
setting up pix for web server

18 years 1 month ago #17208 by jmbmichael
Hello, I am a newbie when it comes to a PIX. I am setting up a web server for my company and I need to know what exactly I need to configure in the PIX. We are using a PIX 506E and we have a static public IP. As far as I know I need a command stating static (inside,outside) 69.0.0.0 172.16.2.5 netmask 255.255.254.0 0 0 and set up an ACL. Now what are the commands to do this? And is there anything else that I need to do?
18 years 1 month ago #17217 by Smurf
Hi there,

You are quite right there (although I am guessing these are bogus IP addresses).

The static command is correct, although if you are using a single IP address on the external interface you are better off mapping port 80 only:

static (inside,outside) tcp outsideip www insideip www netmask 255.255.255.255

The access list needs to be built on the external interface; this would be done like this:

access-list restrict-inside permit tcp any host outsideip eq 80

Then it needs to be applied to the interface:

access-group restrict-inside in interface outside

Hopefully that should all work OK.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a security company called Sec-1 Ltd in the UK; for any
penetration testing work visit www.sec-1.com or PM me for details.
18 years 1 month ago #17219 by jmbmichael
OK, so if my IPs are internal 172.16.0.0 and external 69.0.0.0 255.255.254.0 (all fake of course), the static command should look like:
static (inside,outside) tcp 69.0.0.0 www 172.16.0.0 www netmask 255.255.254.0

Does this map to port 80?

What is the command to get to the external and internal interfaces?

Thanks
18 years 1 month ago #17220 by Smurf
Hi,

Yes, that is correct. This is doing a static translation from the outside to the inside on port 80.

What is the command to get to the external and internal interfaces?

- Not too sure I understand the question?

Are you referring to translation?

If so, you will need to use a global command, which sets what IP address on the outside you will start NATting to (or in your case, because of the single IP address, PAT).

Then you need to define what ranges on the inside are then allowed to NAT through.

e.g.

global (outside) 1 outsideip
nat (inside) 1 0.0.0.0 0.0.0.0

This is basically saying that ANYTHING on the inside (i.e. 0.0.0.0 0.0.0.0, although if you want to you can specify only your internal subnets, which is the better thing to do) will be translated to the outside IP using PAT.

If you had multiple IP addresses on the outside then you could substitute the global command like this:

global (outside) 1 x.y.z.100-x.y.z.150

What this will do is the first 50 machines would use NAT on the addresses .100 to .149, and then any other machines will resort to PAT on the last address, .150.

Hope that's what you were asking :)

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a security company called Sec-1 Ltd in the UK; for any
penetration testing work visit www.sec-1.com or PM me for details.
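As an added example (not code from the thread, from Cisco, or from Firewall.cx), a small Python script that emits the PIX 6.3 lines discussed above for one published TCP port and checks the inputs before anything is pasted into the 506E. The addresses are constructed sample values, the 255.255.255.255 host netmask and the RFC 1918 checks are the reviewer's own assumptions, and the ACL name reuses the thread's restrict-inside.

```python
import ipaddress

# Constructed helper: generates the port static, ACL, access-group and
# global/nat PAT lines from the thread, with the sanity checks a reviewer
# would apply first. PIX 6.3 syntax is assumed (the 506E never ran 7.x).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def publish_tcp_service(outside_ip, inside_ip, port, inside_subnet,
                        acl="restrict-inside"):
    """Return the config lines for one published TCP port, or raise ValueError."""
    if is_private(outside_ip):
        raise ValueError(f"{outside_ip} is RFC 1918 space; mapped address must be public")
    if not is_private(inside_ip):
        raise ValueError(f"{inside_ip} is not a private address; check the inside host")
    net = ipaddress.ip_network(inside_subnet, strict=False)
    if ipaddress.ip_address(inside_ip) not in net:
        raise ValueError(f"{inside_ip} is not inside {net}")
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return [
        # Host-to-host port static: the netmask is 255.255.255.255 regardless of
        # the subnet mask; a shorter mask would turn it into a network static.
        f"static (inside,outside) tcp {outside_ip} {port} {inside_ip} {port} "
        f"netmask 255.255.255.255 0 0",
        # Least privilege on the outside interface: only the published port, only
        # the published host. PIX 6.3 takes no 'extended' keyword (that is 7.x/ASA).
        f"access-list {acl} permit tcp any host {outside_ip} eq {port}",
        f"access-group {acl} in interface outside",
        # Outbound PAT limited to the inside subnet rather than 0.0.0.0 0.0.0.0.
        f"global (outside) 1 {outside_ip}",
        f"nat (inside) 1 {net.network_address} {net.netmask} 0 0",
    ]


def global_pool_plan(first, last):
    """For 'global (outside) 1 first-last': how many hosts get a one-to-one NAT
    address before the rest fall back to PAT on the last address of the range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi <= lo:
        raise ValueError("range must ascend")
    return int(hi) - int(lo), str(hi)
```

Calling publish_tcp_service("69.0.0.10", "172.16.2.5", 80, "172.16.2.0/23") yields the five lines in the order the thread introduces them; global_pool_plan("203.0.113.100", "203.0.113.150") returns (50, "203.0.113.150"), matching the 50-NAT-then-PAT description above.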
18 years 1 month ago #17223 by jmbmichael
Actually I was just referring to the Cisco commands to do what you said.

The access list needs to be built on the external interface; this would be done like this:

access-list restrict-inside permit tcp any host outsideip eq 80

Then it needs to be applied to the interface:

access-group restrict-inside in interface outside

When you say apply it to the interface, what do you mean?
18 years 1 month ago #17224 by Chris
Smurf's instructions are precise and very well written.

"Applying" it to an interface means that the access lists you have previously written are associated with one of the PIX interfaces.

The same concept exists on Cisco routers and other similar Cisco-oriented products.

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx