[lug] OT: Cisco PIX
Timothy Schuler
timothy.schuler at attbi.com
Thu Oct 17 19:40:17 MDT 2002
Hugh,
In your access-list don't use the <internal host> as the destination -
use the <ext_ip> you defined in the static command.
After you make changes to an acl or to NAT make sure you always do a
'clear xlate' to flush the translation table buffer.
Make sure this part of the access-list is getting hit when you try to
go to the web server from an outside address by issuing a 'show
access-list acl_out' command. The 'hitcnt' counter should be
incrementing - if it doesn't, there is still a problem with your acl.
Here is a decent reference for 'inside' / 'outside' PIX configuration
using NAT. Beware of url wrapping.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml
--TJ
TJ Schuler, CCIE #8800
Coleman Technologies, Inc.
720-981-4276 Office Phone
720-339-6000 Cell Phone
http://www.ctiusa.com
> -----Original Message-----
> From: lug-admin at lug.boulder.co.us
> [mailto:lug-admin at lug.boulder.co.us] On Behalf Of Hugh Brown
> Sent: Thursday, October 17, 2002 2:46 PM
> To: LUG
> Subject: [lug] OT: Cisco PIX
>
>
> I am struggling with getting a Cisco PIX firewall (501) to
> redirect web traffic on the outside interface to a specific
> host on the inside interface.
>
> Under linux I would do this:
>
> ipmasqadm portfw -a -P tcp -L <ext ip> 80 -R <internal host> 80
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> -s <remotehost> $UNPRIVPORTS \
> -d <ext ip> 443 -j ACCEPT -l
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s <ext ip> 443 \
> -d <remote host> $UNPRIVPORTS -j ACCEPT -l
>
>
> I have tried the following on the pix
>
>
> static (inside,outside) <ext ip> <internal host> netmask 255.255.255.255 0 0
> access-list acl_out permit tcp host <remote host> gt 1024 host <internal host> eq 80
> access-group acl_out in interface outside
>
>
> and I get:
>
> 106023: Deny tcp src outside:<remote host>/40623 dst inside:<ext ip>/80 by access-group "acl_out"
>
> What am I doing wrong?
>
> Hugh
>
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
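The corrected PIX configuration that the reply above describes, written out as an added example; it is not part of the original thread. The addresses are placeholders from the RFC 5737 documentation ranges standing in for <ext ip>, <internal host> and <remote host>, and the 'show access-list' output line is illustrative of the format, not captured from a real box. Syntax is PIX 6.x as shipped on a PIX 501 at the time of the thread.

```cisco
! Added example, not from the original thread. Placeholder addresses:
!   203.0.113.10  = <ext ip>        (public address published by the static)
!   10.1.1.10     = <internal host> (web server on the inside interface)
!   198.51.100.5  = <remote host>   (the one outside client to be allowed in)

! 1. Publish the inside host on a public address (one-to-one static NAT).
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! 2. An ACL bound inbound on the outside interface is matched against the
!    packet as it arrives, i.e. before the static un-translates it, so the
!    destination must be the global address from the static. Naming the
!    inside address here is what produces the 106023 deny in the question.
access-list acl_out permit tcp host 198.51.100.5 gt 1024 host 203.0.113.10 eq 80

! Wrong form (what the original post had), kept here only for contrast:
! access-list acl_out permit tcp host 198.51.100.5 gt 1024 host 10.1.1.10 eq 80

! 3. Bind the ACL inbound on the outside interface.
access-group acl_out in interface outside

! 4. Flush stale translations after any NAT or ACL change.
clear xlate

! 5. Verify. Browse to 203.0.113.10 from 198.51.100.5, then check that the
!    hit counter on the permit line increments (illustrative output):
show access-list acl_out
!   access-list acl_out permit tcp host 198.51.100.5 gt 1024 host 203.0.113.10 eq 80 (hitcnt=3)
! and that a translation for the server now exists:
show xlate

! Variant: if the only public address is the outside interface's own IP,
! PIX 6.0 and later can redirect a single port rather than a whole address
! (the closer equivalent of the ipmasqadm portfw line in the question).
! The ACL above then stays as written, with the interface's address as the
! destination.
! static (inside,outside) tcp interface 80 10.1.1.10 80 netmask 255.255.255.255 0 0
```

If 'hitcnt' stays at zero after 'clear xlate', the ACL is not being consulted at all (check 'access-group' is applied to the outside interface) or the test traffic is not reaching the PIX; if it increments but the connection still fails, the problem is on the inside leg (server, default route back to the PIX, or an inbound ACL on the inside interface), not in acl_out.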