Configure Cisco pix 515e firewall to access internal web server (NAS box)

Posted on 2004-11-23
Medium Priority
Last Modified: 2013-11-16
We have a Cisco PIX 515e firewall and I need to configure it to allow access to our internal NAS storage (www.storageflex.com)

I configure the NAS box internally via IE using an ip address and port 80.

Hence I need to map our public ip to this NAS's internal ip and port.

Our firewall config as follows (setup by a consultant):

Note these lines:
alias (inside) xx.xxx.104.242
static (inside,outside) tcp xx.xxx.104.242 ftp ftp netmask 0 0

They are used for our ftp server. We broadcast our internal ftp server to our clients outside.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MMGFIRE
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host eq ftp
access-list acl_out permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq 3000
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.104.242
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
alias (inside) xx.xxx.104.242
static (inside,outside) tcp xx.xxx.104.242 ftp ftp netmask 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

I was thinking of this:
alias (inside) xx.xxx.104.242
static (inside,outside) tcp xx.xxx.104.242 www www netmask 0 0

But that doesnt work because only one alias command can be used. Any help is much appreciated.
Question by:clinthammer
  • 2
LVL 36

Accepted Solution

grblades earned 2000 total points
ID: 12662974
Hi clinthammer,
You are basically correct. You don't need the additional 'alias' command. The alias command translates IP address within the actual protocol itself. The existing one is there to reduce problems with the way FTP works I suspect.

Therefore you should only need :-
static (inside,outside) tcp xx.xxx.104.242 www www netmask 0 0

Your inbound access-list is already permitting www so that does not need to be changed.

Author Comment

ID: 12663095
Well ity works. From within my office, i cant connect to the public ip. But from outside i can connect to it.

Is there some protocl that prevents this?

LVL 36

Expert Comment

ID: 12663165
It is a limitation of the PIX. It wont forward data sent to one interface back out the same interface. Therefore within the company you will have to use the servers real IP address on the internal interface to connect.
I normally setup a hostname on the internal DNS server so that people access it with a single URL but always get given the correct IP wherever they are.

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question