Resolution
Complete these steps in order to give external employees or customers access to internal servers:
- Create a static Network Address Translation (NAT) on the PIX Firewall.
This often applies to web or mail servers. These servers usually have private addresses on their LAN, such as 192.168.1.10, but require public addresses if they are to be reached from the Internet. You can give these devices an external address by using multiple Network Interface Cards (NICs) or by attaching them to a router with an interface on a public network such as 12.148.16.0.
But these options can be prohibitively expensive or unnecessary in some organizations. An alternative is to configure a static NAT. This is done on a PIX Firewall that is attached to the Internet.
This example allows access to the company web server. The internal address of this device is 172.16.4.22. The goal is for people on the Internet to select 14.62.31.228 in order to access the server. You can assume that the server is on the inside interface and that the Internet is reached through the outside interface.
- In order to establish the translation, issue these commands on the PIX Firewall:
At this point, any traffic destined for 14.62.31.228 is redirected to 172.16.4.22. However, an Access Control List (ACL) statement or conduit must be created in order to allow the specified traffic to pass.
If no previous ACL exists, issue these commands to allow HTTP traffic from the Internet to reach the server:
- pixfirewall (config t)#access-list internet permit tcp any host 14.62.31.228 eq 80
- pixfirewall (config t)#access-group internet in interface outside
At this point, external users should be able to access the web server using HTTP.
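The whole procedure as one annotated configuration, given here as an added example and not taken from the original document. The static line is an assumption (standard PIX static syntax applied to the addresses above, since the page does not show the command); lines that begin with "!" are annotations, not commands.

```text
! --- Static NAT ------------------------------------------------------
! Map the public address 14.62.31.228 (outside) to the real server
! 172.16.4.22 (inside). The host netmask limits the translation to
! this single address. (Assumed command; not shown on the page.)
static (inside,outside) 14.62.31.228 172.16.4.22 netmask 255.255.255.255

! --- Inbound ACL -----------------------------------------------------
! Weak form, shown only for contrast: "permit ip" opens every protocol
! and port on the server, not just the web service.
!   access-list internet permit ip any host 14.62.31.228
!
! Scoped form from the page: only TCP port 80 to the translated
! address. The implicit deny at the end of the ACL drops all other
! inbound traffic on the outside interface.
access-list internet permit tcp any host 14.62.31.228 eq 80
access-group internet in interface outside

! --- Verification ----------------------------------------------------
! Confirm the translation entry for 14.62.31.228 exists.
show xlate
! Confirm the ACL contents; the hit counter on the permit line should
! increase when an external client loads the web page.
show access-list internet
```

This form applies to PIX and to ASA software earlier than 8.3; from ASA 8.3 onward the NAT syntax is different and interface ACLs match the real (untranslated) server address.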
Refer to these documents for more information on how to configure static NAT on the PIX/ASA Firewall:
Problem Type
Connectivity through the device
How to (General Information)
Product Family
Firewall - PIX 500 series
ASA Hardware & Software