How to allow access to web server & ports 80,443?

[john11112222]

We need to allow outside access to our web server to ports 80 and 443. Here is the configuration from the previous location. We just moved. If we put the web server at 10.1.1.100 and want the public IP to be *.*.*.165, does someone know how to modify the current config to allow this?
======================

pix515# sh ru
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password

hostname pix515
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging timestamp
logging buffered debugging
logging trap debugging
logging host inside *.*.*.51
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.162 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 *.*.*.163
nat (inside) 0 *.*.*.160 255.255.255.240 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 *.*.*.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity address
telnet x.x.x.245.0 255.255.255.0 outside
telnet y.y.y.227.0 255.255.255.0 outside
telnet z.z.z.47.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh a.a.a.245.0 255.255.255.0 outside
ssh b.b.b.227.0 255.255.255.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80

: end
pix515#

 

[martinp05]

hello,

you need an static for the translation:

static (inside,outside) <global-ip of the webserver> <local ip of the webserver>

then you need an access-list for inbound traffic:

access-list acl_outside_intf permit ip any <global ip of the webserver> eq 80

access-list acl_outside_intf permit ip any <global ip of the webserver> eq 443

then you must bind this access-list to the outside interface:

access-group acl_outside_intf in interface outside

done.

now everybody can access your webserver via port 80 and 443 over the public ip.

martin


----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator

 

[john11112222]

Wow! Thanks. We'll try it today.

 

[martinp05]

hello,

sorry,

please use in the access-list tcp instead of ip.

-->
access-list acl_outside_intf permit tcp any <global ip of the webserver> eq 80

access-list acl_outside_intf permit tcp any <global ip of the webserver> eq 443


martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator

 

[john11112222]

command #1 worked, static (inside,outside)...

command #2 did not.
access-list acl_outside_intf permit tcp any x.x.x.165 eq 80

It said "invalid ip address eq"

What to do?

 

[john11112222]

The following command #2 worked. Please confirm it is OK.

access-list acl_outside_intf permit tcp any x.x.x.165 255.255.255.255 eq 80

thanks

 

[lgarner]

Yes. The original #2 would work with the keyword "host" preceding the address.

"access-list acl_outside_intf permit tcp any host x.x.x.165 eq 80

 

[martinp05]

hello,

sorry,
i forgot the "host"

access-list acl_outside_intf permit tcp any host x.x.x.x eq 80.

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator

 

[caswcu]

search for my posts from a 3 week span. very good examples