[lug] OT: Cisco PIX

Hugh Brown hugh at math.byu.edu
Fri Oct 18 21:08:59 MDT 2002


Thank you, that worked.  I don't know how I missed these pages on the
Cisco site.

Hugh

On Thu, 2002-10-17 at 21:40, Timothy Schuler wrote:
> Hugh,
> 
> In your access-list don't use the <internal host> as the destination -
> use the <ext_ip> you defined in the static command.
> 
> After you make changes to an acl or to NAT make sure you always do a
> 'clear xlate' to flush the translation table buffer.
> 
> Make sure this part of the access-list is getting hit when you try and
> go to the web server from an outside address by issuing a 'show
> access-list acl_out' command. The 'hitcnt' counter should be
> incrementing - if it doesn't there is still a problem with your acl.
> 
> Here is a decent reference for 'inside' / 'outside' PIX configuration
> using NAT. Beware of url wrapping.
> 
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml
> 
> 
> --TJ
> TJ Schuler, CCIE #8800
> Coleman Technologies, Inc.
> 720-981-4276 Office Phone
> 720-339-6000 Cell Phone
> http://www.ctiusa.com
> 
> 
> > -----Original Message-----
> > From: lug-admin at lug.boulder.co.us 
> > [mailto:lug-admin at lug.boulder.co.us] On Behalf Of Hugh Brown
> > Sent: Thursday, October 17, 2002 2:46 PM
> > To: LUG
> > Subject: [lug] OT: Cisco PIX
> > 
> > 
> > I am struggling with getting a Cisco PIX firewall (501) to 
> > redirect web traffic on the outside interface to a specific 
> > host on the inside interface.
> > 
> > Under linux I would do this:
> > 
> > ipmasqadm portfw -a -P  tcp -L <ext ip> 80 -R <internal host> 80
> > 
> > ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
> >              -s <remotehost> $UNPRIVPORTS \
> >              -d <ext ip> 443 -j ACCEPT  -l
> > 
> > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> >              -s <ext ip> 443 \
> >              -d <remote host> $UNPRIVPORTS -j ACCEPT  -l
> > 
> > 
> > I have tried the following on the pix
> > 
> > 
> > static (inside,outside) <ext ip> <internal host> netmask 255.255.255.255 0 0
> > access-list acl_out permit tcp host <remote host> gt 1024 host <internal host> eq 80
> > access-group acl_out in interface outside
> > 
> > 
> > and I get:
> > 
> > 106023: Deny tcp src outside:<remote host>/40623 dst inside:<ext ip>/80 by access-group "acl_out"
> > 
> > What am I doing wrong?
> > 
> > Hugh
> > 
> > 
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> > 
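The two checks TJ gives above (an ACL applied inbound on the outside interface must name the mapped address from the `static`, not the inside host, and the 106023 deny message tells you which address the ACL actually saw) can be automated. The following Python linter is an added example for this thread; it is not Cisco tooling and not code from either poster. It assumes the PIX 6.x `static`/`access-list`/`access-group` syntax shown in the thread, and all addresses in the constructed sample configs and log line are RFC 5737 documentation addresses standing in for the placeholders in the original post.

```python
"""Lint PIX 6.x-style config for the static/access-list destination mismatch."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples (RFC 5737 addresses, not values from the post):
# 203.0.113.10 is the mapped <ext ip>, 192.168.1.10 the <internal host>.
BROKEN_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list acl_out permit tcp host 198.51.100.5 gt 1024 host 192.168.1.10 eq 80
access-group acl_out in interface outside
"""

FIXED_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list acl_out permit tcp host 198.51.100.5 gt 1024 host 203.0.113.10 eq 80
access-group acl_out in interface outside
"""

# Constructed syslog line in the shape of the 106023 message quoted in the thread.
SAMPLE_DENY = ('106023: Deny tcp src outside:198.51.100.5/40623 dst '
               'inside:203.0.113.10/80 by access-group "acl_out"')

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
DENY_RE = re.compile(r'106023: Deny (\w+) src (\w+):(\S+)/(\d+) dst (\w+):(\S+)/(\d+) '
                     r'by access-group "(\S+)"')
PORT_OPS = {"eq", "gt", "lt", "neq"}


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _skip_port(tokens: List[str], i: int) -> int:
    """Skip an optional port operator such as 'eq 80', 'gt 1024' or 'range 1 1024'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def parse_ace(rest: str) -> Tuple[str, str]:
    """Return (source, destination) from the tail of an access-list entry."""
    tokens = rest.split()
    src, i = _take_addr(tokens, 0)
    i = _skip_port(tokens, i)
    dst, _ = _take_addr(tokens, i)
    return src, dst


def parse_config(config: str):
    """Collect statics (real -> mapped), ACEs per list, and lists bound inbound on outside."""
    real_to_mapped: Dict[str, str] = {}
    aces: Dict[str, List[Tuple[int, str, str, str]]] = {}
    inbound_outside: List[str] = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if m := STATIC_RE.match(line):
            _inside_if, outside_if, mapped, real, _mask = m.groups()
            if outside_if == "outside":
                real_to_mapped[real] = mapped
        elif m := ACL_RE.match(line):
            name, action, _proto, rest = m.groups()
            src, dst = parse_ace(rest)
            aces.setdefault(name, []).append((lineno, action, src, dst))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            if iface == "outside":
                inbound_outside.append(name)
    return real_to_mapped, aces, inbound_outside


def lint(config: str) -> List[str]:
    """Flag inbound-on-outside ACEs whose destination is a static's inside address."""
    real_to_mapped, aces, inbound_outside = parse_config(config)
    findings = []
    for name in inbound_outside:
        for lineno, _action, _src, dst in aces.get(name, []):
            if dst in real_to_mapped:
                findings.append(f"line {lineno}: access-list {name} names inside host {dst} "
                                f"as destination; use the mapped address "
                                f"{real_to_mapped[dst]} from the static command")
    return findings


def explain_deny(logline: str, config: str) -> Optional[str]:
    """Relate a 106023 deny to the statics so the mismatch is visible from the log."""
    m = DENY_RE.search(logline)
    if not m:
        return None
    proto, _sif, src, sport, _dif, dst, dport, group = m.groups()
    real_to_mapped, _aces, _inbound = parse_config(config)
    mapped_to_real = {v: k for k, v in real_to_mapped.items()}
    summary = f"{group} denied {proto} {src}:{sport} -> {dst}:{dport}"
    if dst in mapped_to_real:
        return (f"{summary}; {dst} is the mapped address for {mapped_to_real[dst]}, "
                f"so the ACE must name {dst}, not the inside host")
    return summary


if __name__ == "__main__":
    for finding in lint(BROKEN_CONFIG):
        print(finding)
    print(explain_deny(SAMPLE_DENY, BROKEN_CONFIG))
```

Run against `BROKEN_CONFIG` the linter reports the second line, and `explain_deny` shows that the PIX logged the denied destination as the mapped address, which is why an ACE written against the inside host never gets a hit. The linter is silent on `FIXED_CONFIG`; after changing a live box the same way, TJ's `clear xlate` and `show access-list acl_out` (watching `hitcnt`) remain the checks that confirm the rule is actually being matched.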