Cisco PIX 515e, Port Forwarding
I can't access my web server from the outside.
I have followed guides and believe everything is correct. I am trying to get the PIX to port forward 80 to 192.168.1.7 on the inside. This is my config below:
enable password xxx encrypted
passwd xxx encrypted
description Interface to VM
ip address dhcp setroute
description Interface to Firewall & Filter
ip address 192.168.1.254 255.255.255.0
no ip address
ftp mode passive
dns server-group DefaultDNS
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.7 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 15
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 22.214.171.124 source outside prefer
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
8/22/2022 - Mon
After a quick glance it seems to be ok. Only I can't find an inspect http in your policy map.
Anything showing in the logs?
Also, on the outside, is there a router or something in between? And is that allowing port 80?
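Added example (not part of the original thread, and not Cisco tooling): a small Python check that each `static` port forward in a PIX config has a matching `permit` in an ACL that is bound inbound on the mapped interface, which are the three lines the reply above looks at. The function name `audit_port_forwards` is hypothetical, the sample is constructed from the config posted in the question, and only the `permit <proto> any <dest> eq <port>` form is handled.

```python
import re

# Constructed sample: the three port-forward lines from the config posted above.
SAMPLE = """\
access-list outside_access_in extended permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.1.7 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

STATIC = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")
PERMIT = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) any (interface \S+|host \S+) eq (\S+)")
NAMES = {"80": "www", "443": "https"}  # the running config shows these ports by name


def audit_port_forwards(config):
    """Return (mapped port, inside host, status) for every static PAT entry."""
    lines = [line.strip() for line in config.splitlines()]
    bound = {}       # interface name -> ACL applied inbound on it
    permits = set()  # (acl, protocol, destination, port)
    for line in lines:
        if m := GROUP.match(line):
            bound[m.group(2)] = m.group(1)
        elif m := PERMIT.match(line):
            acl, proto, dest, port = m.groups()
            permits.add((acl, proto, dest, NAMES.get(port, port)))
    findings = []
    for line in lines:
        m = STATIC.match(line)
        if not m:
            continue
        _real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, _ = m.groups()
        port = NAMES.get(mapped_port, mapped_port)
        # "interface" means the forward uses the interface's own (DHCP) address.
        dest = f"interface {mapped_if}" if mapped_ip == "interface" else f"host {mapped_ip}"
        acl = bound.get(mapped_if)
        if acl is None:
            status = f"no access-group bound inbound on {mapped_if}"
        elif (acl, proto, dest, port) not in permits:
            status = f"ACL {acl} has no permit for {proto} {dest} eq {port}"
        else:
            status = "ok"
        findings.append((port, real_ip, status))
    return findings


if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE):
        print(finding)
```

An "ok" result only says the three statements agree with each other; it says nothing about what happens upstream of the outside interface.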
Do I need to enable the inspect for the http? Wasn't sure if I needed that or not.
Well on the firewall screen on the first page of the ASDM it's saying that requests are going through... but when I surf to the outside IP Address at other customer sites nothing is coming back. I even tried at home and there is nothing coming up...
The pix is connected straight to the Internet.
Does the webserver have the PIX as its default gateway?
Yep have checked that and that is all ok.
I have a feeling it might be an issue with my ISP. If I hook up the Old Router I get an IP and everything works fine no problem.
Now when I hook up the PIX I get an IP on a different subnet and it's an x.x.x.254 address... When I do a Port Scan of this IP address it shows me that a telnet port is open.. But I don't have Telnet open on my outside interface... The IP is also resolving its name to something completely different when I do an nslookup.
So I think I may give them a call tomorrow to ask them what is going on..
I can get onto the Virgin Media HUB and where it usually has the WAN IP Address it just has ---.---.---.---
So I am guessing something is not right in this picture...
It's not that I have that option enabled auto set routes when it gets a DHCP address on my outside Interface, is it?
All my client Machines can get out onto the net just fine with the PIX
Sorry when I said old router I meant the Cisco has replaced this.
So it used to be a Linksys Router to the VM line and then we would have the net and all the port forwarding was ok.
So I decided to replace the Linksys (old router) with the PIX.
The VM hub is in modem mode so everything runs direct to the PIX.
Just a quick update..
I cloned my MAC Address of the OLD Linksys Router to the Cisco PIX and now I have my Old IP Address back again!!
But I still can't access my web server... Strange. I am going to host a website from one of my machines to see if it's the Server playing up!
Well I finally got it all working.... Reboot did the trick
I am not sure why I can't use the MAC Address of the PIX. When I renew the DHCP address from VM they seem to give me an IP that is completely wrong.
So I cloned the MAC Address from my Old Router to the PIX and everything works fine now.
Thanks for your help on all of this! What a pain in the butt...
Good to see you got it working (had to get some sleep in between ;)
It looks like the MAC address is being cached somewhere (some ISPs tend to do that). But this is also a good way to resolve it :)
Thx 4 the points.