03-08-2007 06:43 AM - edited 03-11-2019 02:43 AM
Hi,
I can't get port forwarding working into a PIX515E.
This is what I have done and port 80 doesn't open.
name 203.144.238.79 WEBSVR
static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http
access-list outside_access_in permit tcp any host 192.168.10.17 eq http
I can telnet to the DMZ addresses on port 80 from the src of the internal Pix range from an upstream router.
Am I forgetting something?
Please help!
03-08-2007 06:46 AM
Please put in the following commands:
no access-list outside_access_in permit tcp any host 192.168.10.17 eq http
access-list outside_access_in permit tcp any host 203.144.238.79 eq http
cl xlate
From the outside, the traffic will come with the public IP as the destination IP address. In the existing access-list it's the private IP address; that's why it's not working.
Please make the changes and let us know if it works or not.
Regards,
Sushil
03-08-2007 06:51 AM
Don't forget to apply the ACL:
access-group outside_access_in in interface outside
03-08-2007 06:53 AM
I have done that :)
03-08-2007 07:30 AM
I tried what was suggested before and I have done the following, and it still isn't working.
name 203.144.238.79 WEBSVR
no static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0
static (PublicDMZ,outside) tcp 203.144.238.79 www 192.168.10.17 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 203.144.238.79 eq http
There is an entry in the sh xlate table as:
Global WEBSVR Local 192.168.10.17
Do I need to route the public range via the outside interface?
John
03-08-2007 07:43 AM
Is 203.144.238.79 also your outside interface address?
03-08-2007 01:56 PM
ip address 203.144.238.70 255.255.255.0 is my WAN IP.
03-08-2007 02:25 PM
It's unclear how your network is set up. Is your setup something like this?
Internet --- Router --- PIX --- PublicDMZ
If the WAN IP on the outside router is 203.144.238.70, then does it know how to route to 203.144.238.79? If it doesn't, you can add a static host route (/32 mask) to forward the traffic to the firewall.
If the setup is different or I misunderstood any part of your configuration, then clarify that; posting the configuration would help.
HTH
Sundar
03-08-2007 03:46 PM
Hi John,
Do you still have an access-group applied on the PublicDMZ interface?
Remove it and then try.
If it works, then add the following entry in the ACL :
access-list PublicDMZ_access_in permit tcp host 192.168.10.17 eq 80 any
And then reapply the access-group.
*Please rate if it helped.
-Kanishka
03-09-2007 03:25 AM
Hi,
This is all fixed now. Thanks for all your replies.
I did the following:
static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.16 any eq http
access-list outside_access_in permit tcp any host 203.144.238.79 eq http
route outside 203.144.238.79 255.255.255.224 203.144.238.68 1
The 203.144.238.68 being the upstream router back to our network
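As an added example that is not part of the thread (my own script, not Cisco's or any poster's): a small Python checker for the mistake Sushil describes above, an outside ACL that names the private address behind a static instead of its global address, run against configs constructed from John's first posting and from his final working one. It assumes the pre-8.3 behaviour of PIX 6.x/7.x and ASA up to 8.2, where an ACL on the outside interface is matched against the translated (global) address; on ASA 8.3 and later the ACL sees the real address and this rule would be backwards. The access-group line for PublicDMZ_access_in is assumed (John says the ACL was applied), and the port-keyword table is a subset.

```python
"""Static/ACL consistency check for a PIX-style config, pre-8.3 NAT semantics.
Added example, not from the thread. Flags ACL entries on a mapped-side interface
that name the real (pre-NAT) address, global addresses with no static, port
statics that do not cover the permitted port, and ACLs never applied."""
import re
from collections import namedtuple

PORT_ALIASES = {"www": "80", "http": "80", "https": "443", "ssh": "22", "smtp": "25"}  # subset
# real_if: where the server sits (PublicDMZ); mapped_if: where the global address lives (outside).
# proto/port are None for a one-to-one static and set for a port (PAT) static.
Static = namedtuple("Static", "real_if mapped_if global_ip local_ip proto port")
Ace = namedtuple("Ace", "acl action proto src dst dst_port")
STATIC_RE = re.compile(r"^static\s+\((\S+?),(\S+?)\)\s*(.*)$")  # also accepts ')tcp' with no space

def _addr(tok, i):
    """any | host X | NET MASK -> (address, next index); a network keeps only its network part."""
    if tok[i] == "any":
        return "any", i + 1
    return (tok[i + 1] if tok[i] == "host" else tok[i]), i + 2

def _port(tok, i):
    if i + 1 < len(tok) and tok[i] == "eq":
        return PORT_ALIASES.get(tok[i + 1], tok[i + 1]), i + 2
    return None, i

def parse_config(text):
    names, statics, aces, groups = {}, [], [], {}  # groups: ACL name -> interface applied to
    r = lambda x: names.get(x, x)                   # resolve a 'name' alias to its IP
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "no":               # 'no ...' lines are removals, not config
            continue
        if tok[0] == "name" and len(tok) >= 3:
            names[tok[2]] = tok[1]
        elif tok[0] == "static":
            m = STATIC_RE.match(raw.strip())
            rest = m.group(3).split()
            if rest[0] in ("tcp", "udp"):           # static (r,m) tcp GIP GPORT LIP LPORT netmask ...
                statics.append(Static(m.group(1), m.group(2), r(rest[1]), r(rest[3]),
                                      rest[0], PORT_ALIASES.get(rest[2], rest[2])))
            else:                                   # static (r,m) GIP LIP netmask ...
                statics.append(Static(m.group(1), m.group(2), r(rest[0]), r(rest[1]), None, None))
        elif tok[0] == "access-list" and len(tok) > 4 and tok[2] in ("permit", "deny"):
            try:
                src, i = _addr(tok, 4)
                _, i = _port(tok, i)                # source port is irrelevant to this audit
                dst, i = _addr(tok, i)
                dport, _ = _port(tok, i)
            except IndexError:                      # truncated or unsupported ACE syntax
                continue
            aces.append(Ace(tok[1], tok[2], tok[3], r(src), r(dst), dport))
        elif tok[0] == "access-group" and "interface" in tok:
            groups[tok[1]] = tok[tok.index("interface") + 1]
    return statics, aces, groups

def audit(text):
    """Return human-readable findings; an empty list means the statics and ACLs agree."""
    statics, aces, groups = parse_config(text)
    findings, by_acl = [], {}
    for a in aces:
        by_acl.setdefault(a.acl, []).append(a)
    for acl, entries in by_acl.items():
        if acl not in groups:
            findings.append(f"{acl}: defined but never applied with access-group")
            continue
        iface = groups[acl]
        mapped = [s for s in statics if s.mapped_if == iface]
        if not mapped:
            continue                                # nothing is translated toward this interface
        for a in entries:
            if a.action != "permit" or a.dst == "any":
                continue
            if any(a.dst == s.local_ip for s in mapped):
                findings.append(f"{acl}: destination {a.dst} is the real (pre-NAT) address; "
                                f"packets entering {iface} are matched against the global address")
            elif not (hits := [s for s in mapped if s.global_ip == a.dst]):
                findings.append(f"{acl}: no static on {iface} translates {a.dst}")
            elif a.dst_port and not any(s.proto in (None, a.proto) and s.port in (None, a.dst_port)
                                        for s in hits):
                findings.append(f"{acl}: {a.proto} port {a.dst_port} to {a.dst} is not covered by a static "
                                f"({', '.join(f'{s.proto}/{s.port}' for s in hits)})")
    return findings

# Constructed from the thread's lines; the access-group for PublicDMZ_access_in is assumed.
BROKEN_CONFIG = """name 203.144.238.79 WEBSVR
static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http
access-list outside_access_in permit tcp any host 192.168.10.17 eq http
access-group outside_access_in in interface outside
access-group PublicDMZ_access_in in interface PublicDMZ
"""
FIXED_CONFIG = """name 203.144.238.79 WEBSVR
static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.16 any eq http
access-list outside_access_in permit tcp any host 203.144.238.79 eq http
access-group outside_access_in in interface outside
access-group PublicDMZ_access_in in interface PublicDMZ
route outside 203.144.238.79 255.255.255.224 203.144.238.68 1
"""

if __name__ == "__main__":
    for label, cfg in (("first posting", BROKEN_CONFIG), ("final config", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Run as a script it reports the pre-NAT address in the first posting and nothing for the final config. The route line is parsed as unrelated and ignored: whether the upstream router can reach 203.144.238.79, the question Sundar raises, is a routing matter the checker does not model, so a clean result here still does not mean port 80 answers from the Internet.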