Configure Cisco pix 515e firewall to access internal web server (NAS box)

Posted on 2004-11-23
Last Modified: 2013-11-16
We have a Cisco PIX 515e firewall and I need to configure it to allow access to our internal NAS storage (

I configure the NAS box internally via IE using an ip address and port 80.

Hence I need to map our public ip to this NAS's internal ip and port.

Our firewall config as follows (setup by a consultant):

Note these lines:
alias (inside)
static (inside,outside) tcp ftp ftp netmask 0 0

They are used for our ftp server. We broadcast our internal ftp server to our clients outside.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MMGFIRE
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host eq ftp
access-list acl_out permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq 3000
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
alias (inside)
static (inside,outside) tcp ftp ftp netmask 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

I was thinking of this:
alias (inside)
static (inside,outside) tcp www www netmask 0 0

But that doesnt work because only one alias command can be used. Any help is much appreciated.
Question by:clinthammer
    LVL 36

    Accepted Solution

    Hi clinthammer,
    You are basically correct. You don't need the additional 'alias' command. The alias command translates IP address within the actual protocol itself. The existing one is there to reduce problems with the way FTP works I suspect.

    Therefore you should only need :-
    static (inside,outside) tcp www www netmask 0 0

    Your inbound access-list is already permitting www so that does not need to be changed.

    Author Comment

    Well ity works. From within my office, i cant connect to the public ip. But from outside i can connect to it.

    Is there some protocl that prevents this?

    LVL 36

    Expert Comment

    It is a limitation of the PIX. It wont forward data sent to one interface back out the same interface. Therefore within the company you will have to use the servers real IP address on the internal interface to connect.
    I normally setup a hostname on the internal DNS server so that people access it with a single URL but always get given the correct IP wherever they are.

    Featured Post

    Top 6 Sources for Identifying Threat Actor TTPs

    Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

    Join & Write a Comment

    Suggested Solutions

    To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
    The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
    Need more eyes on your posted question? Go ahead and follow the quick steps in this video to learn how to Request Attention to your question. *Log into your Experts Exchange account *Find the question you want to Request Attention for *Go to the e…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    755 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    26 Experts available now in Live!

    Get 1:1 Help Now