
PIX 501 Port Redirect

Asked by bytebulb
1,233 Views
Last Modified: 2013-11-16
I've been trying to set up a PIX 501 to forward all port 80 traffic to the internal address 192.168.1.100.  The inside address on the PIX is 192.168.1.1.  The outside address on the PIX is obtained via DHCP from a broadband cable modem.  I have PAT enabled on the firewall.  I can't seem to get the config right, mostly because I am new to the PIX CLI.  I've tried helplessly to get this done through the GUI.  Please list all steps necessary.  I know this is probably an easy one...

Also, should I have a router between the firewall and modem for any reason?  Any recommendations on a good reference book for PIX??

Thanks,
Peter
Commented:

Not a problem...  Please post your entire "sanitized" config (ie, passwords removed & any public IPs masked out like so: x.x.x.23), so I can see what needs to be changed/removed.  This should only take a few config lines to get you going.

>Also, should I have a router between the firewall and modem for any reason?
Don't need to.

>Any recommendations on a good reference book for PIX??
For PIX software v6.x:  http://www.ciscopress.com/bookstore/product.asp?isbn=1587051494&rl=1

cheers
Commented:
Hmm. You might have a problem there. The PIX is already listening on port 80 for its configuration GUI, so I think it would interfere with what you have inside.

So if that is the case, do a 'http server disable' on PIX and proceed with the comments above by grblades.

If you don't want to disable that, then you have to be running your internal web server on a different port than 80. In that case, let's assume that you choose 8080, then the config would be:

static (inside,outside) tcp interface 8080 192.168.1.100 8080

access-list outside_in permit tcp any any eq 8080
access-group outside_in in interface outside

Hope this helps.

Cheers,
Rajesh

Commented:
Actually you can tighten the security a bit with that ACL statement:

access-list outside_in permit tcp any interface outside eq 80

This command does not work on pretty old IOS versions like 6.1, if the command does not work, you can use:

access-list outside_in permit tcp any <IP address of the outside interface> eq 80

Greets,

OMonge.
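Putting the two comments above together, this is what a complete PIX 6.x port-redirect fragment for the original question looks like: TCP/80 passed straight through to 192.168.1.100, the PDM web interface turned off as Rajesh suggests so it no longer occupies port 80 on the PIX, and the tightened ACL from OMonge. This is an added example, not configuration posted in the thread; it assumes PIX software 6.2 or later for the `interface` keyword in the `static` command (older releases need the literal outside IP, as OMonge notes), and the ACL name outside_in is simply the one used in the comments above.

```cisco
! Added example for PIX 6.x (assumes 6.2 or later for the 'interface' keyword).
! The outside address comes from DHCP, so every rule below binds to the
! interface rather than to a fixed public IP.
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0

! Outbound PAT for the inside network, sharing the dynamic outside address.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Static PAT: TCP/80 arriving on the outside address -> 192.168.1.100:80.
static (inside,outside) tcp interface 80 192.168.1.100 80 netmask 255.255.255.255 0 0

! Inbound ACL: permit only TCP/80 to the outside interface address.
! 'interface outside' as the destination (OMonge's form) is narrower than 'any';
! on 6.1 and older substitute the real outside IP, e.g. 'host x.x.x.23'.
access-list outside_in permit tcp any interface outside eq 80
access-group outside_in in interface outside

! Free TCP/80 on the PIX itself so the redirect, not PDM, answers (Rajesh's point).
! If you need to keep PDM, the thread's alternative is to run the internal
! server on another port, e.g. 8080, and change the port in both lines above.
no http server enable
```

After entering the lines, run `clear xlate` so the new static translation takes effect for any existing connections, then `write memory` to save. Verify from a host outside the cable modem, not from the inside network: the outside interface does not redirect traffic that originates on the inside, so an inside test gives a false negative. Note also that the inbound ACL is a positive list; anything else you later need reachable from the outside must be added to outside_in explicitly.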

Author Commented:
Thanks for the help.  I will try these commands.  Any other ideas on books?  I'm interested in learning more on PIX...

-Peter

Commented:
Peter,

If you like, please check this link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm

That's the Cisco PIX Firewall and VPN Configuration Guide, Version 6.3

Greets,

OMonge.