topic Redirect web trafic in Network Security

Redirect web trafic

tagadapouette — Mon, 11 Mar 2019 09:53:08 GMT

Hello,

First excuse my bad english.

I've a problem. I want redirect external web trafic to my web server on lan (inside). I test configuration with privates IP (see below my basic configuration). My web server is ok but that's not work, impossible to join web server from any computer on outside side.

I forgot something, but what ????

JLE

: Saved

PIX Version 7.2(2)14

hostname pix

domain-name test.com

enable password xxx

names

interface Ethernet0

nameif outside

security-level 0

ip address 192.168.1.240 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name test.be

access-list outside_access_in extended permit tcp any eq www host 192.168.2.2 eq www

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 2 192.168.2.2 netmask 255.255.255.0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 0.0.0.0 www 192.168.2.2 www netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.1.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.2.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect http

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

no asdm history enable

Re: Redirect web trafic

David White — Wed, 28 Mar 2007 17:53:43 GMT

I assume you mean you want your web server to be reachable via the Outside IP of your PIX? If so, you need to modify both your ACL and your static statements to read:

access-list outside_access_in extended permit tcp any interface outside eq www

static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255

David.

Re: Redirect web trafic

vitripat — Wed, 28 Mar 2007 17:59:18 GMT

Hey there ..

I'm not sure what is the private IP address of the webserver (it seems 192.168.2.2 though) and what is the public address from which it will be accessed. For now, please implement following commands-

clear config static

no access-group outside_access_in in interface outside

clear config access-list outside_access_in

Now, as I'm not aware of the IP address which will be used by the outside hosts to access the server, I'll assume that outside hosts will use x.x.x.x to access the web server and the private IP address of web server is 192.168.2.2. For this scenario, commands would be-

static (inside,outside) x.x.x.x 192.168.2.2

access-list outside_access_in permit tcp any host x.x.x.x eq 80

access-group outside_access_in in interface outside

clear xlate

If you are looking to use the IP address on outside interface of PIX to access the internal webserver, the command set would be-

static (inside,outside) tcp interface 80 192.168.2.2 80

access-list outside_access_in permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

clear xlate

Hope this helps. Let me know how this goes.

Regards,

Vibhor.

Re: Redirect web trafic

abinjola — Wed, 28 Mar 2007 18:25:33 GMT

your users would ring ya phone bell crazy once you do a cl xlate..so better watch it

try

cl xlate loc 192.168.2.2

the above would not cl the entire xlate entries

Re: Redirect web trafic

tagadapouette — Wed, 28 Mar 2007 19:04:18 GMT

Thanks all for your replies.

Yes, IP of my web server is 192.168.2.2

Yes I want my web server to be reachable via the outside IP of my PIX.

I'll try all your suggestions tomorow (it's too late : 20h45 in Belgium. Not enough time in a day)

Perhaps another question: I want to configure VPN access (for Windows vpn client) with PPTP (no longer exists?) or L2TP. I used the wizard, but one more time it's impossible to make a vpn connection. Have you a link with step by step guide?

Sorry, it' my first firewall and that's not realy easy to configure.

JLE

Re: Redirect web trafic

abinjola — Wed, 28 Mar 2007 19:18:07 GMT

if there is one single PPTP client trying to go outside then use following commands :-

policy-map global_policy

class inspection_default

inspect pptp

see if it helps

Re: Redirect web trafic

vitripat — Wed, 28 Mar 2007 19:18:27 GMT

Here is a link which should be helpful-

Configuring the Cisco Secure PIX Firewall to Use PPTP:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

Regards,

Vibhor.

Re: Redirect web trafic

David White — Wed, 28 Mar 2007 19:23:35 GMT

PPTP termination on the PIX is not available starting with version 7.0. It is available in versions 6.3 and lower.

PPTP over IPSec is available. See the following TAC doc for configuration steps:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

David.

Re: Redirect web trafic

tagadapouette — Thu, 29 Mar 2007 12:24:29 GMT

Great all is ok now!!

Thanks to all.

JLE