Pix515 webserver

majunior882
Beginner

I am trying to set it so that port 80 gets redirected to an internal IP, however whenever I enter the command, the whole network goes down.

The IOS version is 6.3(1) and I have a non-outside port on the PIX set with a public IP. I want it to be redirected to another port on the PIX.

Basically I want 64.45.xxx.xxx port 80 on eth3 to be redirected to 172.16.5.37 on eth2.

This is the command I have been using:

static (eth2, eth3) tcp interface (I have also tried the actual IP 64.45.xxx.xxx) 172.16.5.37 80

I get "172.16.5.37 (or 64.45.xxx.xxx, when I use that address instead of interface) isn't a global port". I have added 80 after interface and it brings the network down.

What do I need to do?

21 Replies

Patrick Iseli
Rising star

Here is an example:

ip address outside 64.45.xxx.xxx 255.255.255.xxx

ip address inside 172.16.5.x 255.255.255.0

access-list acl_out permit tcp any 64.45.xxx.xxx eq http

access-group acl_out in interface outside

static (inside,outside) tcp 64.45.xxx.xxx http 172.16.5.37 http netmask 255.255.255.255 0 0

After you have applied the static you need to reload the translation table, but do this during late hours because this will reset all connections!!!!

clear xlate

sincerely

Patrick

See also:

Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Thanks for the reply, I cleared the xlate and it repopulated, but still nothing. Here is my config:

I have everything open at the moment on all ports

nameif ethernet0 outside security0

nameif ethernet1 consultant security30

nameif ethernet2 support security10

nameif ethernet3 slavenetwork security20

static (support,slavenetwork) tcp 64.45.175.xxx www 172.16.5.37 www netmask 255.255.255.255 0 0

The slavenetwork is the one that has the public IP and support is the network that has the web server.

Adam,

Could you please post your pix config, make sure to take out any sensitive info.

Thanks

Jay

Sure, here is the full config:

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

nameif ethernet0 outside security0

nameif ethernet1 consultant security30

nameif ethernet2 support security10

nameif ethernet3 slavenetwork security20

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list acl_out permit tcp any any eq telnet

access-list acl_out permit udp any any eq 23

access-list acl_out permit tcp any any

access-list acl_out permit ip any any

access-list acl_out permit udp any any

access-list acl_out permit tcp any any eq ssh

access-list acl_prinetwork permit icmp any any

access-list acl_prinetwork permit tcp any any eq telnet

access-list acl_prinetwork permit udp any any eq 23

access-list acl_prinetwork permit udp any any

access-list acl_prinetwork permit tcp any any

access-list acl_prinetwork permit ip any any

access-list acl_prinetwork permit tcp any any eq ssh

access-list acl_prinetwork permit tcp any any eq www

access-list 1 permit ip 172.16.4.64 255.255.255.192 172.16.5.0 255.255.255.192

access-list acl_slavenetwork permit udp any any eq dnsix

access-list acl_slavenetwork permit tcp any any eq www

access-list acl_slavenetwork permit tcp any any

access-list acl_slavenetwork permit ip any any

access-list acl_slavenetwork permit udp any any

access-list outside_in permit ip host 172.16.4.0 172.16.5.0 255.255.255.192

pager lines 24

icmp permit any outside

icmp permit any consultant

icmp permit any support

icmp permit any slavenetwork

mtu outside 1500

mtu consultant 1500

mtu support 1500

mtu slavenetwork 150

ip address outside 172.16.4.66 255.255.255.192

ip address consultant 172.16.4.193 255.255.255.192

ip address support 172.16.5.1 255.255.255.192

ip address slavenetwork 64.45.175.172 255.255.255.248

arp timeout 14400

global (outside) 1 172.16.5.0

global (support) 1 172.16.5.0

static (support,slavenetwork) tcp 64.45.175.xxx www 172.16.5.37 www netmask 255.255.255.255 0 0

static (support,outside) 172.16.5.0 172.16.5.0 netmask 255.255.255.192 0 0

static (outside,support) 172.16.4.64 172.16.4.64 netmask 255.255.255.192 0 0

static (consultant,outside) 172.16.4.192 172.16.4.192 netmask 255.255.255.192 0 0

access-group acl_out in interface outside

access-group acl_prinetwork in interface support

access-group acl_slavenetwork in interface slavenetwork

conduit permit tcp host 64.45.175.xxx eq www any

route outside 0.0.0.0 0.0.0.0 172.16.4.65 1

route support 64.45.175.yyy 255.255.255.qqq 172.16.5.1 1

The ACL will be cleaned up when everything that I need to work, works.

Remove that line:

conduit permit tcp host 64.45.175.xxx eq www any

Do not mix statics and conduits.

Verify that the "route support 64.45.175.yyy 255.255.255.qqq 172.16.5.1 1" is correct.

Otherwise you will have a routing problem with your PIX "ip address slavenetwork 64.45.175.172 255.255.255.248"

CLEAR XLATE again

sincerely

Patrick

Still no luck. I think the problem could be that I am basically setting up the firewall with two outside ports. But I can't seem to get it to work on my main outside port, that one is connected to a 2621 router, while the slavenetwork port is connected directly to the backbone.

Please could you tell us what exactly you want to do. I have seen that you have not configured any outbound connectivity.

What do you want to do outbound and inbound?

You have configured:

global (outside) 1 172.16.5.0

global (support) 1 172.16.5.0

This cannot be right, because instead of 172.16.5.0 there should be the interface IP or one of the network range IPs of the same interface (outside or support).

They cannot be the same. To connect from the inside to an outside interface you need the "nat" command.

I think there is a mixup in the nat configuration.

See: Establish connectivity

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112434

sincerely

Patrick

I want to be able to access a webserver that is internal externally. Basically, I want to place an IP on my browser and be taken to the website.

My outside connection is connected to a router and the router has an interface that has a public IP. For whatever reason I can't figure out how to make this work.

So, I have an extra interface that I am not using on the firewall, and the way the office is wired, I can actually use that port as another external port. I want that external port, which has a different IP than the router's IP, to be the IP that I type in the browser to get the website.

The webserver is off of a Solaris box, so it is running off of Apache.

OK, we got closer to your problem. You have a routing problem!!!!

[ISP - Internet]------[Router-PIX]-----[Inside Network]

Your public IP range is split into 2 ranges, right?

One on the router's outside interface in the direction of the ISP, and another range on the inside ethernet interface of the router leading to the outside PIX interface.

To get your web server working you should forget about a second interface on the PIX; use the PIX outside interface and port redirect it to the interface that has the web server on it.

sincerely

Patrick

...One step forward, two steps back.

I can't really do that. I only have two public IPs, one is being used as the outbound port on the router.

Everything else is assigned a private IP, even the connection between the router and firewall has a public IP.

That is where I am having problems. Due to how the VPN is set up currently, I can't change the IPs on the router.

Port forwarding works with just one public IP!

You forward all traffic coming in to the PIX outside public IP on port 80 to an inside private IP on port 80!!

Alright, I changed it to:

static (support,outside) 172.16.4.65 (the port on the router connected to the firewall) 80 172.16.5.37 80 netmask 255.255.255.255

Still have nothing.

Thanks for the help by the way.

How is the router configured?

Can you give me an idea what the IPs on the router and the NAT configuration are?

Following your config example:

Router outside IP is Public 64.x.z.y

Router inside is: 172.16.4.x

Router PAT all inside traffic to router public IP.

PIX outside is: 172.16.4.65

Default router on pix is 172.16.4.x

The router should forward port 80 of your public IP to the private IP port 80.
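The replies above diagnose three separate mistakes in the posted config: a conduit mixed with statics, "global" pools whose address is not on the interface's subnet, and a port-redirect static that does not match Patrick's "netmask 255.255.255.255" form. The script below is an added example written for this page, not a Cisco tool and not code posted by anyone in the thread; it runs those checks over a trimmed copy of the posted config and over a constructed fragment that follows Patrick's single-outside-interface advice. The extra static with no netmask, the MTU-below-576 check, and the use of the "interface" keyword for the PIX outside address in the corrected fragment are this example's own assumptions.

```python
"""Lint a PIX 6.x configuration for the problems raised in this thread.

Added example for this page; the checks are heuristics taken from the
replies above, not Cisco validation logic:
  * a conduit mixed with statics/access-lists ("do not mix statics and conduits")
  * a global (ifname) pool address that is not a usable host on that
    interface's subnet (the comment on "global (support) 1 172.16.5.0")
  * a tcp/udp port-redirect static without "netmask 255.255.255.255"
    (Patrick's first example)
  * an interface MTU below 576 bytes (my own sanity check; the posted config
    contains "mtu slavenetwork 150")
"""
import ipaddress
import re

# Constructed sample: a trimmed copy of the config posted in the thread, with the
# masked address kept as 64.45.175.xxx and one extra static (constructed) that
# mirrors the original poster's first attempt, which had no netmask.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet2 support security10
nameif ethernet3 slavenetwork security20
mtu outside 1500
mtu slavenetwork 150
ip address outside 172.16.4.66 255.255.255.192
ip address support 172.16.5.1 255.255.255.192
ip address slavenetwork 64.45.175.172 255.255.255.248
global (outside) 1 172.16.5.0
global (support) 1 172.16.5.0
static (support,slavenetwork) tcp 64.45.175.xxx www 172.16.5.37 www netmask 255.255.255.255 0 0
static (support,outside) tcp interface 80 172.16.5.37 80
conduit permit tcp host 64.45.175.xxx eq www any
"""

# Constructed fragment following Patrick's advice: one outside interface, PAT on
# the interface address, an ACL opening port 80, and a port-redirect static to
# the web server. Redirecting on the PIX outside address (the "interface"
# keyword / host 172.16.4.66) is this example's assumption.
CORRECTED_CONFIG = """\
ip address outside 172.16.4.66 255.255.255.192
ip address support 172.16.5.1 255.255.255.192
nat (support) 1 0 0
global (outside) 1 interface
access-list acl_out permit tcp any host 172.16.4.66 eq www
access-group acl_out in interface outside
static (support,outside) tcp interface www 172.16.5.37 www netmask 255.255.255.255 0 0
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) \d+ (\S+)")
STATIC_PORT_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)(?: netmask (\S+))?")
MTU_RE = re.compile(r"^mtu (\S+) (\d+)$")


def lint_pix_config(text):
    """Return [(line_number, message), ...] for the problems found in text."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []

    # Pass 1: collect each interface's subnet for the global-pool check.
    subnets = {}
    for ln in lines:
        m = IFACE_RE.match(ln)
        if m:
            name, addr, mask = m.groups()
            subnets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network

    uses_statics = any(ln.startswith(("static ", "access-list ")) for ln in lines)

    # Pass 2: per-line checks.
    for num, ln in enumerate(lines, 1):
        if ln.startswith("conduit ") and uses_statics:
            findings.append((num, "conduit mixed with static/access-list; remove the conduit"))
            continue

        m = GLOBAL_RE.match(ln)
        if m:
            name, addr = m.groups()
            net = subnets.get(name)
            if net is None:
                findings.append((num, f"global refers to interface {name} with no ip address"))
            elif addr != "interface":
                # A pool may be a range "a-b"; the first address is enough to place it.
                first = ipaddress.ip_address(addr.split("-")[0])
                if first not in net or first in (net.network_address, net.broadcast_address):
                    findings.append((num, f"global address {addr} is not a usable host on {name} ({net})"))
            continue

        m = STATIC_PORT_RE.match(ln)
        if m:
            if m.group(8) != "255.255.255.255":
                findings.append((num, "port-redirect static should end with netmask 255.255.255.255"))
            continue

        m = MTU_RE.match(ln)
        if m and int(m.group(2)) < 576:
            findings.append((num, f"mtu {m.group(2)} on {m.group(1)} is below 576; probably a typo"))

    return findings


if __name__ == "__main__":
    for num, msg in lint_pix_config(SAMPLE_CONFIG):
        print(f"line {num}: {msg}")
    print("corrected config findings:", lint_pix_config(CORRECTED_CONFIG))
```

Run against the sample, the linter reports the MTU typo, both "global" lines, the netmask-less static and the conduit; the corrected fragment produces no findings. The checks are deliberately narrow: they do not verify that a static's global address actually sits on the mapped interface's subnet, because the thread masks that address as 64.45.175.xxx.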
