Solved

Cisco Pix 506e  - Port forward a few public IP's to private IP's

Posted on 2005-03-30
Last Modified: 2013-11-16
Hi,
I have a public range with 13 usable IPs (66.66.66.26-38)
66.66.66.26 is my WAN address on the CISCO PIX 506e
66.66.66.25 is my gateway
255.255.255.240 is my subnet mask

On the Lan side
192.168.1.1 Gateway
255.255.255.0 SM

I want to port forward everything on a few of the other PUBLIC IPs to a few PRIVATE IPs
For Example:
66.66.66.27 I want to forward to 192.168.1.7 (everything).   I think this is a PAT issue.

I understand the Access Lists. I tried this below, but I think I am missing another mapping, since .27 is not the wan address on the PIX

static (inside, outside) 66.66.66.27 192.168.1.7
access-list 101 permit tcp any host 66.66.66.27
access-group 101 in interface outside

Any ideas? This is pretty urgent.
Question by:fitzpab
8 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 13671404
You've got the right idea, and that should be all you need to do.
However, you've only permitted tcp in the acl. If you want everything forwarded, use "ip" instead

   access-list 101 permit ip any host 66.66.66.27

You might also need to issue the "clear xlate" command both right before you put in the statics, and right after you put in all your new statics.

Check to make sure you do NOT have this in the config:
  sysopt noproxyarp outside

LVL 1

Author Comment

by:fitzpab
ID: 13677357
Thanks for the response...still not working, so there is something not configured right.  I've made one change since taking it out of the box and that was the route command to get internet access:

route outside 0.0.0.0 0.0.0.0 66.66.66.25 1

Current config:

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password kfl7M44bJzaTMd8ye encrypted
passwd ta.qizy4R//ChqQH encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.66.66.26 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 66.66.66.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.150-192.168.1.249 inside
dhcpd dns 43.4.221.17 43.4.221.18
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username login password LKtYL45ymWOQeKb2 encrypted privilege 15
terminal width 80
Cryptochecksum:8144e2dfse3a1c383aa94fbf2a01ac5ad1
: end
[OK]

I add the following:
clear xlate
static (inside, outside) 66.66.66.27 192.168.1.7
access-list 101 permit ip any host 66.66.66.27
access-group 101 in interface outside
clear xlate

and the following lines show up in the running config:
access-list 101 permit ip any host 66.66.66.27
static (inside,outside) 66.66.66.27 192.168.1.7 netmask 255.255.255.255 0 0
access-group 101 in interface outside

I still can't connect.  I have a host at the 192.168.1.7 address running a webserver and the URL just times out when I try http://66.66.66.27
Any ideas?  I appreciate the help
-Berne
Oh yeah, the sysopt command is not in the config as you can see above.
LVL 79

Accepted Solution

by: lrmoore (earned 1000 total points)
ID: 13678339
Can you reach any public web site from a PC inside the PIX?
Is your default gateway set to the PIX inside IP?
What are you using for DNS server in your PC config?

>times out when I try http://66.66.66.27   
Are you trying to reach the public IP of your own web server from within the inside of the PIX?
   You can't. Period.

If you're trying from outside the PIX, then check the results of the following commands:
  "show interface"  make sure both interfaces are up, and look for error counters like CRC errors
  "sho xlate" and see if you have any entries for the PC or server
  "sho access-list" and look for the hitcounter to increase as you have someone try to hit your web site (hitcount= )
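As an added check (not code from the thread, from Cisco, or from either poster): a small Python validator that applies the same tests lrmoore lists above to a PIX 6.3 running config: the static is present, the ACL permits ip rather than only tcp, the ACL is bound with access-group on the outside interface, and sysopt noproxyarp outside is absent, plus one on-link test for the public address. The sample config below is constructed from the shape of the lines posted in this thread; the function name check_forward is this example's own.

```python
import ipaddress
import re

# Constructed sample following the shape of the running config posted in the thread.
SAMPLE_CONFIG = """\
ip address outside 66.66.66.26 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
access-list 101 permit ip any host 66.66.66.27
static (inside,outside) 66.66.66.27 192.168.1.7 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 66.66.66.25 1
"""

STATIC_RE = re.compile(r"^static \(inside,\s*outside\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
OUTSIDE_RE = re.compile(r"^ip address outside (\S+) (\S+)")


def check_forward(config, public_ip, private_ip):
    """Return the problems that would stop public_ip being forwarded to private_ip ([] = looks complete)."""
    lines = [ln.strip() for ln in config.splitlines()]
    problems = []
    # 1. The static must map the public address to the private host on (inside,outside).
    statics = [m.groups() for ln in lines if (m := STATIC_RE.match(ln))]
    if (public_ip, private_ip) not in statics:
        problems.append(f"missing: static (inside,outside) {public_ip} {private_ip}")
    # 2. An ACL must permit traffic to the public host; 'permit tcp' alone forwards only TCP.
    acl_hits = [m.groups() for ln in lines if (m := ACL_RE.match(ln)) and m.group(3) == public_ip]
    if not acl_hits:
        problems.append(f"missing: access-list permitting traffic to host {public_ip}")
    elif not any(proto == "ip" for _, proto, _ in acl_hits):
        problems.append("access-list permits only specific protocols; use 'permit ip' to forward everything")
    # 3. That ACL must be bound inbound on the outside interface.
    bound = {m.group(1) for ln in lines if (m := GROUP_RE.match(ln))}
    if acl_hits and not bound & {name for name, _, _ in acl_hits}:
        problems.append("access-list is not applied with 'access-group <acl> in interface outside'")
    # 4. Proxy ARP must stay enabled, or the PIX never answers ARP for the static address.
    if "sysopt noproxyarp outside" in lines:
        problems.append("'sysopt noproxyarp outside' is set; the PIX will not answer ARP for the static")
    # 5. The upstream router only ARPs for on-link addresses, so the public IP must be a usable
    #    host address inside the outside interface's subnet.
    m = next(filter(None, map(OUTSIDE_RE.match, lines)), None)
    if m:
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        addr = ipaddress.ip_address(public_ip)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{public_ip} is not a usable host address in outside subnet {net}")
    return problems
```

Feed it the full text of "show running-config" (or "write terminal") rather than a hand-picked excerpt, so a forgotten access-group or a later sysopt line is not missed.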
LVL 79

Expert Comment

by:lrmoore
ID: 13678342
What do you have in front of the PIX? A router? A DSL modem? Cable modem?
You might have to check with your ISP to make sure they are routing to you properly.
LVL 1

Author Comment

by:fitzpab
ID: 13678606
Can you reach any public web site from a PC inside the PIX?
>Yes...I can reach all public websites!!

Is your default gateway set to the PIX inside IP?
>The default gateway of the PCs inside the firewall is set to the inside IP 192.168.1.1

What are you using for DNS server in your PC config?
>DHCP from the PIX....My ISP's DNS Servers (Telepacific)

>times out when I try http://66.66.66.27   
Are you trying to reach the public IP of your own web server from within the inside of the PIX?
   You can't. Period.
>Yes, I was trying to, but I was also trying to reach the http://66.66.66.27 public address from outside the firewall (note: The IP addresses I am using in these examples are NOT the exact ones for security reasons, but accurate representations)

If you're trying from outside the PIX, then check the results of the following commands:
  "show interface"  make sure both interfaces are up, and look for error counters like CRC errors
  "sho xlate" and see if you have any entries for the PC or server
  "sho access-list" and look for the hitcounter to increase as you have someone try to hit your web site (hitcount= )
>I'll try this when I get home.  I set up my SSH and PDM access from only my home office IP range.
>Thanks for the ideas
-Berne
LVL 1

Author Comment

by:fitzpab
ID: 13678611
What do you have in front of the PIX? A router? A DSL modem? Cable modem?
You might have to check with your ISP to make sure they are routing to you properly.

>It is Telepacific...A T1 with their router.  They should be bridging, not blocking anything.  I'll check with them again.  I spoke to a tech the other day but they seemed a little green.
LVL 79

Expert Comment

by:lrmoore
ID: 14354283
Are you still working on this?
Have you found a solution?
Do you need more information?

This question will be classified as abandoned soon if we don't get some feedback from you.

Can you close out this question? See here for details:
http://www.experts-exchange.com/help.jsp#hs5

Thanks for your attention!
LVL 1

Author Comment

by:fitzpab
ID: 14358658
None of these worked, but I haven't been able to get back to do more testing.  Later this summer.  For now, I am going to close the question and give points to LRMOORE as I very much appreciated the help.
-Berne