07-24-2003 08:54 AM - edited 03-09-2019 04:11 AM
I have the following:
ISP DSL PPPoE --- (outside) PIX 501 (inside) --- my web server
I need to set up the PIX to forward traffic coming in from the Internet on outside port 80 to the web server's port 80.
But in the translation rules, the outside interface shows as 127.0.0.1 instead of the interface IP assigned by PPPoE.
I have that config working when the DSL has a fixed IP. Can anyone tell me why it doesn't work here with DSL over PPPoE?
Thanks.
07-24-2003 01:46 PM
Hello,
You don't need a static IP as long as the PIX gets a dynamic IP from the ISP's DHCP server. To verify that the PIX got the dynamic IP, you can execute show interface on the PIX. Anyway, the config needed on the PIX is as follows:
static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255
Here the keyword interface is replaced with the dynamically assigned outside interface IP address, and you need to replace 10.1.1.5 with your actual web server IP address. Then you need to create the ACL on the outside interface, and in the ACL you can define interface as the destination.
Regards,
Mynul
07-25-2003 01:32 PM
1. The PIX 501 config is listed below.
2. My network config is:
- I have one box, a web server, 10.100.100.100. It's behind the PIX and it is permitted to go outside (Internet, etc.).
I have a dns2go service running on the web server. If you are not familiar with it, it is used where DSL/cable has a dynamic IP. It is working fine.
So if you go to http://dpdemo2.dns2go.com you should get to 10.100.100.100, and it has a test page that should come up.
It works from inside via http://10.100.100.100.
3. I want traffic from the Internet to be directed to port 80 on 10.100.100.100.
I used PDM and added the following on the PIX:
static (inside,outside) tcp interface www 10.100.100.100 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any eq www any eq www
access-group outside_access_in in interface outside
BUT I STILL CAN'T GET TO THE WEB SERVER FROM THE INTERNET.
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvgG2ZzvLdD3UYnW encrypted
passwd xxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip any 10.100.100.192 255.255.255.224
access-list outside_access_in permit tcp any eq www any eq www
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any traceroute outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.100.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool01 10.100.100.200-10.100.100.220
pdm location 10.100.100.192 255.255.255.224 outside
pdm location 10.100.100.100 255.255.255.255 inside
pdm location 10.100.120.192 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.100.100.100 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.100.100.100 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze4sr8m
vpdn group pppoe_group ppp authentication pap
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool01
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username digitallp password *********
vpdn username digitalsj password *********
vpdn username digitalka password *********
vpdn username vze4sr8m password *********
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:xxxxxx
: end
[OK]
07-28-2003 11:44 PM
You should not limit the source port of the incoming traffic from the Internet to TCP port 80.
Requesting computers have dynamically assigned source ports, with the destination TCP port 80 to reach your web server.
You should change your access list so it does not restrict the source port of the incoming TCP connections.
Change your access-list to:
access-list outside_access_in permit tcp any any eq www
Also change your static configuration so it does not restrict the source port of the incoming traffic to TCP 80.
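To make the source-port mistake above mechanically checkable, here is an added example (not from this thread, and not a Cisco tool) that parses the access-list and static lines in question and flags an inbound entry that pins the client's source port, plus a port-forwarding static that no usable permit opens. It assumes only the PIX 6.x syntax forms seen in this thread (any / host A / A MASK addresses, eq as the only port operator); the sample lines are constructed from the thread.

```python
import re
from typing import Dict, List, Optional

# Assumption: only the PIX 6.x address and port forms used in this thread.
_ADDR = r"(?:any|host \S+|\S+ \S+)"
_ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{_ADDR})(?: eq (?P<sport>\S+))? (?P<dst>{_ADDR})(?: eq (?P<dport>\S+))?\s*$"
)
_STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) (?P<gaddr>\S+) "
    r"(?P<gport>\S+) (?P<laddr>\S+) (?P<lport>\S+) netmask \S+"
)

def parse_ace(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one access-list entry, or None if it is not an ACE."""
    m = _ACE_RE.match(line.strip())
    return m.groupdict() if m else None

def lint_config(lines: List[str]) -> List[str]:
    """Findings for the two problems the thread discusses: an ACE that pins the
    client's source port, and a port-forwarding static with no usable permit."""
    findings, aces, statics = [], [], []
    for line in lines:
        ace = parse_ace(line)
        if ace:
            aces.append(ace)
            if ace["proto"] in ("tcp", "udp") and ace["sport"]:
                findings.append(f"{ace['name']}: source port pinned to {ace['sport']}; "
                                "clients use ephemeral source ports, so this entry matches almost nothing")
            continue
        s = _STATIC_RE.match(line.strip())
        if s:
            statics.append(s.groupdict())
    for s in statics:
        # A static is only reachable if a permit entry opens its mapped port
        # for the same protocol without constraining the source port.
        opened = any(a["action"] == "permit" and a["proto"] == s["proto"]
                     and a["dport"] == s["gport"] and not a["sport"] for a in aces)
        if not opened:
            findings.append(f"static {s['proto']}/{s['gport']} -> {s['laddr']}:{s['lport']}: "
                            f"no permit for destination port {s['gport']} without a source-port restriction")
    return findings

# Constructed from the thread: the original pair and the corrected pair.
BROKEN = ["static (inside,outside) tcp interface www 10.100.100.100 www netmask 255.255.255.255 0 0",
          "access-list outside_access_in permit tcp any eq www any eq www"]
FIXED = [BROKEN[0], "access-list outside_access_in permit tcp any any eq www"]
```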
07-29-2003 06:58 AM
Regarding the change to the access-list: I did it.
Regarding the static config: it has to be port 80 on the inside interface to port 80 on the outside interface, since it is a static port mapping. I do it on other PIXes and it works fine.
The problem is that for some reason the thing still doesn't work.
The system is accessible from the Internet: you can go to https://dpdemo2.dns2go.com and get the PDM login screen.
What's stranger is that when I open the translation rule with PDM, it shows the external interface IP as 127.0.0.1.
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvgG2ZzvLdD3UYnW encrypted
passwd xxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip any 10.100.100.192 255.255.255.224
access-list outside_access_in permit tcp any any eq www
access-list outside_cryptomap_dyn_20 permit ip any 10.100.100.192 255.255.255.224
pager lines 24
logging on
logging console informational
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any traceroute outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.100.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool01 10.100.100.200-10.100.100.220
pdm location 10.100.100.192 255.255.255.224 outside
pdm location 10.100.100.100 255.255.255.255 inside
pdm location 10.100.120.192 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.100.100.100 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.100.100.100 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup digitallp address-pool VPNPool01
vpngroup digitallp idle-time 1800
vpngroup digitallp password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze4sr8m
vpdn group pppoe_group ppp authentication pap
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool01
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username digitallp password *********
vpdn username digitalsj password *********
vpdn username digitalka password *********
vpdn username vze4sr8m password *********
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]