PIX 7.2/8.0 port redirect problem

Unanswered Question
Oct 22nd, 2007

Dear Sir,

I have a PIX configured to allow internal users to access the internet, and to allow external users to access internal FTP, HTTP and email.

The problem is that external users cannot access HTTP and FTP, and mail cannot be received from outside.

This is my configuration:

hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address ********
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
no ftp mode passive
access-list access-in extended permit tcp any any eq ftp
access-list access-in extended permit icmp any any
access-list access-in extended permit tcp any any eq 3389
access-list access-in extended permit tcp any any eq smtp
access-list access-in extended permit tcp any any eq http
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0
static (inside,outside) tcp ***** ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp **** http 192.168.1.2 http netmask 255.255.255.255
static (inside,outside) tcp **** smtp 192.168.1.2 smtp netmask 255.255.255.255
access-group access-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map global_poliy
 class inspection_default
!
service-policy global_policy global
prompt hostname context

acomiskey Mon, 10/22/2007 - 04:45

Try this if the public address you are using is also the outside interface address...

static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.2 http netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
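Added example, not part of this thread and not a Cisco tool: a small Python audit that reads a PIX 7.x/8.0-style running config like the one in the question and flags the conditions discussed here: a port static whose mapped address is the outside interface's own IP (the case where the reply above says to use the `interface` keyword), a static with no inbound permit on the ACL applied to the mapped interface, and a permit (such as the `eq 3389` line in the question) with no static behind it. The embedded config, the `203.0.113.10` address standing in for the masked public IP, and the finding codes are all constructed for the example; the `interface`-keyword rule it encodes is the reply's suggestion for that case, not a statement about every PIX release.

```python
import re

PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443}  # as PIX prints them

# Constructed sample modelled on the config in the question; 203.0.113.10
# (TEST-NET-3) stands in for the masked public/outside address.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 203.0.113.10 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list access-in extended permit tcp any any eq ftp
access-list access-in extended permit icmp any any
access-list access-in extended permit tcp any any eq 3389
access-list access-in extended permit tcp any any eq smtp
access-list access-in extended permit tcp any any eq http
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0
static (inside,outside) tcp 203.0.113.10 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 http 192.168.1.2 http netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 smtp 192.168.1.2 smtp netmask 255.255.255.255
access-group access-in in interface outside
"""

STATIC_RE = re.compile(r"^static \(\S+,(?P<mapped_if>[^)]+)\) tcp (?P<mapped>\S+) "
                       r"(?P<mport>\S+) \S+ \S+ netmask")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit tcp (?P<addrs>.+) eq (?P<port>\S+)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifname>\S+)$")

def port_number(token):
    """Turn a PIX port token ('ftp', '3389') into an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def _addr(tokens, i):
    """Consume one ACL address spec (any | host X | net mask) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2

def parse_config(text):
    """Collect interface IPs, TCP port statics, TCP permits and access-groups."""
    cfg = {"if_ip": {}, "statics": [], "permits": {}, "groups": {}}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # start of a new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            cfg["if_ip"][nameif] = line.split()[2]
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"mapped_if": m["mapped_if"], "mapped": m["mapped"],
                                   "mport": port_number(m["mport"]), "line": line})
        elif m := ACL_RE.match(line):
            tokens = m["addrs"].split()
            _, i = _addr(tokens, 0)  # source address, not needed here
            dst, _ = _addr(tokens, i)
            cfg["permits"].setdefault(m["name"], []).append(
                {"dst": dst, "port": port_number(m["port"]), "line": line})
        elif m := GROUP_RE.match(line):
            cfg["groups"][m["ifname"]] = m["name"]
    return cfg

def audit(text):
    """Return (code, config_line) findings for the port-redirect setup."""
    cfg = parse_config(text)
    findings = []
    for s in cfg["statics"]:
        if_ip = cfg["if_ip"].get(s["mapped_if"])
        # The reply's point: mapping the interface's own IP needs the 'interface' keyword.
        if s["mapped"] == if_ip:
            findings.append(("MAPPED_IS_INTERFACE_IP", s["line"]))
        mapped_addr = if_ip if s["mapped"] == "interface" else s["mapped"]
        rules = cfg["permits"].get(cfg["groups"].get(s["mapped_if"]), [])
        if not any(r["port"] == s["mport"] and r["dst"] in ("any", mapped_addr)
                   for r in rules):  # inbound ACL must permit the mapped port
            findings.append(("STATIC_NOT_PERMITTED", s["line"]))
    for ifname, acl in cfg["groups"].items():
        mapped_ports = {s["mport"] for s in cfg["statics"] if s["mapped_if"] == ifname}
        for r in cfg["permits"].get(acl, []):
            if r["port"] not in mapped_ports:  # permit with no translation behind it
                findings.append(("PERMIT_WITHOUT_STATIC", r["line"]))
            elif r["dst"] == "any":  # works, but 'host <mapped>' is the tighter destination
                findings.append(("PERMIT_ANY_DST", r["line"]))
    return findings

def fix_config(text):
    """Rewrite statics that map an interface's own IP into the 'interface' form."""
    if_ip = parse_config(text)["if_ip"]
    def fix(line):
        m = STATIC_RE.match(line.strip())
        if m and m["mapped"] == if_ip.get(m["mapped_if"]):
            return line.replace(f" tcp {m['mapped']} ", " tcp interface ", 1)
        return line
    return "\n".join(fix(l) for l in text.splitlines()) + "\n"
```

Running `audit(SAMPLE_CONFIG)` reports the three statics as mapping the outside interface's own address, the `eq 3389` permit as having no static behind it, and the three `any any` permits as candidates for a `host` destination; `fix_config(SAMPLE_CONFIG)` produces the `interface`-keyword statics the reply suggests, after which the first finding disappears. The `PERMIT_WITHOUT_STATIC` and `PERMIT_ANY_DST` findings are defensive hygiene rather than the cause of the reported outage.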
