cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
570
Views
0
Helpful
3
Replies

Problems Configuring Pix 501 for SBS 2003

neden51420
Level 1
Level 1

I am new to cisco equipment. My company recently purchased a Pix 501 unlimited users firewall, it is connected to a cable internet connection with a dynamic ip address. The internet works great and so does the dhcp server.

I have a Windows small business server 2003 on our network. I need to configure the firewall to forward ports to the SBS server for remote web workplace.

Also about a week ago I lost connectivity to the PDM GUI through my web browser. Telnet and console work perfectly fine.

I am attaching my config file.

Any help will be appreciated. Thanks

Ed

1 Accepted Solution

Accepted Solutions

bigchoice75
Level 1
Level 1

Firt off, you do not have an access-group statement defined for any of your ACL's. This means you are blocking all inbound traffic. You also have your static statements incorrect. You can start by cleaning up your config then enter the correct commands, you should be able to paste this to your firewall in config mode:

no access-list acl-out permit gre host 192.168.1.1 host 192.168.1.1

no access-list acl_outside permit tcp any any eq www

no access-list acl_inside permit tcp any any eq www

no access-list inbound permit icmp any any

no access-list inbound permit tcp any host 24.50.241.113 eq https

no access-list acl-in permit gre host 192.168.1.1 host 192.168.1.1

no access-list outside_in permit tcp any host 24.50.241.113 eq www

no static (inside,outside) tcp interface www sbsserver www netmask 255.255.255.255 0 0

no static (inside,outside) tcp interface https sbsserver https netmask 255.255.255.255 0 0

no static (outside,inside) tcp interface www sbsserver www netmask 255.255.255.255 0 0

no static (outside,inside) tcp interface https sbsserver https netmask 255.255.255.255 0 0

static (inside,outside) tcp 24.50.241.113 80 192.168.1.69 80 netmask 255.255.255.255 0 0

static (inside,outside) tcp 24.50.241.113 443 192.168.1.69 443 netmask 255.255.255.255 0 0

access-list OUT-IN permit tcp any host 24.50.241.113 eq https

access-list OUT-IN permit tcp any host 24.50.241.113 eq www

access-list OUT-IN permit icmp any any

access-group OUT-IN in interface outside

What ip are you trying to access your pdm from? the http config looks correct, unless your coming from an ip other than 192.168.1.x

let me know if this works

View solution in original post

3 Replies 3

bigchoice75
Level 1
Level 1

Firt off, you do not have an access-group statement defined for any of your ACL's. This means you are blocking all inbound traffic. You also have your static statements incorrect. You can start by cleaning up your config then enter the correct commands, you should be able to paste this to your firewall in config mode:

no access-list acl-out permit gre host 192.168.1.1 host 192.168.1.1

no access-list acl_outside permit tcp any any eq www

no access-list acl_inside permit tcp any any eq www

no access-list inbound permit icmp any any

no access-list inbound permit tcp any host 24.50.241.113 eq https

no access-list acl-in permit gre host 192.168.1.1 host 192.168.1.1

no access-list outside_in permit tcp any host 24.50.241.113 eq www

no static (inside,outside) tcp interface www sbsserver www netmask 255.255.255.255 0 0

no static (inside,outside) tcp interface https sbsserver https netmask 255.255.255.255 0 0

no static (outside,inside) tcp interface www sbsserver www netmask 255.255.255.255 0 0

no static (outside,inside) tcp interface https sbsserver https netmask 255.255.255.255 0 0

static (inside,outside) tcp 24.50.241.113 80 192.168.1.69 80 netmask 255.255.255.255 0 0

static (inside,outside) tcp 24.50.241.113 443 192.168.1.69 443 netmask 255.255.255.255 0 0

access-list OUT-IN permit tcp any host 24.50.241.113 eq https

access-list OUT-IN permit tcp any host 24.50.241.113 eq www

access-list OUT-IN permit icmp any any

access-group OUT-IN in interface outside

What ip are you trying to access your pdm from? the http config looks correct, unless your coming from an ip other than 192.168.1.x

let me know if this works

That worked perfectly. Thank You very much for all your help. I can now access PDM from web browser also. I need to setup remote desktop using port 3389 now and a few others.

If you don't mind I have an additional question. I can not connect to our remote location's vpn. It's also a SBS, connecting to it with windows vpn client. I was able to before installing the firewall. I can connect but when verifying username and password it stops and returns an error. Is there something else that needs opened up on the firewall.

Once again thank you for your help.

the problem is that you are using PAT on your outside interface and the vpn uses GRE which is an IP protocol. PAT will not forward GRE. Does your other site have a firewall? if so, you can setup VPN tunnel to terminate between your PIX and other site's firewall. Let me know...and we'll figure something out.

Review Cisco Networking for a $25 gift card