New Member

Can't get port 80 forwarding working on 515E

Hi,

I can't get port forwarding working into a PIX515E.

This is what I have done and port 80 doesn't open.

name 203.144.238.79 WEBSVR

static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0

access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http

access-list outside_access_in permit tcp any host 192.168.10.17 eq http

I can telnet to the DMZ addresses on port 80 from the src of the internal Pix range from an upstream router.

Am I forgetting something?

Please help!

9 REPLIES
Cisco Employee

Re: Can't get port 80 forwarding working on 515E

Please put in the following commands:

no access-list outside_access_in permit tcp any host 192.168.10.17 eq http

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

cl xlate

From the outside, the traffic will come with the dest. IP address as the public IP. In the existing access-list it's the private IP address; that's why it's not working.

Please do the changes and let us know if it works or not.

Regards,

Sushil
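
As an added example (not part of the original thread and not Cisco tooling), this Python sketch lints a PIX configuration for the mismatch described in the reply above: an ACL bound to the mapped interface that permits traffic to a static's local address instead of its global one. The function name `lint_static_acls` and the regexes are hypothetical, and only the simple `permit <proto> <any|host A> host <dest>` ACL form is parsed.

```python
import re

# Constructed sample: the first configuration posted in this thread, with the
# access-group line from a later reply added.
SAMPLE_CONFIG = """\
name 203.144.238.79 WEBSVR
static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0
access-list PublicDMZ_access_in permit tcp host 192.168.10.17 any eq http
access-list outside_access_in permit tcp any host 192.168.10.17 eq http
access-group outside_access_in in interface outside
"""

NAME_RE = re.compile(r"name (\S+) (\S+)")
# static (real_if,mapped_if) [tcp|udp] global [port] local [port] ...
STATIC_RE = re.compile(r"static \((\S+?),(\S+?)\)\s*"
                       r"(?:(?:tcp|udp) (\S+) \S+ (\S+) \S+|(\S+) (\S+))")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")
# Assumption: only "permit <proto> <any|host A> host <dest>" entries are checked.
ACL_RE = re.compile(r"access-list (\S+) permit \S+ (?:any|host \S+) host (\S+)")


def lint_static_acls(config):
    """Flag inbound ACL entries whose destination is a static's local address."""
    names, statics, bound, acls = {}, [], {}, []
    for line in map(str.strip, config.splitlines()):
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)           # name -> IP
        elif m := STATIC_RE.match(line):
            glob, local = m.group(3, 4) if m.group(3) else m.group(5, 6)
            statics.append((m.group(2), glob, local))
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)           # ACL name -> interface
        elif m := ACL_RE.match(line):
            acls.append((m.group(1), m.group(2), line))
    findings = []
    for acl, dest, line in acls:
        dest = names.get(dest, dest)                 # resolve "name" aliases
        for mapped_if, glob, local in statics:
            glob, local = names.get(glob, glob), names.get(local, local)
            if bound.get(acl) == mapped_if and dest == local:
                findings.append((line, f"use global address {glob}, not local {local}"))
    return findings


if __name__ == "__main__":
    for line, advice in lint_static_acls(SAMPLE_CONFIG):
        print(f"{line}\n  -> {advice}")
```

Lines beginning with `no` are ignored, so the check reflects only the entries that remain configured.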

Green

Re: Can't get port 80 forwarding working on 515E

Don't forget to apply the ACL:

access-group outside_access_in in interface outside

New Member

Re: Can't get port 80 forwarding working on 515E

I have done that :)

New Member

Re: Can't get port 80 forwarding working on 515E

I tried what was suggested before and I have done the following, and it still isn't working.

name 203.144.238.79 WEBSVR

no static (PublicDMZ,outside) 203.144.238.79 192.168.10.17 netmask 255.255.255.255 0 0

static (PublicDMZ,outside)tcp 203.144.238.79 www 192.168.10.17 www netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

There is an entry in the sh xlate table as:

Global WEBSVR Local 192.168.10.17

Do I need to route the public range via the outside interface?

John

Green

Re: Can't get port 80 forwarding working on 515E

Is 203.144.238.79 also your outside interface address?

New Member

Re: Can't get port 80 forwarding working on 515E

ip address 203.144.238.70 255.255.255.0 is my WAN IP.

Re: Can't get port 80 forwarding working on 515E

It's unclear how your network is set up. Is your setup something like this?

Internet --- Router --- PIX --- PublicDMZ

If the WAN IP on the outside router is 203.144.238.70, then does it know how to route to 203.144.238.79? If it doesn't, then you can add a static host route, /32 bit mask, to forward the traffic to the firewall.

If the setup is different or I misunderstood any part of your configuration, then clarify that; posting the configuration would help.

HTH

Sundar

Cisco Employee

Re: Can't get port 80 forwarding working on 515E

Hi John,

Do you still have an access-group applied on the PublicDMZ interface?

Remove it and then try.

If it works, then add the following entry in the ACL:

access-list PublicDMZ_access_in permit tcp host 192.168.10.17 eq 80 any

And then reapply the access-group.

*Please rate if it helped.

-Kanishka

New Member

Re: Can't get port 80 forwarding working on 515E

Hi,

This is all fixed now. Thanks for all your replies.

I did the following:

static (PublicDMZ,outside) tcp 203.144.238.79 http 192.168.10.16 http netmask 255.255.255.255 0 0

access-list PublicDMZ_access_in permit tcp host 192.168.10.16 any eq http

access-list outside_access_in permit tcp any host 203.144.238.79 eq http

route outside 203.144.238.79 255.255.255.224 203.144.238.68 1

The 203.144.238.68 being the upstream router back to our network.
