07-29-2003 01:19 PM - edited 03-09-2019 04:14 AM
I have a PIX 501 connected to broadband connection. I want to provide web/ftp services froma server on the internal network. I have setup port redirection, ACL's, and NAT per TAC docs, but I can not connect to the services. Thank you and here's the config.
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
names
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any echo-reply
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.0.1 ftp netmask 255.255.255.255 0 0
access-group 102 in interface outside
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.5 255.255.255.255 inside
07-29-2003 05:16 PM
Obviously you'd need a similar static command for the www redirection.
Other than that the config looks OK, what do you get whne you try and connect either with FTP or HTTP. Enable syslogging on the PIX with:
> logging on
> logging buffer debug
Then try a connection and do a "sho log" to see what the syslog shows. This will give you the best indication of what's going wrong. If you see nothing in the log, then check with your ISP to see if they're filtering all the low port numbers out, some ISP's don't want you running web servers unless you pay extra.
07-29-2003 05:34 PM
I fixed it! My ACL's were wrong becuase my FTP was not on port 21. I thought I could use 'ftp' in my ACL b/c I had changed the port with fixup.I could not (and still can't) view my website on my public IP, but the rest of the world can. I remember reading something about this being normal, but it's not a huge deal anyway. I really appreciate you looking in to this. Thanks again for your help.
07-29-2003 08:47 PM
Glad to hear it's working.
If you want to browse to your web site using it's public address, try adding the "dns" option to your port 80 static command. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026694 for details.
Or you can use the "alias" command, but this has been superceded by the static dns option I described above. The alias command also limits your ability to use PDM, but here are its details anyway:
07-30-2003 05:52 AM
Great, I'll try it and thanks for your help.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide