PIX Configuration

Posted on 2004-11-08
Last Modified: 2013-11-16
This is the question

I have 3 public IP addresses. The first IP address has a static map to the internal interface of the PIX; the other two have static mappings. I am using access lists to provide port redirection. I want to redirect port 80 (www) to an inside address, however because there are static mappings for the three public addresses I have, it seems I cannot do this.
Question by: akita29
    LVL 36

    Expert Comment

    Hi akita29,
    That's correct. If you have static mappings you are effectively saying all ports outside for that IP are to go to the specified internal IP address. You cannot redirect a particular other port to another machine.

    If you post your current configuration we can suggest ways around it for you.

    Author Comment

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 50
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list 1 permit icmp any any
    access-list 1 permit gre any any
    access-list 1 permit tcp any host eq pop3
    access-list 1 permit tcp any host eq smtp
    access-list 1 permit tcp any host eq imap4
    access-list 1 permit tcp any host eq 8010
    access-list 1 permit tcp any host eq 8100
    access-list 1 permit tcp any host
    access-list 1 permit tcp any host eq pptp
    access-list 1 permit tcp any host eq 9010
    access-list 1 permit tcp any host eq 1666
    access-list 1 permit tcp any host eq 1700
    access-list 1 permit tcp any host range 27000 27009
    access-list 1 permit udp any host range 27000 27009
    access-list 1 permit tcp any host eq 2027
    access-list 1 permit tcp any host eq 2031
    access-list 10 permit ip 255.255
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool remote-users
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 10
    nat (inside) 1 0 0
    static (inside,outside) tcp interface 1666 1666 netmask 0 0
    static (inside,outside) netmask
    static (inside,outside) netmask 0 0
    access-group 1 in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map ipsec-maps 10 ipsec-isakmp dynamic dynmap
    crypto map ipsec-maps interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup vpn3000 address-pool remote-users
    vpngroup vpn3000 dns-server
    vpngroup vpn3000 wins-server
    vpngroup vpn3000 default-domain
    vpngroup vpn3000 split-tunnel 10
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    LVL 5

    Expert Comment


    static (inside,outside) tcp interface 80 X.X.X.X 80 netmask 0 0
                                             ^^^^^^^ - internal IP address you want port 80 to be redirected to.

    The internal host would then be available on :80


    Author Comment

    Tried it, however I cannot hit the web page.. I will take a look again..
    LVL 5

    Expert Comment


    try to do a "clear xlate".

    Author Comment

    Did the clear xlate, no luck. Any other suggestions? Question on the netmask: I entered 0 0, however should it be 0 0 for a class C?

    Author Comment

    BTW I did not write it to memory, because if there is an error I just need to restart the PIX. This should not be an issue?
    LVL 36

    Expert Comment

    > static (inside,outside) tcp interface 1666 1666 netmask 0 0
    You are redirecting port 1666 to an internal machine here, so you can add additional ports to the list.

    I am not sure if you can redirect port 80 on the external interface. I have seen problems with this before. I would try something like :-

    static (inside,outside) tcp interface 81 10.0.7.x 80 netmask 0 0
    Then try to view the website from outside the network (NOT inside) on
    If that works, change the '81' in the line above to '80' and try again.

    It won't matter that you haven't saved the config.
    LVL 79

    Assisted Solution

    clear xlate
    static (inside,outside) tcp interface 80 80 netmask
    access-list 1 permit tcp any interface outside eq 80
    access-group 1 in interface outside  <== always re-apply the acl

    LVL 5

    Accepted Solution


    damn, I missed the access-list part...

    lrmoore is right, you also need to add the access-lists to allow port 80 in.

    Author Comment

    Thanks guys or girls. Lrmoore, you have helped in the past; another good job. martap, thank you also, you started the ball rolling. Both of you ROCK...
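The mistake this thread ends on (a `static ... tcp interface` port redirect with no matching `access-list` permit, or the `access-group` never applied) is easy to catch by linting the config before writing it to memory. The following is an added example, not code from the thread or from Cisco; it assumes the PIX 6.3 syntax for `static`, `access-list` and `access-group` shown above, and the sample config and addresses are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in PIX 6.3 syntax, modelled on the thread: the 1666
# redirect has an access-list entry, the newly added port-80 redirect does not.
SAMPLE_CONFIG = """\
access-list 1 permit tcp any host 203.0.113.11 eq smtp
access-list 1 permit tcp any interface outside eq 1666
static (inside,outside) tcp interface 1666 10.0.7.5 1666 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 10.0.7.8 80 netmask 255.255.255.255 0 0
access-group 1 in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp|ip) (?:any|host \S+|\S+ \S+) "
                    r"(any|interface \w+|host \S+)(?: eq (\S+))?$")   # 'range' lines are ignored
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
PORT_NAMES = {"www": "80", "http": "80", "smtp": "25", "pop3": "110", "imap4": "143"}


def audit_interface_pat(config: str) -> List[str]:
    """Return one finding per interface PAT that inbound traffic could not reach."""
    statics: List[Tuple[str, str, str, str]] = []        # (out_if, proto, port, inside_ip)
    permits: Dict[str, Set[Tuple[str, str, str]]] = {}   # acl -> {(proto, dst, port or '*')}
    bound: Dict[str, str] = {}                           # interface -> acl applied inbound
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _, out_if, proto, port, inside_ip, _ = m.groups()
            statics.append((out_if, proto, PORT_NAMES.get(port, port), inside_ip))
        elif m := ACL_RE.match(line):
            name, proto, dst, port = m.groups()
            permits.setdefault(name, set()).add((proto, dst, PORT_NAMES.get(port, port) if port else "*"))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
    findings = []
    for out_if, proto, port, inside_ip in statics:
        acl = bound.get(out_if)
        if acl is None:   # the ACL exists but was never applied with access-group
            findings.append(f"{proto}/{port} -> {inside_ip}: no access-group bound inbound on {out_if}")
            continue
        # A permit counts if it covers the protocol, the outside interface (or any) and the port.
        permitted = any(p in ("ip", proto) and d in ("any", f"interface {out_if}") and pt in ("*", port)
                        for p, d, pt in permits.get(acl, set()))
        if not permitted:
            findings.append(f"{proto}/{port} -> {inside_ip}: access-list {acl} has no permit "
                            f"to interface {out_if} eq {port}")
    return findings
```

Running `audit_interface_pat(SAMPLE_CONFIG)` reports the port-80 redirect; adding the `access-list 1 permit tcp any interface outside eq 80` line from the accepted answer clears it.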
