
https on PIX

lformelli
Level 4

I have installed some PIX 501 with 6.3 software Cisco Secure.

I need to permit traffic to application layer https.

Can somebody advise me about configuration commands or documents about this?

best regards

Lorenzo

1 Reply

a.kiprawih
Level 11

Hi Lorenzo,

Your question "..need to permit traffic to application layer https?" - are you referring to how to permit https traffic for application access from outside to inside?

If this is what you're looking for, please see the example below:

What you need to do is to map your internal server IP (running the application accessible via https) to a public IP and use an access-list (ACL) to allow only HTTPS to pass through from outside to inside/internal (to your internal server). Once ready, bind the ACL to the outside interface.

Example:

access-list outside permit tcp any host xx.xx.xx.10 eq https <--- access-list allowing incoming https traffic only

access-list outside deny ip any any <-- deny other unwanted traffic. Make sure this parameter is the last one in your ACL.

access-group outside in interface outside <-- bind ACL outside to your outside (eth0) interface

static (inside,outside) xx.xx.xx.10 aa.aa.aa.50 netmask 255.255.255.255 <--- map your aa.aa.aa.50 (internal server IP) to a public IP

route outside 0 0 xx.xx.xx.1 <---- default route for PIX pointing to your internet router

Test connectivity using ICMP/ping from outside (ping from the internet router or the internet) to your server by temporarily opening ICMP in the same outside ACL. Remove this if the ping is successful.

access-list outside permit icmp any host xx.xx.xx.10

Rgds,

AK
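
PIX evaluates an ACL top-down and stops at the first match, so the position of the temporary ICMP entry relative to `deny ip any any` decides whether the ping test can work. The Python sketch below is an added example, not part of the original reply or any Cisco tool; it models only the ACL forms used in this thread, and `yy.yy.yy.1` is a constructed placeholder for an outside source address.

```python
# Added example (not from the thread): first-match evaluation and shadowed-entry
# check for: access-list <name> permit|deny <proto> <any|host A> <any|host A> [eq PORT]
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst port")

def parse(line):
    action, proto, *rest = line.split()[2:]     # drop "access-list <name>"
    addrs = []
    while len(addrs) < 2:
        if rest[:1] == ["any"]:
            addrs, rest = addrs + ["any"], rest[1:]
        elif rest[:1] == ["host"] and len(rest) > 1:
            addrs, rest = addrs + [rest[1]], rest[2:]
        else:
            raise ValueError("unsupported entry: " + line)
    port = rest[1] if len(rest) == 2 and rest[0] == "eq" else None
    return Rule(action, proto, addrs[0], addrs[1], port)

def covers(a, b):
    """True if every packet matching entry b also matches entry a."""
    return (a.proto in ("ip", b.proto) and a.src in ("any", b.src)
            and a.dst in ("any", b.dst) and a.port in (None, b.port))

def shadowed(rules):
    """Indexes of entries an earlier entry already covers (never reached)."""
    return [i for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]

def evaluate(rules, proto, src, dst, port=None):
    pkt = Rule(None, proto, src, dst, port)
    for r in rules:
        if covers(r, pkt):
            return r.action
    return "deny"                                # implicit deny ends every ACL

# The reply's entries in the order they end up if the ICMP permit is
# entered after the ACL is already configured (new entries are appended).
APPENDED = [parse(l) for l in (
    "access-list outside permit tcp any host xx.xx.xx.10 eq https",
    "access-list outside deny ip any any",
    "access-list outside permit icmp any host xx.xx.xx.10",
)]
# Same entries with the temporary ICMP permit ahead of the final deny.
REORDERED = [APPENDED[0], APPENDED[2], APPENDED[1]]

# yy.yy.yy.1 is a constructed placeholder for an outside source address.
if __name__ == "__main__":
    for name, acl in (("appended", APPENDED), ("reordered", REORDERED)):
        print(name, shadowed(acl), evaluate(acl, "icmp", "yy.yy.yy.1", "xx.xx.xx.10"))
```

On the PIX itself, `show access-list` lists the entries in evaluation order with hit counts, which confirms where a newly entered line landed.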
