Allow public internet to access web server using names and object-groups
This configuration snippet shows how to setup a server on the inside of your network and make it accessible to anyone on the outside. In this example the public address space is represented with the 172.16.1.0 network. There are two web servers that need to be accessible from the outside. Each should be able to be accessed on port 80 as well as port 443. In this example we will use the names and network-objects commands to simplify the configuration.
# This configuration was taken from a PIX running 6.3(4) with default security assignments of 0 on the outside
# and 100 on the inside.
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
# Names just lets you assign an easy to read name to an ip address or network. For hosts that are being
# translated, I like to use the -G in the name to signify that it is a global address and a -L to signify
# that it is a local address. Again it is one server, but it has a public address and a private address so
# I use a name for each one to signify the difference.
names
name 172.16.1.10 WebServer1-G
name 10.1.1.10 WebServer1-L
name 172.16.1.12 WebServer2-G
name 10.1.1.12 WebServer2-L
# The object-group command defines a group of objects that can be used in access-lists. So in this case
# we defined an object-group called WebServices and that it is comprised of TCP ports. The ports we
# defined are 80 and 443. Once you understand the whole config you will see how it is easy to add additional
# ports to be opened across multiple servers just by adding the new port to the object group.
object-group service WebServices tcp
description Web Services
port-object eq www
port-object eq https
# This object group defines a group of individual hosts. Note that the above object-group was of the type
# service whereas this on is of the type network.
object-group network WebServers
description All Web Servers
network-object WebServer1-G 255.255.255.255
network-object WebServer2-G 255.255.255.255
# The access list allows tcp traffic from any source address to reach each of the servers on the specified ports.
# This opens up an entry point for Internet users to reach these servers. Remember when going from a lower
# security interface to a higher security interface you need an access-list along with a static command for the
# server. Therefore the hosts defined in the access-list need to have a static entry which is further down in
# the configuration. Access-lists that get applied to the outside interface should always point to the published
# public IP address. The public IP address is published with the static command. Instead of the typical
# access list listing hosts and services we are now using the object groups to define things in a much
# easier way.
access-list outside-entry permit tcp any object-group WebServers object-group WebServices
ip address outside 172.16.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
# When going from a higher interface to a lower interface a NAT and global command are used.
# Any address on the 10.1.1.0 / 24 network going to the outside will use PAT translating the source IP
# to the IP address that is configured on the outside interface above.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
# The static command publishes the address of 172.15.1.10 as an available address on the outside of the pix
# that translates to 10.1.1.10 on the inside of the pix. In this case we are using the names that were
# defined instead of the IP addresses.
static (inside,outside) WebServer1-G WebServer1-L netmask 255.255.255.255 0 0
static (inside,outside) WebServer2-G WebServer2-L netmask 255.255.255.255 0 0
# The access-list is not used until it is applied to the interface as shown below.
access-group outside-entry in interface outside
# Finally for reference a default route is defined to the Internet.
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
# Default configuration lines have been omitted.
Refer to http://ciscoconfigs.net/
