Basic setup problem - please help!

Hello,

I am setting up my first PIX firewall, in a test network right now, and it is supposed to go into production in a few days.

I am trying to open up some ports for an inside server, doing everything "by the book" (Cisco e-learning, to be exact) but I've had no success with that. Basically I am trying to map an inside server (192.168.254.199) to an outside IP (xxx.115.215.1) which is assigned to the outside interface. The type of traffic that should be passed to the inside server is remote desktop and HTTP. (Other users are PATed to xxx.115.215.2) So I tried to use static/conduit pairs, as per the e-learning stuff...

static (inside, outside) xxx.115.215.1 192.168.254.199

conduit permit tcp host xxx.115.215.1 eq www any

conduit permit tcp host xxx.115.215.1 eq 3389 any

After I type this, I cannot access the internet from the server, or ping to the outside... and of course cannot access remote desktop/web server from the outside either, which is the main goal.

Here is the config:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pix

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside xxx.115.215.1 255.255.255.0

ip address inside 192.168.254.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 xxx.115.215.2

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 xxx.115.215.125 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.254.100-192.168.254.150 inside

dhcpd dns 192.168.254.199 199.185.225.10

dhcpd wins 192.168.254.199

dhcpd lease 28800

dhcpd ping_timeout 750

dhcpd domain test.local

dhcpd enable inside

terminal width 80

Cryptochecksum:xxx

: end

pix#

I am sure the problem is something simple, as I am just a beginner...

Your help will be GREATLY appreciated!

Thanks in advance

Re: Basic setup problem - please help!

For accessing the internal server from the internet you need to use port forwarding. Please use the commands below.

static (inside,outside) tcp interface 3389 192.168.254.199 3389 netmask 255.255.255.255

For remote desktop.

static (inside,outside) tcp interface 80 192.168.254.199 80 netmask 255.255.255.255

For HTTP.

I suggest you NOT use conduit but use access-list instead, so ..

access-list Outside-In permit tcp any host xxx.115.215.1 eq 3389

access-list Outside-In permit tcp any host xxx.115.215.1 eq 80

Apply the access list to the outside interface:

access-group Outside-In in interface outside

The PAT seems OK .. I hope it helps ... please rate it if it does !!!
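The check below is an added example, not part of the reply above or of any Cisco tool: a small Python lint that flags the patterns discussed in this thread (conduit statements, a one-to-one static on the outside interface's own address, and a port-forward static with no permit in an ACL bound to the outside interface). The function name `lint_pix`, the sample configs and the stand-in address 192.0.2.1 for the masked outside IP are assumptions made for the example.

```python
import re

PORT_ALIASES = {"www": "80"}  # "www" is the PIX name for port 80, as in the question

def lint_pix(config):
    """Return findings for a PIX 6.x config, following the advice in this thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Address on the outside interface: "ip address outside <ip> <mask>"
    outside_ip = next((l.split()[3] for l in lines
                       if l.startswith("ip address outside ")), None)
    # ACL names bound inbound on the outside interface
    bound = {m.group(1) for l in lines
             if (m := re.fullmatch(r"access-group (\S+) in interface outside", l))}
    # (destination, port) pairs permitted by a bound ACL
    permitted = set()
    for l in lines:
        m = re.fullmatch(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)", l)
        if m and m.group(1) in bound:
            permitted.add((m.group(2), PORT_ALIASES.get(m.group(3), m.group(3))))
    for l in lines:
        if l.startswith("conduit "):
            findings.append("conduit (use access-list instead): " + l)
        m = re.fullmatch(r"static \(inside,\s*outside\) (\S+) (\S+)", l)
        if m and m.group(1) == outside_ip:
            findings.append("one-to-one static on the interface address: " + l)
        m = re.fullmatch(r"static \(inside,\s*outside\) tcp interface (\S+) \S+ \S+"
                         r"(?: netmask \S+)?", l)
        if m and (outside_ip, PORT_ALIASES.get(m.group(1), m.group(1))) not in permitted:
            findings.append("port forward without a bound permit: " + l)
    return findings

# Constructed samples: 192.0.2.1 stands in for the masked outside address.
BEFORE = """
ip address outside 192.0.2.1 255.255.255.0
static (inside, outside) 192.0.2.1 192.168.254.199
conduit permit tcp host 192.0.2.1 eq www any
conduit permit tcp host 192.0.2.1 eq 3389 any
"""
AFTER = """
ip address outside 192.0.2.1 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.254.199 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.254.199 80 netmask 255.255.255.255
access-list Outside-In permit tcp any host 192.0.2.1 eq 3389
access-list Outside-In permit tcp any host 192.0.2.1 eq 80
access-group Outside-In in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_pix(cfg))
```

Dropping the `access-group` line from the second sample makes both port forwards show up as findings, which catches an ACL that was written but never applied.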

Re: Basic setup problem - please help!

Dear Sir,

Thanks to your kindness, here I am, posting from within my test server, accessed by RDP!

After several hours of sheer frustration, I must say your reply was precise, purposeful and right on the money!

Thanks again,

Sean

Re: Basic setup problem - please help!

great news ... I am glad it works now !!!

Please resolve the case so it shows up on the list as 'ticked' ... Cheers,
