topic Can't get port 80 forwarding working on 515E in Network Security

Can't get port 80 forwarding working on 515E

cameronjohn — Mon, 11 Mar 2019 09:43:36 GMT

Hi,

I can't get port forwarding working into a PIX515E.

This is what I have done and port 80 doesn't open.

name 203.144.238.79 WEBSVR

static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0

access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http

access-list outside_access_in permit tcp any host 192.168.10.17 eq http

I can telnet to the DMZ addresses on port 80 from the src of the internal Pix range from an upstream router.

Am I forgeting something.

Please help!

Re: Can't get port 80 forwarding working on 515E

suschoud — Thu, 08 Mar 2007 14:46:08 GMT

please put in the following commands,

no access-list outside_access_in permit tcp any host 192.168.10.17 eq http

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

cl xlate

From the outside,the traffic will come with dest. ip address as the public ip .In the existing access-list it's the private ip address,that's why it's not working.

plz do the changes and let us know if it work or not.

Regards,

Sushil

Re: Can't get port 80 forwarding working on 515E

acomiskey — Thu, 08 Mar 2007 14:51:43 GMT

Dont forget to apply the acl

access-group outside_access_in in interface outside

Re: Can't get port 80 forwarding working on 515E

cameronjohn — Thu, 08 Mar 2007 14:53:36 GMT

I have done that 🙂

Re: Can't get port 80 forwarding working on 515E

cameronjohn — Thu, 08 Mar 2007 15:30:59 GMT

I Tried what was suggested before and I have done the follwoing and it still isn't working.

name 203.144.238.79 WEBSVR

no static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0

static (PublicDMZ,outside)tcp 203.144.238.79 www 192.168.10.17 www netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

There is any entry in the sh xlate table as

Global WEBSVR Local 192.168.10.17

Do I need to route the public range via the outside interface.

John

Re: Can't get port 80 forwarding working on 515E

acomiskey — Thu, 08 Mar 2007 15:43:02 GMT

Is 203.144.238.79 also your outside interface address?

Re: Can't get port 80 forwarding working on 515E

cameronjohn — Thu, 08 Mar 2007 21:56:40 GMT

ip address 203.144.238.70 255.255.255.0 is my WAN IP.

Re: Can't get port 80 forwarding working on 515E

sundar.palaniappan — Thu, 08 Mar 2007 22:25:26 GMT

It's unclear how your network is setup. Is your setup something like this.

Internet --- Router --- PIX --- PublicDMZ

If the WAN IP on the outside router is 203.144.238.70 then does it know how to route to 203.144.238.79. If it doesn't then you can add a static host route, /32 bit mask, to forward the traffic to the firewall.

If the setup is different or I misunderstood any part of your configuration then clarify that and posting the configuration would help.

HTH

Sundar

Re: Can't get port 80 forwarding working on 515E

kaachary — Thu, 08 Mar 2007 23:46:07 GMT

Hi John,

Do you still have an access-group applied on the PublicDMZ interface ?

Remove it and then try.

If it works, then add the following entry in the ACL :

access-list PublicDMZ_access_in permit tcp host 192.168.10.17 eq 80 any

And then reapply the access-grup.

*Please rate if it helped.

-Kanishka

Re: Can't get port 80 forwarding working on 515E

cameronjohn — Fri, 09 Mar 2007 11:25:44 GMT

Hi,

This is all fixed now. Thanks for all your replies.

I did the following:

static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0

access-list PublicDMZ_access_in permit tcp host 192.168.10.16 any eq http

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

route outside 203.144.238.79 255.255.255.224 203.144.238.68 1

The 203.144.238.68 being the upstream router back to our network