alateos
asked on
Please help!!! Pix 501 issue
Today I issued the following command into my cousin's company's PIX 501 through the PDM:
static (inside,outside) 70.88.231.137 192.168.0.25 netmask 255.255.255.255 0 0
After I did that the firewall stopped passing traffic altogether. Now I can't even VPN into it to reverse the change. I'm thinking the only way is to power down and up the firewall since I didn't get a chance to save to flash.
I was just trying to do some port forwarding for a web application.
You set up a NAT so that all traffic going to 70.88.231.137 will be passed to 192.168.0.25; you would now need to set an access list to allow the traffic through, that's why everything is being dropped. Just reboot if you did not save the config.
I missed your objective in that last line. This should take care of your access list.
Access-list out-in perm tcp any host 70.88.231.137 eq 80
Access-group out-in in interface outside
>After I did that the firewall stopped passing traffic altogether.
Let me guess, 70.88.231.137 is the IP address of the outside interface, right? If so, & you want to forward web traffic to your internal server, do this:
no static (inside,outside) 70.88.231.137 192.168.0.25 <- skip if you already rebooted PIX without saving config
static (inside,outside) tcp 70.88.231.137 80 192.168.0.25 80
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 80
access-group inbound_acl in interface outside
FYI: Never use a dash '-' in ACL names! Underscore as above is ok. If you already have an ACL on the outside interface, replace "inbound_acl" with the name/number of your existing ACL.
cheers
ASKER
If I just "sent" the command to the PIX, that doesn't mean it saved it to flash, right?
ASKER
Also, my web application runs on port 8080
ASKER
How can I just apply port forwarding such that all traffic going to 70.88.231.137 on port 8080 will be forwarded to 192.168.0.25 on port 8080?
As I said before, just substitute 8080 for 80 in my previous post. eg:
static (inside,outside) tcp 70.88.231.137 8080 192.168.0.25 8080
clear xlate
access-list inbound_acl permit tcp any host 70.88.231.137 eq 8080
access-group inbound_acl in interface outside
cheers
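As an added example, not code from any poster in this thread: a small Python check that reads the static, access-list and access-group lines of a saved PIX 6.x config and flags the two problems discussed above (a one-to-one static on the outside interface's own address, and a static with no permit bound inbound on the outside interface), plus the dash-in-ACL-name advice. The config fragment is constructed; only the addresses and ports come from the thread.

```python
import re
# Constructed sample PIX 6.x config; the addresses are the thread's, the rest is assumed.
SAMPLE_CONFIG = """\
ip address outside 70.88.231.137 255.255.255.248
static (inside,outside) 70.88.231.137 192.168.0.25 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.88.231.137 8080 192.168.0.25 8080
access-list out-in permit tcp any host 70.88.231.137 eq 80
access-list inbound_acl permit tcp any host 70.88.231.137 eq 8080
access-group inbound_acl in interface outside
"""

IFADDR_RE = re.compile(r"^ip address (\w+) (\S+) \S+$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+)(?: (\d+))? (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:perm|permit) (\w+) \S+ host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

def lint_pix_config(config):
    """Return (code, message) findings for static NAT / ACL problems in a PIX config."""
    iface_ip, applied, permits, statics, acl_names = {}, {}, set(), [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := IFADDR_RE.match(line):
            iface_ip[m.group(1)] = m.group(2)
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())  # (inside, outside, proto, global_ip, global_port, local_ip)
        elif m := ACL_RE.match(line):
            acl_names.add(m.group(1))
            permits.add((m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            applied[m.group(1)] = m.group(2)
    findings = []
    for _inside, outside, proto, gip, gport, lip in statics:
        # A one-to-one static on the outside interface's own address captures every flow to it.
        if proto is None and gip == iface_ip.get(outside):
            findings.append(("IFACE_IP_STATIC", f"static maps the whole {outside} interface "
                             f"address {gip} to {lip}; use a port-level static instead"))
        # Inbound flows are dropped unless an ACL bound to the outside interface permits them.
        permitted = any(applied.get(name) == outside and ip == gip
                        and (proto is None or (pr == proto and port == gport))
                        for name, pr, ip, port in permits)
        if not permitted:
            findings.append(("NO_ACL", f"no access-list applied on {outside} permits "
                             f"traffic to {gip}" + (f" {proto}/{gport}" if proto else "")))
    for name in sorted(acl_names):
        if "-" in name:
            findings.append(("ACL_DASH", f"ACL name '{name}' contains a dash; use an underscore"))
        if name not in applied:
            findings.append(("ACL_UNAPPLIED", f"access-list {name} is never bound with access-group"))
    return findings
```

Run `lint_pix_config(SAMPLE_CONFIG)` to see the whole-interface static and the unbound, dash-named ACL flagged; the port-level 8080 static with its bound permit produces no finding.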
ASKER
OK, thanks. I'll test it soon.