Need Help with Static Translation and ACLs on PIX


I'm new to PIX firewalls and could use a bit of help. I've a PIX 501 that's been configured using the Startup Wizard and VPN Wizard. Internet connectivity is via PPPoE. All works fine with outbound traffic, and VPN works with remote access by client.

I'd like to allow Web traffic from the outside through the firewall to a host on the inside network.

I understand that the three commands I'd need are:

static (inside,outside) 209.xxx.xxx.111 192.168.1.10 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host 209.xxx.xxx.111 eq www

access-group 100 in interface outside

I have defined my host in the PIX PDM as 192.168.1.10 with a netmask of 255.255.255.255.

The problem is that when I create the static translation, I lose all outbound traffic, and while I can ping both the firewall and the Web server (and still have Web access to the PIX for PDM), I no longer have http access to the Web server. Completing the ACLs and access-group command (all using the command-line tool) doesn't help restore outbound traffic.

I've also tried creating the static translation and ACLs using the PDM (instead of the command line tool) but get the same result-- as soon as I create the static translation, I can no longer get out past the firewall.

Can someone please take a look at my configuration and tell me if I've done something wrong? The attached config only includes the static translation, not the additional ACLs.

Many thanks in advance for any suggestions.

--Tim

bahoosh Thu, 04/19/2007 - 05:20

it'll cost you an iphone :) ... j/k

is that 209.x.x.111 one of your public addresses?

Looks to me you are using the IP address of the outside interface that you obtained from the DSL provider and trying to use it for your webserver. You can do that, but you've got to do port forwarding. It'll be something like this:

static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

and make sure you use the word "interface" instead of an actual IP address, because most likely it's DHCP and will change.

I would take out this line too:

no pdm location 209.xxx.xxx.111 255.255.255.255 outside

Ha! Tell you what, as soon as I get one, I'll get you one, too! ;-)

Yes, I'm trying to do port forwarding, mapping the public IP on the outside interface to the IP of the host on the inside network. I understand needing to take out the pdm location reference since it's hard coded to an IP that might change, but should I replace it with another line instead? I'm not sure what the "pdm location" part of the config means. Can you tell me?

Regarding the "static (inside,outside)" command, the reading I'd done to allow traffic from the outside (lower security) to the inside (high security interface) is that you needed the static translation and ACLs. What's the difference with the command you suggest?

Finally, when I type the command exactly as shown, it errors with an "invalid global address 192.168.1.10" message. ???

--Tim

bahoosh Thu, 04/19/2007 - 09:25

Yes, you can take out all pdm commands ... pdm, or PIX Device Manager (AKA pix device mangler), is for configuring your pix through a GUI interface. But I recommend not doing anything through pdm, especially in 6.x code. You can take all pdm commands out and you'd be fine.

Since you only have one publicly routable IP address (your outside interface IP), you have to use port forwarding to be able to host a service on your network, such as a webserver.

do this:

no static (inside,outside) 209.xxx.xxx.111 server netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www server www netmask 255.255.255.255 0 0

access-l outside-in permit tcp any host server eq www

access-g outside-in in int outside

Correct Answer
acomiskey Thu, 04/19/2007 - 09:55

^^that access-list statement won't work (a typo i'm sure)

access-list outside-in permit tcp any host 209.xxx.xxx.111 eq www

Many, many thanks, "bahoosh" and "acomiskey", for helping a "noob in need". ;-)

I've appreciated your suggestions and have a better understanding of how to use static translations and ACLs for port forwarding.

For the sake of others who may have the same question, here are the commands I used (with 209.xxx.xxx.151 being the IP address assigned to my outside interface and "server" being the name assigned to the defined host on the inside network):

static (inside,outside) tcp interface www server www netmask 255.255.255.255 0 0

access-list outside-in permit tcp any host 209.xxx.xxx.151 eq www

access-group outside-in in interface outside

clear xlate

Cheers,

Tim
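The three mistakes the thread works through (a one-to-one static to a hard-coded public address on a PPPoE/DHCP outside interface, an ACL whose destination is the inside name rather than the global address, and an ACL that no static backs up) are easy to catch mechanically. Below is an added example, not code from the original posts, of a small Python linter for the relevant PIX 6.x lines (name, ip address, static, access-list, access-group). The sample configurations are constructed from the commands in the thread; 203.0.113.111 and 203.0.113.151 are documentation addresses standing in for the redacted 209.xxx.xxx ones, and the `global (outside) 1 interface` / `nat (inside) 1 0.0.0.0 0.0.0.0 0 0` PAT pair is assumed (the original config was attached, not shown). The "literal global address on a dynamic outside interface" rule encodes what Tim reported and bahoosh explained, not a general PIX specification.

```python
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}


@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None for an all-protocol one-to-one static
    mapped: str                 # literal address, a 'name' label, or the keyword 'interface'
    mapped_port: Optional[str]
    real: str
    real_port: Optional[str]


def _port(tok: str) -> str:
    return PORT_NAMES.get(tok, tok)


def _addr(toks, i):
    """Consume one ACL address spec (any | host X | X mask) at toks[i]; return (addr, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return toks[i] + "/" + toks[i + 1], i + 2


def lint(config: str) -> list:
    names, statics, acls, bound, dynamic = {}, [], {}, {}, set()
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "name":                                            # name <ip> <label>
            names[toks[2]] = toks[1]
        elif toks[:2] == ["ip", "address"] and len(toks) > 3 and toks[3] in ("pppoe", "dhcp"):
            dynamic.add(toks[2])                                         # address is assigned, may change
        elif toks[0] == "static":
            real_if, mapped_if, rest = re.match(r"static \((\w+),(\w+)\)\s+(.*)", raw.strip()).groups()
            t = rest.split()
            if t[0] in ("tcp", "udp"):                                   # port-level static
                statics.append(Static(real_if, mapped_if, t[0], t[1], _port(t[2]), t[3], _port(t[4])))
            else:                                                        # one-to-one static
                statics.append(Static(real_if, mapped_if, None, t[0], None, t[1], None))
        elif toks[0] == "access-list" and len(toks) > 5 and toks[2] in ("permit", "deny"):
            src, i = _addr(toks, 4)
            dst, i = _addr(toks, i)
            port = _port(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
            acls.setdefault(toks[1], []).append((toks[2], toks[3], src, dst, port))
        elif toks[0] == "access-group":                                  # access-group <acl> in interface <if>
            bound[toks[1]] = toks[4]

    resolve = lambda a: names.get(a, a)                                  # expand 'name' labels
    inside = {resolve(s.real) for s in statics}
    findings = []
    for s in statics:
        if s.mapped_if in dynamic and s.mapped != "interface":
            findings.append(f"static maps {s.mapped} on {s.mapped_if}, whose address is assigned by PPPoE/DHCP; "
                            f"use 'static ({s.real_if},{s.mapped_if}) tcp interface <port> ...' so the translation "
                            "follows the current address instead of claiming a hard-coded one for all ports")
    for name, ifc in bound.items():
        if name not in acls:
            findings.append(f"access-group {name} on {ifc} references an access-list that is not defined")
    for name, entries in acls.items():
        if name not in bound:
            findings.append(f"access-list {name} is never applied with access-group")
            continue
        ifc = bound[name]
        for action, proto, src, dst, port in entries:
            if action != "permit" or dst == "any":
                continue
            if resolve(dst) in inside:
                findings.append(f"access-list {name}: destination {dst} is the inside (real) address; "
                                f"an ACL on {ifc} must match the global (translated) address")
                continue
            covered = any(s.mapped_if == ifc and (
                (s.proto is None and resolve(s.mapped) == resolve(dst))
                or (s.proto == proto and s.mapped_port == port
                    and (s.mapped == "interface" or resolve(s.mapped) == resolve(dst)))) for s in statics)
            if not covered:
                findings.append(f"access-list {name}: no static translates {dst} {proto}/{port} on {ifc}, "
                                "so permitted inbound packets have nowhere to go")
    return findings


# Constructed samples built from the commands in the thread (documentation addresses substituted).
BASE = ("name 192.168.1.10 server\nip address outside pppoe setroute\n"
        "ip address inside 192.168.1.1 255.255.255.0\nglobal (outside) 1 interface\n"
        "nat (inside) 1 0.0.0.0 0.0.0.0 0 0\n")
FIRST_ATTEMPT = BASE + ("static (inside,outside) 203.0.113.111 server netmask 255.255.255.255 0 0\n"
                        "access-list 100 permit tcp any host 203.0.113.111 eq www\n"
                        "access-group 100 in interface outside\n")
ACL_TYPO = BASE + ("static (inside,outside) tcp interface www server www netmask 255.255.255.255 0 0\n"
                   "access-list outside-in permit tcp any host server eq www\n"
                   "access-group outside-in in interface outside\n")
WORKING = BASE + ("static (inside,outside) tcp interface www server www netmask 255.255.255.255 0 0\n"
                  "access-list outside-in permit tcp any host 203.0.113.151 eq www\n"
                  "access-group outside-in in interface outside\n")

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("acl typo", ACL_TYPO), ("working", WORKING)):
        print(label, "->", lint(cfg) or "clean")
```

Run stand-alone it reports one finding for the first attempt (the literal global on the PPPoE outside), one for the `host server` typo, and nothing for the final working set. The linter deliberately accepts any literal destination when the static uses `interface`, because on a PPPoE link the linter cannot know the address currently assigned; that is the one thing you still have to check by hand (or with `show ip address outside`) after the link renegotiates.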
