03-28-2005 04:31 PM - edited 02-21-2020 12:02 AM
I have a new PIX 501 that I'm attempting to set up. I have a web server with the address below and need to open the following ports. I'm a newbie to Cisco routers and would appreciate any help.
PORTS:
25 E-mails sent out from IRM bridge server
80 HTTP internet traffic
443 Secure Internet (HTTPS)
3389 Terminal Service for RDP support
522, 389, 1503, 1720, 1731 Any workstation that will connect to RDP w/Netmeeting
cisco router IP: 192.168.0.1
Internal Server 192.168.0.9
External IP 67.52.89.90
03-28-2005 05:00 PM
Hi, Larry
Try this setup. This should be the settings for your HyperTerminal session (with the console cable) to the PIX:
Bits per second: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: Hardware
Once there, enter these commands:
enable
configure terminal
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 67.52.89.90 255.255.255.x (your netmask)
ip address inside 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x (your ISP's default gateway)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) tcp interface 25 192.168.0.9 25
static (inside,outside) tcp interface 80 192.168.0.9 80
static (inside,outside) tcp interface 443 192.168.0.9 443
static (inside,outside) tcp interface 3389 192.168.0.9 3389
access-list inbound permit tcp any interface outside eq 25
access-list inbound permit tcp any interface outside eq 80
access-list inbound permit tcp any interface outside eq 443
access-list inbound permit tcp any interface outside eq 3389
access-group inbound in interface outside
write memory
I'm not sure of the need to open TCP ports 522, 389, 1503, 1720 and 1731, since I believe that you would already be connected to the server via RDP (?). Well, anyway, if you need to open those ports, then just add the proper "static" and "access-list" statements (just follow the syntax provided).
Hope that helps!
Federico Rodriguez
03-31-2005 02:16 AM
Hi Federico,
Thanks for your reply. I ran the commands as you indicated but I still cannot access the web server or terminal services. One thing I forgot to mention is that there is an internal server at 192.168.0.98 that is providing DNS. Do I need to change anything on the Cisco? Also I ran the following. What am I doing wrong? Please advise.
Thanks,
Larry
show static
static (inside,outside) tcp interface smtp 192.168.0.9 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 522 192.168.0.9 522 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap 192.168.0.9 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1503 192.168.0.9 1503 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface h323 192.168.0.9 h323 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1731 192.168.0.9 1721 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.9 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.9 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.9 3389 netmask 255.255.255.255 0 0
show xlate:
PAT Global 67.52.89.90(1154) Local 192.168.0.11(1232)
PAT Global 67.52.89.90(1153) Local 192.168.0.11(1231)
PAT Global 67.52.89.90(1152) Local 192.168.0.11(1230)
PAT Global 67.52.89.90(1160) Local 192.168.0.11(1237)
PAT Global 67.52.89.90(1037) Local 192.168.0.98(1074)
PAT Global 67.52.89.90(1051) Local 192.168.0.11(1136)
PAT Global 67.52.89.90(1151) Local 192.168.0.11(1229)
PAT Global 67.52.89.90(1150) Local 192.168.0.11(1228)
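A quick consistency check for the static/access-list pairs discussed in the first reply, run over the "show static" output posted above. This is an added example, not code from the thread or from Cisco; it assumes PIX 6.x output formatting as quoted on this page and only the service names that appear in it. It flags a static whose outside and inside ports differ (such as the 1731/1721 line above) and any static that has no matching inbound permit, which are the two easiest things to get wrong when adding ports by hand.

```python
import re
# Constructed input, quoted from this thread (not a live device): the posted
# "show static" lines joined one per line, 1731 -> 1721 kept as posted, plus the
# four access-list lines from the first reply.
SHOW_STATIC = """\
static (inside,outside) tcp interface smtp 192.168.0.9 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 522 192.168.0.9 522 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap 192.168.0.9 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1503 192.168.0.9 1503 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface h323 192.168.0.9 h323 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1731 192.168.0.9 1721 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.9 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.9 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.9 3389 netmask 255.255.255.255 0 0
"""
ACCESS_LIST = """\
access-list inbound permit tcp any interface outside eq 25
access-list inbound permit tcp any interface outside eq 80
access-list inbound permit tcp any interface outside eq 443
access-list inbound permit tcp any interface outside eq 3389
"""
# Service names the PIX substitutes for port numbers in its output (assumed: only those seen above).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ldap": 389, "h323": 1720}
STATIC_RE = re.compile(r"^static \(\w+,\w+\) tcp \S+ (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list \S+ permit tcp any interface outside eq (\S+)")

def port(tok):
    """Resolve a PIX service name or numeric port string to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_statics(text):
    """Map outside (global) port -> (inside address, inside port) for each tcp static."""
    out = {}
    for m in filter(None, map(STATIC_RE.match, text.splitlines())):
        out[port(m.group(1))] = (m.group(2), port(m.group(3)))
    return out

def parse_acl(text):
    """Set of outside ports the inbound access-list permits."""
    return {port(m.group(1)) for m in filter(None, map(ACL_RE.match, text.splitlines()))}

def audit(static_text, acl_text):
    """Report port mismatches, statics with no permit, and permits with no static."""
    statics, permitted = parse_statics(static_text), parse_acl(acl_text)
    findings = []
    for gport, (laddr, lport) in sorted(statics.items()):
        if gport != lport:
            findings.append(f"port mismatch: outside {gport} -> {laddr}:{lport}")
        if gport not in permitted:
            findings.append(f"static on port {gport} has no access-list permit")
    for p in sorted(permitted - set(statics)):
        findings.append(f"access-list permits port {p} but no static translates it")
    return findings
```

Run `print("\n".join(audit(SHOW_STATIC, ACCESS_LIST)))` to list the findings; with the page's data it reports the 1731/1721 mismatch and five statics (389, 522, 1503, 1720, 1731) that the posted access-list never permits.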
03-31-2005 10:35 AM
Hi,
Do you mean that you cannot access the server via RDP or HTTP/HTTPS from inside using its public IP, or did you mean to say that you cannot access it from the outside world... I guess it is the first one, because if I open the web browser and try to go to 67.52.89.90 (next time remember to 'x' it out, not to show your IPs!), I get redirected to /startup.asp with some bogus output, but this tells me that this is being redirected or port address translated correctly by the PIX. I assume that if one port is translated correctly, then the rest of the ports are as well!
OK, so if you are trying to access the server with its public IP, that's not going to be possible at all. See the following link:
-- Cisco Secure PIX Firewall Frequently Asked Questions:
Q. Can I operate the PIX in a "one armed" configuration?
http://www.cisco.com/warp/public/110/pixfaq.shtml
You also cannot try to access it by domain name (with the DNS-rewrite or DNS-Doctoring feature), since DNS-Doctoring requires a one-to-one translation, which you don't have.
I hope that helps. Let me know if you have any questions.
Best regards,
Federico Rodriguez