
IIS 6 and PIX 501

Paul.Lane
Level 1

I'm sorry I posted this on the wrong board.

I have a cable modem that plugs into my PIX 501. I'm running 6.3(1) on the PIX.

How do I go about creating a NAT to allow outside [specifically my work office] to connect to the web server I have at my house?

I added these two lines to the config on my PIX:

static (inside,outside) xxx.xxx.xx.xx xxx.xxx.x.xx 255.255.255.255 [this one to NAT the outside INT of the cable modem to the invalid IP of the web server]

and this rule to test it [I added this rule, then tried to access the web server from my work]:

access-list 101 permit tcp any host xxx.xxx.xx.xx eq www

When I "wr mem", I can't browse out from my internal network and I can't get to my website from outside.

Any help would be appreciated.


mostiguy
Level 6

static (inside, outside) tcp interface www 1.2.3.4 www netmask 255.255.255.255

forwards port 80 from the outside interface to the port 80 in inside host 1.2.3.4

I still can't get it to work. All I want to do is set up a website behind the PIX. I'm using IIS 6.0 behind the PIX 501. I'm using a cable modem and use the outside interface IP I get from the cable modem folks. [It's DHCP]

Here is a copy of my config from the home pix:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname homepix

domain-name xxxxxx.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 101 permit tcp any host xx.xx.xx.xx eq pptp

access-list 101 permit gre any host xx.xx.xx.xx

access-list 102 permit tcp any host xx.xx.xx.xx eq www

pager lines 24

logging on

logging host inside 192.168.1.10

logging host inside 192.168.1.12

logging host inside 192.168.1.19

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.10 255.255.255.255 inside

pdm location 192.168.1.12 255.255.255.255 inside

pdm location 192.168.1.19 255.255.255.255 inside

pdm location 192.168.1.2 255.255.255.255 inside

pdm location 10.10.11.0 255.255.255.192 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp xx.xx.xx.xx www 192.168.1.15 www netmask 255.255.255.255 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

telnet 192.168.1.2 255.255.255.255 inside

telnet 192.168.1.12 255.255.255.255 inside

telnet 192.168.1.19 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn username Lane password ********

vpdn enable outside

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxx

homepix#

You do not have an access group command that binds the access list to the outside interface.

Thanks!
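The gap identified in the last reply can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads a PIX 6.x configuration and reports access lists that no `access-group` binds, and port-forwarding `static` entries with no matching permit in the ACL bound to the mapped interface. The function name `audit`, the sample text and the address 203.0.113.10 (standing in for the redacted public IP) are assumptions made for illustration.

```python
import re

# Constructed sample: the relevant lines of the posted config, with the
# redacted public address replaced by the documentation address 203.0.113.10.
SAMPLE = """\
access-list 101 permit tcp any host 203.0.113.10 eq pptp
access-list 101 permit gre any host 203.0.113.10
access-list 102 permit tcp any host 203.0.113.10 eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 203.0.113.10 www 192.168.1.15 www netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
STATIC_RE = re.compile(
    r"^static\s+\((\w+),\s*(\w+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def audit(config):
    """Return (unbound_acls, unreachable_statics) for a PIX 6.x config."""
    acls, bound, statics = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface name -> ACL id
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    # ACLs never named by an access-group filter no interface traffic.
    # (An ACL may still be used elsewhere, e.g. by nat 0; review each hit.)
    unbound = sorted(set(acls) - set(bound.values()))
    unreachable = []
    for _real_if, mapped_if, proto, _gip, gport, lip, lport in statics:
        entries = acls.get(bound.get(mapped_if), [])
        # Simplified match: same protocol and the entry ends in "eq <port>";
        # the destination address in the ACL entry is not compared.
        if not any(p == proto and rest.split()[-2:] == ["eq", gport]
                   for p, rest in entries):
            unreachable.append(f"{proto}/{gport} -> {lip}:{lport}")
    return unbound, unreachable
```

Appending `access-group 102 in interface outside` to the sample clears the `static` finding. ACL 101 is still reported, because a PIX interface accepts only one inbound access list, so any entries needed from 101 would have to be merged into the bound list.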
