  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 384

Please help!!! Pix 501 issue

Today I issued the following command into my cousin's company's PIX 501 through the PDM:
static (inside,outside) 70.88.231.137 192.168.0.25 netmask 255.255.255.255 0 0

After I did that the firewall stopped passing traffic altogether. Now I can't even VPN into it to reverse the change. I'm thinking the only way is to power down and up the firewall since I didn't get a chance to save to flash.

I was just trying to do some port forwarding for a web application.
Asked by: alateos
alateos (Author) commented:
Can someone at least tell me what that command did?
thur6165 commented:
You set up a NAT so that all traffic going to 70.88.231.137 will be passed to 192.168.0.25. You would now need to set an access list to allow the traffic through; that's why everything is being dropped. Just reboot if you did not save the config.
thur6165 commented:
I missed your objective in that last line.  This should take care of your access list.

access-list out-in permit tcp any host 70.88.231.137 eq 80
access-group out-in in interface outside
calvinetter commented:
>After I did that the firewall stopped passing traffic altogether.
   Let me guess, 70.88.231.137 is the IP address of the outside interface, right?  If so, & you want to forward web traffic to your internal server, do this:

no static (inside,outside) 70.88.231.137 192.168.0.25  <- skip if you already rebooted PIX without saving config
static (inside,outside) tcp 70.88.231.137 80 192.168.0.25 80
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 80
access-group inbound_acl in interface outside

FYI: Never use a dash '-' in ACL names! Underscore as above is ok.  If you already have an ACL on the outside interface, replace "inbound_acl" with the name/number of your existing ACL.

cheers
alateos (Author) commented:
If I just "sent" the command to the PIX, that doesn't mean it saved it to flash, right?
alateos (Author) commented:
Also, my web application runs on port 8080
calvinetter commented:
>If I just "sent" the command to the PIX, that doesn't mean it saved it to flash, right?
   Right.  As long as you didn't tell the PIX to save the config at any time, you could have the PIX rebooted & try again remotely or go onsite.

>my web application runs on port 8080
   Fine.  Just replace 8080 for 80 in the example I gave you.

cheers
alateos (Author) commented:
How can I just apply port forwarding such that all traffic going to 70.88.231.137 on port 8080 will be forwarded to 192.168.0.25 on port 8080?
calvinetter commented:
As I said before, just substitute 8080 for 80 in my previous post. e.g.:
static (inside,outside) tcp 70.88.231.137 8080 192.168.0.25 8080
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 8080
access-group inbound_acl in interface outside

cheers
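A small config audit, added here as an example (it is not code from the thread or from Cisco), that parses the static / access-list / access-group lines in the answers above and reports the two failure modes they describe: a port-less static on the outside interface address, and a static with no matching ACL applied to the outside interface. It assumes, as calvinetter guesses, that 70.88.231.137 is the PIX's outside interface address; the sample configs are constructed from the commands in the thread.

```python
import re

# Assumption (the thread implies it but never states it): 70.88.231.137 is the
# PIX's own outside interface address, so a port-less static on it captures
# every inbound packet, including the management/VPN sessions to the firewall.
OUTSIDE_IP = "70.88.231.137"

# Simplified PIX 6.x syntax as used in this thread; not a full config parser.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\)(?: (tcp|udp))? (\S+)(?: (\d+))? (\S+)(?: (\d+))?")
ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) (.+?) host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

# Constructed samples: the command from the question, and the corrected version.
BROKEN_CONFIG = "static (inside,outside) 70.88.231.137 192.168.0.25 netmask 255.255.255.255 0 0\n"
FIXED_CONFIG = (
    "static (inside,outside) tcp 70.88.231.137 8080 192.168.0.25 8080\n"
    "access-list inbound_acl permit tcp any host 70.88.231.137 eq 8080\n"
    "access-group inbound_acl in interface outside\n"
)

def audit(config):
    """Return findings for the static / access-list / access-group lines of a config."""
    statics, acl_entries, bound = [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _inside, outside, proto, gaddr, gport, laddr, _lport = m.groups()
            statics.append((outside, proto, gaddr, gport, laddr))
        elif m := ACL_RE.match(line):
            acl_entries.append(m.groups())          # name, proto, src, dst host, port
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)          # ACL name -> interface it is applied to
    findings = []
    for outside, proto, gaddr, gport, laddr in statics:
        if gaddr == OUTSIDE_IP and gport is None:
            findings.append(f"static maps the whole outside interface address {gaddr} to {laddr}; "
                            "all inbound traffic to the firewall is redirected there")
            continue
        # A static only opens the translation; an ACL bound to the outside
        # interface must still permit the traffic or the PIX drops it.
        permitted = any(
            bound.get(name) == outside and dst == gaddr
            and (gport is None or (p == proto and port == gport))
            for name, p, _src, dst, port in acl_entries)
        if not permitted:
            findings.append(f"no access-list applied to '{outside}' permits "
                            f"{proto or 'any'}/{gport or 'any'} to {gaddr}; inbound connections are dropped")
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```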
alateos (Author) commented:
OK, thanks. I'll test it soon.