are working with, but it is always advisable to have a separate IP address for hosts which need access from external resources. If you do not have only one external IP address what you are looking for is something called Static PAT; but be warned that anything that comes on port 80 will be directed to the webserver, so use with caution.

static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_3_1/fwsm_cfg/cfgnat_f.htm#wp1043281

I only have one external IP, which is DHCP from my ISP, so I have IP ADDRESS OUTSIDE DHCP SETROUTE for that interface. What would the command for the static look like? Would it be this?

static (inside,outside) tcp interface outside http 192.168.2.x http netmask 255.255.255.255

Also what would the acl look like or do I need one?
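
A sketch of the single-address case asked about above, added here as an example and not taken from either poster or from Cisco's documentation: static PAT on the DHCP-assigned outside interface, plus an inbound ACL limited to TCP port 80. It assumes PIX 6.x syntax; the ACL name outside_in is an assumption, and 192.168.2.x is the thread's own placeholder for the web server address.

```cisco
! Added example (PIX 6.x syntax assumed); not from the original thread.
! 192.168.2.x is the thread's placeholder: substitute the web server's
! real inside address. outside_in is an assumed ACL name.

! The outside address is learned by DHCP, so the translation refers to
! the interface itself instead of a fixed public IP.
ip address outside dhcp setroute

! Static PAT: only TCP/80 arriving on the outside interface is forwarded
! to the web server. The keyword is "interface" on its own, with no
! interface name after it.
static (inside,outside) tcp interface www 192.168.2.x www netmask 255.255.255.255 0 0

! Inbound ACL: permit only what the static PAT publishes. A wider rule
! (for example "permit ip any any") would expose every static added later.
access-list outside_in permit tcp any interface outside eq www

! Bind the ACL to inbound traffic on the outside interface.
access-group outside_in in interface outside

! Flush stale translations after changing static/NAT statements.
clear xlate

! Checks:
!   show xlate                   the port-80 translation should be listed
!   show access-list outside_in  hit counters should rise when a client connects
```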
