I would like to secure an inbound access-list on a PIX 525 running software version 8.
Hosts on the outside will connect to 3 servers on the inside for WWW.
This will involve an explicit access rule and NAT.
The servers are named and grouped:
name 192.168.1.1 SERVER1
name 192.168.1.2 SERVER2
name 192.168.1.3 SERVER3

object-group network SERVERS
 network-object host SERVER1
 network-object host SERVER2
 network-object host SERVER3
Static NAT is used to map the outside 10.x.x.x addresses to 192.x.x.x on the inside:

static (inside,outside) 10.10.10.1 SERVER1 netmask 255.255.255.255
static (inside,outside) 10.10.10.2 SERVER2 netmask 255.255.255.255
static (inside,outside) 10.10.10.3 SERVER3 netmask 255.255.255.255
I have then created an access-list to permit access to the SERVERS network-group:
access-list outside_access_in extended permit tcp any object-group SERVERS eq http
For some reason when external users connect to the outside 10.x.x.x they are not permitted. I'm guessing this is because the access-list mentions the INSIDE names - not the OUTSIDE NAT addresses. I suppose my question is what order is the traffic processed? NAT or access-list?
Should my network group really contain the OUTSIDE NAT addresses of the servers?
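The ordering question above is worth seeing as a small model rather than a rule of thumb. On PIX/ASA code before 8.3 (the PIX 525 tops out at 8.0), an access-group applied to the outside interface is matched against the address the packet arrived with, i.e. the mapped 10.10.10.x address from the static, and un-NAT to the real 192.168.1.x address happens afterwards; ASA 8.3 and later reversed this and write inbound ACLs in terms of the real address. The Python below is an added illustration, not Cisco code and not part of the original post: it transcribes the post's names, statics and access-list into a toy packet path and runs one inbound SYN through both behaviours. The packet samples, the `real_ip_in_acl` switch and all function names are assumptions made here for the demonstration.

```python
"""Toy model of the inbound (outside -> inside) packet path on a PIX/ASA.

Added illustration for the question above; it is not Cisco code. The names,
statics and ACL are transcribed from the post; the sample packets and the
8.3+ comparison are assumptions made here to show the ordering difference.
"""
from dataclasses import dataclass
from typing import List, Optional

# --- configuration transcribed from the post --------------------------------
# name <real-ip> <name>
NAMES = {
    "SERVER1": "192.168.1.1",
    "SERVER2": "192.168.1.2",
    "SERVER3": "192.168.1.3",
}

# static (inside,outside) <mapped> <real>  ->  mapped (outside) : real (inside)
STATICS = {
    "10.10.10.1": NAMES["SERVER1"],
    "10.10.10.2": NAMES["SERVER2"],
    "10.10.10.3": NAMES["SERVER3"],
}

# object-group network SERVERS exactly as posted: the real (inside) addresses.
SERVERS_REAL = frozenset(NAMES.values())
# The alternative group a pre-8.3 box needs: the mapped (outside) addresses.
SERVERS_MAPPED = frozenset(STATICS.keys())


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp any object-group <X> eq <port>' entry."""
    dst_hosts: frozenset
    dst_port: int


@dataclass
class Verdict:
    permitted: bool
    real_dst: Optional[str]  # inside address the packet is forwarded to, if any


def untranslate(mapped_dst: str) -> Optional[str]:
    """Static un-NAT for an inbound packet: mapped -> real, None if no static."""
    return STATICS.get(mapped_dst)


def acl_permits(acl: List[Ace], dst: str, dst_port: int) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    return any(dst in ace.dst_hosts and dst_port == ace.dst_port for ace in acl)


def outside_in(dst_ip: str, dst_port: int, acl: List[Ace],
               real_ip_in_acl: bool) -> Verdict:
    """Run one inbound TCP SYN through 'outside_access_in' and the static.

    real_ip_in_acl=False models PIX/ASA before 8.3 (the post's 8.0 box): the
    outside access-group sees the address on the wire, the mapped 10.10.10.x
    global, and the static is only consulted after the ACL permits.
    real_ip_in_acl=True models ASA 8.3 and later: the real address is looked
    up first and the ACL is written against it (not available on a PIX 525).
    """
    if real_ip_in_acl:
        acl_dst = untranslate(dst_ip)
        if acl_dst is None:
            return Verdict(False, None)
    else:
        acl_dst = dst_ip  # pre-8.3: ACL matched against the mapped address

    if not acl_permits(acl, acl_dst, dst_port):
        return Verdict(False, None)

    real_dst = untranslate(dst_ip)  # no static -> no translation -> dropped
    if real_dst is None:
        return Verdict(False, None)
    return Verdict(True, real_dst)


# access-list outside_access_in extended permit tcp any object-group SERVERS eq http
ACL_AS_POSTED = [Ace(SERVERS_REAL, 80)]
ACL_WITH_MAPPED = [Ace(SERVERS_MAPPED, 80)]


def demo() -> None:
    """Same packet (constructed: any -> 10.10.10.1:80) under both behaviours."""
    for label, acl in (("SERVERS = real addrs", ACL_AS_POSTED),
                       ("SERVERS = mapped addrs", ACL_WITH_MAPPED)):
        for version, real_first in (("pre-8.3", False), ("8.3+", True)):
            v = outside_in("10.10.10.1", 80, acl, real_first)
            print(f"{version:8} {label:24} -> permitted={v.permitted} "
                  f"real_dst={v.real_dst}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the pre-8.3 row with the posted group denying the packet and the mapped-address group permitting it and handing it to 192.168.1.1, while the 8.3+ rows invert that. The model also keeps the other two reasons an inbound packet dies on a PIX: a port the ACL does not list, and a global address with no static behind it.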