Quick help: PIX 501 and Port Forwarding

Folks,

can someone help me out here quickly, please? PIX 501 running an old 6.2(2). It has a single outside public address that should be used (besides management of the PIX) for mapping some external ports to the inside interface:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
ip address outside xx.xx.100.50 255.255.255.192
ip address inside 192.168.1.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.100.1 1

Shouldn't that do it? It does not work. I get a timeout when connecting from the external network and do not see packets arriving at the internal server 192.168.1.51. I do see a translation when doing sh xlate:

1 in use, 8 most used
PAT Global xx.xx.100.50(80) Local 192.168.1.51(80)

Anyone?

Thanks! Sascha

Sascha E. Pollok

Instead of

static (inside,outside) tcp xx.xx.100.50 www 192.168.1.51 www netmask 255.255.255.255 0 0

you should use:

static (inside,outside) tcp interface www 192.168.1.51 www netmask 255.255.255.255 0 0

You could also have ACL issues, but since you didn't post your full config we can't determine that.

Brian V

Brian,

thanks for your reply.

No ACL issues. I have removed all ACLs from the interfaces. There is definitely nothing left. Although your suggestion looks reasonable, it still does not work. Same effect. I heard that there is a bug in this software version which causes the following warning when configuring global (outside) 1 interface:

pix(config)# global (outside) 1 interface
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool

I don't know if this bug maybe also causes trouble with the NAT configuration I am trying to run? I also did clear xlate and even tried a reload after applying your suggested change.

Also: it is maybe interesting to mention that I do not see any packets when doing "debug packet inside". Even when doing a ping to the inside host at 192.168.1.51 I do not see icmp echo request/reply packets.

Any more ideas, please? :-)

thanks Sascha

Sascha E. Pollok

Argh.. I just found it. Apparently the PIX does not forward any static-NATed packets when there is no ACL on the outside interface. It does work even if this ACL is permit ip any any.

Thanks! Sascha

Sascha E. Pollok
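The two things the thread converges on (Brian's `interface` keyword in the static, and Sascha's finding that a static only passes traffic once an access-list is applied inbound on the outside interface) can be checked mechanically before anyone stares at debug output. What follows is an added example, not code from the original posts or from Cisco: a small Python lint that picks the relevant PIX 6.x lines (`ip address`, `static`, `access-list`, `access-group`) out of a config and reports every static whose mapped interface has no inbound access-group, or whose access-group does not permit the translated address and port. The two configs embedded in it are constructed from the thread's first post, with the masked address xx.xx.100.50 kept as posted; the ACL name outside_in, the function names and the port-name table are this example's own choices. The fixed config permits only tcp/www to the mapped address rather than `permit ip any any`, which would expose every translation on the box. Note that on PIX 6.x (and every release before 8.3) the ACL on the outside interface matches the translated, global address, not 192.168.1.51.

```python
"""Lint a PIX 6.x config for statics that lack a permitting inbound ACL.
Added example, not from the original thread.  Constructed configs reuse the
thread's masked address xx.xx.100.50; outside_in and helper names are ours."""

# Service names the PIX accepts in place of port numbers (subset for this example)
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "ssh": "22",
              "smtp": "25", "domain": "53", "ftp": "21"}

def _port(p):
    return None if p is None else PORT_NAMES.get(p, p)

def _addr(t, i):
    """Consume one address spec (any | host A | A MASK) starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def _parse_ace(t):
    """t = [permit|deny, proto, src [src-port-op], dst [eq port]]."""
    src, i = _addr(t, 2)
    if i < len(t) and t[i] in ("eq", "neq", "lt", "gt", "range"):  # source port, skipped
        i += 3 if t[i] == "range" else 2
    dst, i = _addr(t, i)
    dport = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": _port(dport)}

def parse_config(text):
    """Collect statics, named ACLs, inbound access-groups and interface addresses."""
    statics, acls, groups, if_addr = [], {}, {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):          # port static
                s = dict(proto=t[2], mapped=t[3], mport=_port(t[4]), real=t[5])
            else:                               # one-to-one static
                s = dict(proto="ip", mapped=t[2], mport=None, real=t[3])
            s.update(real_if=real_if, mapped_if=mapped_if)
            statics.append(s)
        elif t[0] == "access-list" and len(t) > 2 and t[2] in ("permit", "deny"):
            acls.setdefault(t[1], []).append(_parse_ace(t[2:]))
        elif t[0] == "access-group":            # access-group NAME in interface IF
            groups[t[4]] = t[1]
        elif t[:2] == ["ip", "address"]:        # ip address IF ADDR MASK
            if_addr[t[2]] = t[3]
    return statics, acls, groups, if_addr

def _ace_covers(ace, s, mapped_ip):
    """Does this ACE permit the static's translated address and service?"""
    return (ace["action"] == "permit"
            and ace["proto"] in ("ip", s["proto"])
            and ace["dst"] in ("any", mapped_ip)
            and (s["mport"] is None or ace["dport"] in (None, s["mport"])))

def check(text):
    """One message per static that inbound traffic cannot reach; [] when all are fine."""
    statics, acls, groups, if_addr = parse_config(text)
    problems = []
    for s in statics:
        # 'interface' as the mapped address means the mapped interface's own IP
        mapped_ip = if_addr.get(s["mapped_if"], "?") if s["mapped"] == "interface" else s["mapped"]
        desc = f"{s['proto']} {mapped_ip}:{s['mport'] or '*'} -> {s['real']}"
        acl = groups.get(s["mapped_if"])
        if acl is None:
            problems.append(f"{desc}: no access-group inbound on {s['mapped_if']}, PIX 6.x drops the traffic")
        elif not any(_ace_covers(a, s, mapped_ip) for a in acls.get(acl, [])):
            problems.append(f"{desc}: access-list {acl} on {s['mapped_if']} does not permit it")
    return problems

# Constructed from the thread's first post (with Brian's 'interface' keyword); no ACL at all.
BROKEN = """\
ip address outside xx.xx.100.50 255.255.255.192
ip address inside 192.168.1.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.51 www netmask 255.255.255.255 0 0
"""

# Same config plus the inbound ACL the last post found to be required, limited to
# the one service.  Pre-8.3 PIX: the outside ACL matches the translated address.
FIXED = BROKEN + """\
access-list outside_in permit tcp any host xx.xx.100.50 eq www
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: {check(cfg) or 'ok'}")
```

Run it as-is and the first config is reported with the exact symptom from the thread (a translation exists, nothing is permitted inbound), while the second passes. Pointing it at a real `write terminal` dump works the same way, since it ignores every line it does not recognise; it does not model object groups or the `interface` keyword inside ACLs, which are later PIX features anyway.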

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.