IIS 6.0 web site and PIX 501

Paul.Lane
Level 1

I have a cable modem that plugs into my PIX 501. I'm running 6.3(1) on the PIX.

How do I go about creating a NAT to allow outside [specifically my work office] to connect to the web server I have at my house?

I added these two lines to the config on my PIX:

static (inside,outside) xxx.xxx.xx.xx xxx.xxx.x.xx 255.255.255.255 [this one to NAT the outside INT of the cable modem to the invalid IP of the web server]

and this rule to test it [I added this rule, then tried to access the web server from my work]:

access-list 101 permit tcp any host xxx.xxx.xx.xx eq www

When I "wr mem", I can't browse out from my internal network and I can't get to my website from outside.

Any help would be appreciated.


gfullage
Cisco Employee

You need to set up a port static, rather than a one-to-one static like you have. Setting up a one-to-one static with the outside IP address will kill all outbound traffic from your PCs, because when it returns to the PIX the PIX just passes all that traffic through the web server, which didn't initiate the traffic in the first place and drops it.

Do the following and you should be good to go:

static (inside,outside) tcp interface 80 x.x.x.x 80 netmask 255.255.255.255

access-list inbound permit tcp any interface outside eq www

access-group inbound in interface outside

Note the use of the "interface" keyword in both the static command and the access-list; this just says use whatever IP address is on the outside interface in place of it in the command. Any traffic coming in on TCP/80 for the outside IP address of your 501 will be sent through to TCP/80 on x.x.x.x, which is your internal web server's IP address.

Thanks, that worked!
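A small configuration check for the two things gfullage's reply changes: a port static in place of a one-to-one static on the outside address, and an access-group binding for the inbound ACL. This is an added example, not part of the original thread; the function name `lint_pix` and the sample addresses are constructed for illustration, and it assumes the outside address is set statically rather than by DHCP.

```python
# Constructed sample configs using documentation/private addresses (not from the thread).
BROKEN = """\
ip address outside 203.0.113.10 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255
access-list 101 permit tcp any host 203.0.113.10 eq www
"""
FIXED = """\
ip address outside 203.0.113.10 255.255.255.0
static (inside,outside) tcp interface 80 192.168.1.20 80 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside
"""

def lint_pix(config):
    """Return findings for the two problems discussed in the thread (hypothetical helper)."""
    outside_ip = None
    acls, bound, statics = set(), set(), []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "address", "outside"] and len(tok) > 3:
            outside_ip = tok[3]              # "dhcp" here means we cannot compare
        elif tok[:1] == ["access-list"] and len(tok) > 2:
            acls.add(tok[1])
        elif tok[:1] == ["access-group"] and len(tok) > 1:
            bound.add(tok[1])
        elif tok[:2] == ["static", "(inside,outside)"] and len(tok) > 3:
            statics.append(tok[2:])

    findings = []
    for args in statics:
        port_static = args[0] in ("tcp", "udp")   # port redirection form
        # A one-to-one static whose global address is the outside interface
        # address sends every inbound packet to one host, so replies to the
        # other inside hosts' outbound connections never reach them.
        if not port_static and args[0] in ("interface", outside_ip):
            findings.append(
                "one-to-one static on the outside interface address -> "
                + args[1] + "; use a port static (tcp interface 80 ...)")
    for name in sorted(acls - bound):
        findings.append("access-list " + name
                        + " is not bound to an interface with access-group")
    return findings

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, lint_pix(cfg) or "no findings")
```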