PIX 515 PPPOE Connection With Internal Website

[havanajoe]

I have a PIX 515 setup as the connection point for my DSL connection. I am running it as a PPPoE client, the external interface gets a DHCP address from my ISP. I am trying to setup a web server inside my network. I have setup the static command to look like this...

static (inside,outside) tcp interface

http://www 10.10.10.3

http://www netmask

255.255.255.255 0 0

The ACL that I use is this...

access-list inbound permit tcp any host 10.10.10.3 eq www

The error that I am seeing in the syslog is this...

Deny tcp src outside:199.71.141.254/1242 dst inside:216.8.169.148/80 by access-group "inbound"

If I change the ACL to permit tcp any any eq www

then it works just fine. The problem is that I don't want to open it up like that, I really hate using the any any statement.

Does anyone have any ideas?

 

[themut]

Hello there,

If you don't get a static IP address from your ISP you will not be able to overcome this issue. However, you can ask your what the block of IP addresses your ISP uses to assign your IP address. Then you can configure:

access-list inbound permit tcp any <block> <subnet> eq www

IF you get a static IP address then use this IP on your ACL. Hope this helps.

 

[yizhar]

HI.

In your case, you have a single IP address which is port 80 mapped to your web server. So even when using any any actualy port 80 traffic can reach only the web server.

I agree with themut - only when using static ip addresses you'll be able to specify them in the ACL.

The ACL should specify external address, not the internal address of your server.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[havanajoe]

That's what I thought, too bad that the PIX won't let you setup an acl to interface as it does to enable the outside to be a PPPoE connection point. Oh well, I guess I will live with the any any.

Thanks for confirming my initial suspicions guys!