dan4132

Cisco PIX 515e, Port Forwarding

Hi there,
I can't access my web server from the outside.

I have followed guides and believe everything is correct. I am trying to get the PIX to port forward 80 to 192.168.1.7 on the inside. This is my config below:

hostname PIX
domain-name xapple.co.uk
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0
 description Interface to VM
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 description Interface to Firewall & Filter
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet2
 shutdown    
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xapple.co.uk
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.7 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 81.168.77.149 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47b8277de6444f5b0273743931bb6899
: end

Last comment: Ernie Beek, 8/22/2022 - Mon
Ernie Beek

After a quick glance it seems to be ok. Only I can't find an inspect http in your policy map.
Anything showing in the logs?

Also, on the outside, is there a router or something in between? And is that allowing port 80?
dan4132

ASKER
Do I need to enable the inspect for the http? Wasn't sure if I needed that or not.

Well, on the firewall screen on the first page of the ASDM it's saying that requests are going through... but when I surf to the outside IP address at other customer sites nothing is coming back. I even tried at home and there is nothing coming up...

The PIX is connected straight to the Internet.
Ernie Beek

Mmmm,

Does the webserver have the PIX as its default gateway?
dan4132

ASKER
Yep, have checked that and that is all ok.

I have a feeling it might be an issue with my ISP. If I hook up the old router I get an IP and everything works fine, no problem.

Now when I hook up the PIX I get an IP on a different subnet and it's an x.x.x.254 address... When I do a port scan of this IP address it shows me that a telnet port is open... But I don't have Telnet open on my outside interface... The IP is also resolving its name to something completely different when I do an nslookup.

So I think I may give them a call tomorrow to ask them what is going on..

I can get onto the Virgin Media hub and where it usually has the WAN IP address it just has ---.---.---.---

So I am guessing something is not right in this picture...

It's not that I have that option enabled (auto set routes when it gets a DHCP address on my outside interface), is it?

All my client machines can get out onto the net just fine with the PIX.
ASKER CERTIFIED SOLUTION
Ernie Beek

dan4132

ASKER
Sorry, when I said old router I meant the Cisco has replaced this.
So it used to be a Linksys router to the VM line and then we would have the net and all the port forwarding was ok.
So I decided to replace the Linksys (old router) with the PIX.
The VM hub is in modem mode so everything runs direct to the PIX.
dan4132

ASKER
Just a quick update..

I cloned the MAC address of the old Linksys router to the Cisco PIX and now I have my old IP address back again!!

But I still can't access my web server... Strange. I am going to host a website from one of my machines to see if it's the server playing up!
dan4132

ASKER
Well, I finally got it all working.... Reboot did the trick.

I am not sure why I can't use the MAC address of the PIX. When I renew the DHCP address from VM they seem to give me an IP that is completely wrong.

So I cloned the MAC address from my old router to the PIX and everything works fine now.

Thanks for your help on all of this! What a pain in the butt...
Ernie Beek

Good to see you got it working (had to get some sleep in between ;)

It looks like the MAC address is being cached somewhere (some ISPs tend to do that). But this is also a good way to resolve it :)

Thx 4 the points.