https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371153#M550011 <P>I have a new Pix 501 that I'm attempting to setup. I have a web server with the address below and need to open the follwing ports: I'm a newbie to Cisco routers and would appreciate any help.</P><P></P><P>PORTS:</P><P>25 E-mails sent out from IRM bridge server</P><P>80 HTTP internet traffic</P><P>443 Secure Internet (HTTPS)</P><P>3389 Terminal Service for RDP support</P><P>522, 389, 1503, 1720, 1731 Any workstation that will connect to RDP</P><P>w/Netmeeting</P><P></P><P>cisco router IP: 192.168.0.1</P><P></P><P>Internal Server 192.168.0.9</P><P></P><P></P><P>External IP 67-52-89.90</P><P></P> Fri, 21 Feb 2020 08:02:28 GMT larrykopesky 2020-02-21T08:02:28Z https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371153#M550011 <P>I have a new Pix 501 that I'm attempting to setup. I have a web server with the address below and need to open the follwing ports: I'm a newbie to Cisco routers and would appreciate any help.</P><P></P><P>PORTS:</P><P>25 E-mails sent out from IRM bridge server</P><P>80 HTTP internet traffic</P><P>443 Secure Internet (HTTPS)</P><P>3389 Terminal Service for RDP support</P><P>522, 389, 1503, 1720, 1731 Any workstation that will connect to RDP</P><P>w/Netmeeting</P><P></P><P>cisco router IP: 192.168.0.1</P><P></P><P>Internal Server 192.168.0.9</P><P></P><P></P><P>External IP 67-52-89.90</P><P></P> Fri, 21 Feb 2020 08:02:28 GMT https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371153#M550011 larrykopesky 2020-02-21T08:02:28Z https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371154#M550014 <HTML><HEAD></HEAD><BODY><P>Hi, Larry</P><P></P><P>Try this setup. This should be the settings for your HyperTerminal session (with the console cable) to the PIX:</P><P>Bits per seconds: 9600</P><P>Data bits: 8</P><P>Parity: none</P><P>Stop bits: 1</P><P>Flow control: Hardware</P><P></P><P>Once there, enter these commands:</P><P>enable</P><P><PASSWORD prompt=""></PASSWORD></P><P>configure terminal</P><P>interface ethernet0 100full</P><P>interface ethernet1 100full</P><P>nameif ethernet0 security0</P><P>nameif ethernet1 security100</P><P>ip address outside 67.52.89.90 255.255.255.x (your netmask)</P><P>ip address inside 192.168.0.1 255.255.255.0</P><P>route outside 0.0.0.0 0.0.0.0 <YOUR_GATEWAY_IP></YOUR_GATEWAY_IP></P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>global (outside) 1 interface</P><P>static (inside,outside) tcp interface 25 192.168.0.9 25</P><P></P><P>static (inside,outside) tcp interface 80 192.168.0.9 80</P><P>static (inside,outside) tcp interface 443 192.168.0.9 443</P><P>static (inside,outside) tcp interface 3389 192.168.0.9 3389</P><P>access-list inbound permit tcp any interface outside eq 25</P><P>access-list inbound permit tcp any interface outside eq 80</P><P>access-list inbound permit tcp any interface outside eq 443</P><P>access-list inbound permit tcp any interface outside eq 3389</P><P>access-group inbound in interface outside</P><P>write memory</P><P></P><P>I'm not sure of the need of opening TCP ports 522, 389, 1503, 1720 and 1731 since I believe that you would be already connected to the server via RDP (?). Well, anyway, if you need to open those ports, then just add the proper "static" and "access-list" statements (just follow the syntax provided).</P><P></P><P>Hope that helps!