769 Views, 0 Helpful, 2 Replies

What is wrong with this PIX 501 config?

jhoogerhuis (Level 1)

I am experimenting with a Cisco PIX 501. In the future I want to connect about 35 to our central (now 3600) router using VPN tunnels.

First I want to understand the basic functions.

(I will ask the tunnel questions later)

This is what I want:

1. Do NAT from inside to outside.

2. Forward some ports (WWW, SMTP, FTP, NNTP and some others) to an internal host.

Problems:

- Somehow only WWW forwarding seems to work.

- It looks like the PIX does not use "stateful inspection", because as soon as I make a connection with a remote system, suddenly all protocols are forwarded to my redirect system (and all ports are open?).

This is what I do:

clear conf all
hostname MyHost
interface ethernet0 10baset
interface ethernet0 10baseT
ip address outside 123.187.1.204 255.255.248.0
route outside 0.0.0.0 0.0.0.0 123.187.0.1 1
ip address inside 172.16.4.43 255.255.255.248
nat 1 0.0.0.0 0.0.0.0
global 1 interface
http server enable
http 172.16.4.0 255.255.255.0
pdm logging informational
access-list outside_in permit icmp any host 123.187.1.204
access-list outside_in permit tcp any host 123.187.1.204 eq 20
access-list outside_in permit tcp any host 123.187.1.204 eq 21
access-list outside_in permit tcp any host 123.187.1.204 eq 22
access-list outside_in permit tcp any host 123.187.1.204 eq 25
access-list outside_in permit tcp any host 123.187.1.204 eq 80
access-list outside_in permit tcp any host 123.187.1.204 eq 110
access-list outside_in permit tcp any host 123.187.1.204 eq 113
access-list outside_in permit tcp any host 123.187.1.204 eq 119
access-list outside_in permit tcp any host 123.187.1.204 eq 443
access-list inside_access_in permit ip any any
access-group outside_in in interface outside
access-group inside_access_in in interface inside
static tcp interface 20 172.16.4.41 20 netmask 255.255.255.255 0 0
static tcp interface 21 172.16.4.41 21 netmask 255.255.255.255 0 0
static tcp interface 22 172.16.4.41 22 netmask 255.255.255.255 0 0
static tcp interface 25 172.16.4.41 25 netmask 255.255.255.255 0 0
static tcp interface 80 172.16.4.41 80 netmask 255.255.255.255 0 0
static tcp interface 110 172.16.4.41 110 netmask 255.255.255.255 0 0
static tcp interface 113 172.16.4.41 113 netmask 255.255.255.255 0 0
static tcp interface 119 172.16.4.41 119 netmask 255.255.255.255 0 0
static tcp interface 443 172.16.4.41 443 netmask 255.255.255.255 0 0
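
When a port redirect "does not work" on a PIX, the first thing to verify is that each `static ... interface` redirect and the ACL bound inbound on the outside interface agree with each other: a redirect with no permit is silently dropped, and a permit with no redirect behind it is an open hole in the policy with nothing to answer it. The checker below is an added example, not code from the original post or from Cisco; it parses only the PIX 6.x line formats shown in the post (`ip address outside`, `access-list ... permit tcp ... host ... eq ...`, `access-group ... in interface outside`, `static [(inside,outside)] tcp interface ...`) and assumes that the permit for an interface-style static has the outside interface address as its destination. The port-name table and the config excerpt are constructed for the example.

```python
"""Cross-check PIX 6.x port redirects ('static ... interface') against the outside ACL.

Added example, not code from the original post or from Cisco. It assumes the
line formats shown in the post and that the outside ACL is bound with
'access-group <name> in interface outside'.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed table of the service names PIX may print instead of numbers,
# covering the ports used in the post (assumption: only these names appear).
PORT_NAMES: Dict[str, int] = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "www": 80,
    "pop3": 110, "ident": 113, "nntp": 119, "https": 443,
}

# 'static [(inside,outside)] tcp interface <mapped-port> <inside-ip> <real-port> ...'
STATIC_RE = re.compile(
    r"^static(?:\s+\([^)]*\))?\s+(tcp|udp)\s+interface\s+(\S+)\s+(\S+)\s+(\S+)")
# 'access-list <name> permit tcp <src> host <dst> eq <port>'
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+(\S+)\s+host\s+(\S+)\s+eq\s+(\S+)")
OUTSIDE_IP_RE = re.compile(r"^ip\s+address\s+outside\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+outside\b")

# Constructed excerpt in the post's style: the forward for 25 has no permit,
# the permit for 443 has no forward, and port 80 is written as 'www'.
SAMPLE_CONFIG = """\
ip address outside 123.187.1.204 255.255.248.0
access-list outside_in permit icmp any host 123.187.1.204
access-list outside_in permit tcp any host 123.187.1.204 eq 20
access-list outside_in permit tcp any host 123.187.1.204 eq www
access-list outside_in permit tcp any host 123.187.1.204 eq 443
access-group outside_in in interface outside
static tcp interface 20 172.16.4.41 20 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 172.16.4.41 80 netmask 255.255.255.255 0 0
static tcp interface 25 172.16.4.41 25 netmask 255.255.255.255 0 0
"""

Service = Tuple[str, int]  # (protocol, port)


def port_number(token: str) -> int:
    """Resolve a numeric or named port token; an unknown name is an error, not a guess."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port name: {token}")


def audit_port_forwards(config: str) -> Dict[str, List[Service]]:
    """Return the forwards lacking a permit and the permits lacking a forward.

    A permit only counts if it sits in the ACL bound inbound on 'outside' and
    its destination is the outside interface address, which is the mapped
    address of an interface-style static.
    """
    outside_ip = None
    outside_acl = None
    forwards: Set[Service] = set()
    permits: Dict[str, Set[Tuple[str, str, int]]] = {}

    for raw in config.splitlines():
        line = raw.strip()
        if m := OUTSIDE_IP_RE.match(line):
            outside_ip = m.group(1)
        elif m := GROUP_RE.match(line):
            outside_acl = m.group(1)
        elif m := STATIC_RE.match(line):
            forwards.add((m.group(1), port_number(m.group(2))))
        elif m := ACL_RE.match(line):
            name, proto, _src, dst, port = m.groups()
            permits.setdefault(name, set()).add((proto, dst, port_number(port)))

    # Only permits in the bound ACL whose destination is the outside address apply.
    effective: Set[Service] = {
        (proto, port)
        for proto, dst, port in permits.get(outside_acl, set())
        if dst == outside_ip
    }
    return {
        "forwards_without_permit": sorted(forwards - effective),
        "permits_without_forward": sorted(effective - forwards),
    }


if __name__ == "__main__":
    for finding, services in audit_port_forwards(SAMPLE_CONFIG).items():
        print(finding, services)
```

Run against the full config from the post (one command per line) the two lists come back empty, which means the redirects and the ACL are at least consistent with each other; the check is meant to separate that class of mistake from the stateful-inspection question raised above, not to answer it.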

2 Replies

s-doyle (Level 3)

PIX does stateful inspection.

Maybe a few tips on this page will help you fix your problem:

http://www.cisco.com/warp/public/707/index.shtml#pix

george.banaszak (Level 1)

In your access-list statements you use 123.187.1.204 as a host; this is your PIX firewall's outside interface. This should be a host matched to 172.16.4.41 in a static statement.
