Case Number: K15147035
Title: Configure a PIX/ASA Firewall to allow the inbound traffic
Resolution: Complete these steps in order to give external employees or customers access to internal servers:
  1. Create a static Network Address Translation (NAT) on the PIX Firewall.

    This often applies to web or mail servers. These servers usually have private addresses on their LAN, such as 192.168.1.10, but require public addresses if they are to be reached from the Internet. You can give these devices an external address by using multiple Network Interface Cards (NICs) or by attaching them to a router with an interface on a public network such as 12.148.16.0.

  2. These options, however, can be prohibitively expensive or unnecessary in some organizations. An alternative is to configure a static NAT on a PIX Firewall that is attached to the Internet.

    This example allows access to the company web server. The internal address of this device is 172.16.4.22. The goal is for people on the Internet to use 14.62.31.228 in order to access the server. Assume that the server is on the inside interface and that the Internet is reached through the outside interface.

     
  3. In order to establish the translation, issue these commands on the PIX Firewall:


    At this point, any traffic destined for 14.62.31.228 is redirected to 172.16.4.22. However, an Access Control List (ACL) statement or conduit must still be created in order to allow the specified traffic to pass.

  4. If no previous ACL exists, issue these commands to allow HTTP traffic to reach the server from the Internet:

    • pixfirewall (config t)# access-list internet permit tcp any host 14.62.31.228 eq 80

    • pixfirewall (config t)# access-group internet in interface outside

      At this point, external users should be able to access the web server using HTTP.
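The steps above depend on two things agreeing: a static translation for the public address, and a permit for that address in an ACL bound to the outside interface. The following check is an added example, not part of the original article or Cisco's own tooling, that audits a saved configuration for mismatches between the two. The sample configuration is constructed, and the `static (inside,outside) ...` line format is an assumption based on PIX 6.x/7.x syntax, since the article's own command listing for step 3 is missing.

```python
import re

# Constructed sample config in PIX 6.x/7.x syntax, using the article's addresses.
# The static line format is an assumption: the article's own listing is missing.
SAMPLE_CONFIG = """\
static (inside,outside) 14.62.31.228 172.16.4.22 netmask 255.255.255.255
static (inside,outside) 14.62.31.229 172.16.4.23 netmask 255.255.255.255
access-list internet permit tcp any host 14.62.31.228 eq 80
access-list internet permit ip any host 14.62.31.230
access-group internet in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config, outside="outside"):
    """Return findings about static NAT / inbound ACL mismatches on `outside`."""
    statics, permits, bound = {}, [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            if m.group(2) == outside:
                statics[m.group(3)] = m.group(4)  # public -> private
        elif m := ACL_RE.match(line):
            permits.append(m.groups())  # (acl, proto, dest, port)
        elif m := GROUP_RE.match(line):
            if m.group(2) == outside:
                bound.add(m.group(1))
    findings = []
    # Only ACLs applied inbound on the outside interface affect Internet traffic.
    active = [p for p in permits if p[0] in bound]
    for acl, proto, dest, port in active:
        if dest not in statics:
            findings.append(f"{acl}: permit to {dest} has no static translation")
        if port is None:
            findings.append(f"{acl}: permit {proto} to {dest} is not limited to a port")
    reachable = {p[2] for p in active}
    for public, private in statics.items():
        if public not in reachable:
            findings.append(f"static {public} -> {private} has no permit bound to {outside}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An empty result means every published address has both a translation and a port-specific permit on the outside interface, which is the state the article's steps produce.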

Refer to these documents for more information on how to configure static NAT on the PIX/ASA Firewall:

Problem Type: Connectivity through the device; How to (General Information)
Product Family: Firewall - PIX 500 series; ASA Hardware & Software
PIX Software Version: PIX version 5.x; PIX version 6.x; PIX version 7.x
ASA Software Version: 7.0; 7.1; 7.2
PIX Model: PIX 500 Series Firewall
ASA Models: ASA 5520; ASA 5540; ASA 5500; ASA 5510
Client Location on Network with PIX: Outside
Features & Tasks: Network Address Translation (NAT)
Protocol / Ports: UDP; TCP
Direct URL: http://www.ciscotaccc.com/security/showcase?case=K15147035