Cisco PIX 501 port forwarding trouble

Discussion in 'Cisco' started by maciekish, Sep 24, 2006.

  1. maciekish

    maciekish Guest

    Hi!
    I'm trying to forward HTTP traffic from my outside DSL interface to an
    inside HTTP server, but it doesn't work. I get nothing about the
    forwarding in the log, and the connection just closes when I try to
    access my web server from the outside.

    I have been fiddling around with this for a few hours now and I'm not
    feeling any luckier after trying Google. This is my config at the
    moment:

    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password * encrypted
    passwd * encrypted
    hostname pix
    domain-name maciekish.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.100 Mainframe
    access-list outside_access_in permit tcp host XXX.XXX.XXX.XXX eq www host Mainframe eq www
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location Mainframe 255.255.255.255 inside
    pdm location XXX.XXX.XXX.XXX 255.255.255.255 outside
    pdm location 85.226.42.0 255.255.254.0 outside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (outside,inside) tcp Mainframe www XXX.XXX.XXX.XXX www netmask 255.255.255.255 0 0
    static (inside,outside) Mainframe Mainframe netmask 255.255.255.255 0 0

    access-group outside_access_in in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:3501796baa4656a6b0bc05cfd7a8f4a4
    : end
    [OK]
     
    maciekish, Sep 24, 2006
    #1

  2. none

    none Guest


    Use these instead:

    name 192.168.1.100 Mainframe
    access-list outside_access_in permit tcp any interface outside eq www
    static (inside,outside) tcp interface www Mainframe www netmask 255.255.255.255 0 0
     
    none, Sep 24, 2006
    #2

  3. maciekish

    maciekish Guest

    Thanks for the quick response, but it still doesn't work. Here is the PDM
    log when trying to connect to the web server.
    http://img95.imageshack.us/my.php?image=pixfx7.jpg

    In the log I noticed that external:80 is trying to translate to
    mainframe:3389 or something like that. Shouldn't it be external:xxxx to
    mainframe:80?
     
    maciekish, Sep 25, 2006
    #3
  4. maciekish

    maciekish Guest

    Let me just clarify that my web server works if I port forward from a
    Netgear instead of the PIX, so the problem is only the PIX configuration,
    as I am upgrading from the Netgear.
     
    maciekish, Sep 25, 2006
    #4
  5. none

    none Guest


    Did you remove all of your statements that I showed above mine? Did you
    do a "clear xlate" after that? Can your webserver browse the Internet
    through the PIX?
     
    none, Sep 25, 2006
    #5
  6. maciekish

    maciekish Guest

    > Did you remove all of your statements that I showed above mine? Did you
    I did a configuration reset on the PIX before inputting your commands. I
    did not do a clear xlate; is it very important?
    The web server can access the internet through the PIX.
    Thanks for helping me out!
     
    maciekish, Sep 25, 2006
    #6
  7. maciekish

    maciekish Guest

    OK, now I did this:

    config reset
    clear xlate
    input your 3 commands
    Still not working (not even if I input the direct IP; I know DNS takes
    time to update, and I cannot test this from inside the LAN).

    If I connect my Netgear without even restarting the server, it works
    without any problem.
     
    maciekish, Sep 25, 2006
    #7
  8. maciekish

    maciekish Guest

    This is the current configuration:

    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password * encrypted
    passwd * encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.100 Mainframe
    access-list outside_access_in permit tcp any interface outside eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www Mainframe www netmask 255.255.255.255 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:e4baea15124c584a29f6774de961e983
    : end
    [OK]
     
    maciekish, Sep 25, 2006
    #8
  9. Brian V

    Brian V Guest

    You need to apply the access list

    access-group outside_access_in in interface outside
     
    Brian V, Sep 25, 2006
    #9
  10. maciekish

    maciekish Guest

    > You need to apply the access list
    That was the finishing touch! Thank you both very much!!
     
    maciekish, Sep 25, 2006
    #10
  11. none

    none Guest

    I see further in the thread that you needed to apply the access list to
    the outside interface. If you had just removed the commands using the "no"
    form of them rather than doing a "config reset", you would still have had
    the access list applied to the interface. That's how you learn.

    The "clear xlate" command is needed if you change any NAT statements.
     
    none, Sep 26, 2006
    #11
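Taken together, the two failed configurations and the one that finally worked are a checklist for a PIX 6.3 port forward: the static names the real host on its own (real,mapped) interface pair, the inbound ACL on the outside permits the mapped address (on PIX 6.3 inbound ACLs match the translated address, not the inside host), the ACL filters on destination port only, and the ACL is bound with access-group. The script below is an added example, not code from any poster in this thread or from Cisco: a small linter for exactly those mistakes. It parses only the statement forms that appear on this page (nameif, name, access-list, access-group, static), and the sample configurations are constructed from the posted ones, keeping XXX.XXX.XXX.XXX as an opaque placeholder; interfaces without a parsed security level are assumed to be level 0.

```python
"""Lint a Cisco PIX 6.3 config for the port-forwarding mistakes in this thread.
Added example, not code from the original posts: it parses only the statement
forms used on this page (nameif, name, access-list, access-group, static), and
the sample configs below are constructed from the posted ones."""
import ipaddress
from collections import defaultdict

def _spec(t, i):
    """Parse one ACL address spec at t[i]; return (spec, port, next index)."""
    if t[i] == "any":
        spec, i = ("any",), i + 1
    elif t[i] in ("host", "interface"):
        spec, i = (t[i], t[i + 1]), i + 2
    else:                                      # <network> <mask>
        spec, i = ("net", t[i], t[i + 1]), i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = t[i + 1], i + 2
    return spec, port, i

def parse(text):
    cfg = {"sec": {}, "names": {}, "acls": defaultdict(list), "groups": {}, "statics": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                       # nameif <eth> <name> security<N>
            cfg["sec"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "name":                       # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list":                # access-list <n> permit <proto> <src> <dst>
            src, sport, i = _spec(t, 4)
            dst, dport, _ = _spec(t, i)
            cfg["acls"][t[1]].append((src, sport, dst, dport))
        elif t[0] == "access-group":               # access-group <n> in interface <if>
            cfg["groups"][t[4]] = t[1]
        elif t[0] == "static":  # static (real,mapped) [tcp|udp] <mapped> [port] <real> [port] netmask ...
            real_if, mapped_if = t[1].strip("()").split(",")
            proto = t[2] if t[2] in ("tcp", "udp") else None
            i, step = (3, 2) if proto else (2, 1)
            cfg["statics"].append(dict(real_if=real_if, mapped_if=mapped_if, line=line.strip(),
                                       mapped=t[i], mport=t[i + 1] if proto else None,
                                       real=t[i + step]))
    return cfg

def _resolve(cfg, tok):
    return cfg["names"].get(tok, tok)              # expand a 'name' alias, else pass through

def _dst_matches(cfg, dst, dport, st):
    """Does an ACL destination cover the static's mapped address and port?"""
    mapped = _resolve(cfg, st["mapped"])
    if dst[0] == "any":
        ok = True
    elif dst[0] == "interface":                    # 'interface outside' keyword form
        ok = st["mapped"] == "interface" and dst[1] == st["mapped_if"]
    elif dst[0] == "host":
        ok = _resolve(cfg, dst[1]) == mapped
    else:
        try:
            ok = ipaddress.ip_address(mapped) in ipaddress.ip_network(f"{dst[1]}/{dst[2]}", strict=False)
        except ValueError:                         # placeholder or keyword, not an address
            ok = False
    return ok and (dport is None or st["mport"] is None or dport == st["mport"])

def lint(text):
    """Return a list of findings; an empty list means the forward looks sane."""
    cfg, out = parse(text), []
    for name, entries in cfg["acls"].items():
        if name not in cfg["groups"].values():
            out.append(f"access-list {name} is never applied with access-group, so inbound traffic is still dropped")
        for _, sport, _, _ in entries:
            if sport is not None:
                out.append(f"access-list {name} filters on source port {sport}; clients use ephemeral source ports, so it never matches")
    reals = {(_resolve(cfg, s["real"]), s["real_if"]) for s in cfg["statics"]}
    for s in cfg["statics"]:
        mapped = _resolve(cfg, s["mapped"])
        if (mapped, s["mapped_if"]) in reals:
            out.append(f"{s['line']}: mapped address {mapped} is also a real host behind {s['mapped_if']} (interface order reversed?)")
        # A forward into a lower-security interface needs an inbound permit there, and
        # on PIX 6.3 that permit must name the mapped (global) address, not the real host.
        if cfg["sec"].get(s["mapped_if"], 0) < cfg["sec"].get(s["real_if"], 0):
            entries = cfg["acls"].get(cfg["groups"].get(s["mapped_if"]), [])
            if not any(_dst_matches(cfg, d, dp, s) for _, _, d, dp in entries):
                out.append(f"{s['line']}: no access-list applied on {s['mapped_if']} permits the mapped address")
    return out

# Constructed samples: first posted config, second one (no access-group), and the working result.
BASE = """nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 192.168.1.100 Mainframe
"""
BROKEN_V1 = BASE + """access-list outside_access_in permit tcp host XXX.XXX.XXX.XXX eq www host Mainframe eq www
static (outside,inside) tcp Mainframe www XXX.XXX.XXX.XXX www netmask 255.255.255.255 0 0
static (inside,outside) Mainframe Mainframe netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""
BROKEN_V2 = BASE + """access-list outside_access_in permit tcp any interface outside eq www
static (inside,outside) tcp interface www Mainframe www netmask 255.255.255.255 0 0
"""
FIXED = BROKEN_V2 + "access-group outside_access_in in interface outside\n"
```

Running lint() over the three samples reports the source-port filter and the reversed (outside,inside) static for the first config, the unapplied access-list (and therefore no permit for the mapped address) for the second, and nothing for the final one. On the firewall itself the same facts are visible with `show access-list` (per-entry hit counts show whether a rule ever matched), `show xlate` (the translation slot the static creates) and `show conn`; and, as the last reply says, run `clear xlate` after changing any static or nat statement so stale translations do not mask the new configuration.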
