05-29-2007 01:56 PM - edited 03-05-2019 04:22 PM
I recently became the network administrator for a small local government entity. I have been thrust into the world of Cisco, which is fine, but I have a lot to learn. I have a Cisco PIX 515E firewall and I need to configure it so that when a link on the website (hosted outside the company) is clicked, it will point to a GIS server running Apache inside our network. I have absolutely no idea how to do this in the CLI. I'm sorry if I'm asking too much here, but any help would be appreciated. The Apache server works internally, so at least that much is set up correctly. I just need the general public to be able to access it from the outside.
05-29-2007 02:01 PM
Is the apache server publicly addressable or does it have a private IP?
05-30-2007 05:19 AM
It's a private IP but I was given the impression that you could still access a webpage by using the public IP as long as the correct routing was configured in the PIX firewall.
05-30-2007 05:56 AM
All you need is a static and an access-list statement.
public ip = 1.1.1.1
private ip = 192.168.1.10
static (inside,outside) 1.1.1.1 192.168.1.10 netmask 255.255.255.255
access-list
access-group
If 1.1.1.1 is also the outside address of your pix then you can do this
static (inside,outside) interface 192.168.1.10 netmask 255.255.255.255
or port forward
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
As far as dns goes, the solution for that depends on where your dns server is. If it is outside then you can do dns doctoring, if it is inside and is returning the outside address you can do hairpinning on the inside interface with pix 7.
05-30-2007 07:29 AM
The DNS is handled by the server (this is a single-server situation). I have entered those commands before (i.e. the static, access-list, and access-group commands) and had no luck. If I go to a browser and type in the IP address of the computer hosting this Apache server, it comes up just as it should. But should it work the same way if I come from an outside IP address, such as... I go to my house, open a browser and type in "http://1.1.1.1": will it route to the Apache server on the internal address and come up properly? If there is any other information that you need, please ask and I will provide what I can.
And thank you to all who are trying to help my poor Cisco-ignorant self.
05-30-2007 07:54 AM
Yes, the pix would make the translation between the public address, 1.1.1.1 and the private one. Could you possibly post your pix config? Remove passwords etc. Give us the inside address of the server and the address you are attempting to hit from the outside, and is this address the same as your outside interface on pix?
05-30-2007 08:52 AM
There was a tcp interface forwarded to 192.168.100.11. I removed it because it was conflicting with the forward I was trying to do to 192.168.100.68. Not to mention that there is no 192.168.100.11 within my network. That may have been left over from before they moved, when they still hosted their own website. The outside IP address I would rather not give out. The outside address of the PIX is our one and only public IP address. So yes, it is the same. Modified config attached...
05-30-2007 09:08 AM
Access-list is wrong, this would only allow a source of 192.168.100.68 to a destination of 1.1.1.1. Change it to this...
no access-list outside_access_in permit tcp host 192.168.100.68 host 1.1.1.1 eq www
access-list outside_access_in permit tcp any host 1.1.1.1 eq www
access-group outside_access_in in interface outside
This can be removed...
static (inside,outside) tcp 192.168.100.68 www 1.1.1.1 www netmask 255.255.255.255 0 0
and if you don't have a 100.11 you can remove these too...
static (inside,outside) tcp interface smtp 192.168.100.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 32000 192.168.100.11 32000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 32001 192.168.100.11 32001 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 32000 192.168.100.11 32000 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 32001 192.168.100.11 32001 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.100.11 pop3 netmask 255.255.255.255 0 0
05-30-2007 10:44 AM
Thank you again for the advice. I put in those exact entries (substituting our public IP for 1.1.1.1) and I still get "page cannot be displayed". Is there anything else I'm missing? The config is still the same, with the exception of the items you said to change.
05-30-2007 11:05 AM
Could you post config again just to be sure. Substitute 1.1.1.1 as before.
From the inside you are doing http://192.168.100.68 and it is working?
From the outside you are doing http://1.1.1.1 and it is not working?
05-30-2007 11:19 AM
05-30-2007 11:27 AM
Is the server default gateway 192.168.100.100?
05-30-2007 11:31 AM
yes
05-30-2007 11:36 AM
Sorry, I'm pretty much out of ideas. It should work fine. You might as well get rid of access-lists 140, smtp.1, and smtp.2 as they are not being used.
When trying from the outside you aren't coming across the vpn tunnel you have configured are you?
05-30-2007 11:49 AM
Definitely not coming across the VPN. It needs to be accessible to the general public. Thanks again for all your time and effort. I'll sit here and ponder it some more. The guy who was here before me didn't set this up. He called in another company to do it for him, so there are some entries in there that probably don't need to be. The only IP addresses that I changed in the config, other than the public one to 1.1.1.1, were changed to x's. Anything that is in there as 0's or the 10.211, which is a separate IP pool that connects to the same server, are all the exact IP addresses. Don't know if that makes a difference.