Configure Cisco pix 515e firewall to access internal web server (NAS box)

We have a Cisco PIX 515e firewall and I need to configure it to allow access to our internal NAS storage (www.storageflex.com)

I configure the NAS box internally via IE using an ip address and port 80.

Hence I need to map our public ip to this NAS's internal ip and port.

Our firewall config as follows (setup by a consultant):

Note these lines:
alias (inside) 192.168.0.49 xx.xxx.104.242 255.255.255.255
static (inside,outside) tcp xx.xxx.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.255 0 0

They are used for our ftp server. We broadcast our internal ftp server to our clients outside.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MMGFIRE
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any any eq 3000
access-list acl_out permit tcp any host 192.168.0.49 eq ftp
access-list acl_out permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq 3000
access-list acl_in permit ip any any
access-list acl_in permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.104.242 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
alias (inside) 192.168.0.49 xx.xxx.104.242 255.255.255.255
static (inside,outside) tcp xx.xxx.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.227.104.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
[OK]

I was thinking of this:
alias (inside) 192.168.0.2 xx.xxx.104.242 255.255.255.255
static (inside,outside) tcp xx.xxx.104.242 www 192.168.0.2 www netmask 255.255.255.255 0 0

But that doesnt work because only one alias command can be used. Any help is much appreciated.
clinthammerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

grbladesCommented:
Hi clinthammer,
You are basically correct. You don't need the additional 'alias' command. The alias command translates IP address within the actual protocol itself. The existing one is there to reduce problems with the way FTP works I suspect.

Therefore you should only need :-
static (inside,outside) tcp xx.xxx.104.242 www 192.168.0.2 www netmask 255.255.255.255 0 0

Your inbound access-list is already permitting www so that does not need to be changed.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
clinthammerAuthor Commented:
Well ity works. From within my office, i cant connect to the public ip. But from outside i can connect to it.

Is there some protocl that prevents this?

Thanks,
CD
0
grbladesCommented:
It is a limitation of the PIX. It wont forward data sent to one interface back out the same interface. Therefore within the company you will have to use the servers real IP address on the internal interface to connect.
I normally setup a hostname on the internal DNS server so that people access it with a single URL but always get given the correct IP wherever they are.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.