Method Two – SRA Appliance on DMZ Interface

This method is optional and requires that the PIX have an unused third interface, such as a PIX 515, PIX 525, or PIX 535. We will be using the default numbering scheme of the SRA appliance.

From a management system, log into the SRA appliance’s management interface. By default the management interface is X0 and the default IP address is 192.168.200.1.

Navigate to the Network > Routes page and make sure the Default Gateway is set to 192.168.200.2 When done, click on the Accept button in the upper-right-hand corner to save and activate the change.

Navigate to the NetExtender > Client Addresses page. Enter 192.168.200.201 in the field next to Client Address Range Begin:, and enter 192.168.200.249 in the field next to Client Address Range End:’. When done, click on the Accept button in the upper-right-hand corner to save and activate the change.

Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0 and 192.168.200.0.

Navigate to the Network > DNS page and enter your internal network’s DNS addresses, internal domain name, and WINS server addresses. These are critical for NetExtender to function correctly. When done, click on the Accept button in the upper-right-hand corner to save and activate the change.

Navigate to the System > Restart page and click on the Restart… button.

Install the SRA appliance’s X0 interface on the unused DMZ network of the PIX. Do not hook any of the appliance’s other interfaces up.

Connect to the PIX’s management CLI via console port, telnet, or SSH and enter configure mode.

Issue the command ‘clear http’ to shut off the PIX’s HTTP/S management interface.

Issue the command ‘interface ethernet2 auto’ (or whatever interface you will be using)

Issue the command ‘nameif ethernet2 dmz security4’ (or whatever interface you will be using)

Issue the command ‘ip address dmz 192.168.200.2 255.255.255.0’

Issue the command ‘nat (dmz) 1 192.168.200.0 255.255.255.0 0 0’

Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq www’ (replace x.x.x.x with the WAN IP address of your PIX)

Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq https’ (replace x.x.x.x with the WAN IP address of your PIX)

Issue the command ‘access-list dmz-to-inside permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0’

Issue the command ‘access-list dmz-to-inside permit ip host 192.168.200.1 any’

Issue the command ‘static (dmz,outside) tcp x.x.x.x www 192.168.200.1 www netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX)

Issue the command ‘static (dmz,outside) tcp x.x.x.x https 192.168.200.1 https netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX)

Issue the command ‘static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0’

Issue the command ‘access-group sslvpn in interface outside’

Issue the command ‘access-group dmz-to-inside in interface dmz’

Exit config mode and issue the command ‘wr mem’ to save and activate the changes.

From an external system, attempt to connect to the SRA appliance using both HTTP and HTTPS. If you cannot access the SRA appliance, check all steps above and test again.