Solved

Please help!!! Pix 501 issue

Posted on 2006-11-21
10
343 Views
Last Modified: 2013-11-16
Today I issued the following command into my cousin's company's pix 501 through the PDM:
static (inside,outside) 70.88.231.137 192.168.0.25 netmask 255.255.255.255 0 0

After I did that the firewall stopped passing traffic altogether. Now I can't even VPN into it to reverse the change. I'm thinking the only way is to power down and up the firewall since I didn't get a chance to save to flash.

I was just trying to do some port forwarding for a web application.
0
Comment
Question by:alateos
  • 5
  • 3
  • 2
10 Comments
 

Author Comment

by:alateos
ID: 17992953
Can someone at least tell me what that command did?
0
 
LVL 8

Expert Comment

by:thur6165
ID: 17993183
You setup a NAT so that all traffic going to 70.88.231.137 will be passed to 192.168.0.25,  you would now need to set a access list to allow the traffic thru, thats why everything is being dropped.  Just reboot if you did not save the config.
0
 
LVL 8

Expert Comment

by:thur6165
ID: 17993258
I missed your objective in that last line.  This should take care of your access list.

Access-list out-in perm tcp any host 70.88.231.137 eq 80
Access-group out-in in interface outside
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 20

Expert Comment

by:calvinetter
ID: 17993589
>After I did that the firewall stopped passing traffic altogether.
   Let me guess, 70.88.231.137 is the IP address of the outside interface, right?  If so, & you want to forward web traffic to your internal server, do this:

no static (inside,outside) 70.88.231.137 192.168.0.25  <- skip if you already rebooted PIX without saving config
static (inside,outside) tcp 70.88.231.137 80 192.168.0.25 80
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 80
access-group inbound_acl in interface outside

FYI: Never use a dash '-' in ACL names! Underscore as above is ok.  If you already have an ACL on the outside interface, replace "inbound_acl" with the name/number of your existing ACL.

cheers
0
 

Author Comment

by:alateos
ID: 17994750
If I just had "sent" the command to the pix, doesn't mean that it saved it to flash, right?
0
 

Author Comment

by:alateos
ID: 17994756
Also, my web application runs on port 8080
0
 
LVL 20

Accepted Solution

by:
calvinetter earned 500 total points
ID: 17994984
>If I just had "sent" the command to the pix, doesn't mean that it saved it to flash, right?
   Right.  As long as you didn't tell the PIX to save the config at any time, you could have the PIX rebooted & try again remotely or go onsite.

>my web application runs on port 8080
   Fine.  Just replace 8080 for 80 in the example I gave you.

cheers
0
 

Author Comment

by:alateos
ID: 17995305
how can i just apply port forwarding such that all traffic going to 70.88.231.137 on port 8080 will be forwarded to 192.168.0.25 on port 8080?
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 18000186
 As I said before, just substitute 8080 for 80 in my previous post.  eg:
static (inside,outside) tcp 70.88.231.137 8080 192.168.0.25 8080
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 8080
access-group inbound_acl in interface outside

cheers
0
 

Author Comment

by:alateos
ID: 18000315
ok thanks.. I'll test it soon
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question