Solved

Please help!!! Pix 501 issue

Posted on 2006-11-21
10
322 Views
Last Modified: 2013-11-16
Today I issued the following command into my cousin's company's pix 501 through the PDM:
static (inside,outside) 70.88.231.137 192.168.0.25 netmask 255.255.255.255 0 0

After I did that the firewall stopped passing traffic altogether. Now I can't even VPN into it to reverse the change. I'm thinking the only way is to power down and up the firewall since I didn't get a chance to save to flash.

I was just trying to do some port forwarding for a web application.
0
Comment
Question by:alateos
  • 5
  • 3
  • 2
10 Comments
 

Author Comment

by:alateos
ID: 17992953
Can someone at least tell me what that command did?
0
 
LVL 8

Expert Comment

by:thur6165
ID: 17993183
You setup a NAT so that all traffic going to 70.88.231.137 will be passed to 192.168.0.25,  you would now need to set a access list to allow the traffic thru, thats why everything is being dropped.  Just reboot if you did not save the config.
0
 
LVL 8

Expert Comment

by:thur6165
ID: 17993258
I missed your objective in that last line.  This should take care of your access list.

Access-list out-in perm tcp any host 70.88.231.137 eq 80
Access-group out-in in interface outside
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 17993589
>After I did that the firewall stopped passing traffic altogether.
   Let me guess, 70.88.231.137 is the IP address of the outside interface, right?  If so, & you want to forward web traffic to your internal server, do this:

no static (inside,outside) 70.88.231.137 192.168.0.25  <- skip if you already rebooted PIX without saving config
static (inside,outside) tcp 70.88.231.137 80 192.168.0.25 80
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 80
access-group inbound_acl in interface outside

FYI: Never use a dash '-' in ACL names! Underscore as above is ok.  If you already have an ACL on the outside interface, replace "inbound_acl" with the name/number of your existing ACL.

cheers
0
 

Author Comment

by:alateos
ID: 17994750
If I just had "sent" the command to the pix, doesn't mean that it saved it to flash, right?
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:alateos
ID: 17994756
Also, my web application runs on port 8080
0
 
LVL 20

Accepted Solution

by:
calvinetter earned 500 total points
ID: 17994984
>If I just had "sent" the command to the pix, doesn't mean that it saved it to flash, right?
   Right.  As long as you didn't tell the PIX to save the config at any time, you could have the PIX rebooted & try again remotely or go onsite.

>my web application runs on port 8080
   Fine.  Just replace 8080 for 80 in the example I gave you.

cheers
0
 

Author Comment

by:alateos
ID: 17995305
how can i just apply port forwarding such that all traffic going to 70.88.231.137 on port 8080 will be forwarded to 192.168.0.25 on port 8080?
0
 
LVL 20

Expert Comment

by:calvinetter
ID: 18000186
 As I said before, just substitute 8080 for 80 in my previous post.  eg:
static (inside,outside) tcp 70.88.231.137 8080 192.168.0.25 8080
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 8080
access-group inbound_acl in interface outside

cheers
0
 

Author Comment

by:alateos
ID: 18000315
ok thanks.. I'll test it soon
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now