PIX Port Forwarding Problem

I've been trying for some time to get my PIX 515 firewall to allow HTTP requests to pass through and go to a web server hosted on my internal network. Unfortunately I have not managed to get this working - even after reading numerous articles. The scenario is that the outside interface is connected to a cable modem and the WAN IP address is assigned through DHCP by my ISP. My PIX config is shown below; I want www requests to my dynamic IP address to be passed through to an internal web server at 192.168.1.150. Can anyone see what is wrong with my configuration?

asdm image flash:/asdm-501.bin
no asdm history enable
: Saved
:
PIX Version 7.0(1)
names
name 192.168.1.0 ctu
name 192.168.1.150 srv.bauer
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
hostname pixfirewall
domain-name ctu.local
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup inside
dns name-server srv.bauer
access-list acl_out extended deny icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp deny any echo outside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www srv.bauer www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http ctu 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.149 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect http
: end

Thanks in advance
Reply to
Cisco Newbie

Easiest way to troubleshoot any configuration - look at the log. What does it say when somebody tries to connect to your website? It will give you a direction, where to look.

Good luck,

Mike


Reply to
CiscoHeadsetAdapter.com

This series of commands accomplishes the task on my PIX 501. It should also on your 515.

static (inside,outside) tcp interface 80 192.168.1.150
access-list outside_access_in permit tcp any interface outside eq 80
clear xlate
clear arp
clear local
write mem

Reply to
MyndPhlyp

This is what he has as well!

Reply to
Julian Dragut

The log I get when trying to access my web site is as follows:

6|Dec 31 2005 10:55:44|305012: Teardown dynamic TCP translation from inside:srv.bauer/57517 to outside:xx.xx.xx.xx/5998 duration 0:00:30
6|Dec 31 2005 10:55:44|305012: Teardown dynamic TCP translation from inside:srv.bauer/57516 to outside:xx.xx.xx.xx/5997 duration 0:00:30
6|Dec 31 2005 10:55:43|305012: Teardown dynamic TCP translation from inside:srv.bauer/57515 to outside:xx.xx.xx.xx/5996 duration 0:00:30
6|Dec 31 2005 10:55:43|305012: Teardown dynamic TCP translation from inside:srv.bauer/57514 to outside:xx.xx.xx.xx/5995 duration 0:00:30
6|Dec 31 2005 10:55:42|305012: Teardown dynamic TCP translation from inside:srv.bauer/57513 to outside:xx.xx.xx.xx/5994 duration 0:00:30
3|Dec 31 2005 10:55:35|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
6|Dec 31 2005 10:55:33|305012: Teardown dynamic TCP translation from inside:192.168.1.50/2984 to outside:xx.xx.xx.xx/5993 duration 0:00:30
6|Dec 31 2005 10:55:33|305012: Teardown dynamic UDP translation from inside:srv.bauer/1031 to outside:xx.xx.xx.xx/1033 duration 0:00:30
4|Dec 31 2005 10:55:32|106023: Deny tcp src outside:64.152.4.80/80 dst inside:xx.xx.xx.xx/5985 by access-group "outside_access_in"
6|Dec 31 2005 10:55:29|609002: Teardown local-host outside:64.233.183.99 duration 0:00:00
6|Dec 31 2005 10:55:29|302014: Teardown TCP connection 5264 for outside:64.233.183.99/80 to inside:192.168.1.52/1423 duration 0:00:00 bytes 2272 TCP FINs
3|Dec 31 2005 10:55:29|710003: UDP access denied by ACL from 221.10.254.31/33275 to outside:xx.xx.xx.xx/1027
5|Dec 31 2005 10:55:29|304001: 192.168.1.52 Accessed URL 64.233.183.99:/
6|Dec 31 2005 10:55:29|302013: Built outbound TCP connection 5264 for outside:64.233.183.99/80 (64.233.183.99/80) to inside:192.168.1.52/1423 (xx.xx.xx.xx/6001)
6|Dec 31 2005 10:55:29|305011: Built dynamic TCP translation from inside:192.168.1.52/1423 to outside:xx.xx.xx.xx/6001
6|Dec 31 2005 10:55:29|609001: Built local-host outside:64.233.183.99
3|Dec 31 2005 10:55:28|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80
3|Dec 31 2005 10:55:26|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:xx.xx.xx.xx/80

I've replaced my WAN IP with xx.xx.xx.xx

Thanks

Reply to
Cisco Newbie

The PIX thinks that you are attempting to access the http service of the PIX itself, rather than passing along the request to the inside machine.

As I recall you are running PIX 7; I don't know much about PIX 7. In PIX 6.3, messages such as those are artifacts: the PIX thinks the connection has been torn down but then it sees the final packet or two from the remote host clearing down the connection, and it logs them as if the remote host is trying to create a new connection. This situation was handled better in earlier PIX versions and I had hoped it would be returned to something more sensible in PIX 7.

Hmmm, that's odd. In PIX 6, you can only get local-hosts associated with inner interfaces, unless you happen to exchange interface names (which the PIX warns about). Looking at the PIX 7.0 documentation, I see that local-host has an expanded role, but I'm having a bit of difficulty in working from the examples back to what the new local-host conception is.

I would have expected those last two to be reversed, the TCP translation built before the outbound TCP connection. Perhaps the processing order has changed in 7.0.

Reply to
Walter Roberson

Do you know how to stop the PIX thinking the request is trying to access the internal HTTP service?

Reply to
Cisco Newbie

Please test your configuration FROM OUTSIDE. You can't expect the PIX to NAT your inside address to an outside one and re-NAT the same connection instantaneously from outside to inside.

Reply to
Lutz Donnerhacke
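The point Walter and Lutz make above (an inside client's request to the WAN address arrives on the inside interface and is treated as a request to the PIX's own HTTP service, so the static is never consulted) can be checked mechanically from the log. The following is an added example, not code from the thread or from Cisco: it parses the PIX 7 syslog format shown above and separates port-80 denials from inside clients (a hairpin test) from those that really came from outside. The sample lines are constructed after the ones posted above with the WAN address replaced by a documentation address, and the 192.168.1.0/24 inside network is assumed from the posted config.

```python
import ipaddress
import re

# PIX 7 syslog format as posted in the thread: severity|timestamp|msgid: text
LOG_RE = re.compile(r"^(\d)\|([^|]+)\|(\d{6}): (.*)$")
# Message 710003: a packet addressed to the firewall itself was denied
DENIED_RE = re.compile(
    r"(TCP|UDP) access denied by ACL from (\S+)/(\d+) to (\w+):(\S+)/(\d+)$"
)

# Constructed sample, modelled on the lines posted above; the WAN address
# is a documentation address (203.0.113.7) standing in for xx.xx.xx.xx.
SAMPLE = """\
3|Dec 31 2005 10:55:35|710003: TCP access denied by ACL from 192.168.1.50/2988 to inside:203.0.113.7/80
3|Dec 31 2005 10:55:29|710003: UDP access denied by ACL from 221.10.254.31/33275 to outside:203.0.113.7/1027
6|Dec 31 2005 10:55:29|302013: Built outbound TCP connection 5264 for outside:64.233.183.99/80 (64.233.183.99/80) to inside:192.168.1.52/1423 (203.0.113.7/6001)
3|Dec 31 2005 10:55:28|710003: TCP access denied by ACL from 198.51.100.9/40001 to outside:203.0.113.7/80
"""

# Inside network assumed from the posted config (192.168.1.1/24 on Ethernet1)
def classify(line, inside_net=ipaddress.ip_network("192.168.1.0/24")):
    """Return None unless the line is a 710003 denial for TCP port 80.

    'hairpin': the client is on the inside LAN and the packet arrived on
    the inside interface addressed to the WAN IP, so the PIX treated it as
    a request to its own HTTP server; the static PAT is never consulted.
    'outside': the client really was external, so the static/ACL pair
    (not the test method) is what needs attention.
    """
    m = LOG_RE.match(line)
    if not m or m.group(3) != "710003":
        return None
    d = DENIED_RE.search(m.group(4))
    if not d or d.group(1) != "TCP" or d.group(6) != "80":
        return None
    src = ipaddress.ip_address(d.group(2))
    if src in inside_net and d.group(4) == "inside":
        return "hairpin"
    return "outside"


def summarize(text):
    """Count port-80 denials by origin so a quick glance shows whether
    the 'failed' test was really run from inside the LAN."""
    counts = {"hairpin": 0, "outside": 0}
    for line in text.splitlines():
        kind = classify(line)
        if kind:
            counts[kind] += 1
    return counts
```

Every 710003 port-80 denial that comes back as "hairpin" is the symptom Lutz describes and says nothing about whether the static works; only the "outside" ones are worth debugging against the static and access-list.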

What they're trying to say is:

Cannot come in through the same door you went out!!!

JD

Reply to
Julian Dragut
