03-08-2007 06:43 AM - edited 03-11-2019 02:43 AM
Hi,
I can't get port forwarding working into a PIX515E.
This is what I have done and port 80 doesn't open.
name 203.144.238.79 WEBSVR
static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http
access-list outside_access_in permit tcp any host 192.168.10.17 eq http
I can telnet to the DMZ addresses on port 80 from the src of the internal Pix range from an upstream router.
Am I forgetting something?
Please help!
03-08-2007 06:46 AM
please put in the following commands,
no access-list outside_access_in permit tcp any host 192.168.10.17 eq http
access-list outside_access_in permit tcp any host 203.144.238.79 eq http
cl xlate
From the outside, the traffic will come with the dest. IP address as the public IP. In the existing access-list it's the private IP address, that's why it's not working.
Please do the changes and let us know if it works or not.
Regards,
Sushil
03-08-2007 06:51 AM
Don't forget to apply the ACL
access-group outside_access_in in interface outside
03-08-2007 06:53 AM
I have done that :)
03-08-2007 07:30 AM
I tried what was suggested before and I have done the following and it still isn't working.
name 203.144.238.79 WEBSVR
no static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0
static (PublicDMZ,outside) tcp 203.144.238.79 www 192.168.10.17 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 203.144.238.79 eq http
There is an entry in the sh xlate table as
Global WEBSVR Local 192.168.10.17
Do I need to route the public range via the outside interface?
John
03-08-2007 07:43 AM
Is 203.144.238.79 also your outside interface address?
03-08-2007 01:56 PM
ip address 203.144.238.70 255.255.255.0 is my WAN IP.
03-08-2007 02:25 PM
It's unclear how your network is set up. Is your setup something like this?
Internet --- Router --- PIX --- PublicDMZ
If the WAN IP on the outside router is 203.144.238.70, then does it know how to route to 203.144.238.79? If it doesn't, then you can add a static host route, /32 bit mask, to forward the traffic to the firewall.
If the setup is different or I misunderstood any part of your configuration then clarify that and posting the configuration would help.
HTH
Sundar
03-08-2007 03:46 PM
Hi John,
Do you still have an access-group applied on the PublicDMZ interface ?
Remove it and then try.
If it works, then add the following entry in the ACL :
access-list PublicDMZ_access_in permit tcp host 192.168.10.17 eq 80 any
And then reapply the access-group.
*Please rate if it helped.
-Kanishka
03-09-2007 03:25 AM
Hi,
This is all fixed now. Thanks for all your replies.
I did the following:
static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.16 any eq http
access-list outside_access_in permit tcp any host 203.144.238.79 eq http
route outside 203.144.238.79 255.255.255.224 203.144.238.68 1
The 203.144.238.68 being the upstream router back to our network
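A small checker for the mismatch Sushil pointed out (an outside ACL naming the private address of a static instead of the public one). This is an added example written for this page, not code from the thread or from Cisco; it only understands the pre-8.3 name/static/access-list/access-group forms used above, and the config it parses is a constructed sample that repeats the original mistake alongside the corrected entry.

```python
import re

# Constructed sample: the first outside_access_in line is the thread's original
# mistake (real/private IP), the second is the corrected form (mapped/public IP).
SAMPLE_CONFIG = """
name 203.144.238.79 WEBSVR
static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 192.168.10.16 eq http
access-list outside_access_in permit tcp any host WEBSVR eq http
access-group outside_access_in in interface outside
"""

def parse_addr(tok, i, names):
    """Read one ACL address spec starting at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return names.get(tok[i + 1], tok[i + 1]), i + 2
    return names.get(tok[i], tok[i]), i + 2          # "addr mask" form

def audit_statics(config):
    """Flag ACL entries on a static's mapped interface that name the real (local) IP,
    and statics whose mapped (global) IP is never permitted there."""
    names, statics, acls, bound = {}, [], {}, {}
    for raw in config.strip().splitlines():
        tok = re.sub(r"\)(\S)", r") \1", raw).split()  # tolerate "(a,b)tcp" typo
        if not tok:
            continue
        if tok[0] == "name":                           # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "static":
            _real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            body = tok[2:tok.index("netmask")]
            if body[0] in ("tcp", "udp"):              # port static: proto mip mport rip rport
                mapped_ip, real_ip = body[1], body[3]
            else:                                      # plain static: mip rip
                mapped_ip, real_ip = body[0], body[1]
            statics.append((mapped_ifc, names.get(mapped_ip, mapped_ip), names.get(real_ip, real_ip)))
        elif tok[0] == "access-list":
            _, i = parse_addr(tok, 4, names)           # skip source
            dst, _ = parse_addr(tok, i, names)
            acls.setdefault(tok[1], []).append(dst)
        elif tok[0] == "access-group":                 # access-group <acl> in interface <ifc>
            bound[tok[4]] = tok[1]
    findings = []
    for mapped_ifc, mapped_ip, real_ip in statics:
        dsts = acls.get(bound.get(mapped_ifc, ""), [])
        if real_ip in dsts:
            findings.append(f"{mapped_ifc} ACL matches real IP {real_ip}; inbound traffic arrives for {mapped_ip}")
        if mapped_ip not in dsts:
            findings.append(f"no {mapped_ifc} ACL entry permits mapped IP {mapped_ip}")
    return findings
```

Run against SAMPLE_CONFIG it reports the stale private-IP entry only; remove the corrected line and it also reports that nothing permits the public address.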