dan4132 (United Kingdom) asked:
Cisco PIX 515e, Port Forwarding

Hi there,
I can't access my web server from the outside.

I have followed guides and believe everything is correct. I am trying to get the PIX to port forward 80 to on the inside. This is my config below:

hostname PIX
enable password xxx encrypted
passwd xxx encrypted
interface Ethernet0
 description Interface to VM
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet1
 description Interface to Firewall & Filter
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 no nameif
 no security-level
 no ip address
ftp mode passive
dns server-group DefaultDNS
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101
static (inside,outside) tcp interface www www netmask
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source outside prefer
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
service-policy global_policy global
prompt hostname context
: end
Ernie Beek (Netherlands)

After a quick glance it seems to be OK. The only thing I can't find is an inspect http in your policy map.
Anything showing in the logs?

Also, on the outside, is there a router or something in between? And is that allowing port 80?
dan4132

Do I need to enable the inspect for the http? Wasn't sure if I needed that or not.

Well, on the firewall screen on the first page of the ASDM it's saying that requests are going through... but when I browse to the outside IP address from other customer sites nothing comes back. I even tried at home and there is nothing coming up...

The pix is connected straight to the Internet.

Ernie Beek

Does the webserver have the PIX as its default gateway?
dan4132

Yep, have checked that and that is all OK.

I have a feeling it might be an issue with my ISP. If I hook up the old router I get an IP and everything works fine, no problem.

Now when I hook up the PIX I get an IP on a different subnet and it's a x.x.x.254 address... When I do a port scan of this IP address it shows me that a telnet port is open, but I don't have telnet open on my outside interface... The IP also resolves its name to something completely different when I do an nslookup.

So I think I may give them a call tomorrow to ask them what is going on...

I can get onto the Virgin Media Hub, and where it usually shows the WAN IP address it just has ---.---.---.---

So I am guessing something is not right in this picture...

It's not that I have that option enabled, auto set routes when it gets a DHCP address on my outside interface, is it?

All my client machines can get out onto the net just fine with the PIX.
Ernie Beek (Netherlands)

This solution is only available to members.
dan4132

Sorry, when I said old router I meant the one the Cisco has replaced.
So it used to be a Linksys router on the VM line, and then we would have the net and all the port forwarding was OK.
So I decided to replace the Linksys (old router) with the PIX.
The VM hub is in modem mode, so everything runs direct to the PIX.
dan4132

Just a quick update...

I cloned the MAC address of the old Linksys router onto the Cisco PIX and now I have my old IP address back again!!

But I still can't access my web server... Strange. I am going to host a website from one of my machines to see if it's the server playing up!
dan4132

Well, I finally got it all working.... A reboot did the trick.

I am not sure why I can't use the MAC address of the PIX. When I renew the DHCP address from VM they seem to give me an IP that is completely wrong.

So I cloned the MAC address from my old router onto the PIX and everything works fine now.

Thanks for your help on all of this! What a pain in the butt...
Ernie Beek

Good to see you got it working (had to get some sleep in between ;)

It looks like the MAC address is being cached somewhere (some ISPs tend to do that). But this is also a good way to resolve it :)

Thx 4 the points.