Can't get port 80 forwarding working on 515E

Mar 8th, 2007

Hi,


I can't get port forwarding working into a PIX515E.


This is what I have done and port 80 doesn't open.


name 203.144.238.79 WEBSVR


static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0


access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http


access-list outside_access_in permit tcp any host 192.168.10.17 eq http


I can telnet to the DMZ addresses on port 80 from the src of the internal Pix range from an upstream router.

Am I forgetting something?


Please help!



suschoud Thu, 03/08/2007 - 06:46

please put in the following commands,


no access-list outside_access_in permit tcp any host 192.168.10.17 eq http


access-list outside_access_in permit tcp any host 203.144.238.79 eq http


cl xlate


From the outside, the traffic will come with the destination IP address as the public IP. In the existing access-list it's the private IP address; that's why it's not working.


Please make the changes and let us know if it works or not.


Regards,

Sushil


acomiskey Thu, 03/08/2007 - 06:51

Don't forget to apply the ACL:


access-group outside_access_in in interface outside

cameronjohn Thu, 03/08/2007 - 07:30

I tried what was suggested before and I have done the following, and it still isn't working.


name 203.144.238.79 WEBSVR


no static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0


static (PublicDMZ,outside) tcp 203.144.238.79 www 192.168.10.17 www netmask 255.255.255.255 0 0


access-list outside_access_in permit tcp any host 203.144.238.79 eq http


There is an entry in the sh xlate table as

Global WEBSVR Local 192.168.10.17


Do I need to route the public range via the outside interface?


John



acomiskey Thu, 03/08/2007 - 07:43

Is 203.144.238.79 also your outside interface address?

sundar.palaniappan Thu, 03/08/2007 - 14:25

It's unclear how your network is set up. Is your setup something like this?


Internet --- Router --- PIX --- PublicDMZ


If the WAN IP on the outside router is 203.144.238.70, then does it know how to route to 203.144.238.79? If it doesn't, then you can add a static host route (/32 mask) to forward the traffic to the firewall.


If the setup is different or I misunderstood any part of your configuration, then clarify that; posting the configuration would help.


HTH


Sundar



kaachary Thu, 03/08/2007 - 15:46
Cisco Employee

Hi John,


Do you still have an access-group applied on the PublicDMZ interface ?


Remove it and then try.


If it works, then add the following entry in the ACL :



access-list PublicDMZ_access_in permit tcp host 192.168.10.17 eq 80 any


And then reapply the access-group.


*Please rate if it helped.


-Kanishka

cameronjohn Fri, 03/09/2007 - 03:25

Hi,


This is all fixed now. Thanks for all your replies.


I did the following:


static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0

access-list PublicDMZ_access_in permit tcp host 192.168.10.16 any eq http

access-list outside_access_in permit tcp any host 203.144.238.79 eq http



route outside 203.144.238.79 255.255.255.224 203.144.238.68 1


The 203.144.238.68 is the upstream router back to our network.
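The two mistakes the replies point at (an outside ACL written against the DMZ host's private address rather than the public address the static maps to it, and an ACL that is never bound with access-group) are easy to check mechanically. The following Python lint is an added example and not code from the thread or from Cisco; it understands only the static, access-list and access-group command shapes posted above, and the sample configurations it carries are constructed from the first and last posts (with access-group lines assumed, since the thread never shows them).

```python
"""Lint PIX 6.x/7.x-style static / access-list / access-group lines.

Added example, not from the thread.  Only the command shapes that appear in
the discussion are parsed; anything else (name, no ..., route) is skipped.
"""
import re
from typing import Dict, List, Optional

# static (REAL_IF,MAPPED_IF) [tcp|udp] GLOBAL [GPORT] LOCAL [LPORT] netmask MASK ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s*"
    r"(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<global>\d+\.\d+\.\d+\.\d+)\s+(?:(?P<gport>\S+)\s+)?"
    r"(?P<local>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<lport>\S+))?\s+netmask\b"
)
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+in\s+interface\s+(?P<iface>[\w-]+)"
)


def parse_acl(line: str) -> Optional[dict]:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    pos = 4

    def addr() -> str:
        nonlocal pos
        if pos >= len(tok):
            raise ValueError(f"truncated access-list: {line}")
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        pos += 2                                  # NETWORK MASK form
        return f"{tok[pos - 2]}/{tok[pos - 1]}"

    def port() -> Optional[str]:
        nonlocal pos
        if pos + 1 < len(tok) and tok[pos] == "eq":
            pos += 2
            return tok[pos - 1]
        return None

    src, sport, dst, dport = addr(), port(), addr(), port()
    return {"name": tok[1], "action": tok[2], "proto": tok[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def lint(config: str) -> List[str]:
    """Return human-readable findings for the two problems from the thread."""
    statics: List[dict] = []
    acls: Dict[str, List[dict]] = {}
    bound: Dict[str, str] = {}                    # ACL name -> interface
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "name ", "no ", "route ")):
            continue
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACCESS_GROUP_RE.match(line):
            bound[m.group("acl")] = m.group("iface")
        elif entry := parse_acl(line):
            acls.setdefault(entry["name"], []).append(entry)

    findings: List[str] = []
    for name, entries in acls.items():
        iface = bound.get(name)
        if iface is None:
            findings.append(f"ACL {name} is never applied with access-group")
            continue
        for e in entries:
            for s in statics:
                # Packets arriving on the mapped (outside) interface carry the
                # global address from the static, so an outside ACL that names
                # the private address never matches.
                if iface == s["mapped_if"] and e["dst"] == s["local"]:
                    findings.append(
                        f"ACL {name} on {iface} permits to private {s['local']}; "
                        f"traffic arrives for global {s['global']}")
    return findings


# Constructed samples: the first post's config, and the final working config.
BROKEN = """
name 203.144.238.79 WEBSVR
static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http
access-list outside_access_in permit tcp any host 192.168.10.17 eq http
access-group PublicDMZ_access_in in interface PublicDMZ
access-group outside_access_in in interface outside
"""
FIXED = """
static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.16 any eq http
access-list outside_access_in permit tcp any host 203.144.238.79 eq http
access-group PublicDMZ_access_in in interface PublicDMZ
access-group outside_access_in in interface outside
route outside 203.144.238.79 255.255.255.224 203.144.238.68 1
"""
UNBOUND = "\n".join(l for l in BROKEN.splitlines() if not l.startswith("access-group"))

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("unbound", UNBOUND)):
        print(label, lint(cfg) or "no findings")
```

Running it prints one finding for the first post's config (the outside ACL names 192.168.10.17 while the static advertises 203.144.238.79), nothing for the final config, and two "never applied" findings when the access-group lines are left out. The check is deliberately narrow: it does not model the route that also turned out to be needed, only the address and binding mistakes the thread discusses.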

