Tom's Hardware: Topic PIX 501 Help needed with simple HTTP / HTTPS config
Tom's Hardware > Forum > General Networking > Firewall > PIX 501 Help needed with simple HTTP / HTTPS config
Tom's Hardware: Over 1.4 million members in 6 different countries available to answer all your high-tech questions.
Sign up now! Its free!
Archived from groups: comp.security.firewalls (More info?)
In article <1125447672.331715.14670@g43g2000cwa.googlegroups.com>,
<michael@culpeppertech.com> wrote:
:Here's what should be a simple config issue... We have a PIX501, and a
:web server behind it. I need everyone from the Outside
:interface to be able to view our website sitting behind the firewall at
:an internal address.
IX Version 6.3(4)
:name 192.168.4.192 WEB
bject-group service HTTPHTTPS tcp
: port-object eq www
: port-object eq https
:access-list inside_outbound_nat0_acl permit ip any 192.168.4.80 255.255.255.240
:access-list outside_cryptomap_dyn_20 permit ip any 192.168.4.80 255.255.255.240
:access-list outside_cryptomap_dyn_40 permit ip any 192.168.4.80 255.255.255.240
:access-list outside_access_in remark HTTP
:access-list outside_access_in permit tcp interface outside eq www host RCMSWEB eq www log
That line is wrong, even if we assume that RCMSWEB is what you earlier
named as WEB .
:ip address outside 198.107.3.16 255.255.255.0
:ip address inside 192.168.4.1 255.255.255.0
:ip local pool VPNIP 192.168.4.80-192.168.4.95
Your VPN pool must always be "outside" relative to your inside interface.
Otherwise the return traffic will not be able to get to it. This will
affect your inside_outbound_nat0_acl and outside_cryptomap_dyn_* ACLs.
dm location 192.168.11.0 255.255.255.0 inside
That line, though not actually a functional line, is wrong, as
192.168.11.0 is not "inside" and you have no "route" statement
pointing that subnet to the inside interface.
:global (outside) 1 interface
OK.
:global (inside) 2 interface
?? global (inside) would only be used in rather uncommon reverse-NAT
configurations, which you are NOT using. And you don't have a
nat (outside) 2 statement to match that global (inside) 2.
:nat (inside) 0 access-list inside_outbound_nat0_acl
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:static (inside,outside) RCMSWEB RCMSWEB netmask 255.255.255.255 0 0
If RCMSWEB is what you named as WEB earlier then you are static'ing
a private IP (192.168.4.192) to be translated to itself when it goes
outside. That's not going to work.
:access-group outside_access_in in interface outside
:route outside 0.0.0.0 0.0.0.0 198.107.3.1 1
:crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
:crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
:crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
:crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
outside_cryptomap_dyn_20 and outside_cryptomap_dyn_40 have the same
contents, so those two policies duplicate each other. You probably
only want one of the two.
:crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
:crypto map outside_map interface outside
:vpngroup rcmsremote address-pool VPNIP
:telnet 192.168.4.0 255.255.255.0 inside
:telnet 192.168.11.0 255.255.255.0 inside
192.168.11.0 is not "inside" according to the rest of your configuration.
:I can factory default this thing if it's easier to start from scratch.
Yup. It's messed up.
name 192.168.4.192 WEB
object-group service HTTPHTTPS tcp
port-object eq www
port-object eq https
access-list outside_access_in permit tcp any interface outside object-group HTTPHTTPS
static (inside,outside) tcp interface www WEB www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https WEB https netmask 255.255.255.255 0 0
access-list outside_cryptomap_nonat permit ip any 192.168.255.80 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.255.80 255.255.255.240
nat (inside) 0 access-list outside_cryptomap_nonat
ip local pool VPNIP 192.168.255.80-192.168.255.95
crypto dynamic-map outside_dyn_map 20 match-address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 set transform-set ESP-3DES-MD5
vpngroup rcmsremote address-pool VPNIP
--
'The short version of what Walter said is "You have asked a question
which has no useful answer, please reconsider the nature of the
problem you wish to solve".' -- Tony Mantler
Please mind
You are about to answer a thread that has been inactive for more than 6 months.
If you still wish to proceed, please ensure that your posting is original and does not duplicate or overlap any prior responses to this thread.
Sponsored links
Ad
Related Topics
- Addressing problem with NATted DMZ
- Help with AtGuard
- NVIDIA firewall and print server don't play nice....HELP!
- Please help hijack this log. Don't know how to check spywa..
- NAT is not a mechanism for securing a network.. but.. HELP!
- Management unable to communicate with firewall cluster
- RPC Dynamic Ports? Windows 2003 with Checkpoint firewall.
- Trouble with Netgear FVS114 establishing VPN
- Partnership with firewalls
They won a badge
Join us in greeting them
- 18:41 groveborn won the Sophmore badge
- 01:00 Square_Head won the Freshman badge
- 01:00 electrosam won the Freshman badge
- 17:42 rsud won the Sophmore badge
- 01:00 kayvonjoon won the Freshman badge
- 01:00 knowbody60 won the Uniformed badge
- 01:00 lacoon won the Uniformed badge
- 01:00 Tazman39 won the Uniformed badge
- 01:00 Avro Arrow won the Uniformed badge
- 01:00 repete456 won the Uniformed badge