topic Re: Cisco PIX501 inbound deny in Network Security

Cisco PIX501 inbound deny

cliffjacobson — Mon, 11 Mar 2019 09:02:41 GMT

I'm trying to translate port 8080 on the external interface to port 80 on the host and ran the following commands. h.h.h.h is the host I want to have http traffic go to and y.y.y.y is the static outside address of the PIX. The first command is from the PDM, the second is from a best guess as using the CLI to make it work.

-----------------------------------

name h.h.h.h webserver

pdm location h.h.h.h 255.255.255.255 inside

static (inside,outside) h.h.h.h h.h.h.h netmask 255.255.255.255 0 0

access-list inbound_web permit tcp any host webserver eq 8080

static (inside,outside) tcp y.y.y.y 8080 h.h.h.h 80 netmask 255.255.255.255

access-group inbound_web in interface outside

wr mem

clear xlate

-----------------------------------

Here's what the log shows:

106023: Deny tcp src outside:68.155.176.163/2817 dst inside:y.y.y.y/8080 by access-group "inbound_web"

-----------------------------------

Now, is the log entry telling me something when there is the word "inside" next to the external IP address?????

Thanks in advance!

Re: Cisco PIX501 inbound deny

fzamora — Thu, 30 Nov 2006 04:10:57 GMT

Hi,

If your webserver is h.h.h.h, your ACL is wrong.

You are not allowing traffic to the public IP address (y.y.y.y)

Please check below:

h.h.h.h = webserver internal IP address

y.y.y.y = webserver public IP address

Now you want to redirect incoming traffic over port 8080 from the outside to go to the internal host over port 80

static (inside,outside) tcp y.y.y.y 8080 h.h.h.h 80 netmask 255.255.255.255

Now the ACL

access-list inbound permit tcp any host y.y.y.y eq 8080

access-group inbound in interface outside

Hope it helps,

Franco Zamora

Re: Cisco PIX501 inbound deny

jgervia_2 — Thu, 30 Nov 2006 04:15:24 GMT

Hello,

Your access list isn't correct.

If h.h.h.h is an internal IP address, and y.y.y.y is an external IP address, the packet that hits the ACL will be destined for y.y.y.y. (ACL is checked before NAT occurs)

You have the name 'webserver' set up to be h.h.h.h. Change it to be y.y.y.y (if you're not using that name elsewhere) and it should fix itself.

--Jason

Please rate this message if it helped solve some or all of your issue.

Re: Cisco PIX501 inbound deny

cliffjacobson — Thu, 30 Nov 2006 06:30:26 GMT

Worked great, thanks!

Re: Cisco PIX501 inbound deny

fzamora — Thu, 30 Nov 2006 14:17:49 GMT

Hi,

I'm happy to hear that! Please remember to rate my post!

Have a nice day!

Franco Zamora