
PIX 515E question RE: https access

bhhouston
Level 1

We have a web server in our dmz allowing http access to an application. We have installed SSL and now want to change our application access to https. I'm having a little trouble with the config. Here's the relevant config info:

access-list inbound permit tcp any host x.x.x.110 eq www

static (dmz,outside) x.x.x.110 x.x.x.110 netmask 255.255.255.255 0 0

access-group inbound in interface outside

I have added:

access-list inbound permit tcp any host x.x.x.110 eq https

My questions are: Is this sufficient to allow https access to my application? Do I need to remove the access-list . . . www command? Would I be better served by changing my new access-list command from eq https to eq 443? Is there anything else I need to add to ensure access? Have I missed anything?

Thanks, Ben

3 Replies

paddyxdoyle
Level 6

Hi,

What you have done is fine. You can remove your first rule (www) only if you want to prevent anyone from accessing your web site using HTTP.

It doesn't matter whether you use "eq 443" or "eq https" on the PIX as it will interpret either correctly.

HTH

PD
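
An added example, not part of any reply in this thread: a small Python check that parses access-list lines of the form quoted above, treats `eq https` and `eq 443` as the same port, and reports hosts where cleartext HTTP is still permitted next to HTTPS. The function names and the sample text are constructed for illustration, and only the exact line form from the thread is handled.

```python
import re

# PIX port literals that appear in this thread, with their numeric values.
PORT_NAMES = {"www": 80, "https": 443}

# Only the form quoted in the thread is recognised:
#   access-list <name> permit|deny tcp any host <ip> eq <port>
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+tcp\s+any\s+"
    r"host\s+(?P<host>\S+)\s+eq\s+(?P<port>\S+)$"
)

def parse_acl(config):
    """Return (acl_name, action, host, port_number) per recognised line."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # static, access-group and other lines are out of scope
        port = m["port"]
        number = PORT_NAMES.get(port.lower())
        if number is None:
            if not port.isdigit():
                continue  # unknown port literal: skip rather than guess
            number = int(port)
        entries.append((m["name"], m["action"], m["host"], number))
    return entries

def cleartext_still_open(config):
    """Hosts whose ACL permits both 80 and 443, i.e. HTTP was not removed."""
    first = {}
    for name, action, host, port in parse_acl(config):
        first.setdefault((name, host, port), action)  # first match wins
    permitted = {}
    for (name, host, port), action in first.items():
        if action == "permit":
            permitted.setdefault((name, host), set()).add(port)
    return sorted(h for (_n, h), ports in permitted.items() if {80, 443} <= ports)

# Constructed sample assembled from the lines quoted in the question.
SAMPLE = """\
access-list inbound permit tcp any host x.x.x.110 eq www
static (dmz,outside) x.x.x.110 x.x.x.110 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host x.x.x.110 eq https
access-group inbound in interface outside
"""

if __name__ == "__main__":
    print(cleartext_still_open(SAMPLE))
```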

d.kratz
Level 1

Hello Ben,

You need to configure the nat statement. The nat command will define for which networks the firewall will route.

The command is something like:

nat (inside) 0 x.y.z.110 255.255.255.255 0 0

Regards,

Kratz

bhhouston
Level 1

Thanks for the replies. It appears that my addition will take care of my access and I can take http access away by removing the www statement. That's just the kind of information I was looking for.

Oh, and my NAT statement was already in place so I think I'm good there.

Thanks again and if you think of anything else that would help me, feel free to add something.

Two thumbs up to the Cisco forums.

Ben
