PIX is so difficult

Sep 27th, 2007

Maybe I just don't really get what is going on, but why is it that the PIXes seem so hard to configure? I use Netgear, Linksys, Juniper, and many other firewalls and they are so easy to configure. When it comes to the PIX I can't even figure out how to forward traffic on port 80 to the web server. On the other devices it takes me all of 2 minutes to accomplish this. I am even using ASDM and it doesn't make any sense.

Am I missing something, or do I just need to get some more training? I love the switches and routers and have no problems with them, but the firewalls are killing me.

Fernando_Meza Thu, 09/27/2007 - 17:20

Hi ...

Yes, you probably need more training to understand the "language" of the PIXes, and I agree, sometimes even the ASDM is not so user friendly. I would say if you get to understand PIXes, then using other firewalls is very simple, but it is not true the other way around. Anyway, if you need to access a web server from the Internet you need to create a static NAT:

static (inside,outside) Public-Web-IP Private-Web-IP netmask 255.255.255.255

* The above assumes that your web server is behind the inside interface.

Then you need to allow that access by creating an access list and applying it to the outside interface:

access-list Outside-IN permit tcp any host Public-Web-IP eq 80

access-group Outside-IN in interface Outside

I hope it helps. Please rate it if it does!
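Putting the two steps above together as one complete PIX 7.x configuration. This is an added example, not part of Fernando_Meza's post. The addresses are assumptions: 203.0.113.10 is the public address reserved for the web server, 192.168.1.10 is its real address on the inside network, 198.51.100.5 stands for an Internet client, and the interfaces carry the default names inside and outside. The static uses a host mask, the access list permits only TCP/80 to that one mapped address (everything else arriving on the outside interface is dropped by the implicit deny at the end of the list), and the commands at the end confirm that the translation and the rule are really in place.

```text
! Added example (not the original poster's configuration). Assumed addresses:
!   203.0.113.10  public IP reserved for the web server on the outside network
!   192.168.1.10  web server's real IP on the inside network
!   198.51.100.5  an Internet client used for the packet-tracer check
! Interface names assumed to be the defaults, "inside" (security-level 100)
! and "outside" (security-level 0).

! 1. One-to-one static NAT: the mapped (public) address is written first,
!    then the real (inside) address. A single host needs a /32 mask.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! 2. Allow inbound HTTP to the MAPPED address. On PIX 6.x/7.x (and ASA up
!    to 8.2) the ACL on the outside interface matches the public address,
!    not the inside one. Nothing else is permitted: the implicit deny at
!    the end of the list drops all other unsolicited inbound traffic.
access-list Outside-IN extended permit tcp any host 203.0.113.10 eq www

! 3. Bind the list to the outside interface in the inbound direction.
!    Only one ACL can be applied per interface per direction, so any
!    further published services are added to this same list.
access-group Outside-IN in interface outside

! 4. Verify. The static appears in the xlate table immediately; the ACL
!    hit count increments as clients connect.
show xlate
show access-list Outside-IN
show conn address 192.168.1.10

! On 7.2 and later, simulate the Internet client connecting to the
! published address; every phase (NAT, ACCESS-LIST, ...) should say ALLOW.
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
```

Return traffic for the connections the ACL permits is handled by the stateful inspection engine, so no reverse rule is needed on the inside interface. If the web server already had a dynamic translation before the static was added, `clear xlate` removes the old entries (which also tears down existing connections through the box), and `write memory` saves the result. This is the pre-8.3 syntax used by every PIX release; ASA 8.3 and later replaced `static` with object NAT, and there the outside ACL references the real (inside) address instead.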

m.volodko Mon, 10/01/2007 - 00:34

AFAIR, with ASDM it's impossible. When you try to do this you will get a message something like: "ASDM does not support this configuration".

It's true for software versions up to 7.2.

Well, just do it in the CLI.

jfgobin01 Mon, 10/01/2007 - 02:39

Hello there,

Well, like every system, it is a bit hard at first.

When you say "forward traffic on port 80", do you mean "on port 80 on the IP of the firewall"?

If so, it would be something like:

"static (inside,outside) tcp interface 80 Private-Web-IP 80 netmask 255.255.255.255" with possibly some options (max number of connections, embryonic connections, ...). And don't forget the ACL.

Have a look :


m.volodko Mon, 10/01/2007 - 05:18

I guess that you want to forward some TCP port from the outside interface to some port inside.

In this case it will be something like:

static (inside,outside) tcp ext_IP 25 int_IP 25 netmask 255.255.255.255

This example is for SMTP (port 25). Just change the IPs and ports and try it :)
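The original question was how to forward port 80 to the web server, which is the static PAT (port redirection) form that both jfgobin01 and m.volodko describe. The following is an added example, not taken from either post, showing the two variants side by side: redirecting a port on the outside interface's own address (the case where there is only one public IP, as on a typical Netgear or Linksys box) and redirecting a port on a separate public address with a different port number on the outside. All addresses are assumptions (192.168.1.10 for the web server, 203.0.113.1 for the outside interface, 203.0.113.20 as a spare public address, 198.51.100.5 as an Internet client) and the interface names are the defaults.

```text
! Added example (not from the thread). Assumed addresses:
!   192.168.1.10  web server's real IP on the inside
!   203.0.113.1   the outside interface's own IP (variant A)
!   203.0.113.20  a spare public IP (variant B)
!   198.51.100.5  an Internet client used for the packet-tracer checks

! Variant A: single public IP. Forward TCP/80 arriving at the outside
! interface's own address to the web server. Argument order is
!   tcp <mapped_ip | interface> <mapped_port> <real_ip> <real_port>
! Only this one port is exposed; the server's other ports stay hidden,
! unlike a one-to-one static, which publishes the whole host.
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

! The ACL must match the interface address, so it uses the keyword
! "interface outside" rather than "host <ip>" for this variant.
access-list Outside-IN extended permit tcp any interface outside eq www

! Variant B: dedicated public IP, with the published port (8080) different
! from the real port (80). The ACL filters on the MAPPED port, 8080.
! The trailing "tcp 500 100" caps concurrent connections at 500 and
! half-open (embryonic) connections at 100, so a single source cannot
! exhaust the connection table of this one server.
static (inside,outside) tcp 203.0.113.20 8080 192.168.1.10 80 netmask 255.255.255.255 tcp 500 100
access-list Outside-IN extended permit tcp any host 203.0.113.20 eq 8080

! Apply the list once; both statics are covered by it.
access-group Outside-IN in interface outside

! Verify: static PAT entries show the port pair in the xlate table, and
! packet-tracer (7.2 and later) walks a packet through the NAT and ACL
! phases for each variant.
show xlate
show access-list Outside-IN
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.1 80
packet-tracer input outside tcp 198.51.100.5 40001 203.0.113.20 8080
```

If the inside network also has a dynamic `nat`/`global` pair, the static PAT entries take precedence only for the listed ports; everything else the server sends out still uses the dynamic translation. As with the one-to-one static, this is the pre-8.3 syntax valid on every PIX release and on ASA up to 8.2; ASA 8.3 and later use object NAT and the outside ACL then references the real address and real port.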

