port redirection on 501

cclark
Level 1

I have a PIX 501 connected to a broadband connection. I want to provide web/ftp services from a server on the internal network. I have set up port redirection, ACLs, and NAT per TAC docs, but I can not connect to the services. Thank you, and here's the config.

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
names
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.0.1 ftp netmask 255.255.255.255 0 0
access-group 102 in interface outside
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.5 255.255.255.255 inside

gfullage
Cisco Employee

Obviously you'd need a similar static command for the www redirection.

Other than that the config looks OK. What do you get when you try and connect, either with FTP or HTTP? Enable syslogging on the PIX with:

> logging on

> logging buffer debug

Then try a connection and do a "sho log" to see what the syslog shows. This will give you the best indication of what's going wrong. If you see nothing in the log, then check with your ISP to see if they're filtering all the low port numbers out; some ISPs don't want you running web servers unless you pay extra.
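As an added example (not from the thread or from Cisco), a small Python check over the kind of config posted above: it resolves PIX service names to port numbers and reports inbound ports the outside ACL permits without a matching static (the missing www redirect) and statics the ACL never permits. The config excerpt is constructed from the post, and the PORT_NAMES table is a partial mapping I assumed.

```python
import re

# Constructed excerpt of the PIX 6.1 config posted in the thread, limited
# to the lines that decide whether an inbound connection is accepted.
PIX_CONFIG = """\
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq www
static (inside,outside) tcp interface ftp 192.168.0.1 ftp netmask 255.255.255.255 0 0
access-group 102 in interface outside
"""

# PIX accepts service names or numeric ports; a partial table (assumed).
PORT_NAMES = {"ftp": 21, "www": 80, "http": 80, "https": 443, "smtp": 25}


def port_number(token):
    """Resolve a PIX service name or numeric string to an integer port."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def audit_inbound(config):
    """Compare the ACL bound inbound on 'outside' with the port statics.

    Returns (permitted_without_static, static_without_permit). The first
    explains "ACL is open but nothing answers" (no translation exists), the
    second "static exists but the PIX drops the packet" (ACL deny). Only the
    'permit tcp <src> <dst> eq <port>' and 'static ... tcp interface' forms
    used in the post are parsed.
    """
    bound_acl = None
    permits = {}   # acl id -> set of destination ports it permits
    statics = {}   # outside port -> inside "ip:port" it redirects to
    for line in config.splitlines():
        m = re.match(r"access-group (\S+) in interface outside", line)
        if m:
            bound_acl = m.group(1)
        m = re.match(r"access-list (\S+) permit tcp \S+ \S+ eq (\S+)", line)
        if m:
            permits.setdefault(m.group(1), set()).add(port_number(m.group(2)))
        m = re.match(r"static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)", line)
        if m:
            statics[port_number(m.group(1))] = f"{m.group(2)}:{port_number(m.group(3))}"
    allowed = permits.get(bound_acl, set())
    return (sorted(p for p in allowed if p not in statics),
            sorted(p for p in statics if p not in allowed))


if __name__ == "__main__":
    print(audit_inbound(PIX_CONFIG))  # ([80], []): www is permitted but has no static
```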

I fixed it! My ACLs were wrong because my FTP was not on port 21. I thought I could use 'ftp' in my ACL b/c I had changed the port with fixup. I could not (and still can't) view my website on my public IP, but the rest of the world can. I remember reading something about this being normal, but it's not a huge deal anyway. I really appreciate you looking in to this. Thanks again for your help.

Glad to hear it's working.

If you want to browse to your web site using its public address, try adding the "dns" option to your port 80 static command. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026694 for details.

Or you can use the "alias" command, but this has been superseded by the static dns option I described above. The alias command also limits your ability to use PDM, but here are its details anyway:

http://www.cisco.com/warp/public/110/alias.html

Great, I'll try it and thanks for your help.