Inbound Traffic

daidem77

MIS
Nov 30, 2005
43
CA
I am trying to allow outside traffic to the inside network. Basically I want to enable users to browse the webserver that is located inside our network. I have created the following basic conduit and the static entry. I can see that each time I try to access the website with the given outside address, the conduit is being hit. But I still can't get to the webserver. Can someone please tell me what I am doing wrong?

static (inside, outside) xx.xx.xx.55 172.16.0.12 netmask 255.255.255.255 0 0
conduit permit tcp host xx.xx.xx.55 eq
conduit permit tcp host xx.xx.xx.55 eq (hitcnt=4)

Do you need object groups in addition to the above?

I just need a static entry with a conduit or access-list to access a local web server.

Public IP xx.xx.xx.55
Inside Web Server 172.16.0.12
 
I am still waiting for any of you guys to help me. I really don't know what I am getting wrong. Please help.
 
Hello.

If your version of PIXOS supports it, can I recommend instead that you use an access list rather than a conduit? Cisco replaced conduits quite some time ago due to numerous concerns, security being one of them.

So you could remove your conduit and in its place use
access-list outside_access_in permit tcp any host x.x.x.55 eq www

access-group outside_access_in in interface outside

The static NAT statement you're using looks fine. Is the inside address of the PIX on the same subnet (172.16.0.x) as the webserver?

Also make sure the web server itself isn't running some kind of windows firewall!
 
Thank you for the advice. Yes, the webserver is in the same subnet as the webserver inside interface. I have not configured any conduits yet. I have not gone live with the PIX yet. Here are some of my sample access lists:

static (inside,outside) tcp interface 1278 172.20.0.8 1278 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 172.20.0.33 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 172.20.0.33 pop3 netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 172.20.0.22 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 172.20.0.22 domain netmask 255.255.255.255 0 0
access-list outside_access_in remark INTERNET
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq www
access-list outside_access_in remark POP3
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq pop3
access-list outside_access_in remark SMTP
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq smtp
access-list outside_access_in remark DNS
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq domain
access-list outside_access_in remark CUSTOM-APP
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq 1278
access-group outside_access_in in interface outside

What should I do if I have more than one webserver? Should I use a port like port 8080 on the second server and use port forwarding?
 
static (inside,outside) tcp interface 255.255.255.255 0 0
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq www

These lines should work fine, though you could substitute "interface" in the ACL.

Yes, you could use different ports in the static statement to support different web servers if you only have one public address.
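The static PAT approach described above, written out for two inside web servers behind the PIX's single outside address, as an added example (not the original poster's config or any reply in this thread). The second server 172.16.0.13, the public port 8080 and the ACL name are assumptions; the syntax is PIX 6.x.

```cisco
! First web server: public port 80 on the outside interface address -> 172.16.0.12:80
static (inside,outside) tcp interface www 172.16.0.12 www netmask 255.255.255.255 0 0
! Second web server (assumed address): public port 8080 -> 172.16.0.13:80
! The inside port stays 80; only the mapped (outside) port differs.
static (inside,outside) tcp interface 8080 172.16.0.13 www netmask 255.255.255.255 0 0

! Permit only the two mapped ports, not "permit ip any any", so nothing
! else that is statically translated becomes reachable by accident.
access-list outside_access_in remark WEB-1
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in remark WEB-2 (alternate port)
access-list outside_access_in permit tcp any interface outside eq 8080
access-group outside_access_in in interface outside
```

If a second public address is available instead, a plain one-to-one static (as in the first post) with its own `permit tcp any host <public-ip> eq www` line avoids the non-standard port, but either way each inside server is exposed on exactly one port, and `show access-list` hit counts on those two entries will confirm the ACL is being matched.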
 
Sorry, what do you mean by substitute interface with the ACL? Can you show me a sample?
 
access-list outside_access_in permit tcp any interface eq www

instead of:
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq www

 