Web access through firewall

We have a Cisco PIX 501 Firewall running PIX version 6.3 with NDM
version 3.0.

The firewall is connected to an SDSL router which has a fixed external
IP address.  We'll refer to that as 333.333.333.442 which we all know
is fake.

Behind the firewall are our switches and our internal network with
fixed IP addresses which we will say are in the 10.10.0.x
(255.255.255.0) range.  The firewall itself is 10.10.10.254.

Everything works wonderfully at the moment in that all of our computers
behind the firewall have access to all aspects of the Internet without
any problems.  We are using PAT translation and it works fine.

We now want to be able to access a web site, which is on one of our
servers, from the other side of the firewall (i.e. the Internet).
Let's say that server is on 10.10.0.99 on the inside of the network.

With the firewalls I have worked with before (mostly NetGear) I would
create a new service and assign it to a port (from 90 to 90 for
example).  I would then create a rule which would assign that service
to an IP address on the inside of the network (in this case
10.10.0.99).  I would then be able to connect to that site by
http://333.333.333.442:90

I assume that is the general concept of what I need to do on this
firewall but I have not been able to figure out how to do so.

I am hoping this is relatively straightforward as I'm sure I'm not the
first who has ever had this basic sort of need.

Can anyone help me with setting this up?

Thank you in advance for any assistance, suggestions or "direction
pointing" you may provide.



Re: Web access through firewall


First, congratulations on getting rid of the NetGear and getting your PIX.

Now, for the fun part:

Need an ACL:

access-list 111 permit tcp any host 333.333.333.442 eq www
access-list 111 permit tcp any host 333.333.333.442 eq https (for SSL)

Apply the ACL:
access-group 111 in interface outside

Need Static statement:
static (inside,outside) tcp interface www 10.10.0.99 www netmask 255.255.255.255 0 0

If your web server is using a different port then simply substitute the
second www above (10.10.0.99 www ...) for the port number you are using
so the static line would look like this:

static (inside,outside) tcp interface www 10.10.0.99 90 netmask 255.255.255.255 0 0

Obviously do this to your running config prior to making it permanent
and test the outcome.

My two yen worth!
Wilson

Derek Erb wrote:


Re: Web access through firewall




Create a static translation...

static (inside,outside) tcp interface www 10.10.0.99 90 netmask 255.255.255.255 0 0

You also need to allow that traffic into the PIX...

access-list inside_acl permit tcp any host 333.333.333.442 eq 90

and apply it to the outside interface.



Jonathan
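Both replies pair a static translation with an access-list bound to the outside interface. The following is an added audit script, not code from either reply or from Cisco, that parses those three PIX 6.3 line types and cross-checks them: it reports which outside ports are forwarded where, any port the outside ACL permits that has no static behind it (an over-broad rule, as with the https line when only a www static exists), and any static that no ACL line actually permits. The config fragment is constructed for the example by combining the thread's lines; the regexes assume the exact syntax shown in the thread.

```python
import re

# Constructed sample: the thread's ACL lines (including the https entry)
# combined with the port-90 static. The https entry has no matching static,
# which the audit should flag as an ACL port nothing is translated for.
SAMPLE_CONFIG = """\
access-list 111 permit tcp any host 333.333.333.442 eq www
access-list 111 permit tcp any host 333.333.333.442 eq https
access-group 111 in interface outside
static (inside,outside) tcp interface www 10.10.0.99 90 netmask 255.255.255.255 0 0
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host \S+ eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")


def port_num(token):
    """Map a PIX port keyword (www, https) or a numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def audit(config):
    """Cross-check static translations against the ACL bound to outside.

    Returns the forwards found (outside port -> (inside ip, inside port)),
    ACL ports with no static behind them, and statics no ACL line permits.
    """
    forwards = {}
    acl_ports = {}      # acl name -> set of outside ports it permits
    outside_acl = None  # name of the ACL applied inbound on outside
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            forwards[port_num(m.group(1))] = (m.group(2), port_num(m.group(3)))
        elif m := ACL_RE.match(line):
            acl_ports.setdefault(m.group(1), set()).add(port_num(m.group(2)))
        elif m := GROUP_RE.match(line):
            outside_acl = m.group(1)
    permitted = acl_ports.get(outside_acl, set())
    fwd_ports = set(forwards)
    return {
        "outside_acl": outside_acl,
        "forwards": forwards,
        "acl_without_static": sorted(permitted - fwd_ports),
        "static_without_acl": sorted(fwd_ports - permitted),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```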
