Cisco Support Community

New Member

Cisco PIX501 inbound deny

I'm trying to translate port 8080 on the external interface to port 80 on the host and ran the following commands. h.h.h.h is the host I want to have HTTP traffic go to and y.y.y.y is the static outside address of the PIX. The first command is from the PDM; the second is a best guess at using the CLI to make it work.

-----------------------------------

name h.h.h.h webserver

pdm location h.h.h.h 255.255.255.255 inside

static (inside,outside) h.h.h.h h.h.h.h netmask 255.255.255.255 0 0

access-list inbound_web permit tcp any host webserver eq 8080

static (inside,outside) tcp y.y.y.y 8080 h.h.h.h 80 netmask 255.255.255.255

access-group inbound_web in interface outside

wr mem

clear xlate

-----------------------------------

Here's what the log shows:

106023: Deny tcp src outside:68.155.176.163/2817 dst inside:y.y.y.y/8080 by access-group "inbound_web"

-----------------------------------

Now, is the log entry telling me something when there is the word "inside" next to the external IP address?

Thanks in advance!

4 REPLIES
Cisco Employee

Re: Cisco PIX501 inbound deny

Hi,

If your webserver is h.h.h.h, your ACL is wrong.

You are not allowing traffic to the public IP address (y.y.y.y)

Please check below:

h.h.h.h = webserver internal IP address

y.y.y.y = webserver public IP address

Now you want to redirect incoming traffic over port 8080 from the outside to go to the internal host over port 80

static (inside,outside) tcp y.y.y.y 8080 h.h.h.h 80 netmask 255.255.255.255

Now the ACL

access-list inbound permit tcp any host y.y.y.y eq 8080

access-group inbound in interface outside

Hope it helps,

Franco Zamora

New Member

Re: Cisco PIX501 inbound deny

Worked great, thanks!

Cisco Employee

Re: Cisco PIX501 inbound deny

Hi,

I'm happy to hear that! Please remember to rate my post!

Have a nice day!

Franco Zamora

Bronze

Re: Cisco PIX501 inbound deny

Hello,

Your access list isn't correct.

If h.h.h.h is an internal IP address, and y.y.y.y is an external IP address, the packet that hits the ACL will be destined for y.y.y.y. (ACL is checked before NAT occurs)

You have the name 'webserver' set up to be h.h.h.h. Change it to be y.y.y.y (if you're not using that name elsewhere) and it should fix itself.

--Jason

Please rate this message if it helped solve some or all of your issue.
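Both replies rest on the same ordering rule: on the PIX, the ACL bound to the outside interface is evaluated against the packet's untranslated destination (the public address y.y.y.y), and only afterwards does the static PAT entry rewrite it to h.h.h.h:80. The following Python model is added here as an illustration and is not code from Cisco or from anyone in this thread. It walks one constructed inbound TCP packet through that order twice, once with the access-list as originally posted (host webserver, i.e. the inside address) and once with the corrected one (host y.y.y.y). The addresses are constructed documentation-range placeholders standing in for h.h.h.h and y.y.y.y, and the deny message is only modelled on the 106023 line quoted in the question.

```python
"""Toy model of PIX 6.x inbound processing on the outside interface:
ACL check on the pre-NAT destination first, static PAT rewrite second.
Illustrative only; not Cisco code, and the addresses are constructed."""

from dataclasses import dataclass
from typing import Optional

# Constructed placeholders standing in for the thread's h.h.h.h and y.y.y.y.
INSIDE_HOST = "192.0.2.10"   # h.h.h.h, the real web server
PUBLIC_IP = "198.51.100.5"   # y.y.y.y, the PIX outside address


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry: <action> <proto> any host <dst_host> [eq <port>]."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    dst_host: str          # literal address or a name from the name table
    dst_port: Optional[int]  # None means any port


@dataclass(frozen=True)
class StaticPat:
    """static (inside,outside) tcp <global_ip> <global_port> <local_ip> <local_port>"""
    proto: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


class PixModel:
    def __init__(self, names, acl, statics, acl_name):
        self.names = names        # 'name' commands: alias -> address
        self.acl = acl
        self.statics = statics
        self.acl_name = acl_name  # the name used in access-group

    def resolve(self, host):
        return self.names.get(host, host)

    def acl_verdict(self, pkt):
        """First matching entry wins; every access-list ends in an implicit deny."""
        for ace in self.acl:
            if ace.proto not in ("ip", pkt.proto):
                continue
            if self.resolve(ace.dst_host) != pkt.dst_ip:
                continue
            if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
                continue
            return ace.action
        return "deny"

    def translate(self, pkt):
        """Rewrite the global ip:port to the local ip:port if a static PAT matches."""
        for s in self.statics:
            if (s.proto, s.global_ip, s.global_port) == (pkt.proto, pkt.dst_ip, pkt.dst_port):
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, s.local_ip, s.local_port)
        return None

    def inbound(self, pkt):
        """ACL on the untranslated packet, then NAT. Returns (verdict, delivered, message)."""
        if self.acl_verdict(pkt) != "permit":
            msg = (f"106023: Deny {pkt.proto} src outside:{pkt.src_ip}/{pkt.src_port} "
                   f"dst inside:{pkt.dst_ip}/{pkt.dst_port} by access-group \"{self.acl_name}\"")
            return "deny", None, msg
        delivered = self.translate(pkt)
        if delivered is None:
            return "deny", None, "permitted by ACL but no translation group found"
        return "permit", delivered, f"translated to {delivered.dst_ip}/{delivered.dst_port}"


# Constructed client packet from a documentation-range address.
CLIENT_PKT = Packet("tcp", "203.0.113.7", 2817, PUBLIC_IP, 8080)
STATICS = [StaticPat("tcp", PUBLIC_IP, 8080, INSIDE_HOST, 80)]


def run_as_posted():
    """ACL as in the question: 'host webserver' resolves to the inside address."""
    pix = PixModel({"webserver": INSIDE_HOST},
                   [Ace("permit", "tcp", "webserver", 8080)], STATICS, "inbound_web")
    return pix.inbound(CLIENT_PKT)


def run_corrected():
    """ACL as in the replies: permit to the public address y.y.y.y on 8080."""
    pix = PixModel({}, [Ace("permit", "tcp", PUBLIC_IP, 8080)], STATICS, "inbound")
    return pix.inbound(CLIENT_PKT)


def run_corrected_wrong_port():
    """Same corrected ACL, but the client aims at port 80 on the public address."""
    pix = PixModel({}, [Ace("permit", "tcp", PUBLIC_IP, 8080)], STATICS, "inbound")
    return pix.inbound(Packet("tcp", "203.0.113.7", 2818, PUBLIC_IP, 80))


if __name__ == "__main__":
    for label, fn in (("as posted", run_as_posted), ("corrected", run_corrected)):
        print(label, *fn())
```

The first run reproduces the shape of the logged 106023 deny: the ACL never matches because it names the inside host while the packet still carries the public destination. Renaming `webserver` to y.y.y.y, as Jason suggests, or writing the public address directly, as Franco does, makes the entry match, after which the static PAT delivers the packet to the inside host on port 80. The third case shows the redirection is port-specific: the corrected ACL still drops a client that targets the public address on port 80 itself.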
