05-21-2004 04:55 PM
I have a cable modem that plugs into my PIX 501. I'm running 6.3(1) on the PIX.
How do I go about creating a NAT to allow outside [specifically my work office] to connect to the web server I have at my house?
I added these two lines to the config on my PIX:
static (inside,outside) xxx.xxx.xx.xx xxx.xxx.x.xx 255.255.255.255 [this one to NAT the outside INT of the cable modem to the invalid IP of the web server]
and this rule to test it [I added this rule, then tried to access the web server from my work]:
access-list 101 permit tcp any host xxx.xxx.xx.xx eq www
When I "wr mem", I can't browse out from my internal network and I can't get to my website from outside.
Any help would be appreciated.
05-24-2004 10:59 PM
You need to set up a port static, rather than a one-to-one static like you have. Setting up a one-to-one static with the outside IP address will kill all outbound traffic from your PCs, because when it returns to the PIX the PIX just passes all that traffic through to the web server, which didn't initiate the traffic in the first place and drops it.
Do the following and you should be good to go:
static (inside,outside) tcp interface 80 x.x.x.x 80 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside
Note the use of the "interface" keyword in both the static command and the access-list; this just says use whatever IP address is on the outside interface in place of it in the command. Any traffic coming in on TCP/80 for the outside IP address of your 501 will be sent through to TCP/80 on x.x.x.x, which is your internal web server's IP address.
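Added example, not part of the thread and not Cisco tooling: a small Python check that reads a PIX 6.x configuration and reports the two conditions discussed above, a one-to-one static on the outside interface's own address and an access-list that was never bound with access-group. The sample configurations and their addresses (203.0.113.10, 192.168.1.10) are constructed for illustration.

```python
import re

# Constructed sample configs (documentation addresses, not from the thread).
BEFORE = """\
ip address outside 203.0.113.10 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list 101 permit tcp any host 203.0.113.10 eq www
"""
AFTER = """\
ip address outside 203.0.113.10 255.255.255.0
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside
"""

# Patterns for the PIX 6.x commands used in this thread.
STATIC = re.compile(r"^static \((\w+),(\w+)\)\s+(\S.*)$")
ACL = re.compile(r"^access-list (\S+) ")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")
IFADDR = re.compile(r"^ip address (\S+) (\S+)")

def audit(config):
    """Return a list of findings for a PIX 6.x configuration given as text."""
    if_addr, acls, bound, statics = {}, set(), set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := IFADDR.match(line):
            if_addr[m.group(1)] = m.group(2)      # interface name -> address
        elif m := ACL.match(line):
            acls.add(m.group(1))
        elif m := GROUP.match(line):
            bound.add(m.group(1))
        elif m := STATIC.match(line):
            statics.append((m.group(2), m.group(3).split(), line))
    findings = []
    for mapped_if, args, line in statics:
        if args[0] in ("tcp", "udp"):
            continue  # port static: only the named port is redirected
        # One-to-one static: every packet for the global address is translated.
        if args[0] == "interface" or args[0] == if_addr.get(mapped_if):
            findings.append("one-to-one static on the %s interface address: %s" % (mapped_if, line))
    for name in sorted(acls - bound):
        findings.append("access-list %s is not applied with access-group" % name)
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg))
```

Access-lists referenced only by other commands (for example nat 0 or a crypto map) are also reported as unbound, so review those findings by hand.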
05-25-2004 06:05 AM
Thanks, that worked!