How to setup port forwarding in PIX 501?

Discussion in 'Cisco' started by signal, Apr 28, 2006.

  1. signal Guest

    Hello,

    I have a webserver in the inside network with IP 192.168.1.99. The
    outside IP of the PIX 501 is 71.155.211.233 and the inside IP of the PIX 501 is
    192.168.1.1. What do I do if I want my webserver to be visible from the public
    internet? I need HTTP://71.155.211.233 to be directed to my website
    on the webserver.

    Thanks a lot!

    Charlie
     
    signal, Apr 28, 2006
    #1

  2. Merv Guest

    Port forwarding is called port redirection in PIX parlance.

    See

    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1096820
     
    Merv, Apr 28, 2006
    #2

  3. signal Guest

    Thank you Merv!

    Command:

    ip address outside 71.155.211.233 255.255.255.0

    ip address inside 192.168.1.1 255.255.255.0

    static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0

    Am I doing right?

    Thanks a lot!

    Charlie
     
    signal, Apr 29, 2006
    #3
  4. puppy Guest

    Charlie,
    I think everything is correct, except I don't think the interface is
    needed. This should do:

    static (inside,outside) tcp www 192.168.1.99 www netmask 255.255.255.255 0 0

    This link might help in configuring the PIX firewall for the average
    stuff:

    http://www.secmanager.com/cisco_pix_firewall_configuration_reference


    Thank you
    James.
     
    puppy, Apr 29, 2006
    #4
  5. Merv Guest

    I believe that static is okay.


    You will also need an access-list to permit the traffic, as it is
    coming from outside:

    access-list WEBSERVER permit tcp any host 71.155.211.233 eq 80

    access-group WEBSERVER in interface outside
     
    Merv, Apr 29, 2006
    #5
  6. In article <>,
    puppy <> wrote:
    >Charlie,
    >I think everything is correct,


    Please quote context. Please see here for information on how to
    do so from Google Groups: http://cfaj.freeshell.org/google/

    >except I dont think the interface is
    >needed. This should do


    >static (inside,outside) tcp www 192.168.1.99 www netmask 255.255.255.255 0 0


    That syntax is not valid for any PIX software release.

    static PAT *must* be of one of these forms:

    static (INTERFACE1,INTERFACE2) PROTOCOL IPADDRESS2 PORT2 IPADDRESS1 PORT1 netmask NETMASK

    static (INTERFACE1,INTERFACE2) PROTOCOL interface PORT2 IPADDRESS1 PORT1 netmask NETMASK

    static (INTERFACE1,INTERFACE2) PROTOCOL IPADDRESS2 access-list ACCESSLIST

    There are also some forms in which the interface and addresses are reversed.


    Although the official syntax would allow for the possibility of (e.g.)

    static (INTERFACE1,INTERFACE2) PROTOCOL interface PORT2 interface PORT1 netmask NETMASK

    in practice using 'interface' twice cannot work in either standard or reversed NAT.
     
    Walter Roberson, Apr 29, 2006
    #6
  7. puppy Guest

    Rob,
    Thanks for the correction. My bad, I did remove that previous post. And
    thanks again for the how to reply to Google Groups:
    http://cfaj.freeshell.org/google/.

    Hope this is the correct format; if it is not, let me know what is wrong
    and I will correct the format of my replies. Kind of new to Google Groups.

    Thank you
    James
     
    puppy, Apr 30, 2006
    #7
  8. signal Guest

    Thanks Merv and Rob,

    Here is the multi-line command I have:

    ip address outside 71.155.211.233 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
    access-list WEBSERVER permit tcp any host 71.155.211.233 eq 80
    access-group WEBSERVER in interface outside

    Will this work?
    Thanks again.

    Charlie
     
    signal, May 2, 2006
    #8
  9. In article <>,
    signal <> wrote:

    >Thanks Merv and Rob,


    Who is Rob?


    >Here is the multiple line command i have:


    >ip address outside 71.155.211.233 255.255.255.0
    >ip address inside 192.168.1.1 255.255.255.0
    >static (inside,outside) tcp interface www 192.168.1.99 www netmask
    >255.255.255.255 0 0
    >access-list WEBSERVER permit tcp any host 71.155.211.233 eq 80
    >access-group WEBSERVER in interface outside


    >Will this work?


    No, substitute

    access-list WEBSERVER permit tcp any interface eq www
     
    Walter Roberson, May 2, 2006
    #9
  10. signal Guest

    It returns the following error message:

    Result of firewall command: "access-list 192.168.1.99 permit tcp any
    interface eq www "

    interface <eq> does not exist
    Usage: [no] access-list compiled
    [no] access-list deny-flow-max <n>
    [no] access-list alert-interval <secs>
    [no] access-list <id> object-group-search
    [no] access-list <id> compiled
    [no] access-list <id> [line <line-num>] remark <text>
    [no] access-list <id> [line <line-num>] deny|permit
    <protocol>|object-group <protocol_obj_grp_id>
    <sip> <smask> | interface <if_name> | object-group
    <network_obj_grp_id>
    [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
    <dip> <dmask> | interface <if_name> | object-group
    <network_obj_grp_id>
    [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
    [log [disable|default] | [<level>] [interval <secs>]]
    [no] access-list <id> [line <line-num>] deny|permit icmp
    <sip> <smask> | interface <if_name> | object-group
    <network_obj_grp_id>
    <dip> <dmask> | interface <if_name> | object-group
    <network_obj_grp_id>
    [<icmp_type> | object-group <icmp_type_obj_grp_id>]
    [log [disable|default] | [<level>] [interval <secs>]]
    Restricted ACLs for route-map use:
    [no] access-list <id> deny|permit {any | <prefix> <mask> | host
    <address>}
    Command failed

    Result of firewall command: "access-group 192.168.1.99 in interface
    outside"

    ERROR: access-list <192.168.1.99> does not exist
    Usage: [no] access-group <access-list> in interface <if_name>
    [per-user-override]
    Command failed

    It seems "eq" is not accepted in the syntax.
    Sorry for the headaches caused.

    Thanks.

    Charlie
     
    signal, May 3, 2006
    #10
  11. Merv Guest

    > It returns the following error message:

    > Result of firewall command: "access-list 192.168.1.99 permit tcp any interface eq www "



    Did you already have a name command for WEBSERVER in your config?

    Anyway, try this instead:

    ip address outside 71.155.211.233 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
    access-list WEB_SERVER_ACL permit tcp any interface eq www
    access-group WEB_SERVER_ACL in interface outside
     
    Merv, May 3, 2006
    #11
  12. signal Guest

    Merv wrote:
    > > It returns the following error message:

    >
    > > Result of firewall command: "access-list 192.168.1.99 permit tcp any interface eq www "

    >
    >
    > Did you already have a name command for WEBSERVER in your config ?


    Yes. I named 192.168.1.99 as WEBSERVER.

    > Anyways try this instead:
    >
    > ip address outside 71.155.211.233 255.255.255.0
    > ip address inside 192.168.1.1 255.255.255.0
    > static (inside,outside) tcp interface www 192.168.1.99 www netmask
    > 255.255.255.255 0 0
    > access-list WEB_SERVER_ACL permit tcp any interface eq www

    Error message returned for this command: interface <eq> doesn't exist.
    All the first three commands work fine, but I am stuck creating an
    access-list. Thanks Merv.

    > access-group WEB_SERVER_ACL in interface outside
     
    signal, May 5, 2006
    #12
  13. In article <>,
    signal <> wrote:

    >> access-list WEB_SERVER_ACL permit tcp any interface eq www


    >Error message returned for this command: interface <eq> doesn't exist


    access-list WEB_SERVER_ACL permit tcp any interface outside eq www
     
    Walter Roberson, May 5, 2006
    #13
  14. signal Guest

    Now everything is working perfectly. Thanks Walter and Merv for the
    greatest help!
     
    signal, May 16, 2006
    #14
  15. yadap
    Similar solution required

    Hi all,

    A similar configuration is required for a Cisco 1721 router with IOS version 12.4(1a).
     
    yadap, May 18, 2006
    #15
  16. signal Guest

    For future readers' reference, here is what I did to set up port
    forwarding on the PIX 501.

    ip address outside 71.155.211.233 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
    access-list WEB_SERVER_ACL permit tcp any interface outside eq www
    access-group WEB_SERVER_ACL in interface outside
     
    signal, May 31, 2006
    #16
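A small config lint added here as an example (it is not from this thread or from Cisco): it checks a PIX static-PAT forward against the `static` forms Walter lists in post #6 and the access-list/access-group requirement Merv raises in post #5, using the final working configuration from post #16 as constructed sample input. The regexes only cover the command forms that appear in this thread; `lint_pix_forward` and the pattern names are this example's own.

```python
import re

# Constructed sample: the working PIX 501 configuration from post #16, with the wrapped "static" line rejoined.
WORKING_CONFIG = """\
ip address outside 71.155.211.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
access-list WEB_SERVER_ACL permit tcp any interface outside eq www
access-group WEB_SERVER_ACL in interface outside
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Static PAT, in the two forms from post #6: static (IF1,IF2) PROTO {IP2|interface} PORT2 IP1 PORT1 netmask MASK
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    rf"(?P<mapped>interface|{IP}) (?P<mapped_port>\S+) (?P<real>{IP}) (?P<real_port>\S+) "
    r"netmask \S+(?: \d+ \d+)?$")
# In an access-list the keyword "interface" needs an interface name; "interface eq www" is what the PIX rejected.
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) (?P<src>any|host {IP}) "
    rf"(?P<dst>interface \w+|host {IP}) eq (?P<port>\S+)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<if>\w+)$")
PATTERNS = {"static": STATIC_RE, "access-list": ACL_RE, "access-group": GROUP_RE}

def lint_pix_forward(config: str) -> list[str]:
    """Return a list of problems with a PIX static-PAT port forward; empty means the forward looks complete."""
    found = {"static": [], "access-list": [], "access-group": []}
    problems = []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        kind = line.split(" ", 1)[0]
        if kind not in PATTERNS:
            continue  # "ip address" and other commands are not checked by this example
        m = PATTERNS[kind].match(line)
        if m:
            found[kind].append(m.groupdict())
        else:
            problems.append(f"invalid {kind} syntax: {line}")
    acl_names = {a["name"] for a in found["access-list"]}
    for g in found["access-group"]:
        if g["name"] not in acl_names:
            problems.append(f"access-group {g['name']} refers to an undefined access-list")
    for s in found["static"]:
        # Inbound traffic arrives on the mapped interface, so an ACL applied there must permit the mapped port.
        bound = [a for g in found["access-group"] if g["if"] == s["mapped_if"]
                 for a in found["access-list"] if a["name"] == g["name"]]
        if not any(a["proto"] == s["proto"] and a["port"] == s["mapped_port"] for a in bound):
            problems.append(f"no access-list on {s['mapped_if']} permits {s['proto']}/{s['mapped_port']}")
    return problems
```

Running it over the thread's earlier attempts reproduces the two mistakes that were made: puppy's `static ... tcp www 192.168.1.99 www ...` is flagged as invalid, and `interface eq www` is flagged as a malformed access-list, which in turn leaves the static with no permitting ACL.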
  17. crescentvn
    Hi signal, I did exactly the same as you said, but it's not working.
    If you're still there, can you help me solve this problem?
    Thanks


     
    crescentvn, Mar 17, 2008
    #17
