1893 Views | 8 Helpful | 13 Replies

PIX 501 6.3(5) PDM 3.0(4) Port forwarding and PDM access

franzsyntax (Level 1)

I have two problems with my newly bought PIX 501 (Newbie).

1. How do I forward an outside port to an inside IP and port? E.g. the outside IP is 192.168.2.105 and the IP that I want to receive traffic on is 192.168.1.2 and the port is 10000 TCP. How do I do this? I have been fighting for 4 days now :-) PLEASSSEEEE take me out of my misery :-)

2. The original version of the PIX software was 6.1, and PDM was very low. I found out that getting upgrades for this PIX would take some time because I had to register with Cisco for some special account. Now, I don't know if this would have cost me or not, and I don't care, I am willing to pay (not too much :-) ), but I found out that my previous office had an upgrade CD lying around, and I upgraded the PIX to the versions mentioned in the title, so how is it I can't connect to the PDM via Explorer? Do I need new keys? Please help me, I am turning very grey here.

1 Accepted Solution

Yes, you are being clear. The problem is you cannot U-turn/hairpin on a PIX 501. Therefore you must use another method if you want to hit your internal webserver with a domain name which resolves to a public IP.

DNS doctoring is one option I posted above but this does not work with port translation. See the link I referenced above. Second option is to use an internal DNS server which resolves your website to its private address. Another option would be to edit your machine's hosts file to include yourwebsite.com and its internal private IP address.

13 Replies

acomiskey (Level 10)

1.

static (inside,outside) tcp 192.168.2.105 10000 192.168.1.2 10000 netmask 255.255.255.255

Hi!

Don't forget to allow incoming traffic on the outside acl! Something like:

access-list acl_outside permit tcp any host 192.168.2.105 eq 10000

access-group acl_outside in interface outside

Regards,

JP

Thanx both, now that works. But that leaves me with a new problem, hehe, loopback. I can't see my own server, e.g. no loopback. And I still remain with the problem for PDM, not so important now that I got the other stuff to work.

Hi!

I don't understand the loopback problem?! Can you explain better?

About the PDM, in order to have access to it, and other Cisco software stuff, you have to have a Maintenance Contract with a Cisco Partner.

Regards,

JP

I can't see my own webserver if I use the domain name, only if I go through a proxy server at my internet provider. I can address the server using its internal IP address. Remember I am on the same inside as the webserver. About PDM, doughhh, seems like a lot of trouble for a firewall that almost only works as a router :-), but still, it would be nice to have the PDM working.

If you want to use the domain name to hit your webserver and you are using an external DNS server which is providing you with the public IP address, you must use DNS doctoring. The PIX will change the IP address in the reply from the DNS server from the public IP to the private IP, allowing you to access it.

static (inside,outside) tcp 192.168.2.105 10000 192.168.1.2 10000 netmask 255.255.255.255 dns

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Good one 'acomiskey'!

Note: the PIX, if you don't disable it, is inspecting the traffic going through it, so it isn't just doing routing!

Regards,

JP

Thanks jean, but I just remembered that "DNS rewrite is not compatible with static Port Address Translation". It only works like this unfortunately...

static (inside,outside) 192.168.2.105 192.168.1.2 netmask 255.255.255.255 dns
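As an added illustration that is not part of this thread or of any Cisco code, the following Python script simulates what DNS doctoring does to a DNS reply and why it cannot be combined with the port-translated static shown earlier. The DNS packet, the hostname yourwebsite.com and the address pairs are constructed for the example from the addresses used in this thread; the Static class and the doctor() function are this example's own names, not PIX commands.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed model of a "static (inside,outside) ... dns" entry.
# port=None models plain static NAT; an int models static PAT
# (the "static (inside,outside) tcp OUT PORT IN PORT" form).
@dataclass(frozen=True)
class Static:
    outside_ip: str
    inside_ip: str
    port: Optional[int] = None


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed DNS reply with one question and one A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA, 1 Q, 1 AN
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_bytes(ip)
    return header + question + answer


def skip_name(buf: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:             # root label ends the name
            return pos + 1
        pos += 1 + length


def a_record_offsets(packet: bytes):
    """Return [(rdata_offset, ip)] for every A/IN record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(packet, pos) + 4          # skip QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        pos = skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        rdata = pos + 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.append((rdata, ip_str(packet[rdata:rdata + 4])))
        pos = rdata + rdlen
    return found


def answer_ips(packet: bytes):
    return [ip for _, ip in a_record_offsets(packet)]


def doctor(packet: bytes, statics):
    """Rewrite A records whose address matches a static's outside IP to the inside IP.

    A static PAT entry is skipped: the DNS answer carries no port, so the firewall
    cannot tell which of possibly several port-mapped inside hosts the name refers to.
    """
    out = bytearray(packet)
    rewritten = []
    for offset, ip in a_record_offsets(packet):
        for s in statics:
            if s.outside_ip != ip:
                continue
            if s.port is None:
                out[offset:offset + 4] = ip_bytes(s.inside_ip)
                rewritten.append((ip, s.inside_ip))
            break
    return bytes(out), rewritten


if __name__ == "__main__":
    reply = build_a_response(0x1234, "yourwebsite.com", "192.168.2.105")
    plain = [Static("192.168.2.105", "192.168.1.2")]
    pat = [Static("192.168.2.105", "192.168.1.2", port=10000)]
    print("plain static:", answer_ips(doctor(reply, plain)[0]))  # inside host sees 192.168.1.2
    print("static PAT:  ", answer_ips(doctor(reply, pat)[0]))    # reply left at 192.168.2.105
```

Run it and the same reply comes back doctored to 192.168.1.2 under the plain static, but untouched under the port-translated one, which is the limitation acomiskey points out above: without hairpinning, an inside client that still receives the public address in the answer cannot reach the server by name.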

Sorry for the late reply.

Won't that routing affect how the traffic coming from outside to the server gets routed?

Remember that 192.168.2.105 to 192.168.1.2 works now, but addressing 192.168.1.2 from 192.168.1.3 via the domain name does not work. Am I being clear enough?

Yes, you are being clear. The problem is you cannot U-turn/hairpin on a PIX 501. Therefore you must use another method if you want to hit your internal webserver with a domain name which resolves to a public IP.

DNS doctoring is one option I posted above but this does not work with port translation. See the link I referenced above. Second option is to use an internal DNS server which resolves your website to its private address. Another option would be to edit your machine's hosts file to include yourwebsite.com and its internal private IP address.

Doouughhhh, man, I feel as dumb as a door right now. How could I forget that hosts file, of course. I think I will find a solid wall and bang my head into it a couple of times, it can't do any damage, I should have thought of that. Thanx for the hint.

Franz thanx you

Updating the hosts file is 'OK' for one user, but how about if you have 50 users and, to make things worse, 10-15 guests (with their own laptops) every day? We are not hosting the internal DNS.

Any other options for a poor fellow like me ?

Get a DMZ so you can do this...

static (DMZ,inside) netmask 255.255.255.255
