PIX 7.2/8.0 port redirect problem

Oct 22nd, 2007

Dear Sir,

I have a PIX configured to allow internal users to access the internet, and to allow external users to access internal FTP, HTTP and email.

The problem is that external users cannot access HTTP and FTP, and mail cannot be received from outside.

This is my configuration:

hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address ********
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
no ftp mode passive
access-list access-in extended permit tcp any any eq ftp
access-list access-in extended permit icmp any any
access-list access-in extended permit tcp any any eq 3389
access-list access-in extended permit tcp any any eq smtp
access-list access-in extended permit tcp any any eq http
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0
static (inside,outside) tcp ***** ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp **** http 192.168.1.2 http netmask 255.255.255.255
static (inside,outside) tcp **** smtp 192.168.1.2 smtp netmask 255.255.255.255
access-group access-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map global_poliy
 class inspection_default
!
service-policy global_policy global
prompt hostname context


acomiskey Mon, 10/22/2007 - 04:45

Try this if the public address you are using is also the outside interface address...


static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.2 http netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
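
The condition named in the reply above can be checked mechanically. This is an added example, not code from the thread or from Cisco: a short Python audit that flags static PAT lines whose mapped address is typed literally although it equals the interface's own IP, and, going one step beyond the reply, static PAT ports with no matching permit in the ACL bound to that interface. The sample config, the documentation address 203.0.113.10 (standing in for the masked public address) and the function names are constructed for illustration.

```python
import re

# Constructed sample: 203.0.113.10 is a documentation address standing in for
# the masked public address in the post.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 203.0.113.10 255.255.255.0
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list access-in extended permit tcp any any eq ftp
access-list access-in extended permit tcp any any eq smtp
static (inside,outside) tcp 203.0.113.10 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 http 192.168.1.2 http netmask 255.255.255.255
access-group access-in in interface outside
"""

# Captures: mapped interface, protocol, mapped address, mapped port.
STATIC_RE = re.compile(
    r"^static \([^,\s]+,([^)\s]+)\) (tcp|udp) (\S+) (\S+) \S+ \S+", re.M)

def interface_addresses(config):
    """Map each nameif to its IP address by walking the interface blocks."""
    addrs, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addrs[name] = line.split()[2]
    return addrs

def audit_static_pat(config):
    """Return (mapped_port, finding) pairs for static PAT lines needing attention."""
    addrs = interface_addresses(config)
    # ACLs bound inbound to an interface, e.g. {"outside": "access-in"}.
    bound = {i: a for a, i in
             re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)}
    findings = []
    for mapped_if, proto, mapped_ip, port in STATIC_RE.findall(config):
        # Mapped address typed literally although it is the interface's own IP.
        if mapped_ip != "interface" and mapped_ip == addrs.get(mapped_if):
            findings.append((port, "use-interface-keyword"))
        # Only the simple 'permit <proto> any any eq <port>' ACE shape is recognised.
        ace = (rf"^access-list {re.escape(bound.get(mapped_if, ''))} extended "
               rf"permit {proto} any any eq {re.escape(port)}$")
        if not re.search(ace, config, re.M):
            findings.append((port, "no-inbound-permit"))
    return findings
```

Calling `audit_static_pat(SAMPLE_CONFIG)` reports the ftp and http entries for the literal address and the http entry for the missing permit; the smtp entry, which already uses `interface`, passes.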

