11-14-2010 05:19 PM - edited 03-11-2019 12:09 PM
Hello -
I am attempting to access a SSL terminating webserver on an internal host through a PIX 515 running 8.0.
I have an inside and outside interfaces defined.
I wish to have any external host use SSL to access the destination webserver.
I also have a management station that is on the same subnet as the inside interface and the webserver host.
The outside interface has a security value of 20 while the inside one has a value of 100.
I put an exemption for the inside subnet, but for some strange reason I can ping all interfaces but I cannot get ASDM to access the inside interface.
Any advice is appreciated.
L.
11-14-2010 05:30 PM
Lou,
To access ASDM you will need the following things:
1) The command 'http server enable'
2) A copy of the ASDM code in flash and the command 'asdm image'
3) A permission line like 'http 192.168.2.0 255.255.255.0 inside'
Also, you can only have ASDM connect to the interface facing you. If you are on the inside, you will be able to connect to the inside interface IP. If you are on the outside, then only the outside interface IP will work for you.
You can check to make sure the PIX is reading the ASDM image correctly by looking at 'show version':
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5) <<<<<<<<<<<<
If the line is missing, check to make sure you have the 'asdm image' line and the right version in flash.
With regards to the other issue, it sounds like you are trying to access an SSL server on the INSIDE from the Internet... right? If so, a quick sample of what you would need to do would be:
static (inside,outside) tcp interface 443
!
access-list outside_access_in permit tcp any interface outside eq 443
!
access-group outside_access_in in interface outside
With that configlet, you can then connect to the outside interface of your PIX with HTTPS and it will pass that HTTPS connection through to the internal SSL server.
- Magnus
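As an added example (not code from this thread or from Cisco), a small Python checker that applies Magnus's three ASDM prerequisites and the "only the interface facing you" rule to a PIX 8.0-style config text. It assumes the management host sits on a directly connected subnet of the PIX, and the config fragment it parses is constructed for the example, not the poster's real one.

```python
import ipaddress
import re
# Constructed PIX 8.0-style fragment for the example (not the thread's config).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
http server enable
asdm image flash:/asdm-615.bin
http 192.168.2.0 255.255.255.0 inside
"""
def parse_interfaces(cfg):
    """Return {nameif: (interface_ip, connected_network)} from the interface blocks."""
    ifaces, cur = {}, {}
    for line in cfg.splitlines() + ["interface END"]:  # sentinel flushes the last block
        s = line.strip()
        if s.startswith("interface "):
            if "nameif" in cur and "ip" in cur:
                ifaces[cur["nameif"]] = (cur["ip"], cur["net"])
            cur = {}
        elif s.startswith("nameif "):
            cur["nameif"] = s.split()[1]
        elif s.startswith("ip address "):
            ip, mask = s.split()[2:4]
            cur["ip"] = ipaddress.ip_address(ip)
            cur["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ifaces

def asdm_access_problems(cfg, client_ip, target_ip):
    """Return the ASDM prerequisites this config fails for a client at client_ip
    connecting to the PIX address target_ip; an empty list means it should work."""
    client, target = ipaddress.ip_address(client_ip), ipaddress.ip_address(target_ip)
    ifaces, problems = parse_interfaces(cfg), []
    if not re.search(r"^http server enable$", cfg, re.M):
        problems.append("missing 'http server enable'")
    if not re.search(r"^asdm image \S+", cfg, re.M):
        problems.append("missing 'asdm image' line")
    grants = re.findall(r"^http ([\d.]+) ([\d.]+) (\S+)$", cfg, re.M)  # http <net> <mask> <nameif>
    facing = [i for i, (_, net) in ifaces.items() if client in net]  # interface facing the client
    if not facing:
        return problems + [f"{client} is not on a directly connected interface"]
    if not any(i == facing[0] and client in ipaddress.ip_network(f"{n}/{m}", strict=False)
               for n, m, i in grants):
        problems.append(f"no 'http' permission for {client} on interface {facing[0]}")
    if target != ifaces[facing[0]][0]:  # ASDM only answers on the interface facing you
        problems.append(f"{target} is not the IP of the interface facing the client ({facing[0]})")
    return problems
```

Run it against a `show running-config` capture with the management host's address and the PIX address you are browsing to; each returned string maps to one of the three items above or to the wrong-interface case.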
11-14-2010 05:25 PM
Hi,
I guess we are going to need more information; the problem started as a webserver issue and it ended up with losing ASDM access. Would you please clarify the following points?
Are the outside hosts going to access this SSL server on the inside?
Are you planning to do NAT or do you plan to do NAT exemption?
What rule did you put in that kills your ASDM access on the inside? Can you paste it?
Normally what you will need (in case NAT control is enabled or you have any NAT going on in the config) is to translate the host to something and then allow it on the outside ACL.
Please clarify those points, we will be more than glad to assist you.
Cheers,
Mike
11-19-2010 08:11 AM
Thanks Magnus - sorry for the delay.
I implemented a static link that was very similar to what you suggested, but not identical.
This could be why I am getting the following problem...
My SSL webserver is receiving the forwarded SYNs from the client, and responding, but the ACK is getting lost.
I have a record of the ACK on the server but I get no record of it on the PIX. No ACLs appear to be triggered by the ACK either.
The Management-subnet is actually not being used for management but the interface 192.168.11.15 is.
Any thoughts?
name 192.168.1.80 BPM-server
name 192.168.1.64 BPM-server-subnet description Small subnet to hold BPM and AG servers
name 192.168.1.0 Management-subnet description Small subnet to manage devices
!
interface Ethernet0
 description Management interface for Vlab PIX
 nameif Vlab-1-mgmt
 security-level 100
 ip address 192.168.11.15 255.255.255.0
 management-only
!
interface Ethernet1
 description This is used for management access and for the BPM and other demo servers
 nameif inside
 security-level 10
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet2
 description This will provide external service to the Bell Privacy Manager demo and Sharepoint servers
 nameif BPM-Vlab-external-1
 security-level 20
 ip address xxx.yyy.zzz.67 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object BPM-server-subnet 255.255.255.248
 network-object xxx.yyy.zzz.64 255.255.255.248
access-list 100 extended permit tcp Management-subnet 255.255.255.0 any
access-list 100 extended permit ip any Management-subnet 255.255.255.0
access-list 100 extended permit ip xxx.yyy.zzz.64 255.255.255.248 Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in extended permit icmp any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit udp host 192.168.1.1 host 192.168.1.2
access-list 110 extended permit tcp any host xxx.yyy.zzz.67 eq https
access-list inside_access_in_1 extended permit udp host 192.168.1.1 host 192.168.1.2
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any Management-subnet 255.255.255.0
access-list BPM-Vlab-external-1_access_in_1 extended permit ip Management-subnet 255.255.255.0 any
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any xxx.yyy.zzz.64 255.255.255.248
access-list BPM-Vlab-external-1_access_in_1 extended permit ip any any
global (BPM-Vlab-external-1) 1 xxx.yyy.zzz.69
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,BPM-Vlab-external-1) tcp interface https BPM-server https netmask 255.255.255.255
access-group 100 in interface inside
access-group BPM-Vlab-external-1_access_in_1 in interface BPM-Vlab-external-1
!
router rip
 version 2
!
route BPM-Vlab-external-1 0.0.0.0 0.0.0.0 xxx.yyy.zzz.68 1