Solved

Port Forwarding on Cisco PIX 501

Posted on 2011-09-16
643 Views
Last Modified: 2012-08-13
I have added a web server to my internal network and I need to forward ports on my Cisco 501 to my web server. I know I need to port forward FTP and HTTPS as well. I have added the lines below to my PIX configuration and did a "write mem" command. It doesn't appear to have worked. I added the commands below. The "N.N.N.N" represents my outside IP address, which is static.

access-list external permit tcp any host N.N.N.N  eq ftp
access-list external permit tcp any host N.N.N.N eq www
access-list external permit tcp any host N.N.N.N eq https

static (inside,outside) tcp N.N.N.N ftp 192.168.2.8 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp N.N.N.N  www 192.168.2.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp N.N.N.N https 192.168.2.8 https netmask 255.255.255.255 0 0

I had this problem several years ago when I had to change an IP address of my VPN network, but I can't recall what I did to fix it. The write mem and a reboot don't seem to fix it. I can see the commands I added when I run the show config command, but it's like they aren't enabled yet.
Thank you ahead of time to anyone who responds. I really appreciate your help.
Question by:paul_brinkman
6 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 334 total points
Could you show us a more complete config to have a look at?
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 166 total points
As Ernie said, a config would help.

You could also provide a snippet from a SHOW LOGGING output after an attempt to hit these services from outside.
 

Author Comment

by:paul_brinkman
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dotfB0k7qFhGxyio encrypted
passwd dotfB0k7qFhGxyio encrypted
hostname lorena
domain-name armsusa.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network ARMS-AUS
  network-object 192.168.32.0 255.255.255.0
object-group network ARMS-USA
  network-object 192.168.5.0 255.255.255.0
object-group network ARMS-PAUL
  network-object 192.168.2.0 255.255.255.0
access-list internal permit ip any any
access-list external permit icmp any any echo-reply
access-list external permit icmp any any unreachable
access-list external permit icmp any any parameter-problem
access-list external permit icmp any any time-exceeded
access-list external permit gre any any
access-list external permit tcp any host 24.227.191.250 eq ftp
access-list external permit tcp any host 24.227.191.250 eq www
access-list external permit tcp any host 24.227.191.250 eq https
access-list IPSEC-AUS permit ip object-group ARMS-PAUL object-group ARMS-AUS
access-list IPSEC-USA permit ip object-group ARMS-PAUL object-group ARMS-USA
access-list NONAT permit ip object-group ARMS-PAUL object-group ARMS-AUS
access-list NONAT permit ip object-group ARMS-PAUL object-group ARMS-USA
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 24.227.191.250 255.255.255.252
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp 24.227.191.250 telnet 192.168.2.253 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 ftp 192.168.2.8 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 www 192.168.2.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.227.191.250 https 192.168.2.8 https netmask 255.255.255.255 0 0
access-group external in interface outside
access-group internal in interface inside
route outside 0.0.0.0 0.0.0.0 24.227.191.249 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.25 firewallbu09
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ARMS esp-3des esp-md5-hmac
crypto map ARMSCRYPTO 10 ipsec-isakmp
crypto map ARMSCRYPTO 10 match address IPSEC-AUS
crypto map ARMSCRYPTO 10 set peer 203.144.16.26
crypto map ARMSCRYPTO 10 set transform-set ARMS
crypto map ARMSCRYPTO 20 ipsec-isakmp
crypto map ARMSCRYPTO 20 match address IPSEC-USA
crypto map ARMSCRYPTO 20 set peer 24.234.49.7
crypto map ARMSCRYPTO 20 set transform-set ARMS
crypto map ARMSCRYPTO interface outside
isakmp enable outside
isakmp key ******** address 24.234.49.7 netmask 255.255.255.255
isakmp key ******** address 203.144.16.26 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.2.254 255.255.255.255 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 61.88.23.130 255.255.255.255 outside
ssh 203.13.70.60 255.255.255.255 outside
ssh 203.22.124.139 255.255.255.255 outside
ssh 205.158.199.130 255.255.255.255 outside
ssh 203.13.70.55 255.255.255.255 outside
ssh 202.169.17.210 255.255.255.255 outside
ssh 192.168.32.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.2.10-192.168.2.15 inside
dhcpd dns 24.93.40.36 24.93.40.37
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:5a547c7a11f3dbf28aa08a16123f639e
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 334 total points
As far as I can see (from my phone) the config looks good. Did you check the inside host? Does it have the PIX as default gateway, is there a firewall in place, is it listening on the correct ports?
 

Author Closing Comment

by:paul_brinkman
Powering off the PIX solved it, but the response was worthy of points.
 
LVL 35

Expert Comment

by:Ernie Beek
Then I thank you for the points :)

Next time (forgot to mention that), try a 'clear xlate'. That might help as well.
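The thread turns on whether each static translation has a matching permit on the ACL bound to the outside interface (and whether the host behind it is listening). The following script is an added example, not code from the thread or from Cisco: it parses PIX 6.3 access-list, static and access-group lines and reports statics with no permit, and permits with no static. The sample config is constructed from the lines posted above with the poster's N.N.N.N placeholder; note that it flags the telnet static, which in the posted config has no permit on the external ACL.

```python
import re

# Constructed excerpt in PIX 6.3 syntax, modelled on the config posted in this
# thread; the outside address is the poster's own N.N.N.N placeholder.
SAMPLE_CONFIG = """
access-list external permit tcp any host N.N.N.N eq ftp
access-list external permit tcp any host N.N.N.N eq www
access-list external permit tcp any host N.N.N.N eq https
static (inside,outside) tcp N.N.N.N telnet 192.168.2.253 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp N.N.N.N ftp 192.168.2.8 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp N.N.N.N www 192.168.2.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp N.N.N.N https 192.168.2.8 https netmask 255.255.255.255 0 0
access-group external in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def audit_port_forwards(config):
    """Cross-check port-forwarding statics against the ACL bound to the outside interface.
    forwarded:   static (proto, oip, oport, iip, iport) permitted by the outside ACL
    unreachable: static with no permit; the translation exists but packets are dropped
    orphan:      permit (proto, oip, port) with no static behind it; nothing is translated
    A static that checks out here but still fails usually needs 'clear xlate' so stale
    translations are rebuilt (the tip given in the closing comment above)."""
    permits, statics, outside_acl = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            permits.add(m.groups())        # (acl, proto, outside_ip, port)
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groups())     # (proto, oip, oport, iip, iport)
            continue
        m = GROUP_RE.match(line)
        if m:
            outside_acl = m.group(1)
    result = {"forwarded": [], "unreachable": [], "orphan": []}
    translated = set()
    for s in statics:
        proto, oip, oport = s[0], s[1], s[2]
        translated.add((proto, oip, oport))
        key = "forwarded" if (outside_acl, proto, oip, oport) in permits else "unreachable"
        result[key].append(s)
    for acl, proto, oip, port in sorted(permits):
        if acl == outside_acl and (proto, oip, port) not in translated:
            result["orphan"].append((proto, oip, port))
    return result
```

Run it against the output of `show config` to get the two lists worth acting on: an unreachable static is a dead forward, and an orphan permit is an open hole on the outside interface with nothing behind it.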