Solved

Port Forwarding issues with PIX 501

Posted on 2008-10-05
257 Views
Last Modified: 2012-05-05
I simply want to allow my clients (192.168.0.x) to the internet behind my PIX 501 and forward port 80, 25, and 443 traffic from the outside to my internal server (192.168.0.10).   I'm trying to use the PDM, but their nomenclature does not always make sense.

DHCP is provided by my SBS server.  I'm using one of my Static IPs.  My SBC DSL modem is bridged to be the default gateway address (68.74.53.38).  The PIX outside IF is 68.74.53.33/29.  It's not the SBC hardware at all.  My Netgear VPN firewall works just fine behind the static DSL (and has for years), just not the PIX, which is to replace the tired old Netgear box.

Right now, I'm just trying to get my port 80 traffic forwarding to my server internally; I'll do the other 2 ports once I've fixed this problem.  Attached is the Show Config.

I'll use CLI vs. the PDM if necessary...

Thanks.

Sky
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
object-group service WWW-HTTP tcp-udp 
  port-object eq www 
access-list outside_access_in permit tcp any eq www host Server eq www 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) Server Server netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:b077e07d4879a25d122281e61c472982
: end
[OK]

Question by:CandSNetworking

6 Comments
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22648874
Your static looks a bit weird to me.
It should look like this:
static (inside,outside) tcp <WAN IP> www <SERVERNAME> www netmask 255.255.255.255 0 0

Author Comment

by:CandSNetworking
ID: 22649521
Greetings Jay,

Attached is the modified code.  Please look at all sections, as I changed a translation rule in a troubleshooting attempt.  I can't get to my website from the outside.  www.caserotti.org.

I also enabled my private network access to the telnet IF...

Please let me know if you have any other questions.

Thanks for your assistance.

Sky
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxxxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
access-list outside_access_in permit tcp interface outside eq www host 68.74.53.33 eq www 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:a3fb160c45df40c39504a83e3a962661
: end
[OK]

LVL 8

Expert Comment

by:Jay_Gridley
ID: 22649679
The problem now seems to be in the access-list. You are permitting traffic from your interface to the interface.
In case of a website you would want to permit traffic from any origin to the server (and port) in question.
Remove the access-list rule you have (no access-list outside_access_in permit tcp interface outside eq www host 68.74.53.33 eq www) and try this instead:

access-list outside_access_in permit tcp any host 68.74.53.33 eq www

Author Comment

by:CandSNetworking
ID: 22653991
I've made the changes you requested and still can't get to my internal website (which resides on 192.168.0.10) from the outside.  I still can't hit the webserver.

Attached is the usual show running config...

Sky
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname xxxxxx
domain-name xxxxx.xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Server
access-list outside_access_in permit tcp any host 68.74.53.33 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 68.74.53.33 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 68.74.53.38 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:768f6e2e147af5c9b83072502de0318f
: end

LVL 8

Accepted Solution

by: Jay_Gridley (earned 500 total points)
ID: 22656907
Because you removed the incorrect access-list your new access-list is now no longer applied to the interface.
Use the following command:
access-group outside_access_in in interface outside
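The three configs in this thread fail for three different reasons (a source-port restriction in the first ACL, `interface outside` as the source in the second, and a missing `access-group` binding in the third), all of which are visible from a static read of the config. The following is an added example, not code from the thread or from Cisco: a small PIX 6.3 config auditor in Python that parses `access-list`, `access-group` and `static` lines and reports those three defects, plus the mapped-address rule (on PIX 6.3 the outside ACL must name the global address from the `static`, not the inside host) and the default SNMP community the posted configs carry. `audit_pix`, `_endpoint` and `FINAL_CONFIG` are names chosen here; the sample config is constructed from the thread's final config with the access-group line the accepted answer restores.

```python
import re

# Constructed sample: the final config from the thread plus the access-group
# line the accepted answer restores. Only the SNMP community should be flagged.
FINAL_CONFIG = """\
name 192.168.0.10 Server
access-list outside_access_in permit tcp any host 68.74.53.33 eq www
static (inside,outside) tcp 68.74.53.33 www Server www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
snmp-server community public
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (?:tcp|udp) (.+)$")
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (?:tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")


def _endpoint(tokens):
    """Pop one PIX address spec ('any', 'host X', 'interface X', 'A MASK') and an optional 'eq PORT'."""
    kind = tokens.pop(0)
    addr = kind if kind == "any" else f"{kind} {tokens.pop(0)}"
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
    return addr, port


def audit_pix(config):
    """Return findings for a PIX 6.3 port-forward config (empty list = consistent)."""
    acls, applied, statics, findings = {}, set(), [], []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACL_RE.match(line):
            tokens = m.group(2).split()
            src, sport = _endpoint(tokens)      # source address and optional source port
            dst, dport = _endpoint(tokens)      # destination address and optional port
            acls.setdefault(m.group(1), []).append((src, sport, dst, dport))
        elif line.startswith("access-group "):
            applied.add(line.split()[1])        # ACL name bound to an interface
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())          # (global_ip, global_port, local, local_port)
        elif line == "snmp-server community public":
            findings.append("snmp-server uses the default 'public' community")
    for name, rules in acls.items():
        if name not in applied:
            findings.append(f"{name}: defined but never bound with access-group")
        for src, sport, dst, dport in rules:
            if sport:
                findings.append(f"{name}: source port 'eq {sport}' never matches client ephemeral ports")
            if src.startswith("interface"):
                findings.append(f"{name}: source '{src}' is the firewall itself, not 'any'")
    for gip, gport, local, lport in statics:
        # The outside ACL must permit the mapped (global) address from the static.
        hits = [r for n, rs in acls.items() if n in applied
                for r in rs if r[2] == f"host {gip}" and r[3] == gport]
        if not hits:
            findings.append(f"static {gip}:{gport}->{local}:{lport}: no applied ACL permits the mapped address")
    return findings
```

Run `audit_pix` over each of the three posted configs to see the defect that each round of the thread fixed; the remaining SNMP finding is worth closing before the box goes into service.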

Author Closing Comment

by:CandSNetworking
ID: 31503267
Jay,

You're obviously an industry expert.

Thanks for your quick and accurate response along with the explanations.  That's half the battle!

Sky