Cisco PIX501 inbound deny

cliffjacobson
Level 1

I'm trying to translate port 8080 on the external interface to port 80 on the host and ran the following commands. h.h.h.h is the host I want to have http traffic go to and y.y.y.y is the static outside address of the PIX. The first command is from the PDM; the second is a best guess at using the CLI to make it work.

-----------------------------------

name h.h.h.h webserver

pdm location h.h.h.h 255.255.255.255 inside

static (inside,outside) h.h.h.h h.h.h.h netmask 255.255.255.255 0 0

access-list inbound_web permit tcp any host webserver eq 8080

static (inside,outside) tcp y.y.y.y 8080 h.h.h.h 80 netmask 255.255.255.255

access-group inbound_web in interface outside

wr mem

clear xlate

-----------------------------------

Here's what the log shows:

106023: Deny tcp src outside:68.155.176.163/2817 dst inside:y.y.y.y/8080 by access-group "inbound_web"

-----------------------------------

Now, is the log entry telling me something when there is the word "inside" next to the external IP address?

Thanks in advance!

4 Replies

fzamora
Cisco Employee

Hi,

If your webserver is h.h.h.h, your ACL is wrong.

You are not allowing traffic to the public IP address (y.y.y.y)

Please check below:

h.h.h.h = webserver internal IP address

y.y.y.y = webserver public IP address

Now you want to redirect incoming traffic over port 8080 from the outside to go to the internal host over port 80

static (inside,outside) tcp y.y.y.y 8080 h.h.h.h 80 netmask 255.255.255.255

Now the ACL

access-list inbound permit tcp any host y.y.y.y eq 8080

access-group inbound in interface outside

Hope it helps,

Franco Zamora

Worked great, thanks!

Hi,

I'm happy to hear that! Please remember to rate my post!

Have a nice day!

Franco Zamora

jgervia_2
Level 1

Hello,

Your access list isn't correct.

If h.h.h.h is an internal IP address, and y.y.y.y is an external IP address, the packet that hits the ACL will be destined for y.y.y.y. (ACL is checked before NAT occurs)

You have the name 'webserver' set up to be h.h.h.h. Change it to be y.y.y.y (if you're not using that name elsewhere) and it should fix itself.

--Jason

Please rate this message if it helped solve some or all of your issue.
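Both replies come down to one rule: on PIX 6.x the ACL bound inbound on the outside interface is evaluated before the static translation is undone, so an ACE has to permit the translated (public) address and port, not the inside host. The script below is an added example, not code from this thread or from Cisco: it parses the `name`, `static`, `access-list` and `access-group` lines of a small PIX 6.x-style config and reports any static port forward whose public address/port is not permitted by the bound ACL, flagging in particular an ACE that points at the inside (real) address as the poster's did. It also parses a 106023 deny line so the two can be compared. The configuration and log line it runs on are constructed, with documentation-range addresses standing in for h.h.h.h and y.y.y.y; the port-name table is a small assumed subset.

```python
"""Lint for PIX 6.x static port-forwards versus the inbound ACL on 'outside'.

Added example, not code from the thread or from Cisco. It encodes the rule
both replies rely on: the ACL on the outside interface is evaluated before
the static translation is undone, so an ACE must permit the translated
(public) address and port, not the inside host.
"""
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # small subset (assumption)

# Constructed sample: the poster's config with documentation-range addresses
# standing in for h.h.h.h (inside host) and y.y.y.y (PIX public address).
BROKEN_CONFIG = """\
name 192.0.2.10 webserver
static (inside,outside) tcp 198.51.100.5 8080 192.0.2.10 80 netmask 255.255.255.255 0 0
access-list inbound_web permit tcp any host webserver eq 8080
access-group inbound_web in interface outside
"""
# The same config with the ACE pointed at the public address, as in the reply.
FIXED_CONFIG = BROKEN_CONFIG.replace("host webserver", "host 198.51.100.5")

# Constructed log line in the 106023 format quoted in the question.
SAMPLE_LOG = ('106023: Deny tcp src outside:203.0.113.7/2817 '
              'dst inside:198.51.100.5/8080 by access-group "inbound_web"')

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (?:any|host \S+) (any|host \S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
DENY_RE = re.compile(r'106023: Deny (\w+) src \w+:(\S+)/(\d+) dst (\w+):(\S+)/(\d+) by access-group "([^"]+)"')


@dataclass
class Static:  # static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass
class Ace:
    acl: str
    proto: str
    dst: str             # "any", an address, or a 'name' alias
    port: Optional[int]  # None when the ACE has no 'eq'


def port_of(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse(config: str):
    names, statics, aces, groups = {}, [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m[2]] = m[1]                      # alias -> address
        elif m := STATIC_RE.match(line):
            statics.append(Static(m[1], m[2], m[3], m[4], port_of(m[5]), m[6], port_of(m[7])))
        elif m := ACE_RE.match(line):
            aces.append(Ace(m[1], m[2], m[3].split()[-1], port_of(m[4]) if m[4] else None))
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]                     # interface -> ACL bound inbound
    return names, statics, aces, groups


def lint(config: str) -> list:
    """Return one finding per mismatch between static PAT entries and the bound ACL."""
    names, statics, aces, groups = parse(config)
    addr = lambda tok: names.get(tok, tok)          # resolve 'name' aliases
    findings = []
    for s in statics:
        acl = groups.get(s.mapped_if)
        if acl is None:
            findings.append(f"no access-group bound inbound on {s.mapped_if}")
            continue
        bound = [a for a in aces if a.acl == acl and a.proto == s.proto]
        # An ACE aimed at the inside (real) address never matches on PIX 6.x,
        # because the ACL sees the packet before the static is undone.
        for a in bound:
            if addr(a.dst) == s.real_ip:
                findings.append(f"{acl}: 'host {a.dst}' is the inside address {s.real_ip}; "
                                f"the outside ACL sees {s.mapped_ip}")
        permitted = any(a.dst == "any" or addr(a.dst) == s.mapped_ip
                        for a in bound if a.port in (None, s.mapped_port))
        if not permitted:
            findings.append(f"{acl}: nothing permits {s.proto} {s.mapped_ip}/{s.mapped_port}")
    return findings


def parse_deny(line: str) -> Optional[dict]:
    """Pull the fields out of a 106023 deny; 'dst' is the address the ACL matched on."""
    m = DENY_RE.match(line)
    if not m:
        return None
    return {"proto": m[1], "src": m[2], "sport": int(m[3]), "dst_if": m[4],
            "dst": m[5], "dport": int(m[6]), "acl": m[7]}


if __name__ == "__main__":
    for f in lint(BROKEN_CONFIG):
        print("BROKEN:", f)
    print("FIXED:", lint(FIXED_CONFIG) or "no findings")
    print(parse_deny(SAMPLE_LOG))
```

Run against the poster's configuration the lint produces two findings (the ACE names the inside address, and nothing permits the public address on 8080); against the corrected ACE from the reply it produces none. Note that the 106023 line the poster quoted already shows the deny happening on the public address (y.y.y.y/8080): the `inside:` in front of it is the interface the destination sits behind, not a claim that y.y.y.y is an inside address. This check is specific to PIX 6.x and ASA releases before 8.3; from 8.3 onward ACLs match on real (untranslated) addresses and the poster's original ACE would have been the right one.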