</P><P></P><P>Federico Rodriguez</P><P></P></BODY></HTML> Tue, 29 Mar 2005 01:00:08 GMT https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371154#M550014 fedrodri 2005-03-29T01:00:08Z https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371155#M550016 <HTML><HEAD></HEAD><BODY><P>Hi Federico,</P><P>Thanks for your reply. I ran the commands as you indicated but I still cannot access the web server or terminal services. One thing I forgot to mention is that there is an internal server at 192.168.0.98 that is providing DNS. Do I need to change anything on the cisco? Also I ran the following: What am I doing wrong? Please advise.</P><P>Thanks,</P><P>larry</P><P></P><P>show static</P><P>static (inside,outside) tcp interface smtp 192.168.0.9 smtp netmask </P><P>255.255.255.255 0 0</P><P>static (inside,outside) tcp interface 522 192.168.0.9 522 netmask </P><P>255.255.255.255 0 0</P><P>static (inside,outside) tcp interface ldap 192.168.0.9 ldap netmask </P><P>255.255.255.255 0 0</P><P>static (inside,outside) tcp interface 1503 192.168.0.9 1503 netmask </P><P>255.255.255.255 0 0</P><P>static (inside,outside) tcp interface h323 192.168.0.9 h323 netmask </P><P>255.255.255.255 0 0</P><P>static (inside,outside) tcp interface 1731 192.168.0.9 1721 netmask </P><P>255.255.255.255 0 0</P><P>static (inside,outside) tcp interface www 192.168.0.9 www netmask </P><P>255.255.255.255 0 0</P><P>static (inside,outside) tcp interface https 192.168.0.9 https netmask </P><P>255.255.255.255 0 0</P><P>static (inside,outside) tcp interface 3389 192.168.0.9 3389 netmask </P><P>255.255.255.255 0 0</P><P></P><P></P><P>show xlate:</P><P>PAT Global 67.52.89.90(1154) Local 192.168.0.11(1232)</P><P>PAT Global 67.52.89.90(1153) Local 192.168.0.11(1231)</P><P>PAT Global 67.52.89.90(1152) Local 192.168.0.11(1230)</P><P>PAT Global 67.52.89.90(1160) Local 192.168.0.11(1237)</P><P>PAT Global 67.52.89.90(1037) Local 192.168.0.98(1074)</P><P>PAT Global 67.52.89.90(1051) Local 192.168.0.11(1136)</P><P>PAT Global 67.52.89.90(1151) Local 192.168.0.11(1229)</P><P>PAT Global 67.52.89.90(1150) Local 192.168.0.11(1228)</P><P></P></BODY></HTML> Thu, 31 Mar 2005 10:16:38 GMT https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371155#M550016 larrykopesky 2005-03-31T10:16:38Z https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371156#M550017 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Do you mean that you cannot access the server via RDP or HTTP/HTTPS from inside using its public IP, or did you meant to say tha you cannot access it from the outside world... I guess it is the first one because if I open the web browser and try to go to 67.52.89.90 (next time remember to 'x'-it out, not to show your IPs!), and I get redirected to /startup.asp with some bogus output, but this tells me that this is being redirected or port address translated correctly by the PIX. I assume that if one port is translated correctly, then the rest of the ports are as well!</P><P></P><P>OK, so if you are trying to access the server with its public IP, that's not going to be possible at all. See the following link:</P><P></P><P>-- Cisco Secure PIX Firewall Frequently Asked Questions:</P><P>Q. Can I operate the PIX in a "one armed" configuration?</P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/pixfaq.shtml" target="_blank">http://www.cisco.com/warp/public/110/pixfaq.shtml</A></P><P></P><P>You cannot also try to access it by domain name (with the DNS-rewrite or DNS-Doctoring featuring), since DNS-Doctoring requires a one-to-one translation, which you don't have.</P><P></P><P>I hope that helps. Let me know if you have any questions.</P><P></P><P>Bes regards,</P><P></P><P>Federico Rodriguez</P><P></P></BODY></HTML> Thu, 31 Mar 2005 18:35:21 GMT https://community.cisco.com/t5/network-security/pix-501-and-web-server/m-p/371156#M550017 fedrodri 2005-03-31T18:35:21Z