Change default ports for https and http

brianmcatamney
Level 1
Hi,

I am trying to alter the default ports for https and http.

I have a PIX 506e (which does NOT perform NAT)

I have the following -

static (inside,outside) tcp 192.168.10.2 601 192.168.10.2 http netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.10.2 602 192.168.10.2 443 netmask 255.255.255.255 0 0

access-list acl permit tcp any 192.168.10.2 eq 601

access-list acl permit tcp any 192.168.10.2 eq 602

access-group acl in interface outside

where 601 and 602 are the ports http and https are to be redirected to respectively.

I have changed the web server accordingly.

I get the error message

'No translation group found for tcp src outside:189.x.x.x/50232 dst inside:192.x.x.x/80' (when trying to access port 80)

I also have 'fixup protocol http 601'

I did have access to the internal web server externally prior to trying to alter the default ports

Any ideas where I'm going wrong?

Cheers.

1 Accepted Solution

please excuse me for not thinking properly.

the static should be:

static (inside,outside) tcp 192.168.10.2 80 192.168.10.2 601 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.10.2 443 192.168.10.2 602 netmask 255.255.255.255 0 0

jackko
Level 7
just wondering if you have issued the command "clear xlate" in order to kick off the static statements.

you mentioned "I have changed the web server accordingly", what exactly have you modified?

Hi Jackko, You'll be getting tired of hearing from me! Thanks for all your help so far.....

Yes, I had run clear xlate.

I have configured the web server to accept http and https connections on the corresponding ports (601 and 602). I am confident that the setup on the web server is correct but the traffic doesn't even get to the web server (running network monitor).

since the webserver has been modified, the static should be:

static (inside,outside) tcp 192.168.10.2 601 192.168.10.2 601 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.10.2 602 192.168.10.2 602 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.10.2 601 192.168.10.2 http netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.10.2 602 192.168.10.2 443 netmask 255.255.255.255 0 0

with the original static above, it would work if the webserver has been modified.

e.g. with the first static, pix will forward any traffic destined for 192.168.10.2 601 to 192.168.10.2 80. now, since the webserver itself has been modified, the server would not expect/respond to port 80 anymore.

I am pretty sure I had that when I first attempted the config. I will try it again but the traffic will still be coming to the PIX on port 80/443 from external users, how would the PIX know to redirect port 80 traffic to 601 and 443 to 602?

please excuse me for not thinking properly.

the static should be:

static (inside,outside) tcp 192.168.10.2 80 192.168.10.2 601 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.10.2 443 192.168.10.2 602 netmask 255.255.255.255 0 0

Thanks once again....that did the trick!

I'll get the hang of these Pix sooner or later....(hopefully)

Much appreciated.
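
Added example (not part of the thread and not Cisco code): a small Python check that reads the `static` port-redirect lines in the argument order worked out above (outside-facing mapped port first, real server port second) and compares them with the ports the web server listens on and with the outside ACL. It assumes the outside ACL is matched against the mapped port, as on PIX 6.x; the `FIXED_ACL` lines are constructed for the example, and `audit`, `port` and the finding names are hypothetical.

```python
import re

# PIX 6.x port redirection, argument order as in the thread:
#   static (inside,outside) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask ...
STATIC_RE = re.compile(r"static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list \S+ permit (tcp|udp) any (?:host )?(\S+) eq (\S+)")
NAMED_PORTS = {"http": 80, "www": 80, "https": 443}  # only the names needed here

# Statics and ACL from the question, then the accepted answer's statics.
ORIGINAL_STATICS = """\
static (inside,outside) tcp 192.168.10.2 601 192.168.10.2 http netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.10.2 602 192.168.10.2 443 netmask 255.255.255.255 0 0
"""
ORIGINAL_ACL = """\
access-list acl permit tcp any 192.168.10.2 eq 601
access-list acl permit tcp any 192.168.10.2 eq 602
"""
FIXED_STATICS = """\
static (inside,outside) tcp 192.168.10.2 80 192.168.10.2 601 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.10.2 443 192.168.10.2 602 netmask 255.255.255.255 0 0
"""
# Constructed for this example (not in the thread): ACL matching the mapped ports.
FIXED_ACL = """\
access-list acl permit tcp any 192.168.10.2 eq 80
access-list acl permit tcp any 192.168.10.2 eq 443
"""


def port(token):
    return NAMED_PORTS.get(token) or int(token)


def audit(config, server_ports):
    """Return sorted (finding, port) tuples; server_ports = ports the server listens on."""
    mapped, permitted, findings = {}, set(), []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            mapped[(m[1], m[2], port(m[3]))] = port(m[5])  # outside view -> server port
        elif m := ACL_RE.match(line):
            permitted.add((m[1], m[2], port(m[3])))
    for key, real in mapped.items():
        if real not in server_ports:   # PIX would deliver to a port nothing listens on
            findings.append(("forwards-to-closed-port", real))
        if key not in permitted:       # assumption: outside ACL sees the mapped port
            findings.append(("mapped-port-not-in-acl", key[2]))
    for proto, ip, p in permitted - set(mapped):
        findings.append(("acl-permit-without-static", p))
    return sorted(findings)
```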
