How to setup port forwarding in PIX 501?

Hello,

I have a webserver in the inside network with IP 192.168.1.99. The outside IP of the PIX 501 is 71.155.211.233 and the inside IP of the PIX 501 is 192.168.1.1. What do I do if I want my webserver visible from the public internet? I need HTTP://71.155.211.233 to be directed to my website on the webserver.

Thanks a lot!

Charlie

Posted by signal

Port forwarding is called port redirection in PIX parlance.

See: [link not preserved in this archive]

Posted by Merv

Thank you Merv!

Commands:

ip address outside 71.155.211.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0

Am I doing this right?

Thanks a lot!

Charlie

Posted by signal

Charlie, I think everything is correct, except I don't think the interface is needed. This should do:

static (inside,outside) tcp www 192.168.1.99 www netmask 255.255.255.255 0 0

This link might help in configuring the PIX firewall for the average stuff: [link not preserved in this archive]

Thank you James.

Posted by puppy

I believe that static is okay.

You will also need an access-list to permit the traffic, as it is coming from outside:

access-list WEBSERVER permit tcp any host 71.155.211.233 eq 80

access-group WEBSERVER in interface outside

Posted by Merv

Please quote context. Please see here for information on how to do so from Google Groups: [link not preserved in this archive]

That syntax is not valid for any PIX software release.

static PAT *must* be of one of these forms:

static (INTERFACE1,INTERFACE2) PROTOCOL IPADDRESS2 PORT2 IPADDRESS1 PORT1 netmask NETMASK

static (INTERFACE1,INTERFACE2) PROTOCOL interface PORT2 IPADDRESS1 PORT1 netmask NETMASK

static (INTERFACE1,INTERFACE2) PROTOCOL IPADDRESS2 access-list ACCESSLIST

There are also some forms in which the interface and addresses are reversed.

Although the official syntax would allow for the possibility of (e.g.)

static (INTERFACE1,INTERFACE2) PROTOCOL interface PORT2 interface PORT1 netmask NETMASK

in practice using 'interface' twice cannot work in either standard or reversed NAT.

Posted by Walter Roberson

Rob, thanks for the correction. My bad, I did remove that previous post. And thanks again for the how-to on replying to Google Groups: [link not preserved in this archive]

Hope this is the correct format; if it is not, let me know what is wrong and I will correct the format of replies. Kind of new to Google Groups.

Thank you James

Posted by puppy

Thanks Merv and Rob,

Here are the multiple commands I have:

ip address outside 71.155.211.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
access-list WEBSERVER permit tcp any host 71.155.211.233 eq 80
access-group WEBSERVER in interface outside

Will this work? Thanks again.

Charlie

Posted by signal

Who is Rob?

No, substitute:

access-list WEBSERVER permit tcp any interface eq www

Posted by Walter Roberson

It returns the following error message:

    Result of firewall command: "access-list 192.168.1.99 permit tcp any interface eq www "
    interface does not exist Usage: [no] access-list compiled [no] access-list deny-flow-max [no] access-list alert-interval [no] access-list object-group-search [no] access-list compiled [no] access-list [line ] remark [no] access-list [line ] deny|permit |object-group | interface | object-group
    [ [] | object-group ] | interface | object-group [ [] | object-group ] [log [disable|default] | [] [interval ]] [no] access-list [line ] deny|permit icmp | interface | object-group
    | interface | object-group
    [ | object-group ] [log [disable|default] | [] [interval ]] Restricted ACLs for route-map use: [no] access-list deny|permit {any | | host } Command failed

    Result of firewall command: "access-group 192.168.1.99 in interface outside"
    ERROR: access-list does not exist Usage: [no] access-group in interface [per-user-override] Command failed

It seems "eq" is not accepted in the syntax. Sorry for the headaches caused.

Thanks.

Charlie

Posted by signal

Did you already have a name command for WEBSERVER in your config?

Anyways try this instead:

ip address outside 71.155.211.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
access-list WEB_SERVER_ACL permit tcp any interface eq www
access-group WEB_SERVER_ACL in interface outside

Posted by Merv

> interface eq www "

Yes. I named 192.168.1.99 as WEBSERVER.

Error message returned for this command: interface doesn't exist. All the first three commands work fine, but I am stuck at creating an access-list. Thanks Merv.

Posted by signal

access-list WEB_SERVER_ACL permit tcp any interface outside eq www

Posted by Walter Roberson

Now everything is working perfectly. Thanks Walter and Merv for the greatest help!

Posted by signal

For future readers' reference, here is what I did for setting up port forwarding in PIX 501.

ip address outside 71.155.211.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
access-list WEB_SERVER_ACL permit tcp any interface outside eq www
access-group WEB_SERVER_ACL in interface outside

Posted by signal
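As an added example (not from the thread, and not Cisco's tooling), a small Python checker that reads a PIX-style fragment like the ones posted above and reports the two things that went wrong in this thread: an ACL named the same as a `name` alias (the PIX rewrote WEBSERVER to 192.168.1.99, so the access-group pointed at a list that did not exist) and an access-list that does not line up with the static's outside interface and port. It assumes the working pairing shown in the final post, `static ... interface www` with `interface outside` in the ACL; the port-name table and the line shapes it accepts are my own simplification, not a full PIX parser.

```python
import re

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}   # PIX accepts names or numbers
def parse_pix(text):
    """Pick out name aliases, static PAT entries, ACL entries and access-group bindings."""
    cfg = {"names": {}, "statics": [], "acls": {}, "groups": [], "bad": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"name (\S+) (\S+)$", line):
            cfg["names"][m[2]] = m[1]                       # alias -> address
        elif m := re.match(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask ", line):
            cfg["statics"].append(dict(outside=m[2], proto=m[3], gaddr=m[4], laddr=m[6],
                                       gport=PORT_NAMES.get(m[5], m[5]), lport=PORT_NAMES.get(m[7], m[7])))
        elif m := re.match(r"access-list (\S+) permit (tcp|udp) \S+ (host \S+|interface \w+) eq (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append(dict(proto=m[2], dst=m[3], port=PORT_NAMES.get(m[4], m[4])))
        elif m := re.match(r"access-group (\S+) in interface (\w+)$", line):
            cfg["groups"].append(dict(acl=m[1], iface=m[2]))
        elif line.startswith(("static", "access-list", "access-group")):
            cfg["bad"].append(line)          # e.g. "any interface eq www" with no interface name
    return cfg

def check_redirection(text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    cfg = parse_pix(text)
    problems = [f"malformed line: {l}" for l in cfg["bad"]]
    for acl in set(cfg["acls"]) | {g["acl"] for g in cfg["groups"]}:
        if acl in cfg["names"]:              # the PIX rewrites the alias to its address
            problems.append(f"ACL name {acl} is also a name alias for {cfg['names'][acl]}")
    for g in cfg["groups"]:
        if g["acl"] not in cfg["acls"]:
            problems.append(f"access-group refers to missing access-list {g['acl']}")
    for s in cfg["statics"]:
        # assumption: a 'static ... interface' entry is matched by 'interface <outside>' in the ACL,
        # an explicit global address by 'host <address>'
        dsts = {f"interface {s['outside']}"} if s["gaddr"] == "interface" else {f"host {s['gaddr']}"}
        hit = any(e["proto"] == s["proto"] and e["port"] == s["gport"] and e["dst"] in dsts
                  for g in cfg["groups"] if g["iface"] == s["outside"]
                  for e in cfg["acls"].get(g["acl"], []))
        if not hit:
            problems.append(f"no inbound ACL on {s['outside']} opens {s['proto']}/{s['gport']} "
                            f"for the static to {s['laddr']}:{s['lport']}")
    return problems

# Constructed fragments: the thread's final working config and the earlier failing attempt
FINAL = """static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
access-list WEB_SERVER_ACL permit tcp any interface outside eq www
access-group WEB_SERVER_ACL in interface outside"""
BROKEN = """name 192.168.1.99 WEBSERVER
static (inside,outside) tcp interface www 192.168.1.99 www netmask 255.255.255.255 0 0
access-list WEBSERVER permit tcp any interface eq www
access-group WEBSERVER in interface outside"""
```

Running `check_redirection(FINAL)` returns an empty list, while `check_redirection(BROKEN)` lists the malformed ACL line, the name-alias collision, the missing access-list and the unopened port.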
