06-07-2005 03:17 AM - edited 02-21-2020 12:11 AM
Hi all,
Can anyone help me with an idea of a config for my pix 501 firewall?
Basically, all I want to do is put the pix in between the Internet gateway and my web server. The webserver is on a live IP and obviously so is the gateway. I understand the access-list aspect of the PIX, but I'm a little unsure of the static vs nat config, as nearly all configs I see use NAT which isn't appropriate here. I just want the pix to block traffic on any other port other than 80 and 443 getting to the web server, and for the web server to be able to churn out whatever it likes.
any ideas?
cheers very much!
Rob
06-07-2005 04:41 AM
Hi Rob,
As you are putting the PIX in between your gateway and web server I believe you have two options, as I don't believe the PIX 501 can work in transparent mode.
1. Split your public address range into two subnets, create one subnet between your PIX's outside interface and your Internet gateway and create the other between your inside PIX interface and your web server. This is the only method you can use if you don't want to use NAT, it also depends on how many public addresses you have been allocated and whether you have enough to create two subnets.
2. Remove the public address from your web server and move it to the outside interface of your PIX. Give your web server a private address and use port redirection on your outside interface for ports 80 and 443.
e.g. This example assumes your web server now has a private address of 192.168.1.1 and the outside interface has a public address.
# static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
# static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255
So you are basically saying here that any http and https traffic that hits the outside IP address of the PIX is redirected to the private address using the same protocol.
I think this is probably your best option as external users will still be accessing your web server by its usual public address so you won't have to make any DNS changes.
Also you will need to add an access-list to your outside interface specifically permitting HTTP and HTTPS traffic to your public address, which will be:
# access-list 101 permit tcp any host <PIX-outside-IP> eq www
# access-list 101 permit tcp any host <PIX-outside-IP> eq https
# access-group 101 in interface outside
Hope this makes sense.
Rgds
Paddy
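A complete PIX 6.x configuration for option 2, added here as an illustration rather than as Paddy's own text. It assumes the PIX 501's outside interface takes over the web server's old public address (shown as the placeholders <PUBLIC-IP>/<PUBLIC-MASK>, with <GATEWAY-IP> as the Internet gateway), that the inside interface is 192.168.1.254/24, and that the web server at 192.168.1.1 uses the PIX inside address as its default gateway.

```text
! Outside interface takes the public address that used to sit on the web server
ip address outside <PUBLIC-IP> <PUBLIC-MASK>
ip address inside 192.168.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 <GATEWAY-IP> 1
!
! Port redirection: TCP 80 and 443 arriving on the outside interface address
! are translated to the web server's private address on the same ports
static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255 0 0
!
! Everything else the inside network sends out is PATed to the outside address,
! so the web server can initiate its own connections (DNS, updates) freely
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
!
! Inbound from the Internet: only HTTP and HTTPS to the public address are
! permitted; the implicit deny at the end of the list drops every other port
access-list 101 permit tcp any host <PUBLIC-IP> eq www
access-list 101 permit tcp any host <PUBLIC-IP> eq https
access-group 101 in interface outside
```

After applying it, `show xlate` lists the two static translations and `show access-list 101` shows hit counts climbing on the two permit lines as web traffic arrives.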
06-07-2005 04:53 AM
sure does, thanks for that Paddy! I think option 2 looks the best to me!
cheers very much Paddy!
Rob