Solved

Port Forwarding issues with PIX 501

Posted on 2008-10-05
Last Modified: 2012-05-05
I simply want to allow my clients (192.168.0.x) out to the internet behind my PIX 501 and forward port 80, 25, and 443 traffic from the outside to my internal server (192.168.0.10). I'm trying to use the PDM, but its nomenclature does not always make sense.

DHCP is provided by my SBS server.  I'm using one of my Static IPs.  My SBC DSL modem is bridged to be the default gateway address (68.74.53.38).  The PIX outside IF is 68.74.53.33/29.  It's not the SBC hardware at all.  My Netgear VPN firewall works just fine behind the static DSL (and has for years), just not the PIX, which is to replace the tired old Netgear box.

Right now, I'm just trying to get my port 80 traffic forwarding to my server internally; I'll do the other 2 ports when I fix this problem. Attached is the show config.

I'll use CLI vs. the PDM if necessary...

Thanks.

Sky
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
object-group service WWW-HTTP tcp-udp
  port-object eq www
access-list outside_access_in permit tcp any eq www host Server eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) Server Server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:b077e07d4879a25d122281e61c472982
: end
[OK]

Question by:CandSNetworking

Expert Comment

by:Jay_Gridley
ID: 22648874
Your static looks a bit weird to me.
It should look like this:
static (inside,outside) tcp <WAN IP> www <SERVERNAME> www netmask 255.255.255.255 0 0

Author Comment

by:CandSNetworking
ID: 22649521
Greetings Jay,

Attached is the modified code.  Please look at all sections, as I changed a translation rule in a troubleshooting attempt.  I can't get to my website from the outside.  www.caserotti.org.

I also enabled my private network access to the telnet IF...

Please let me know if you have any other questions.

Thanks for your assistance.

Sky
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
access-list outside_access_in permit tcp interface outside eq www host 68.74.53.33 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:a3fb160c45df40c39504a83e3a962661
: end
[OK]


Expert Comment

by:Jay_Gridley
ID: 22649679
The problem now seems to be in the access-list. You are permitting traffic from your interface to the interface.
In case of a website you would want to permit traffic from any origin to the server (and port) in question.
Remove the access-list rule you have (no access-list outside_access_in permit tcp interface outside eq www host 68.74.53.33 eq www)

 and try this instead

access-list outside_access_in permit tcp any host 68.74.53.33 eq www

Author Comment

by:CandSNetworking
ID: 22653991
I've made the changes you requested and still can't get to my internal website (which resides on 192.168.0.10) from the outside.  I still can't hit the webserver.

Attached is the usual show running config...

Sky
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
access-list outside_access_in permit tcp any host 68.74.53.33 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:768f6e2e147af5c9b83072502de0318f
: end


Accepted Solution

by:
Jay_Gridley earned 500 total points
ID: 22656907
Because you removed the incorrect access-list your new access-list is now no longer applied to the interface.
Use the following command:
access-group outside_access_in in interface outside
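The three mistakes this thread walked through (an access-list entry that matched the wrong source, a second-pass entry that pinned the client source port to www, and finally an access-list that was never bound with access-group) are all visible in the running config itself, so they can be caught before a test from the outside fails. The checker below is an added example for this page, not a Cisco tool and not code from either participant; it parses the handful of PIX 6.3 commands involved (name, access-list, static, access-group), resolves names the way the PIX does, and reports each of those conditions. It goes a little beyond the thread in flagging the source-port restriction explicitly: a client connects from an ephemeral port, so a permit that requires source port 80 never matches real traffic. The sample configs are constructed excerpts modelled on the ones posted above, with the secrets and unrelated lines left out.

```python
"""Lint a PIX 6.3-style config for the port-forwarding mistakes seen in the thread.
Hypothetical checker (not a Cisco tool). It reports:
  1. an access-list that is defined but never bound with access-group,
  2. a permit entry that pins the client *source* port (never matches real clients),
  3. a static translation with no applied access-list permitting traffic to its
     mapped address and port.
"""
from typing import Dict, List, Optional, Tuple

# Port keywords the PIX accepts in place of numbers (subset used here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21}


def port_num(tok: str) -> Optional[int]:
    return PORT_NAMES.get(tok.lower(), int(tok) if tok.isdigit() else None)


def _addr(tok: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume one address spec: any | host X | interface X | NET MASK."""
    if i >= len(tok):
        return None, i
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in ("host", "interface"):
        return tok[i + 1], i + 2
    return tok[i], i + 2                     # network followed by its mask


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' operator."""
    if i + 1 < len(tok) and tok[i] == "eq":
        return port_num(tok[i + 1]), i + 2
    return None, i


def parse_ace(tok: List[str], names: Dict[str, str]) -> Dict:
    """tok = tokens after 'access-list NAME', e.g. permit tcp any host A eq www."""
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return {"action": tok[0], "proto": tok[1], "src": names.get(src, src),
            "sport": sport, "dst": names.get(dst, dst), "dport": dport}


def parse_static(tok: List[str], names: Dict[str, str]) -> Dict:
    """tok = tokens after 'static'; handles one-to-one and port-redirect forms."""
    if tok[1] in ("tcp", "udp"):             # static (in,out) tcp MAPPED MPORT REAL RPORT
        return {"mapped": names.get(tok[2], tok[2]), "mport": port_num(tok[3]),
                "real": names.get(tok[4], tok[4])}
    return {"mapped": names.get(tok[1], tok[1]), "mport": None,   # static (in,out) MAPPED REAL
            "real": names.get(tok[2], tok[2])}


def parse_config(text: str) -> Dict:
    cfg: Dict = {"names": {}, "acls": {}, "statics": [], "groups": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith(":"):
            continue
        if tok[0] == "name" and len(tok) >= 3:
            cfg["names"][tok[2]] = tok[1]            # name IP ALIAS
        elif tok[0] == "access-list" and len(tok) >= 4 and tok[2] in ("permit", "deny"):
            cfg["acls"].setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "static" and len(tok) >= 4:
            cfg["statics"].append(tok[1:])
        elif tok[0] == "access-group" and len(tok) >= 5:
            cfg["groups"][tok[1]] = tok[4]           # access-group NAME in interface IF
    return cfg


def lint(text: str) -> List[str]:
    cfg = parse_config(text)
    aces = {n: [parse_ace(t, cfg["names"]) for t in es] for n, es in cfg["acls"].items()}
    findings: List[str] = []
    for n in aces:
        if n not in cfg["groups"]:
            findings.append(f"access-list {n} is defined but never applied with access-group")
    for n, es in aces.items():
        for a in es:
            if a["action"] == "permit" and a["sport"] is not None:
                findings.append(f"access-list {n}: entry restricts the client source port to "
                                f"{a['sport']}; clients use ephemeral ports, so it will not match")
    bound = [a for n, es in aces.items() if n in cfg["groups"] for a in es]
    for s in (parse_static(t, cfg["names"]) for t in cfg["statics"]):
        ok = any(a["action"] == "permit" and a["sport"] is None
                 and a["dst"] in ("any", s["mapped"])
                 and (a["dport"] is None or s["mport"] is None or a["dport"] == s["mport"])
                 for a in bound)
        if not ok:
            findings.append(f"static {s['mapped']}:{s['mport'] or 'any'} -> {s['real']} has no "
                            "applied access-list permitting inbound traffic to it")
    return findings


# Constructed excerpts modelled on the configs posted in the thread.
MISSING_ACCESS_GROUP = """\
name 192.168.0.10 Server
access-list outside_access_in permit tcp any host 68.74.53.33 eq www
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
"""
SOURCE_PORT_PINNED = """\
name 192.168.0.10 Server
access-list outside_access_in permit tcp interface outside eq www host 68.74.53.33 eq www
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""
FIXED = MISSING_ACCESS_GROUP + "access-group outside_access_in in interface outside\n"

if __name__ == "__main__":
    for label, text in (("missing access-group", MISSING_ACCESS_GROUP),
                        ("source port pinned", SOURCE_PORT_PINNED), ("fixed", FIXED)):
        print(f"{label}: {lint(text) or ['OK']}")
```

Run it against a saved `show running-config` by passing the file's contents to lint(); only the four command families above are parsed, so everything else in the config is ignored rather than misread.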

Author Closing Comment

by:CandSNetworking
ID: 31503267
Jay,

You're obviously an industry expert.

Thanks for your quick and accurate response along with the explanations.  That's half the battle!

Sky