How to setup port forwarding in PIX 501?

Discussion in 'Cisco' started by signal, Apr 28, 2006.

  1. signal Guest

    Hello,

    I have a webserver on the inside network with IP 192.168.1.99. The
    outside IP of the PIX 501 is 71.155.211.233 and the inside IP of the PIX
    501 is 192.168.1.1. What do I do if I want my webserver visible from the
    public internet? I need HTTP://71.155.211.233 to be directed to my website
    on the webserver.

    Thanks a lot!

    Charlie
     
    signal, Apr 28, 2006
    #1

  2. Merv Guest

    Merv, Apr 28, 2006
    #2

  3. signal Guest

    Thank you Merv!

    Command:

    ip address outside 71.155.211.233 255.255.255.0

    ip address inside 192.168.1.1 255.255.255.0

    static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0

    Am I doing right?

    Thanks a lot!

    Charlie
     
    signal, Apr 29, 2006
    #3
  4. puppy Guest

    Charlie,
    I think everything is correct, except I don't think the interface is
    needed. This should do:

    static (inside,outside) tcp www 192.168.1.99 www netmask 255.255.255.255 0 0

    This link might help in configuring the pix firewall for the average
    stuff:

    http://www.secmanager.com/cisco_pix_firewall_configuration_reference


    Thank you
    James.
     
    puppy, Apr 29, 2006
    #4
  5. Merv Guest

    I believe that static is okay.


    You will also need an access-list to permit the traffic, as it is
    coming from outside:

    access-list WEBSERVER permit tcp any host 71.155.211.233 eq 80

    access-group WEBSERVER in interface outside
     
    Merv, Apr 29, 2006
    #5
  6. Please quote context. Please see here for information on how to
    do so from Google Groups: http://cfaj.freeshell.org/google/
    That syntax is not valid for any PIX software release.

    static PAT *must* be of one of these forms:

    static (INTERFACE1,INTERFACE2) PROTOCOL IPADDRESS2 PORT2 IPADDRESS1 PORT1 netmask NETMASK

    static (INTERFACE1,INTERFACE2) PROTOCOL interface PORT2 IPADDRESS1 PORT1 netmask NETMASK

    static (INTERFACE1,INTERFACE2) PROTOCOL IPADDRESS2 access-list ACCESSLIST

    There are also some forms in which the interface and addresses are reversed.


    Although the official syntax would allow for the possibility of (e.g.)

    static (INTERFACE1,INTERFACE2) PROTOCOL interface PORT2 interface PORT1 netmask NETMASK

    in practice using 'interface' twice cannot work in either standard or reversed NAT.
     
    Walter Roberson, Apr 29, 2006
    #6
  7. puppy Guest

    Rob,
    Thanks for the correction. My bad, I did remove that previous post. And
    thanks again for the how-to on replying to Google Groups:
    http://cfaj.freeshell.org/google/.

    Hope this is the correct format; if it is not, let me know what is wrong
    and I will correct the format of my replies. Kind of new to Google Groups.

    Thank you
    James
     
    puppy, Apr 30, 2006
    #7
  8. signal Guest

    Thanks Merv and Rob,

    Here is the multi-line command I have:

    ip address outside 71.155.211.233 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
    access-list WEBSERVER permit tcp any host 71.155.211.233 eq 80
    access-group WEBSERVER in interface outside

    Will this work?
    Thanks again.

    Charlie
     
    signal, May 2, 2006
    #8
  9. Who is Rob?

    No, substitute

    access-list WEBSERVER permit tcp any interface eq www
     
    Walter Roberson, May 2, 2006
    #9
  10. signal Guest

    It returns the following error message:

    Result of firewall command: "access-list 192.168.1.99 permit tcp any
    interface eq www "

    interface <eq> does not exist
    Usage: [no] access-list compiled
    [no] access-list deny-flow-max <n>
    [no] access-list alert-interval <secs>
    [no] access-list <id> object-group-search
    [no] access-list <id> compiled
    [no] access-list <id> [line <line-num>] remark <text>
    [no] access-list <id> [line <line-num>] deny|permit
    <protocol>|object-group <protocol_obj_grp_id>
    <sip> <smask> | interface <if_name> | object-group
    <network_obj_grp_id>
    [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
    <dip> <dmask> | interface <if_name> | object-group
    <network_obj_grp_id>
    [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
    [log [disable|default] | [<level>] [interval <secs>]]
    [no] access-list <id> [line <line-num>] deny|permit icmp
    <sip> <smask> | interface <if_name> | object-group
    <network_obj_grp_id>
    <dip> <dmask> | interface <if_name> | object-group
    <network_obj_grp_id>
    [<icmp_type> | object-group <icmp_type_obj_grp_id>]
    [log [disable|default] | [<level>] [interval <secs>]]
    Restricted ACLs for route-map use:
    [no] access-list <id> deny|permit {any | <prefix> <mask> | host
    <address>}
    Command failed

    Result of firewall command: "access-group 192.168.1.99 in interface
    outside"

    ERROR: access-list <192.168.1.99> does not exist
    Usage: [no] access-group <access-list> in interface <if_name>
    [per-user-override]
    Command failed

    It seems "eq" is not accepted in the syntax.
    Sorry for the headaches caused.

    Thanks.

    Charlie
     
    signal, May 3, 2006
    #10
  11. Merv Guest

    > It returns the following error message:

    Did you already have a name command for WEBSERVER in your config ?

    Anyways try this instead:

    ip address outside 71.155.211.233 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
    access-list WEB_SERVER_ACL permit tcp any interface eq www
    access-group WEB_SERVER_ACL in interface outside
     
    Merv, May 3, 2006
    #11
  12. signal Guest

    Yes, I named 192.168.1.99 as WEBSERVER.
    Error message returned for this command: interface <eq> doesn't exist.
    The first three commands all work fine, but I am stuck on creating the
    access-list. Thanks Merv.
     
    signal, May 5, 2006
    #12
  13. Walter Roberson
    access-list WEB_SERVER_ACL permit tcp any interface outside eq www
     
    Walter Roberson, May 5, 2006
    #13
  14. signal Guest

    Now everything is working perfectly. Thanks Walter and Merv for the
    greatest help!
     
    signal, May 16, 2006
    #14
  15. yadap

    Similar solution required

    Hi all ...

    A similar configuration is required for a Cisco 1721 router with IOS version 12.4(1a).
     
    yadap, May 18, 2006
    #15
  16. signal Guest

    For future readers' reference, here is what I did to set up port
    forwarding on the PIX 501.

    ip address outside 71.155.211.233 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
    access-list WEB_SERVER_ACL permit tcp any interface outside eq www
    access-group WEB_SERVER_ACL in interface outside
     
    signal, May 31, 2006
    #16
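    Added here as an illustration (not written by anyone in the thread): a small Python checker for the two syntax pitfalls this thread ran into, the `static` PAT forms Walter Roberson listed in #6 (including the double `interface` form that cannot work) and the `interface <if_name>` requirement in the access-list entry (#10, #13). The `names` argument models the `name` entry for WEBSERVER that Charlie confirmed in #12; the sample commands are the thread's own, and the grammar is a simplification, not the full PIX command syntax.

```python
import re

# Added illustration: a simplified checker for the PIX `static` PAT and
# `access-list` forms discussed in this thread. Not the full PIX grammar.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT = r"(?:\d{1,5}|[a-z][a-z0-9-]*)"          # numeric or mnemonic (www)
NAME = r"[A-Za-z][A-Za-z0-9_.-]*"
LIMITS = r"(?:\s+\d+(?:\s+\d+)?)?"             # optional max_conns [embryonic]

STATIC_FORMS = [
    # static (IF1,IF2) PROTO IP2 PORT2 IP1 PORT1 netmask MASK
    rf"^static \({NAME},{NAME}\) (?:tcp|udp) {IP} {PORT} {IP} {PORT} netmask {IP}{LIMITS}$",
    # static (IF1,IF2) PROTO interface PORT2 IP1 PORT1 netmask MASK
    rf"^static \({NAME},{NAME}\) (?:tcp|udp) interface {PORT} {IP} {PORT} netmask {IP}{LIMITS}$",
    # static (IF1,IF2) PROTO IP2 access-list ACL
    rf"^static \({NAME},{NAME}\) (?:tcp|udp) {IP} access-list {NAME}$",
]

def check_static(line):
    """Return (True, '') for a recognised static PAT form, else (False, reason)."""
    line = " ".join(line.split())              # rejoin lines wrapped by the client
    if line.count(" interface ") >= 2:         # the form #6 says cannot work
        return False, "'interface' may appear only once"
    if any(re.match(form, line) for form in STATIC_FORMS):
        return True, ""
    return False, "does not match a static PAT form"

ADDR = rf"(?:any|host {IP}|{IP} {IP}|interface {NAME})"
ACL_RE = re.compile(
    rf"^access-list ({NAME}) (?:permit|deny) (?:tcp|udp|ip) {ADDR} {ADDR}(?: eq {PORT})?$"
)

def check_acl(line, names=()):
    """Validate an extended access-list entry; `names` are labels defined with `name`."""
    line = " ".join(line.split())
    if re.search(r"\binterface eq\b", line):   # the #10 error: 'eq' taken as if_name
        return False, "'interface' needs an interface name, e.g. 'interface outside'"
    m = ACL_RE.match(line)
    if not m:
        return False, "does not match an extended access-list entry"
    if m.group(1) in names:                    # #12: ACL id WEBSERVER was a name entry
        return False, f"ACL id {m.group(1)} collides with a 'name' entry"
    return True, ""

if __name__ == "__main__":
    print(check_static("static (inside,outside) tcp www 192.168.1.99 www netmask 255.255.255.255 0 0"))
    print(check_acl("access-list WEBSERVER permit tcp any interface eq www"))
```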
  17. crescentvn

    Hi signal, I did exactly the same as you said, but it's not working.
    If you're still there, can you help me solve this problem?
    Thanks
     
    crescentvn, Mar 17, 2008
    #17
