PIX 501 6.3(5) PDM 3.0(4) Port forwarding and PDM access

Answered Question
May 28th, 2007

I have two problems with my newly bought PIX 501 (Newbie).

1. How do I forward an outside port to an inside IP and port? e.g. the outside IP is 192.168.2.105 and the IP that I want to receive traffic on is 192.168.1.2 and the port is 10000 TCP. How do I do this? Been fighting for 4 days now :-) PLEASSSEEEE take me out of my misery :-)

2. The original version of the PIX software was 6.1, and PDM was very low. I found out that getting upgrades for this PIX would take some time because I had to register with Cisco for some special account. Now, I don't know if this would have cost me or not, and I don't care, I am willing to pay (not too much :-) ), but I found out that my previous office had an upgrade CD lying around, and I upgraded the PIX to the versions mentioned in the title, so how is it I can't connect to the PDM via Explorer? Do I need new keys? Please help me, I am turning very grey here.

acomiskey Mon, 05/28/2007 - 13:15

1.

static (inside,outside) tcp 192.168.2.105 10000 192.168.1.2 10000 netmask 255.255.255.255

jean.l.pierre Mon, 05/28/2007 - 14:32

Hi!

Don't forget to allow incoming traffic on the outside acl! Something like:

access-list acl_outside permit tcp any host 192.168.2.105 eq 10000

access-group acl_outside in interface outside

Regards,

JP

franzsyntax Mon, 05/28/2007 - 21:42

Thanx both, now that works. But that leaves me with a new problem, hehe, loopback. I can't see my own server, e.g. no loopback. And I still remain with the problem for PDM, not so important now that I got the other stuff to work.

jean.l.pierre Tue, 05/29/2007 - 02:18

Hi!

I don't understand the loopback problem?! Can you explain better?

About the PDM, in order to have access to it, and other Cisco software stuff, you have to do a Maintenance Contract with a Cisco Partner.

Regards,

JP

franzsyntax Tue, 05/29/2007 - 02:57

I can't see my own webserver if I use the domain name, only if I go through a proxy server at my internet provider. I can address the server using its internal IP address. Remember I am on the same inside as the webserver. About PDM, doughhh, seems like a lot of trouble for a firewall that almost only works as a router :-), but still, would be nice to have the PDM working.

acomiskey Tue, 05/29/2007 - 04:39

If you want to use the domain name to hit your webserver and you are using an external DNS server which is providing you with the public IP address, you must use DNS doctoring. The PIX will change the IP address in the reply from the DNS server from the public IP to the private IP, allowing you to access it.

static (inside,outside) tcp 192.168.2.105 10000 192.168.1.2 10000 netmask 255.255.255.255 dns

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

jean.l.pierre Tue, 05/29/2007 - 05:26

Good one 'acomiskey'!

Note: the PIX, if you don't disable it, is inspecting the traffic going through it, so it isn't just doing routing!

Regards,

JP

acomiskey Tue, 05/29/2007 - 05:42

Thanks jean, but I just remembered that "DNS rewrite is not compatible with static Port Address Translation". It only works like this unfortunately...

static (inside,outside) 192.168.2.105 192.168.1.2 netmask 255.255.255.255 dns
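An added illustration (mine, not from the thread or from Cisco) of what the `dns` keyword on a static does to a DNS reply, and why it cannot apply to a static with port translation: an A record carries only an address, so a per-port mapping has nothing to rewrite. The reply packet and the two NAT tables are constructed for the example and mirror the two `static` commands posted above.

```python
import struct
import ipaddress

# Constructed NAT tables keyed by the global (outside) address.
# STATIC_PAT mirrors "static (inside,outside) tcp ... 10000 ... 10000";
# STATIC_ONE_TO_ONE mirrors "static (inside,outside) 192.168.2.105 192.168.1.2 ... dns".
STATIC_PAT = {"192.168.2.105": {"local": "192.168.1.2", "port": 10000}}
STATIC_ONE_TO_ONE = {"192.168.2.105": {"local": "192.168.1.2", "port": None}}

def build_dns_reply(name, ip, txid=0x1234):
    """Build a minimal DNS response with one A record (constructed test input)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # 1 question, 1 answer
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)          # QTYPE A, QCLASS IN
    # Answer: compression pointer to the question name, type A, class IN, TTL, RDLENGTH 4
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:     # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def dns_doctor(reply, statics):
    """Rewrite A-record RDATA whose global IP has a one-to-one static.

    Returns (rewritten_packet, [(global_ip, local_ip), ...]). Entries that
    carry a port (static PAT) are left untouched, as the PIX requires.
    """
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", reply[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(reply, off) + 4          # skip QTYPE and QCLASS
    out, rewritten = bytearray(reply), []
    for _ in range(ancount):
        off = skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            global_ip = str(ipaddress.IPv4Address(reply[off:off + 4]))
            entry = statics.get(global_ip)
            if entry and entry["port"] is None:  # PAT entries cannot be doctored
                out[off:off + 4] = ipaddress.IPv4Address(entry["local"]).packed
                rewritten.append((global_ip, entry["local"]))
        off += rdlen
    return bytes(out), rewritten
```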

franzsyntax Sat, 06/02/2007 - 23:06

Sorry for the late reply.

Won't that routing affect how the traffic coming from outside to the server gets routed?

Remember that 192.168.2.105 to 192.168.1.2 works now, but addressing 192.168.1.2 from 192.168.1.3 via domain names does not work. Am I being clear enough?

Correct Answer
acomiskey Sun, 06/03/2007 - 11:21

Yes, you are being clear. The problem is you cannot U-turn/hairpin on a pix 501. Therefore you must use another method if you want to hit your internal webserver with a domain name which resolves to a public ip.

DNS doctoring is one option I posted above, but this does not work with port translation. See the link I referenced above. A second option is to use an internal DNS server which resolves your website to its private address. Another option would be to edit your machine's hosts file to include yourwebsite.com and its internal private IP address.

franzsyntax Tue, 06/05/2007 - 23:03

Doouughhhh, man, I feel as dumb as a door right now. How could I forget that hosts file, of course. I think I will find a solid wall and bang my head into it a couple of times, it can't do no damage, I should have thought of that. Thanx for the hint.

Franz thanx you

san_jivus Wed, 06/06/2007 - 10:03

Updating the hosts file is 'OK' for one user, but how about if you have 50 users and, to make things worse, 10-15 guests (with their own laptops) every day? We are not hosting the internal DNS.

Any other options for a poor fellow like me?

acomiskey Wed, 06/06/2007 - 10:17

Get a dmz so you can do this...

static (DMZ,inside) netmask 255.255.255.255
