Solved

Please help!!! Pix 501 issue

Posted on 2006-11-21
Last Modified: 2013-11-16
Today I issued the following command into my cousin's company's pix 501 through the PDM:
static (inside,outside) 70.88.231.137 192.168.0.25 netmask 255.255.255.255 0 0

After I did that the firewall stopped passing traffic altogether. Now I can't even VPN into it to reverse the change. I'm thinking the only way is to power the firewall down and back up, since I didn't get a chance to save to flash.

I was just trying to do some port forwarding for a web application.
Question by:alateos
10 Comments

Author Comment

by:alateos
ID: 17992953
Can someone at least tell me what that command did?
LVL 8

Expert Comment

by:thur6165
ID: 17993183
You set up a NAT so that all traffic going to 70.88.231.137 will be passed to 192.168.0.25; you would now need to set an access list to allow the traffic through, and that's why everything is being dropped. Just reboot if you did not save the config.
LVL 8

Expert Comment

by:thur6165
ID: 17993258
I missed your objective in that last line.  This should take care of your access list.

access-list out-in permit tcp any host 70.88.231.137 eq 80
access-group out-in in interface outside
LVL 20

Expert Comment

by:calvinetter
ID: 17993589
>After I did that the firewall stopped passing traffic altogether.
   Let me guess, 70.88.231.137 is the IP address of the outside interface, right? If so, and you want to forward web traffic to your internal server, do this:

no static (inside,outside) 70.88.231.137 192.168.0.25  <- skip if you already rebooted PIX without saving config
static (inside,outside) tcp 70.88.231.137 80 192.168.0.25 80
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 80
access-group inbound_acl in interface outside

FYI: Never use a dash '-' in ACL names! Underscore as above is ok.  If you already have an ACL on the outside interface, replace "inbound_acl" with the name/number of your existing ACL.

cheers

Author Comment

by:alateos
ID: 17994750
If I just had "sent" the command to the pix, doesn't mean that it saved it to flash, right?

Author Comment

by:alateos
ID: 17994756
Also, my web application runs on port 8080
LVL 20

Accepted Solution

by:
calvinetter earned 500 total points
ID: 17994984
>If I just had "sent" the command to the pix, doesn't mean that it saved it to flash, right?
   Right.  As long as you didn't tell the PIX to save the config at any time, you could have the PIX rebooted & try again remotely or go onsite.

>my web application runs on port 8080
   Fine. Just replace 80 with 8080 in the example I gave you.

cheers

Author Comment

by:alateos
ID: 17995305
How can I just apply port forwarding such that all traffic going to 70.88.231.137 on port 8080 will be forwarded to 192.168.0.25 on port 8080?
LVL 20

Expert Comment

by:calvinetter
ID: 18000186
 As I said before, just substitute 8080 for 80 in my previous post.  eg:
static (inside,outside) tcp 70.88.231.137 8080 192.168.0.25 8080
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 8080
access-group inbound_acl in interface outside

cheers
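Added example, not code from this thread and not Cisco's: a small Python model of the static/access-list interplay that thur6165's explanation (a one-to-one static with no permitting ACL drops everything) and calvinetter's fix (a port-level static PAT plus a one-port ACL) both rely on. It parses the exact config lines quoted above and evaluates a few constructed inbound packets. Its rules are deliberately simplified and follow the thread's explanation rather than PIX's real packet path: a packet whose destination matches a static is translated to the inside host (a one-to-one static matches every protocol and port, a port-level static only its own tcp/udp port); a translated packet is then checked against the outside-interface ACL on its pre-translation address and dropped if nothing permits it; a packet matching no static is left untranslated, i.e. addressed to the firewall itself. It assumes, as calvinetter guessed, that 70.88.231.137 is the outside interface address, and the sample packets (the 8080 web app, IKE on udp/500 for the VPN, a stray port) are constructed.

```python
"""Toy model of the PIX 'static' + 'access-list' logic discussed in the thread.

Added example, not thread or Cisco code. Simplified rules:
  * inbound packet matching a static -> translated to the inside host;
    one-to-one static matches all protocols/ports, port-level static only
    its own tcp/udp port;
  * translated packet must be permitted by the outside ACL, matched on the
    pre-translation (global) address; otherwise implicit deny;
  * packet matching no static is left untranslated (firewall's own traffic:
    VPN, management, ...).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed (per calvinetter's guess) to be the outside interface address.
OUTSIDE_IP = "70.88.231.137"
INSIDE_HOST = "192.168.0.25"


@dataclass(frozen=True)
class Static:
    proto: Optional[str]        # None = one-to-one IP static (all protocols/ports)
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]


@dataclass(frozen=True)
class Ace:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'tcp', 'udp' or 'ip'
    dst: str                    # 'any' or a host address
    dst_port: Optional[int]     # None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


def parse_static(line: str) -> Static:
    """static (inside,outside) [tcp|udp] GLOBAL [GPORT] LOCAL [LPORT] [netmask ...]"""
    t = line.split()
    if t[0] != "static":
        raise ValueError(line)
    t = t[2:]                   # drop 'static' and the '(inside,outside)' pair
    if t[0] in ("tcp", "udp"):
        return Static(t[0], t[1], int(t[2]), t[3], int(t[4]))
    return Static(None, t[0], None, t[1], None)


def parse_ace(line: str) -> Ace:
    """access-list NAME permit|deny PROTO any|host SRC any|host DST [eq PORT]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    i = 4
    i += 2 if t[i] == "host" else 1         # skip the source specification
    dst = "any" if t[i] == "any" else t[i + 1]
    port = int(t[t.index("eq") + 1]) if "eq" in t else None
    return Ace(action, proto, dst, port)


def evaluate(statics: List[Static], acl: List[Ace], pkt: Packet) -> Tuple[str, str, int]:
    """Return (verdict, address, port) for one inbound packet on 'outside'."""
    for s in statics:
        if s.global_ip != pkt.dst_ip:
            continue
        if s.proto is not None and (s.proto, s.global_port) != (pkt.proto, pkt.dst_port):
            continue
        lport = s.local_port if s.local_port is not None else pkt.dst_port
        for a in acl:                       # ACL is matched on the global address
            if (a.proto in ("ip", pkt.proto) and a.dst in ("any", pkt.dst_ip)
                    and a.dst_port in (None, pkt.dst_port)):
                return ("forward" if a.action == "permit" else "drop", s.local_ip, lport)
        return ("drop", s.local_ip, lport)  # no matching permit: implicit deny
    return ("untranslated", pkt.dst_ip, pkt.dst_port)


# Config lines exactly as posted in the thread.
ORIGINAL_STATIC = ["static (inside,outside) 70.88.231.137 192.168.0.25 netmask 255.255.255.255 0 0"]
FIXED_STATIC = ["static (inside,outside) tcp 70.88.231.137 8080 192.168.0.25 8080"]
FIXED_ACL = ["access-list inbound_acl permit tcp any host 70.88.231.137 eq 8080"]

# Constructed sample traffic: the web app, IKE (udp/500) for the VPN, a stray port.
SAMPLE = [Packet("tcp", OUTSIDE_IP, 8080), Packet("udp", OUTSIDE_IP, 500),
          Packet("tcp", OUTSIDE_IP, 25)]


def run(static_lines: List[str], acl_lines: List[str]) -> dict:
    """Map (proto, port) of each sample packet to its verdict under a config."""
    statics = [parse_static(ln) for ln in static_lines]
    acl = [parse_ace(ln) for ln in acl_lines]
    return {(p.proto, p.dst_port): evaluate(statics, acl, p) for p in SAMPLE}


if __name__ == "__main__":
    for label, st, acl in (("original", ORIGINAL_STATIC, []), ("fixed", FIXED_STATIC, FIXED_ACL)):
        for (proto, port), verdict in run(st, acl).items():
            print(f"{label:8s} {proto}/{port:<5} -> {verdict}")
```

Under the original one-to-one static every sample packet, IKE included, is pulled to 192.168.0.25 and then dropped for want of a permit, which matches the symptom of "stopped passing traffic altogether" and the lost VPN; under the port-level static PAT only tcp/8080 is translated and permitted, and everything else stays with the firewall.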

Author Comment

by:alateos
ID: 18000315
OK, thanks. I'll test it soon.
