
New Member

web server at inside

I have a PIX515e and need to configure a web server on the inside interface (NOT on the dmz interface!!).

I'm an absolute beginner in this firewall stuff and need a simple explanation of what rules I need to make it accessible from outside. I've already read the other posts about this theme, but they didn't help me because they don't match my configuration.

important IPs:

webserver inside: 192.168.144.103

router: x.x.x.1

DNS: from ISP

config file:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxx encrypted
passwd xxxx encrypted
hostname firewall
domain-name xxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.144.101 cem-sbs01
name 192.168.144.103 cem-sbs03
name x.x.x.8 out_interface
access-list outside_access_in permit tcp any host out_interface
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside out_interface 255.255.255.128
ip address inside 192.168.144.100 255.255.255.0
ip address dmz 192.168.10.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location cem-sbs01 255.255.255.255 inside
pdm location 192.168.144.49 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http cem-sbs01 255.255.255.255 inside
http 192.168.144.49 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
: end

[OK]

Thank you

4 REPLIES
Gold

Re: web server at inside

Hi -

Have a read of the following document and see if this helps your situation. This document explains how to configure a mail server on the inside network via PIX, but you can look at this as configuring access to a web server on the inside. Basically you'll require an ACL and a static for your situation.

Hope this is of help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Let me know if you need further help - Thanks, Jay

Silver

Re: web server at inside

1. You need to set up a static for the server

2. You need to edit the access-list outside_access_in to allow access to http for the ip address that you use in the static.

How many legitimate ip addresses do you have to work with?

If you have only one, for your static, you can forward just a port:

static (inside,outside) tcp interface www inside.ip.address.here www netmask 255.255.255.255

You then would need to "clear xlate" (this will break all connections), and you should be good to go - your access list allows all tcp connections to the ip address of your outside interface. You might want to edit that to only allow http.

New Member

Re: web server at inside

Thank you very much!

It's now working fine......

Gold

Re: web server at inside

Hi -

Here's an example:

> pix(config)# global (outside) 1 200.200.200.1

> pix(config)# nat (inside) 1 0 0

> pix(config)# static (inside,outside) 200.200.200.2 192.168.1.2

> pix(config)# access-list PERMIT_IN permit tcp any host 200.200.200.2 eq 80

> pix(config)# access-group PERMIT_IN in interface outside

Where IP 200.200.200.1 is the outside interface, and 200.200.200.2 is an outside address connecting to port 80 on inside IP 192.168.1.2.

Remember to save the config with command 'write memory' and also execute command 'clear xlate' to activate the new translations.

Hope this helps - Jay.
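As an added illustration of the two replies above (this is not code from the thread or from Cisco), here is a small Python script that audits PIX 6.x access-list entries for over-broad inbound permits, like the original poster's `permit tcp any host out_interface` line that allows every TCP port, and emits the narrowed ruleset for either case the replies describe: a single public address with a port redirect on the outside interface (first reply), or a dedicated outside address with a one-to-one static (second reply). The sample configuration, the server address 192.168.144.103 and the names `out_interface` / `outside_access_in` are taken from the question; the function names are the example's own.

```python
"""Audit PIX 6.x inbound ACL entries and generate a least-privilege
publish ruleset for one inside web server. Added example; not from the thread."""
import re

# Constructed sample: the relevant lines from the poster's running config.
SAMPLE_CONFIG = """\
name x.x.x.8 out_interface
access-list outside_access_in permit tcp any host out_interface
access-group outside_access_in in interface outside
"""

# Matches PIX 6.x extended ACEs of the form:
#   access-list NAME permit|deny PROTO SRC DST [eq PORT]
# where SRC/DST is "any", "host X", or "NET MASK".
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(config_text):
    """Return one dict per access-list entry found in the config text."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_broad_permits(entries):
    """ACEs that permit tcp/udp/ip from any source with no port restriction.
    These expose every listening service on the destination, not just the web server."""
    return [e for e in entries
            if e["action"] == "permit" and e["src"] == "any"
            and e["proto"] in ("tcp", "udp", "ip") and e["port"] is None]


def narrow_plan(config_text, server_ip, port="www"):
    """First-reply scenario: one public IP. Replace each broad ACE with a
    port-specific one and add a port-redirect static on the outside interface."""
    plan = []
    for e in find_broad_permits(parse_acl(config_text)):
        plan.append(f"no access-list {e['name']} {e['action']} {e['proto']} {e['src']} {e['dst']}")
        plan.append(f"access-list {e['name']} permit tcp any {e['dst']} eq {port}")
    plan.append(f"static (inside,outside) tcp interface {port} {server_ip} {port} "
                f"netmask 255.255.255.255 0 0")
    plan.append("clear xlate")  # existing translations are rebuilt; open sessions drop
    return plan


def dedicated_ip_rules(acl_name, outside_ip, server_ip, port="www"):
    """Second-reply scenario: a spare public IP mapped one-to-one to the server,
    with the ACL permitting only the web port to that address."""
    return [
        f"static (inside,outside) {outside_ip} {server_ip} netmask 255.255.255.255 0 0",
        f"access-list {acl_name} permit tcp any host {outside_ip} eq {port}",
        f"access-group {acl_name} in interface outside",
        "clear xlate",
    ]


if __name__ == "__main__":
    print("Broad permits found:", find_broad_permits(parse_acl(SAMPLE_CONFIG)))
    print("\n".join(narrow_plan(SAMPLE_CONFIG, "192.168.144.103")))
    print("\n".join(dedicated_ip_rules("outside_access_in", "x.x.x.9", "192.168.144.103")))
```

Running the audit again over the generated lines finds no broad permits, which is the check worth keeping in a change procedure: after editing, confirm that the only inbound permit to the published address is the web port.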
