A PIX port redirection question

xbw
Level 1

I have only one public IP address. It was used by the outside interface. How can I allow an outside host to access the internal web server?

itchampnz
Level 1

Hi, you have 2 options.

If you can use that public IP for just the web server and nothing else, then a standard static would do.

However, if you want to prepare for expansion later, you would need to utilise port forwarding, so you would set it up to forward any port 80 traffic to the privately addressed inside IP address. This is by far the recommended way.

See here for details.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

jackko
Level 7

One way is to configure port forwarding on the PIX.

e.g.

static (inside,outside) tcp 80 80 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host eq 80

access-group 100 in interface outside

clear xlate

The last command, "clear xlate", is used to force the PIX to refresh the existing address translation, so that the new static statement will be kicked off.

As per Jack Ko's post, you could also use the keyword "interface" on your static, i.e. if you only have one public IP and this IP is being used for the PIX outside interface:

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255 0 0

-or-

For SMTP access:

access-list 100 permit tcp any host eq smtp

access-group 100 in interface outside

static (inside,outside) tcp interface smtp smtp netmask 255.255.255.255 0 0

Again, save with: write mem and also issue: clear xlate

Hope this helps,

Jay
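
An added example, not part of any post in this thread: a Python check that reads a PIX configuration in the style of the commands above and reports static port redirects that the ACL bound to the outside interface never permits, along with permits that have no redirect behind them. The `audit` function, the sample configuration and its addresses (192.168.1.x, 203.0.113.5) are constructed for illustration.

```python
import re

# Port names as PIX prints them; extend for other services.
PORT_NAMES = {"www": 80, "smtp": 25, "https": 443}
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

# Constructed sample: 192.168.1.x and 203.0.113.5 are placeholder addresses.
SAMPLE = """
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 203.0.113.5 eq 80
access-list 100 permit tcp any host 203.0.113.5 eq 443
access-group 100 in interface outside
"""

def port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def audit(config):
    """Compare static TCP redirects with the ACL applied inbound on outside.
    Only ports are compared; destination addresses are not checked."""
    forwards, permits, bound = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            _, pub_port, host, host_port = m.groups()
            forwards[port(pub_port)] = (host, port(host_port))
        elif m := ACL_RE.match(line):
            dest = m.group(2).split()
            # A permit without "eq <port>" opens every TCP port.
            p = port(dest[dest.index("eq") + 1]) if "eq" in dest else None
            permits.setdefault(m.group(1), []).append(p)
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    allowed = permits.get(bound, [])
    any_port = None in allowed
    return {
        # Redirect exists but the bound ACL never permits it: unreachable.
        "blocked": sorted(p for p in forwards if not any_port and p not in allowed),
        # Permit exists with no redirect behind it: stale rule to remove.
        "unused": sorted(p for p in allowed if p is not None and p not in forwards),
        "any_port": any_port,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the SMTP redirect is reported as blocked because only ports 80 and 443 are permitted, and 443 is reported as unused because no static maps it to an inside host.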

I've been trying to do a similar port forward; however, I have been unsuccessful. My outside address is obtained from my ISP's DHCP and is not static. This is from a cable modem connection, residential service.

I'm trying to effectively do what standard home retail routers like Linksys or any others do.

Is this possible over a DHCP'd single address service?

TIA,

Bob
