PIX 501 Port Forward

Unanswered Question
Oct 24th, 2007

Hello all,

I am having a problem with port forwarding on my 501. This is what I have entered:

static (inside,outside) tcp interface https 172.17.x.x https netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq https
access-group acl_outside in interface outside

I am running 6.3(5).

The firewall is basically at factory defaults. I have configured 1 ezvpn, and it is essentially the only use of this firewall, so I don't think that will cause a problem, but who knows.

Here is my running config.

PIX501# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX501
domain-name ----
clock timezone MST -7
clock summer-time MDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_outside permit tcp any interface outside eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x 255.255.255.240
ip address inside 172.17.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.17.x.x 255.255.255.255 inside
pdm location 172.17.x.x 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https 172.17.x.x https netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 209.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 129.6.15.28 source outside prefer
http server enable
http 172.17.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.17.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 216.x.x.x
vpnclient mode client-mode
vpnclient vpngroup ---- password ********
vpnclient username ---- password ********
vpnclient enable
terminal width 80
Cryptochecksum:********
: end

Thanks a million.

Patrick Iseli Wed, 10/24/2007 - 10:14

The configuration is good. This is not the problem.

1.) Does your webserver have the PIX IP as its default gateway?

2.) What do you see in the logs when you try to connect from the outside?

# shows log from the PIX buffer
show log

# enables logging to the buffer
logg on
logg buff info

3.) Have you cleared the translation table after changing the static?

clear xlate

Note that this will reset all connections.

Sincerely,

Patrick
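
The reply judges the configuration good because three statements agree: the static PAT on the outside interface, an ACL permit for the same protocol and port, and an access-group binding that ACL inbound on that interface. The Python check below is an added example, not part of the original thread; the function name `check_port_forwards`, the partial port-name map and the sample strings are assumptions made for it.

```python
import re

# Partial map of PIX literal port names to numbers (assumption: enough for this example).
PORT_NAMES = {"https": "443", "www": "80", "smtp": "25", "ftp": "21"}

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any interface (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def port(p):
    """Normalise a literal port name (https) to its number (443)."""
    return PORT_NAMES.get(p, p)

def check_port_forwards(config_text):
    """Return one (proto, port, status) finding per interface static PAT."""
    statics, permits, bound = [], set(), {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _, outside_if, proto, gport, _, _ = m.groups()
            statics.append((outside_if, proto, port(gport)))
        elif m := ACL_RE.match(line):
            acl, proto, ifc, dport = m.groups()
            permits.add((acl, ifc, proto, port(dport)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    findings = []
    for outside_if, proto, gport in statics:
        acl = bound.get(outside_if)
        if acl is None:
            status = "no access-group bound inbound on " + outside_if
        elif (acl, outside_if, proto, gport) not in permits:
            status = "ACL %s has no matching permit" % acl
        else:
            status = "ok"
        findings.append((proto, gport, status))
    return findings

# Constructed samples: GOOD is the three lines from the post, UNBOUND drops the binding.
GOOD = """static (inside,outside) tcp interface https 172.17.x.x https netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq https
access-group acl_outside in interface outside"""
UNBOUND = "\n".join(GOOD.splitlines()[:2])

if __name__ == "__main__":
    print(check_port_forwards(GOOD), check_port_forwards(UNBOUND))
```

The check only recognises permits written as `any` to `interface <name> eq <port>`, as in the post; broader permit forms would need additional patterns.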


Posted October 24, 2007 at 8:43 AM