[lug] OT: Cisco PIX

Timothy Schuler timothy.schuler at attbi.com
Thu Oct 17 19:40:17 MDT 2002


Hugh,

In your access-list don't use the <internal host> as the destination -
use the <ext_ip> you defined in the static command.

After you make changes to an acl or to NAT make sure you always do a
'clear xlate' to flush the translation table buffer.

Make sure this part of the access-list is getting hit when you try and
go to the web server from an outside address by issuing a 'show
access-list acl_out' command. The 'hitcnt' counter should be
incrementing - if it doesn't there is still a problem with your acl.

Here is a decent reference for 'inside' / 'outside' PIX configuration
using NAT. Beware of url wrapping.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml


--TJ
TJ Schuler, CCIE #8800
Coleman Technologies, Inc.
720-981-4276 Office Phone
720-339-6000 Cell Phone
http://www.ctiusa.com


> -----Original Message-----
> From: lug-admin at lug.boulder.co.us 
> [mailto:lug-admin at lug.boulder.co.us] On Behalf Of Hugh Brown
> Sent: Thursday, October 17, 2002 2:46 PM
> To: LUG
> Subject: [lug] OT: Cisco PIX
> 
> 
> I am struggling with getting a Cisco PIX firewall (501) to 
> redirect web traffic on the outside interface to a specific 
> host on the inside interface.
> 
> Under linux I would do this:
> 
> ipmasqadm portfw -a -P  tcp -L <ext ip> 80 -R <internal host> 80
> 
> ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
>              -s <remotehost> $UNPRIVPORTS \
>              -d <ext ip> 443 -j ACCEPT  -l
> 
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              -s <ext ip> 443 \
>              -d <remote host> $UNPRIVPORTS -j ACCEPT  -l
> 
> 
> I have tried the following on the pix
> 
> 
> static (inside,outside) <ext ip> <internal host> netmask 255.255.255.255 0 0
> access-list acl_out permit tcp host <remote host> gt 1024 host <internal host> eq 80
> access-group acl_out in interface outside
> 
> 
> and I get:
> 
> 106023: Deny tcp src outside:<remote host>/40623 dst inside:<ext ip>/80 by access-group "acl_out"
> 
> What am I doing wrong?
> 
> Hugh
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> 
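Putting TJ's three points together, here is an added example that is not from either poster: a PIX 6.x style configuration in which the outside access-list matches the external (global) address from the static, followed by the flush and verification steps. Every address below is a constructed placeholder standing in for the <ext ip>, <internal host> and <remote host> in Hugh's post.

```cisco
! Added example, not from the thread. PIX 6.x syntax; all addresses are placeholders:
!   203.0.113.10  = external/global address   (<ext ip>)
!   10.1.1.10     = internal web server        (<internal host>)
!   198.51.100.25 = remote client to allow in  (<remote host>)

! One-to-one static translation: outside 203.0.113.10 <-> inside 10.1.1.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! Traffic arriving on the outside interface is checked against the GLOBAL address,
! so the ACL must name the static's <ext ip>, not the inside host. Only TCP/80 from
! the one permitted client is opened; nothing else is reachable through the static.
access-list acl_out permit tcp host 198.51.100.25 gt 1024 host 203.0.113.10 eq 80

! Bind the ACL inbound on the outside interface.
access-group acl_out in interface outside

! After any ACL or NAT change, flush existing translations so the new rules take effect.
clear xlate

! Verify: make a request from the remote client, then confirm the hit counter moves.
show access-list acl_out
! Expected line (constructed output): ... host 203.0.113.10 eq 80 (hitcnt=1)
```

If hitcnt stays at zero after a connection attempt, the packet is not reaching this entry, and a 106023 deny naming <ext ip> as the destination is the sign that the ACL is still written against the inside address. Keeping the source restricted to a specific host (or as narrow a range as the service allows) rather than `any` limits what is exposed through the static once the rule does match.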



