PIX 501 - How to use public (WAN) IP for Dynamic NAT to inside server?

bregimand
Level 1

I've tried several forum suggestions, PDM & command line changes to no avail. I have 1 Small Business Server behind a PIX 501 & I need to forward 5-6 ports (web, smtp, pptp, ftp, termsvcs, dns) to the SBS (192.168.10.11). The 1 public IP is the WAN port of the PIX. Think of this as a DSL/Cable connection with a small bus. server behind it. I'm having a very hard time with both the PDM & command line configs. Please help!!!

PIX 6.3(3) - PDM 3.0(1)

As you can see, I've also tried an object-group with the needed ports.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names
name 192.168.10.11 GeckoSBS

object-group service SBS tcp
port-object eq www
port-object eq pptp
port-object eq ftp-data
port-object eq pop3
port-object eq https
port-object eq ftp
port-object eq smtp

access-list outside_access_in permit tcp any host 10.20.30.2 eq www
access-list outside_access_in permit tcp any host 10.20.30.2 eq smtp
access-list outside_access_in permit tcp any host 10.20.30.2 eq pptp
access-list outside_access_in permit tcp any host 10.20.30.2 eq ftp
access-list outside_access_in permit tcp any host 10.20.30.2 eq 3389
access-list outside_access_in permit udp any host 10.20.30.2 eq tftp

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.20.30.2 255.255.255.252
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 inside
pdm location GeckoSBS 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www GeckoSBS www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp GeckoSBS smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp GeckoSBS pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp GeckoSBS ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 GeckoSBS 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp GeckoSBS tftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.20.30.1 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:00:00 sip 0:00:00 sip_media 0:00:00
timeout uauth 0:05:00 absolute
ntp server 140.221.8.88 source outside
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5

17 Replies

ggriffin
Level 1

Bregimand,

Would you be so kind as to post, or email me your final config? I have the exact same scenario and I am having a difficult time getting port 443 through for secure webmail on the sbs server.

I'd love to compare my config with yours. Feel free to email me at ggriffin@nucentric.com. Thanks in advance!!!!

Gary

Gary,

If you want to port-forward tcp port 443 using the interface IP, you must disable the PIX PDM GUI http server:

no http server enable
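An added example, not from anyone in this thread: a small Python check that reads a PIX 6.3 config and flags an interface-PAT static whose port either has no matching permit in the access-list applied to the outside interface, or collides with the PDM listener that `http server enable` turns on. The sample config lines are constructed and modelled on the config posted above; the assumption that PDM listens on TCP 443 follows the reply about port 443.

```python
import re

# Constructed sample modelled on the config in the post above (not the poster's exact config).
SAMPLE_CONFIG = """\
http server enable
http 192.168.10.0 255.255.255.0 inside
static (inside,outside) tcp interface www GeckoSBS www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https GeckoSBS https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 GeckoSBS 3389 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 10.20.30.2 eq www
access-list outside_access_in permit tcp any host 10.20.30.2 eq https
access-group outside_access_in in interface outside
"""

# Services the PIX itself listens on; a static PAT to the interface address on one of
# these ports collides with the listener (assumption: PDM uses TCP 443, as the reply says).
MGMT_LISTENERS = {"http server enable": ("tcp", "443")}
# Port keywords PIX 6.3 accepts in place of numbers (subset needed for this config).
PORT_NAMES = {"www": "80", "https": "443", "smtp": "25", "ftp": "21",
              "pptp": "1723", "tftp": "69", "pop3": "110", "ftp-data": "20"}

STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) \S+ \S+ netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host \S+ eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def port_number(p):
    return PORT_NAMES.get(p, p)

def audit(config):
    """Return one finding string per problem found with the interface-PAT statics."""
    statics, acl_entries, listeners, outside_acl = [], {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append((m.group(1), port_number(m.group(2))))
        elif m := ACL_RE.match(line):
            acl_entries.setdefault(m.group(1), set()).add((m.group(2), port_number(m.group(3))))
        elif m := GROUP_RE.match(line):
            outside_acl = m.group(1)          # only this ACL filters inbound on outside
        elif line in MGMT_LISTENERS:          # "no http server enable" does not match
            listeners.add(MGMT_LISTENERS[line])
    permitted = acl_entries.get(outside_acl, set())
    findings = []
    for proto, port in statics:
        if (proto, port) not in permitted:
            findings.append(f"{proto}/{port}: static PAT has no permit in the ACL applied to outside")
        if (proto, port) in listeners:
            findings.append(f"{proto}/{port}: collides with a PIX management listener (use 'no http server enable')")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```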

Correct, I have disabled http management on the outside interface. The management of the PIX is now done after establishing a VPN tunnel & terminal services on a LAN machine.

I've been reading that even SSH from the outside is not recommended. Anyone have any success enabling SSH on the WAN side?
