Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4934
Views
0
Helpful
3
Replies

Port forwarding on Pix 515E

Mark Bracking
Level 1
Level 1

‎09-22-2010 07:28 PM - edited ‎03-11-2019 11:43 AM

Port forwarding on Pix 515E

Hi

What I am trying to accomplish is to forward port 80 and port 443 to allow a Microsoft Small Business Server to access Remote Web Workplace.

Thank you for your help

Here is my config

PIX(config)# show run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password XJX9T/MNG54uoaTm encrypted

passwd XJX9T/MNG54uoaTm encrypted

hostname PIX

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit tcp any host 10.0.1.103 eq https

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside dhcp setroute

ip address inside 10.0.1.2 255.255.255.0

ip address dmz 172.16.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.100.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.0.1.0 255.255.255.0 inside

telnet 10.0.1.0 255.255.255.0 dmz

telnet timeout 3

ssh timeout 5

console timeout 0

dhcpd address 10.0.1.100-10.0.1.125 inside

dhcpd address 172.16.2.2-172.16.2.20 dmz

dhcpd dns 205.171.3.25 192.168.100.1

dhcpd wins 209.165.201.5

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain sbssrv.com

dhcpd enable inside

dhcpd enable dmz

terminal width 80

banner login Enter your password to log in

Cryptochecksum:3a32247b0d6dd90b125f3873d0e30902

: end

networ setup DSL Router>PIX>DMZ>Server

IP Address

dhcpd address 172.16.2.2-172.16.2.20 dmz

DSL Router

174.21.215.27

Server 172.16.2.2 255.255.255.0

thanks again

Labels:
0 Helpful
3 Replies 3

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎09-22-2010 07:43 PM

Hello,

Please try the following:

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

static (inside,outside) tcp interface 443 443 netmask 255.255.255.255

no access-list outside_access_in permit tcp any host 10.0.1.103 eq https

access-list outside_access_in permit tcp any interface outside eq https

access-list outside_access_in permit tcp any interface outside eq 80

Hope this helps.

Regards,

NT

0 Helpful

Mark Bracking
Level 1
Level 1
In response to Nagaraja Thanthry

‎09-23-2010 10:32 AM

This is the error message that I receive.

Remote Web Access to your server is blocked

Some routers may not work properly with your server. Visit the support Web site for your router manufacturer and ensure that your router has the most recent firmware.

Some internet providers (ISP) block ports 80 and 443 to prevent customers from remotely accessing services that are hosted on their networks. For more information, contact your ISP.

UPnP is not enabled on the router.

I tried the suggestions and they did not work. Does anyone of any other suggestions?

Thank you

Mark

0 Helpful

Allen P Chen
Level 5
Level 5
In response to Mark Bracking

‎09-23-2010 10:43 AM

Hello,

Based on the IP address of the SBS (172.16.2.2), it resides behind the DMZ interface, correct?  The static statements need to be changed as follows:

no static (inside,outside) tcp interface 80 172.16.2.2 80 netmask 255.255.255.255

no static (inside,outside) tcp interface 443 172.16.2.2 443 netmask 255.255.255.255

static (dmz,outside) tcp interface 80 172.16.2.2 80 netmask 255.255.255.255

static (dmz,outside) tcp interface 443 172.16.2.2 443 netmask 255.255.255.255

You can leave the ACL as follows, which is correct:

access-list outside_access_in permit tcp any interface outside eq https

access-list outside_access_in permit tcp any interface outside eq 80

Please give that a try, thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card