TOPIC: setting up pix for web server

setting up pix for web server 10 years 2 months ago #17208

  • jmbmichael
Hello, I am a newbie when it comes to a PIX. I am setting up a web server for my company and I need to know what exactly I need to configure in the PIX. We are using a PIX 506E and we have a static public IP. As far as I know I need a command stating static (inside,outside) 69.0.0.0 172.16.2.5 netmask 255.255.254.0 0 0 and to set up an ACL. Now what are the commands to do this? And is there anything else that I need to do?

Re: setting up pix for web server 10 years 2 months ago #17217

  • Smurf
Hi there,

You are quite right there (although I am guessing these are bogus IP addresses).

The static command is correct, although if you are using a single IP address on the external you are better mapping port 80 only;

static (inside, outside) tcp outsideip www insideip www netmask 255.255.255.0

The access list needs to be built up on the external interface, this would be done like this;

access-list restrict-inside extended permit tcp any host outsideip eq 80

Then it needs to be applied to the interface;

access-group restrict-inside in interface Outside

Hopefully that should all work ok.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: setting up pix for web server 10 years 2 months ago #17219

  • jmbmichael
OK, so if my IPs are internal 172.16.0.0, external 69.0.0.0 255.255.254.0 (all fake of course), the static command should look like
static (inside, outside) tcp 69.0.0.0 www 172.16.0.0 www netmask 255.255.254.0

Does this map to port 80?

What is the command to get to the external and internal interfaces?

Thanks

Re: setting up pix for web server 10 years 2 months ago #17220

  • Smurf
Hi,

Yes, that is correct. This is doing a static translation from the outside to inside on port 80.

"What is the command to get to the external and internal interfaces?"
- Not too sure I understand the question?

Are you referring to translation?

If so, you will need to use a global command which sets what IP address on the outside you will start natting to (or in your case because of the single IP address, PAT).

Then you need to define what ranges on the inside are then allowed to nat through

e.g.

global (outside) 1 outsideip
nat (inside) 1 0.0.0.0 0.0.0.0

This is basically saying, for ANYTHING on the inside (i.e. 0.0.0.0 0.0.0.0, but if you want to you can specify only your internal subnets which is better to do) will be translated to the outside IP using PAT.

If you had multiple IP addresses on the outside then you could substitute the global command like this

global (outside) 1 x.y.z.100 - x.y.z.150

What this will do is the first 50 machines would use NAT on the address .100 to .149 and then any other machines will then resort to PAT on the last address of .150.

Hope that's what you were asking :)
Wayne Murphy

Re: setting up pix for web server 10 years 2 months ago #17223

  • jmbmichael
Actually I was just referring to the Cisco commands to do what you said:
The access list needs to be built up on the external interface, this would be done like this;

access-list restrict-inside extended permit tcp any host outsideip eq 80

Then it needs to be applied to the interface;

access-group restrict-inside in interface Outside

When you say apply it to the interface, what do you mean?

Re: setting up pix for web server 10 years 2 months ago #17224

  • Chris
Smurf's instructions are precise and very well written.

"Applying" it to an interface means that the access-lists you have previously written are associated with one of the PIX interfaces.

The same concept exists on Cisco routers and other similar Cisco-oriented products.
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
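
The three commands discussed in this thread (static, access-list, access-group) only work as a set, so here is an added example, not code from any poster, that checks a saved PIX-style config for an ACL that was written but never applied, and for port mappings and permits that do not line up. The function names, the 203.0.113.10 documentation address and the assumption that the Internet-facing interface is named "outside" are illustrative.

```python
import re

PORT_NAMES = {"www": "80", "https": "443"}  # PIX port keywords -> numbers
STATIC_RE = re.compile(r"static \((\w+),\s*(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

# Constructed sample configs; 203.0.113.10 is a documentation address.
GOOD = """
static (inside,outside) tcp 203.0.113.10 www 172.16.2.5 www netmask 255.255.255.255
access-list restrict-inside extended permit tcp any host 203.0.113.10 eq 80
access-group restrict-inside in interface Outside
"""
UNBOUND = GOOD.replace("access-group restrict-inside in interface Outside\n", "")
EXTRA = GOOD + "access-list restrict-inside extended permit tcp any host 203.0.113.10 eq https\n"

def port(p):
    return PORT_NAMES.get(p, p)

def audit(config, outside="outside"):
    """Return findings for a PIX-style config; an empty list means consistent."""
    statics, permits, bound = set(), {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.add((m[3], port(m[4])))          # mapped (public) ip, port
        elif m := ACL_RE.match(line):
            permits.setdefault(m[1], set()).add((m[2], port(m[3])))
        elif m := GROUP_RE.match(line):
            bound[m[1]] = m[2].lower()               # ACL name -> interface
    findings = [f"ACL {n} is defined but never applied with access-group"
                for n in permits if n not in bound]
    live = set()                                     # permits actually enforced
    for name, iface in bound.items():
        if iface == outside:
            live |= permits.get(name, set())
    findings += [f"static {ip}:{p} has no permit in an ACL applied to {outside}"
                 for ip, p in sorted(statics - live)]
    findings += [f"permit to {ip}:{p} has no static port mapping behind it"
                 for ip, p in sorted(live - statics)]
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("UNBOUND", UNBOUND), ("EXTRA", EXTRA)):
        print(name, audit(cfg) or "consistent")
```

The UNBOUND case is the situation asked about above: the access-list exists, but without the access-group line it filters nothing and the web server stays unreachable from outside.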