Allow public internet to access web server on the Inside

This configuration snippet shows how to set up a server on the inside of your network and make it accessible to anyone on the outside. In this example the public address space is represented by the 172.16.1.0 network. Two web servers need to be accessible from the outside, each on port 80 as well as port 443.

PIX Access web server on inside

# This configuration was taken from a PIX running 6.3(4) with default security assignments of 0 on the outside
# and 100 on the inside.

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

# The access list allows tcp traffic from any source address to reach each of the servers on the specified ports.
# This opens up an entry point for Internet users to reach these servers. Remember when going from a lower
# security interface to a higher security interface you need an access-list along with a static command for the
# server. Therefore the hosts defined in the access-list need to have a static entry which is further down in
# the configuration. Access-lists that get applied to the outside interface should always point to the published
# public IP address. The public IP address is published with the static command.


access-list outside-entry permit tcp any host 172.16.1.10 eq www
access-list outside-entry permit tcp any host 172.16.1.10 eq https
access-list outside-entry permit tcp any host 172.16.1.12 eq www
access-list outside-entry permit tcp any host 172.16.1.12 eq https

ip address outside 172.16.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

# When going from a higher security interface to a lower security interface, a nat and a global command are used.
# Any address on the 10.1.1.0/24 network going to the outside will use PAT, translating the source IP
# to the IP address that is configured on the outside interface above.

global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

# The static command publishes the address 172.16.1.10 as an available address on the outside of the PIX
# that translates to 10.1.1.10 on the inside of the PIX. The published address must match the host
# address used in the access-list above.

static (inside,outside) 172.16.1.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 172.16.1.12 10.1.1.12 netmask 255.255.255.255 0 0

# The access-list is not used until it is applied to the interface as shown below.

access-group outside-entry in interface outside

# Finally for reference a default route is defined to the Internet.

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

# Default configuration lines have been omitted.
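
The comments above tie three commands together: each host permitted by the access-list needs a static that publishes the same address, and the access-list does nothing until access-group binds it to the interface. The following is an added example, not part of the original configuration, that cross-checks those three pieces in a saved config; the sample config is constructed and audit() is a hypothetical helper name.

```python
import re

# Constructed sample config (not the page's listing). The second static
# deliberately publishes an address that no access-list entry references.
SAMPLE = """\
access-list outside-entry permit tcp any host 172.16.1.10 eq www
access-list outside-entry permit tcp any host 172.16.1.10 eq https
access-list outside-entry permit tcp any host 172.16.1.12 eq www
static (inside,outside) 172.16.1.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 172.15.1.12 10.1.1.12 netmask 255.255.255.255 0 0
access-group outside-entry in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+\S+\s+any\s+host\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")

def audit(config, iface="outside"):
    """Return (permitted_without_static, published_without_acl) for iface."""
    acl_hosts, published, applied = {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
        elif m := STATIC_RE.match(line):
            # Syntax: static (real_if,mapped_if) mapped_ip real_ip
            if m.group(2) == iface:
                published.add(m.group(3))
        elif m := GROUP_RE.match(line):
            if m.group(2) == iface:
                applied.add(m.group(1))
    # Only access-lists bound to the interface with access-group take effect.
    permitted = set()
    for name in applied:
        permitted |= acl_hosts.get(name, set())
    return sorted(permitted - published), sorted(published - permitted)

if __name__ == "__main__":
    no_static, no_acl = audit(SAMPLE)
    print("permitted but not published:", no_static)
    print("published but not permitted:", no_acl)
```

An address in the first list is permitted by the access-list but has no translation to an inside host; an address in the second list is published but unreachable from the outside because no applied access-list entry permits it.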

Refer to http://ciscoconfigs.net/