Can't get port 80 forwarding working on 515E

cameronjohn
Level 1

Hi,

I can't get port forwarding working into a PIX515E.

This is what I have done and port 80 doesn't open.

name 203.144.238.79 WEBSVR

static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0

access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http

access-list outside_access_in permit tcp any host 192.168.10.17 eq http

I can telnet to the DMZ addresses on port 80 from the src of the internal Pix range from an upstream router.

Am I forgetting something?

Please help!


suschoud
Cisco Employee

please put in the following commands,

no access-list outside_access_in permit tcp any host 192.168.10.17 eq http

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

cl xlate

From the outside, the traffic will come with the dest. IP address as the public IP. In the existing access-list it's the private IP address, that's why it's not working.

Please do the changes and let us know if it works or not.

Regards,

Sushil
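To make the point in this reply concrete, here is a small added model (constructed for this thread, not Cisco code) of how a PIX 6.x/7.x evaluates a new inbound connection on the outside interface: the interface ACL is matched against the mapped (public) destination, and only then does the static supply the real DMZ host. The addresses are the ones from the thread; the `inbound_decision` function and its data classes are illustrative names.

```python
"""Toy model of PIX inbound evaluation on the 'outside' interface.
Pre-8.3 behaviour: the access-list bound to 'outside' sees the
mapped/public destination address, not the 192.168.x real address."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:          # access-list NAME permit tcp any host DST eq PORT
    proto: str
    dst: str             # "any" or a single host address
    port: int


@dataclass(frozen=True)
class Static:            # static (real_if,mapped_if) tcp MAPPED PORT REAL PORT
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def inbound_decision(dst_ip, dst_port, proto, acl, statics):
    """Return (verdict, detail) for a packet arriving on 'outside'.
    acl is the list bound via access-group; None means no ACL applied,
    so lower->higher security traffic is denied by default."""
    if acl is None:
        return ("deny", "no access-group on outside: implicit deny")
    for e in acl:
        if e.proto == proto and e.port == dst_port and e.dst in ("any", dst_ip):
            break
    else:
        return ("deny", f"no ACL entry for {dst_ip}:{dst_port}")
    for s in statics:
        if s.mapped_ip == dst_ip and s.mapped_port == dst_port:
            return ("permit", f"xlate {dst_ip}:{dst_port} -> {s.real_ip}:{s.real_port}")
    return ("deny", "ACL permitted but no static/xlate for mapped address")


WEBSVR_PUBLIC, WEBSVR_REAL = "203.144.238.79", "192.168.10.17"
STATICS = [Static(WEBSVR_PUBLIC, 80, WEBSVR_REAL, 80)]
ACL_BROKEN = [AclEntry("tcp", WEBSVR_REAL, 80)]    # entry from the original post
ACL_FIXED = [AclEntry("tcp", WEBSVR_PUBLIC, 80)]   # entry from this reply

if __name__ == "__main__":
    for name, acl in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED), ("unbound", None)):
        print(name, inbound_decision(WEBSVR_PUBLIC, 80, "tcp", acl, STATICS))
```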

Don't forget to apply the ACL:

access-group outside_access_in in interface outside

I have done that :)

I tried what was suggested before and I have done the following and it still isn't working.

name 203.144.238.79 WEBSVR

no static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0

static (PublicDMZ,outside) tcp 203.144.238.79 www 192.168.10.17 www netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

There is an entry in the sh xlate table as

Global WEBSVR Local 192.168.10.17

Do I need to route the public range via the outside interface?

John

Is 203.144.238.79 also your outside interface address?

ip address 203.144.238.70 255.255.255.0 is my WAN IP.

It's unclear how your network is set up. Is your setup something like this?

Internet --- Router --- PIX --- PublicDMZ

If the WAN IP on the outside router is 203.144.238.70, then does it know how to route to 203.144.238.79? If it doesn't, then you can add a static host route, /32 bit mask, to forward the traffic to the firewall.

If the setup is different or I misunderstood any part of your configuration then clarify that and posting the configuration would help.

HTH

Sundar

kaachary
Cisco Employee

Hi John,

Do you still have an access-group applied on the PublicDMZ interface ?

Remove it and then try.

If it works, then add the following entry in the ACL :

access-list PublicDMZ_access_in permit tcp host 192.168.10.17 eq 80 any

And then reapply the access-group.

*Please rate if it helped.

-Kanishka

Hi,

This is all fixed now. Thanks for all your replies.

I did the following:

static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0

access-list PublicDMZ_access_in permit tcp host 192.168.10.16 any eq http

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

route outside 203.144.238.79 255.255.255.224 203.144.238.68 1

The 203.144.238.68 being the upstream router back to our network
