topic Port forwarding on Pix 515E in Network Security

Port forwarding on Pix 515E

Mark Bracking — Mon, 11 Mar 2019 18:43:53 GMT

Port forwarding on Pix 515E

What I am trying to accomplish is to forward port 80 and port 443 to allow a Microsoft Small Business Server to access Remote Web Workplace.

Thank you for your help

Here is my config

PIX(config)# show run

: Saved

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password XJX9T/MNG54uoaTm encrypted

passwd XJX9T/MNG54uoaTm encrypted

hostname PIX

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit tcp any host 10.0.1.103 eq https

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside dhcp setroute

ip address inside 10.0.1.2 255.255.255.0

ip address dmz 172.16.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.100.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.0.1.0 255.255.255.0 inside

telnet 10.0.1.0 255.255.255.0 dmz

telnet timeout 3

ssh timeout 5

console timeout 0

dhcpd address 10.0.1.100-10.0.1.125 inside

dhcpd address 172.16.2.2-172.16.2.20 dmz

dhcpd dns 205.171.3.25 192.168.100.1

dhcpd wins 209.165.201.5

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain sbssrv.com

dhcpd enable inside

dhcpd enable dmz

terminal width 80

banner login Enter your password to log in

Cryptochecksum:3a32247b0d6dd90b125f3873d0e30902

: end

networ setup DSL Router>PIX>DMZ>Server

IP Address

dhcpd address 172.16.2.2-172.16.2.20 dmz

DSL Router

174.21.215.27

Server 172.16.2.2 255.255.255.0

thanks again

Re: Port forwarding on Pix 515E

Nagaraja Thanthry — Thu, 23 Sep 2010 02:43:48 GMT

Hello,

Please try the following:

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

static (inside,outside) tcp interface 443 443 netmask 255.255.255.255

no access-list outside_access_in permit tcp any host 10.0.1.103 eq https

access-list outside_access_in permit tcp any interface outside eq https

access-list outside_access_in permit tcp any interface outside eq 80

Hope this helps.

Regards,

Re: Port forwarding on Pix 515E

Mark Bracking — Thu, 23 Sep 2010 17:32:06 GMT

This is the error message that I receive.

Remote Web Access to your server is blocked

Some routers may not work properly with your server. Visit the support Web site for your router manufacturer and ensure that your router has the most recent firmware.

Some internet providers (ISP) block ports 80 and 443 to prevent customers from remotely accessing services that are hosted on their networks. For more information, contact your ISP.

UPnP is not enabled on the router.

I tried the suggestions and they did not work. Does anyone of any other suggestions?

Thank you

Mark

Re: Port forwarding on Pix 515E

Allen P Chen — Thu, 23 Sep 2010 17:43:44 GMT

Hello,

Based on the IP address of the SBS (172.16.2.2), it resides behind the DMZ interface, correct? The static statements need to be changed as follows:

no static (inside,outside) tcp interface 80 172.16.2.2 80 netmask 255.255.255.255

no static (inside,outside) tcp interface 443 172.16.2.2 443 netmask 255.255.255.255

static (dmz,outside) tcp interface 80 172.16.2.2 80 netmask 255.255.255.255

static (dmz,outside) tcp interface 443 172.16.2.2 443 netmask 255.255.255.255

You can leave the ACL as follows, which is correct:

access-list outside_access_in permit tcp any interface outside eq https

access-list outside_access_in permit tcp any interface outside eq 80

Please give that a try, thanks.