Port forwarding on Pix 515E

Unanswered Question
Sep 22nd, 2010
User Badges:

Port forwarding on Pix 515E

Hi

What I am trying to accomplish is to forward port 80 and port 443 to allow a Microsoft Small Business Server to access Remote Web Workplace.

Thank you for your help

Here is my config

PIX(config)# show run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password XJX9T/MNG54uoaTm encrypted

passwd XJX9T/MNG54uoaTm encrypted

hostname PIX

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit tcp any host 10.0.1.103 eq https

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside dhcp setroute

ip address inside 10.0.1.2 255.255.255.0

ip address dmz 172.16.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.100.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.0.1.0 255.255.255.0 inside

telnet 10.0.1.0 255.255.255.0 dmz

telnet timeout 3

ssh timeout 5

console timeout 0

dhcpd address 10.0.1.100-10.0.1.125 inside

dhcpd address 172.16.2.2-172.16.2.20 dmz

dhcpd dns 205.171.3.25 192.168.100.1

dhcpd wins 209.165.201.5

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain sbssrv.com

dhcpd enable inside

dhcpd enable dmz

terminal width 80

banner login Enter your password to log in

Cryptochecksum:3a32247b0d6dd90b125f3873d0e30902

: end

networ setup DSL Router>PIX>DMZ>Server

IP Address

dhcpd address 172.16.2.2-172.16.2.20 dmz

DSL Router



174.21.215.27

Server 172.16.2.2 255.255.255.0


thanks again

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Nagaraja Thanthry Wed, 09/22/2010 - 19:43
User Badges:
  • Cisco Employee,

Hello,


Please try the following:


static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

static (inside,outside) tcp interface 443 443 netmask 255.255.255.255


no access-list outside_access_in permit tcp any host 10.0.1.103 eq https

access-list outside_access_in permit tcp any interface outside eq https

access-list outside_access_in permit tcp any interface outside eq 80


Hope this helps.


Regards,


NT

Mark Bracking Thu, 09/23/2010 - 10:32
User Badges:

This is the error message that I receive.


Remote Web Access to your server is blocked


Some routers may not work properly with your server. Visit the support Web site for your router manufacturer and ensure that your router has the most recent firmware.


Some internet providers (ISP) block ports 80 and 443 to prevent customers from remotely accessing services that are hosted on their networks. For more information, contact your ISP.


UPnP is not enabled on the router.


I tried the suggestions and they did not work. Does anyone of any other suggestions?


Thank you

Mark

Allen P Chen Thu, 09/23/2010 - 10:43
User Badges:
  • Cisco Employee,

Hello,


Based on the IP address of the SBS (172.16.2.2), it resides behind the DMZ interface, correct?  The static statements need to be changed as follows:


no static (inside,outside) tcp interface 80 172.16.2.2 80 netmask 255.255.255.255

no static (inside,outside) tcp interface 443 172.16.2.2 443 netmask 255.255.255.255


static (dmz,outside) tcp interface 80 172.16.2.2 80 netmask 255.255.255.255

static (dmz,outside) tcp interface 443 172.16.2.2 443 netmask 255.255.255.255


You can leave the ACL as follows, which is correct:


access-list outside_access_in permit tcp any interface outside eq https

access-list outside_access_in permit tcp any interface outside eq 80


Please give that a try, thanks.

Actions

This Discussion

Related Content