05-28-2007 10:51 AM - edited 03-11-2019 03:21 AM
I have two problems with my newly bought PIX 501 (Newbie).
1. How do I forward an outside port to an inside IP and port? E.g. the outside IP is 192.168.2.105, the IP that I want to receive traffic on is 192.168.1.2 and the port is 10000 TCP. How do I do this? I've been fighting for 4 days now :-) PLEASE take me out of my misery :-)
2. The original version of the PIX software was 6.1, and PDM was very low. I found out that getting upgrades for this PIX would take some time because I had to register with Cisco for some special account. Now, I don't know if this would have cost me or not, and I don't care, I am willing to pay (not too much :-) ), but I found out that my previous office had an upgrade CD lying around, and I upgraded the PIX to the versions mentioned in the title, so how is it I can't connect to the PDM via Explorer? Do I need new keys? Please help me, I am turning very grey here.
05-28-2007 01:15 PM
1.
static (inside,outside) tcp 192.168.2.105 10000 192.168.1.2 10000 netmask 255.255.255.255
05-28-2007 02:32 PM
Hi!
Don't forget to allow incoming traffic on the outside acl! Something like:
access-list acl_outside permit tcp any host 192.168.2.105 eq 10000
access-group acl_outside in interface outside
Regards,
JP
05-28-2007 09:42 PM
Thanks both, now that works. But that leaves me with a new problem, hehe, loopback. I can't see my own server, e.g. no loopback. And I still remain with the problem for PDM, not so important now that I got the other stuff to work.
05-29-2007 02:18 AM
Hi!
I don't understand the loopback problem?! Can you explain better?
About the PDM, in order to have access to it, and other Cisco software stuff, you have to have a Maintenance Contract with a Cisco Partner.
Regards,
JP
05-29-2007 02:57 AM
I can't see my own webserver if I use the domain name, only if I go through a proxy server at my internet provider. I can address the server using its internal IP address. Remember I am on the same inside as the webserver. About PDM, doughhh, seems like a lot of trouble for a firewall that almost only works as a router :-), but still, it would be nice to have the PDM working.
05-29-2007 04:39 AM
If you want to use the domain name to hit your webserver and you are using an external dns server which is providing you with the public ip address, you must use dns doctoring. The pix will change the ip address in the reply from the dns server from the public ip to the private ip, allowing you to access it.
static (inside,outside) tcp 192.168.2.105 10000 192.168.1.2 10000 netmask 255.255.255.255 dns
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
05-29-2007 05:26 AM
Good one 'acomiskey'!
Note: the PIX, if you don't disable it, is inspecting the traffic going through it, so it isn't just doing routing!
Regards,
JP
05-29-2007 05:42 AM
Thanks Jean, but I just remembered that "DNS rewrite is not compatible with static Port Address Translation". It only works like this unfortunately...
static (inside,outside) 192.168.2.105 192.168.1.2 netmask 255.255.255.255 dns
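Added example (not from any post in this thread, and not Cisco code): a small Python model of what the `dns` keyword on a `static` does, built around the two `static` lines posted above. The PIX parses the `static` into a translation entry; when a DNS reply from the outside server passes through, an A record that carries the mapped (outside) address is rewritten to the real (inside) address, so an inside client connects to 192.168.1.2 directly instead of trying to hairpin through the outside interface. The code below does that for the one-to-one form, and refuses for the port-level (static PAT) form: an A record names an address only, so the outside address plus port that identifies a PAT entry is not available to the rewrite. That refusal is this example's way of modelling the documented "DNS rewrite is not compatible with static PAT"; it does not claim how the PIX itself reports the condition. The DNS reply bytes are constructed here, not captured, and the hostname `yourwebsite.com` is the placeholder used later in the thread.

```python
"""Model of PIX 'static ... dns' (DNS doctoring) for one-to-one vs static PAT.

Added example, not from the thread or from Cisco. The 'static' syntax parsed
here is the real PIX 6.x syntax; the DNS reply is constructed for the demo.
"""
import re
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterator, List, Optional

# Both forms posted in the thread. Group names follow the PIX terms:
# mapped = address seen on the outside, real = the inside host.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?:(?P<mapped_port>\d+)\s+)?"
    r"(?P<real>\d+\.\d+\.\d+\.\d+)\s+(?:(?P<real_port>\d+)\s+)?"
    r"netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)(?P<dns>\s+dns)?\s*$"
)


@dataclass(frozen=True)
class StaticXlate:
    mapped: IPv4Address
    real: IPv4Address
    proto: Optional[str]          # 'tcp'/'udp' only in the static PAT form
    mapped_port: Optional[int]
    real_port: Optional[int]
    dns_rewrite: bool             # the trailing 'dns' keyword

    @property
    def is_pat(self) -> bool:
        # A port on the mapped side means this entry is selected by
        # address AND port, which a DNS A record cannot express.
        return self.mapped_port is not None


def parse_static(line: str) -> StaticXlate:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PIX static line: {line!r}")
    g = m.groupdict()
    return StaticXlate(
        mapped=IPv4Address(g["mapped"]), real=IPv4Address(g["real"]),
        proto=g["proto"],
        mapped_port=int(g["mapped_port"]) if g["mapped_port"] else None,
        real_port=int(g["real_port"]) if g["real_port"] else None,
        dns_rewrite=g["dns"] is not None,
    )


def build_a_reply(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response: one question, one A answer (constructed data)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 Q, 1 AN
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name (handles the 0xC0 compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _a_record_offsets(reply: bytes) -> Iterator[int]:
    """Yield the RDATA offset of every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", reply, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(reply, off) + 4
    for _ in range(ancount):
        off = _skip_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", reply, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_addresses(reply: bytes) -> List[str]:
    return [str(IPv4Address(reply[o:o + 4])) for o in _a_record_offsets(reply)]


def doctor_dns_reply(reply: bytes, xlates: List[StaticXlate]) -> bytes:
    """Rewrite A records from mapped to real address for statics carrying 'dns'.

    Refuses for a static PAT entry: the record gives no port, so the entry
    cannot be matched the way the PIX matches PAT traffic (address + port).
    """
    out = bytearray(reply)
    for off in _a_record_offsets(reply):
        addr = IPv4Address(reply[off:off + 4])
        for x in xlates:
            if x.dns_rewrite and x.mapped == addr:
                if x.is_pat:
                    raise ValueError(
                        f"A record {addr} matches a static PAT entry "
                        f"({x.proto}/{x.mapped_port}); DNS rewrite not applicable")
                out[off:off + 4] = x.real.packed
                break
    return bytes(out)


PAT_LINE = "static (inside,outside) tcp 192.168.2.105 10000 192.168.1.2 10000 netmask 255.255.255.255 dns"
ONE_TO_ONE_LINE = "static (inside,outside) 192.168.2.105 192.168.1.2 netmask 255.255.255.255 dns"

if __name__ == "__main__":
    # External DNS hands the inside client the outside address (constructed reply).
    reply = build_a_reply("yourwebsite.com", "192.168.2.105")
    print(answer_addresses(doctor_dns_reply(reply, [parse_static(ONE_TO_ONE_LINE)])))
    try:
        doctor_dns_reply(reply, [parse_static(PAT_LINE)])
    except ValueError as err:
        print(err)
```

Run it and the one-to-one static turns the answer into 192.168.1.2, which is what lets an inside client reach the server by name without hairpinning; the PAT line is refused. The parser also shows why the two lines differ: only the PAT form carries a port on the mapped side, and that port is the part of the match a DNS reply can never supply.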
06-02-2007 11:06 PM
Sorry for the late reply.
Won't that routing affect how the traffic coming from outside to the server gets routed?
Remember that 192.168.2.105 to 192.168.1.2 works now, but addressing 192.168.1.2 from 192.168.1.3 via domain names does not work. Am I being clear enough?
06-03-2007 11:21 AM
Yes, you are being clear. The problem is you cannot U-turn/hairpin on a pix 501. Therefore you must use another method if you want to hit your internal webserver with a domain name which resolves to a public ip.
DNS doctoring is one option I posted above, but this does not work with port translation. See the link I referenced above. A second option is to use an internal DNS server which resolves your website to its private address. Another option would be to edit your machine's hosts file to include yourwebsite.com and its internal private IP address.
06-05-2007 11:03 PM
Doouughhhh, man, I feel as dumb as a door right now. How could I forget that hosts file? Of course. I think I will find a solid wall and bang my head into it a couple of times; it can't do any damage. I should have thought of that. Thanks for the hint.
Franz thanks you
06-06-2007 10:03 AM
Updating the hosts file is 'OK' for one user, but how about if you have 50 users and, to make things worse, 10-15 guests (with their own laptops) every day? We are not hosting the internal DNS.
Any other options for a poor fellow like me?
06-06-2007 10:17 AM
Get a dmz so you can do this...
static (DMZ,inside)