Need Help with Static Translation and ACLs on PIX


I'm new to PIX firewalls and could use a bit of help. I've a PIX 501 that's been configured using the Startup Wizard and VPN Wizard. Internet connectivity is via PPPoE. All works fine with outbound traffic, and VPN works with remote access by client.

I'd like to allow Web traffic from the outside through the firewall to a host on the inside network.

I understand that the three commands I'd need are:

static (inside,outside) netmask 0 0

access-list 100 permit tcp any host eq www

access-group 100 in interface outside

I have defined my host in the PIX PDM as with a netmask of

The problem is that when I create the static translation, I lose all outbound traffic and, while I can ping both the firewall and the Web server (and still have Web access to the PIX for PDM), I no longer have HTTP access to the Web server. Completing the ACLs and access-group command (all using the command-line tool) doesn't help restore outbound traffic.

I've also tried creating the static translation and ACLs using the PDM (instead of the command-line tool) but get the same result: as soon as I create the static translation, I can no longer get out past the firewall.

Can someone please take a look at my configuration and tell me if I've done something wrong? The attached config only includes the static translation, not the additional ACLs.

Many thanks in advance for any suggestions.


Correct Answer by acomiskey about 10 years 2 months ago

^^that access-list statement won't work (a typo, I'm sure)

access-list outside-in permit tcp any host eq www

bahoosh Thu, 04/19/2007 - 05:20

It'll cost you an iPhone :) ... j/k

Is that 209.x.x.111 one of your public addresses?

Looks to me you are using the IP address of the outside interface that you obtained from the DSL provider and trying to use it for your webserver. You can do that but you've got to do port forwarding. It'll be something like this:

static (inside,outside) tcp interface 80 80 netmask

And make sure you use the word "interface" instead of an actual IP address, because most likely it's DHCP and will change.

I would take out this line too:

no pdm location outside

Ha! Tell you what, as soon as I get one, I'll get you one, too! ;-)

Yes, I'm trying to do port forwarding, mapping the public IP on the outside interface to the IP of the host on the inside network. I understand needing to take out the pdm location reference since it's hard coded to an IP that might change, but should I replace it with another line instead? I'm not sure what the "pdm location" part of the config means. Can you tell me?

Regarding the "static (inside,outside)" command, the reading I'd done to allow traffic from the outside (lower security) to the inside (high security interface) is that you needed the static translation and ACLs. What's the difference with the command you suggest?

Finally, when I type the command exactly as shown, it errors with an "invalid global address" message. ???


bahoosh Thu, 04/19/2007 - 09:25

Yes, you can take out all pdm commands ... PDM or PIX Device Manager (AKA PIX device mangler) is to configure your PIX through a GUI interface. But I recommend not doing anything through PDM, especially in 6.x code. You can take all pdm commands out and you'd be fine.

Since you only have one publicly routable IP address (your outside interface IP), you have to use port forwarding to be able to host a service on your network such as a webserver.

Do this:

no static (inside,outside) server netmask 0 0

static (inside,outside) tcp interface www server www netmask 0 0

access-l outside-in permit tcp any host server eq www

access-g outside-in in int outside


Many, many thanks, "bahoosh" and "acomiskey", for helping a "noob in need". ;-)

I've appreciated your suggestions and have a better understanding of how to use static translations and ACLs for port forwarding.

For the sake of others who may have the same question, here are the commands I used (with the being the IP address assigned to my outside interface and "server" being the name assigned to the defined host on the inside network):

static (inside,outside) tcp interface www server www netmask 0 0

access-list outside-in permit tcp any host eq www

access-group outside-in in interface outside

clear xlate
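As an added illustration of the point the thread settles on (a port static with the "interface" keyword, an access-list that permits the port to the global address, and an access-group that binds that list inbound on outside), here is a small audit script that reads a PIX 6.x-style config fragment and reports when those three pieces do not line up. It is example code written for this page, not Cisco's tooling or anything the posters ran; it understands only the command forms used in this thread, the addresses and host name in the constructed samples are placeholders (203.0.113.111 stands in for the ISP-assigned outside address), and the netmask values in the samples are filled in for the example rather than copied from the posts.

```python
"""Audit a PIX 6.x-style config fragment for the static / access-list /
access-group port-forward pattern discussed in the thread.

Example code added for this page, not Cisco's tooling: it parses only the
command forms that appear in the thread, and all sample addresses are
constructed placeholders from the 203.0.113.0/24 documentation range.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}


def norm_port(p: str) -> str:
    """Map PIX service names to numbers so 'www' and '80' compare equal."""
    return PORT_NAMES.get(p, p)


@dataclass
class Static:
    proto: Optional[str]   # 'tcp'/'udp' for a port static, None for one-to-one
    global_addr: str       # literal IP, a 'name' alias, or the keyword 'interface'
    global_port: Optional[str]
    local_addr: str


@dataclass
class AclEntry:
    name: str
    proto: str
    dst: str
    port: str


def parse_config(text: str):
    names: Dict[str, str] = {}      # alias -> IP from 'name <ip> <alias>'
    statics: List[Static] = []
    acls: List[AclEntry] = []
    groups: Dict[str, str] = {}     # acl name -> interface it is bound to inbound
    outside_dynamic = False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) == 3:
            names[tok[2]] = tok[1]
        elif tok[:3] == ["ip", "address", "outside"] and len(tok) > 3 and tok[3] in ("pppoe", "dhcp"):
            outside_dynamic = True   # the outside address is assigned by the ISP
        elif tok[0] == "static":
            if tok[2] in ("tcp", "udp"):   # static (in,out) tcp <gaddr> <gport> <laddr> <lport> ...
                statics.append(Static(tok[2], tok[3], norm_port(tok[4]), tok[5]))
            else:                          # static (in,out) <gaddr> <laddr> netmask ...
                statics.append(Static(None, tok[2], None, tok[3]))
        elif tok[0] == "access-list":
            m = re.match(r"access-list (\S+) permit (\S+) .*?host (\S+) eq (\S+)$", raw)
            if m:
                acls.append(AclEntry(m.group(1), m.group(2), m.group(3), norm_port(m.group(4))))
        elif tok[0] == "access-group" and len(tok) == 5 and tok[2:4] == ["in", "interface"]:
            groups[tok[1]] = tok[4]
    return names, outside_dynamic, statics, acls, groups


def audit(text: str, outside_ip: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means static, ACL and access-group agree.

    outside_ip is the address currently held by the outside interface (from
    'show ip address'); a PPPoE config never records it, so it is passed in.
    """
    names, outside_dynamic, statics, acls, groups = parse_config(text)
    findings: List[str] = []
    for s in statics:
        resolved = names.get(s.global_addr, s.global_addr)
        if s.proto is None:
            # The first attempt in the thread: a one-to-one static that claims
            # the only public address, which takes the outbound PAT with it.
            if outside_ip and resolved == outside_ip:
                findings.append(f"one-to-one static maps the whole outside address to {s.local_addr}; "
                                "with a single public IP use a port static instead")
            continue
        if outside_dynamic and s.global_addr != "interface":
            findings.append(f"outside address is dynamic but the static hard-codes {s.global_addr}; "
                            "use the 'interface' keyword")
        gaddr = outside_ip if s.global_addr == "interface" else resolved
        matched = [a for a in acls
                   if a.proto == s.proto and a.port == s.global_port
                   and names.get(a.dst, a.dst) == gaddr]
        if not matched:
            findings.append(f"no access-list permits {s.proto}/{s.global_port} to the global address {gaddr}")
        elif not any(groups.get(a.name) == "outside" for a in matched):
            findings.append(f"access-list {matched[0].name} is not bound with "
                            f"'access-group {matched[0].name} in interface outside'")
    return findings


# Constructed sample fragments (placeholder addresses, not the poster's config).
BASE = "name 192.168.1.10 server\nip address outside pppoe setroute\n"
FIRST_ATTEMPT = BASE + (   # one-to-one static on the outside address
    "static (inside,outside) 203.0.113.111 server netmask 255.255.255.255 0 0\n"
    "access-list 100 permit tcp any host 203.0.113.111 eq www\n"
    "access-group 100 in interface outside\n")
WORKING = BASE + (         # the form the thread ends with
    "static (inside,outside) tcp interface www server www netmask 255.255.255.255 0 0\n"
    "access-list outside-in permit tcp any host 203.0.113.111 eq www\n"
    "access-group outside-in in interface outside\n")
ACL_NAMES_INSIDE_HOST = WORKING.replace("host 203.0.113.111 eq", "host server eq")

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("working", WORKING),
                       ("acl names inside host", ACL_NAMES_INSIDE_HOST)):
        print(label, "->", audit(cfg, outside_ip="203.0.113.111") or ["OK"])
```

Run against the three constructed fragments, the one-to-one static is reported as claiming the whole outside address, the ACL that names the inside host (the typo caught in the thread) is reported as not matching the global address, and the final working set of commands produces no findings. Because the script only knows the command forms seen here, treat an "OK" as agreement between the three lines, not as a full review of the firewall.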