Solved

Port Forwarding issues with PIX 501

Posted on 2008-10-05
Last Modified: 2012-05-05
I simply want to allow my clients (192.168.0.x) to the internet behind my PIX 501 and forward port 80, 25, and 443 traffic from the outside to my internal server (192.168.0.10).   I'm trying to use the PDM, but their nomenclature does not always make sense.

DHCP is provided by my SBS server.  I'm using one of my Static IPs.  My SBC DSL modem is bridged to be the default gateway address (68.74.53.38).  The PIX outside IF is 68.74.53.33/29.  It's not the SBC hardware at all.  My Netgear VPN firewall works just fine behind the static DSL (and has for years), just not the PIX, which is to replace the tired old Netgear box.

Right now, I'm just trying to get my port 80 traffic forwarding to my server internally; I'll do the other 2 ports when I fix this problem.  Attached is the show config.

I'll use CLI vs. the PDM if necessary...

Thanks.

Sky
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
object-group service WWW-HTTP tcp-udp
  port-object eq www
access-list outside_access_in permit tcp any eq www host Server eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) Server Server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:b077e07d4879a25d122281e61c472982
: end
[OK]

Question by:CandSNetworking
6 Comments
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22648874
Your static looks a bit weird to me.
It should look like this:
static (inside,outside) tcp <WAN IP> www <SERVERNAME> www netmask 255.255.255.255 0 0
 

Author Comment

by:CandSNetworking
ID: 22649521
Greetings Jay,

Attached is the modified code.  Please look at all sections, as I changed a translation rule in a troubleshooting attempt.  I can't get to my website from the outside.  www.caserotti.org.

I also enabled my private network access to the telnet IF...

Please let me know if you have any other questions.

Thanks for your assistance.

Sky
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
access-list outside_access_in permit tcp interface outside eq www host 68.74.53.33 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:a3fb160c45df40c39504a83e3a962661
: end
[OK]

LVL 8

Expert Comment

by:Jay_Gridley
ID: 22649679
The problem now seems to be in the access-list. You are permitting traffic from your interface to the interface.
In the case of a website you would want to permit traffic from any origin to the server (and port) in question.
Remove the access-list rule you have:

no access-list outside_access_in permit tcp interface outside eq www host 68.74.53.33 eq www

and try this instead:

access-list outside_access_in permit tcp any host 68.74.53.33 eq www

Author Comment

by:CandSNetworking
ID: 22653991
I've made the changes you requested and still can't get to my internal website (which resides on 192.168.0.10) from the outside.  I still can't hit the webserver.

Attached is the usual show running config...

Sky
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
access-list outside_access_in permit tcp any host 68.74.53.33 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:768f6e2e147af5c9b83072502de0318f
: end

LVL 8

Accepted Solution

by: Jay_Gridley (earned 500 total points)
ID: 22656907
Because you removed the incorrect access-list, your new access-list is now no longer applied to the interface.
Use the following command:
access-group outside_access_in in interface outside
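The thread works through three pieces that all have to line up before outside traffic reaches the server: a static translation for the port, an access-list entry that permits any source to the mapped address and port, and an access-group that binds that list to the outside interface. Below is an added example checker (not code from the thread or from Cisco) that parses those PIX 6.3 lines and reports which piece is missing or too narrow; the sample config is constructed from the third posting above, `parse` and `check_forward` are names of my own, and the port is compared as the literal keyword the config uses ("www").

```python
# Constructed sample: the relevant lines of the third running-config posted in this thread.
SAMPLE_CONFIG = """\
name 192.168.0.10 Server
access-list outside_access_in permit tcp any host 68.74.53.33 eq www
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
"""

def parse(config):
    """Collect port statics, access-list entries and access-group bindings from a running-config."""
    statics, acls, groups = [], {}, {}
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "static" and p[2] in ("tcp", "udp"):
            # static (inside,outside) tcp <global_ip> <port> <local> <port> netmask ...
            statics.append((p[2], p[3], p[4], p[5], p[6]))
        elif p[0] == "access-list":
            acls.setdefault(p[1], []).append(p[2:])   # tokens after the ACL name
        elif p[0] == "access-group":                  # access-group <acl> in interface <ifname>
            groups[p[4]] = p[1]
    return statics, acls, groups

def check_forward(config, global_ip, port, outside_if="outside"):
    """Return the problems that would stop outside -> global_ip:port traffic reaching the server.
    Ports are compared literally (the keyword 'www' is not normalised to 80)."""
    statics, acls, groups = parse(config)
    problems = []
    if not any(s[0] == "tcp" and s[1] == global_ip and s[2] == port for s in statics):
        problems.append(f"no static tcp translation for {global_ip} {port}")
    acl = groups.get(outside_if)
    if acl is None:
        # The state the thread ends in: the ACL exists but nothing binds it to the interface.
        defined = ", ".join(acls) or "none"
        problems.append(f"no access-group on {outside_if} (access-lists defined: {defined})")
        return problems
    hits = [e for e in acls.get(acl, [])
            if e[:2] == ["permit", "tcp"] and e[-4:] == ["host", global_ip, "eq", port]]
    if not hits:
        problems.append(f"{acl} has no permit for tcp to host {global_ip} eq {port}")
    elif hits[0][2:-4] != ["any"]:
        src = " ".join(hits[0][2:-4])   # e.g. 'interface outside eq www' from the second config
        problems.append(f"{acl} only permits source '{src}'; an internet-facing service needs 'any'")
    return problems
```

Running `check_forward(SAMPLE_CONFIG, "68.74.53.33", "www")` reports the missing access-group; appending the accepted `access-group` line makes it return an empty list.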

Author Closing Comment

by:CandSNetworking
ID: 31503267
Jay,

You're obviously an industry expert.

Thanks for your quick and accurate response along with the explanations.  That's half the battle!

Sky