paul_brinkman

asked on

Port Forwarding on Cisco PIX 501

I have added a web server to my internal network and I need to forward ports on my Cisco 501 to my web server. I know I need to port forward FTP and HTTPS as well. I have added the lines below to my PIX configuration and did a "write mem" command. It doesn't appear to have worked. I added the commands below. The "N.N.N.N" represents my outside IP address, which is static.

access-list external permit tcp any host N.N.N.N  eq ftp
access-list external permit tcp any host N.N.N.N eq www
access-list external permit tcp any host N.N.N.N eq https

static (inside,outside) tcp N.N.N.N ftp 192.168.2.8 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp N.N.N.N  www 192.168.2.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp N.N.N.N https 192.168.2.8 https netmask 255.255.255.255 0 0

I had this problem several years ago when I had to change an IP address of my VPN network, but I can't recall what I did to fix it. The write mem and a reboot don't seem to fix it. I can see the commands I added when I run the show config command, but it's like they aren't enabled yet.
Thank you ahead of time to anyone who responds. I really appreciate your help.
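A PIX 6.3 TCP port forward has two halves that both have to be present: the `static (inside,outside) tcp ...` translation and a permit on the access list bound `in interface outside` for the global address and port. The checker below is an added example written for this page, not code from the thread or from Cisco; it reads a config dump and reports which statics the outside ACL actually lets through, plus a couple of settings a reviewer would question. The sample is an excerpt of the configuration posted later in this thread (same addresses and ports); the PORT_NAMES table and the regexes are the script's own assumptions about how PIX 6.3 prints these lines.

```python
"""Check PIX 6.3 port forwards: each static needs a matching outside ACL permit.

Added example (not code from the thread). On PIX 6.x a TCP port forward is
live only when (1) a `static (inside,outside) tcp ...` translation exists,
(2) the ACL applied `in interface outside` permits the global IP and port,
and (3) the xlate table has been rebuilt (`clear xlate`, or a reload/power
cycle, as the thread found). This script checks (1) and (2) from a config
dump and flags a few weak settings; it cannot see the live xlate table.
"""
import re
from dataclasses import dataclass

# Port keywords as PIX 6.3 prints them (assumption); numeric ports are accepted too.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "http": 80, "https": 443}

STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) tcp (?P<gip>\S+) (?P<gport>\S+) "
    r"(?P<lip>\S+) (?P<lport>\S+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit tcp (?P<src>any|host \S+) "
    r"(?P<dst>any|host \S+) eq (?P<port>\S+)"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")


@dataclass(frozen=True)
class Forward:
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse(config: str):
    """Return (static forwards, {acl name: {(dst, port)}}, {interface: acl name})."""
    forwards, permits, bound = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            if m["mapped"] == "outside":
                forwards.append(Forward(m["gip"], port_num(m["gport"]),
                                        m["lip"], port_num(m["lport"])))
        elif m := ACL_RE.match(line):
            permits.setdefault(m["name"], set()).add((m["dst"], port_num(m["port"])))
        elif m := GROUP_RE.match(line):
            bound[m["iface"]] = m["name"]
    return forwards, permits, bound


def check(config: str):
    """Split forwards into (permitted by the outside ACL, not permitted)."""
    forwards, permits, bound = parse(config)
    outside_acl = permits.get(bound.get("outside", ""), set())

    def allowed(f: Forward) -> bool:
        return ("any", f.global_port) in outside_acl or \
               (f"host {f.global_ip}", f.global_port) in outside_acl

    permitted = [f for f in forwards if allowed(f)]
    blocked = [f for f in forwards if not allowed(f)]
    return permitted, blocked


def weak_settings(config: str):
    """Flag settings a reviewer would question in the same dump."""
    findings = []
    if re.search(r"^snmp-server community public$", config, re.M):
        findings.append("snmp-server community 'public': default read community exposed")
    for f in parse(config)[0]:
        if f.global_port == 23:
            findings.append(f"static forwards telnet to {f.local_ip}: cleartext admin access "
                            "would be exposed if the outside ACL ever permits port 23")
    return findings


# Excerpt of the config posted in this thread (PIX 6.3(5)); the telnet static
# is in that config and has no matching ACL line, so the checker reports it.
SAMPLE = """\
access-list external permit tcp any host 24.227.191.250 eq ftp
access-list external permit tcp any host 24.227.191.250 eq www
access-list external permit tcp any host 24.227.191.250 eq https
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp 24.227.191.250 telnet 192.168.2.253 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 ftp 192.168.2.8 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 www 192.168.2.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 https 192.168.2.8 https netmask 255.255.255.255 0 0
access-group external in interface outside
snmp-server community public
"""

if __name__ == "__main__":
    ok, blocked = check(SAMPLE)
    for f in ok:
        print(f"OK       {f.global_ip}:{f.global_port} -> {f.local_ip}:{f.local_port}")
    for f in blocked:
        print(f"NO ACL   {f.global_ip}:{f.global_port} -> {f.local_ip}:{f.local_port}")
    for w in weak_settings(SAMPLE):
        print("WARN    ", w)
```

Run against the excerpt, the three web-server forwards come back as permitted and the telnet static is reported as having no ACL permit. What the script cannot see is the third ingredient, the xlate table: when both halves are already correct in the config and the forward still does nothing, the existing translations for that address are the usual culprit, and `clear xlate` (or a reload, which is what powering the box off amounts to) rebuilds them.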
ASKER CERTIFIED SOLUTION
Ernie Beek
This solution is only available to members.
SOLUTION
This solution is only available to members.
paul_brinkman

ASKER

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dotfB0k7qFhGxyio encrypted
passwd dotfB0k7qFhGxyio encrypted
hostname lorena
domain-name armsusa.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network ARMS-AUS
  network-object 192.168.32.0 255.255.255.0
object-group network ARMS-USA
  network-object 192.168.5.0 255.255.255.0
object-group network ARMS-PAUL
  network-object 192.168.2.0 255.255.255.0
access-list internal permit ip any any
access-list external permit icmp any any echo-reply
access-list external permit icmp any any unreachable
access-list external permit icmp any any parameter-problem
access-list external permit icmp any any time-exceeded
access-list external permit gre any any
access-list external permit tcp any host 24.227.191.250 eq ftp
access-list external permit tcp any host 24.227.191.250 eq www
access-list external permit tcp any host 24.227.191.250 eq https
access-list IPSEC-AUS permit ip object-group ARMS-PAUL object-group ARMS-AUS
access-list IPSEC-USA permit ip object-group ARMS-PAUL object-group ARMS-USA
access-list NONAT permit ip object-group ARMS-PAUL object-group ARMS-AUS
access-list NONAT permit ip object-group ARMS-PAUL object-group ARMS-USA
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 24.227.191.250 255.255.255.252
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp 24.227.191.250 telnet 192.168.2.253 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 ftp 192.168.2.8 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 www 192.168.2.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 https 192.168.2.8 https netmask 255.255.255.255 0 0
access-group external in interface outside
access-group internal in interface inside
route outside 0.0.0.0 0.0.0.0 24.227.191.249 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.25 firewallbu09
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ARMS esp-3des esp-md5-hmac
crypto map ARMSCRYPTO 10 ipsec-isakmp
crypto map ARMSCRYPTO 10 match address IPSEC-AUS
crypto map ARMSCRYPTO 10 set peer 203.144.16.26
crypto map ARMSCRYPTO 10 set transform-set ARMS
crypto map ARMSCRYPTO 20 ipsec-isakmp
crypto map ARMSCRYPTO 20 match address IPSEC-USA
crypto map ARMSCRYPTO 20 set peer 24.234.49.7
crypto map ARMSCRYPTO 20 set transform-set ARMS
crypto map ARMSCRYPTO interface outside
isakmp enable outside
isakmp key ******** address 24.234.49.7 netmask 255.255.255.255
isakmp key ******** address 203.144.16.26 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.2.254 255.255.255.255 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 61.88.23.130 255.255.255.255 outside
ssh 203.13.70.60 255.255.255.255 outside
ssh 203.22.124.139 255.255.255.255 outside
ssh 205.158.199.130 255.255.255.255 outside
ssh 203.13.70.55 255.255.255.255 outside
ssh 202.169.17.210 255.255.255.255 outside
ssh 192.168.32.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.10-192.168.2.15 inside
dhcpd dns 24.93.40.36 24.93.40.37
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:5a547c7a11f3dbf28aa08a16123f639e
SOLUTION
This solution is only available to members.
Powering off the PIX solved it, but the response was worthy of points.
Then I thank you for the points :)

Next time (forgot to mention that), try a 'clear xlate'. That might help as well.