Need help with Cisco PIX501 config and port redirect

admin_2 (Level 3)

Hi,

I have a simple network and I need to redirect http and 8080 ports to web server but it won't work. I can't download anything from web either. Can someone check my config and tell me what's wrong with it?

network: lan - pix - wan

ip: static

config: attached

Thanks!

3 Replies

bcarroll (Level 1)

Okay, after looking at your config here are some things I see:

Your access-list on the inside interface:

access-list 100 deny tcp any object-group ms-ports any

access-list 100 deny udp any object-group ms-ports any

access-list 100 permit tcp any any

access-list 100 permit udp any any

access-list 100 deny tcp any any <----get rid of this

access-list 100 permit ip any any <----get rid of this

access-list 100 deny ip any any <--With this, protocols like GRE, ESP and so on will not make it out; only TCP and UDP will.

Your access-list on the inside interface:

access-list 101 deny tcp any object-group ms-ports any <---You don't need this. ASA already denies them.

access-list 101 deny udp any object-group ms-ports any <---You don't need this. ASA already denies them.

access-list 101 permit tcp any eq www interface outside eq www <---Remove the first "eq www". The source port is dynamic.

access-list 101 permit tcp any eq https interface outside eq https <---Remove the first "eq https". The source port is dynamic.

access-list 101 permit tcp any eq 8080 interface outside eq 8080 <---Remove the first "eq 8080". The source port is dynamic.

access-list 101 deny tcp any any <---Remove this. Replace it with "access-list 101 deny ip any any".

Your Statics:

static (inside,outside) tcp interface www name1 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https name1 https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8080 name1 8080 netmask 255.255.255.255 0 0

Normally port redirection should redirect you to different internal ports. For example:

static (inside,outside) tcp interface 8080 name1 www netmask 255.255.255.255 0 0

You may be able to leave it as is if you clean up your access-lists though.

Let me know.

BC
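The cleanup described in the reply above, written out as one PIX 6.x fragment. This is an added example, not the poster's attached config or the replier's own text: `name1`, `ms-ports` and the access-list numbers come from the thread, while the address 192.168.1.10 and the `nat`/`global` lines are constructed assumptions so the fragment is complete on its own.

```cisco
! Added example, not the thread's configuration. 192.168.1.10 is a
! constructed address for the web server the thread calls name1.
name 192.168.1.10 name1

! --- Broken line from the thread: a fixed source port ---
! access-list 101 permit tcp any eq www interface outside eq www
! A client chooses an ephemeral source port, so "any eq www" matches
! almost no real connection. Filter on the destination port only.

! --- Corrected ACL on the outside interface ---
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq https
access-list 101 permit tcp any interface outside eq 8080
access-list 101 deny ip any any
access-group 101 in interface outside

! Inside ACL: keep the ms-ports filter, then a single "permit ip"
! so non-TCP/UDP protocols (GRE, ESP) are not dropped by the
! overlapping tcp/udp permit and deny lines from the original.
access-list 100 deny tcp any object-group ms-ports any
access-list 100 deny udp any object-group ms-ports any
access-list 100 permit ip any any
access-group 100 in interface inside

! Outbound PAT on the outside address (assumed; needed for the LAN
! to browse at all).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Static PAT: forward the three ports on the outside address to name1.
! The 8080 line keeps the same port on both sides, as the original did;
! to redirect 8080 to the server's port 80 instead, end that line with
! "name1 www" rather than "name1 8080".
static (inside,outside) tcp interface www   name1 www   netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https name1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080  name1 8080  netmask 255.255.255.255 0 0
```

Order matters in both ACLs: a `deny ip any any` placed before a permit silences everything after it, and the firewall evaluates a translation (`static`) and the interface ACL independently, so a connection from the WAN needs both the matching static and a permit on the outside ACL to reach `name1`.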

Not applicable

Hi,

I did some changes but port 8080 is still quiet. From LAN side it's working fine but from WAN, nothing.

Here's my new config if someone can check it and tell me what's wrong with it.

Thanks,

-elohopea-

When you changed to this:

static (inside,outside) 200.xxx.xxx.9 name1 netmask 255.255.255.255 0 0

from:

static (inside,outside) tcp interface www name1 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https name1 https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8080 name1 8080 netmask 255.255.255.255 0 0

is why you may still have the problem.

You mentioned that port 8080 is still quiet, what about ports 80 and 443 from the WAN, are they quiet too? I suspect so.

See if you have any hit count for this acl entry:

access-list 101 permit tcp any interface outside object-group WEB-srv

You may need to create a separate ACL as if the inside server NAME1 was initiating the connections and change the static to use the ACL. I'll give an example:

access-list pmap_01 permit tcp host name1 any

static (inside,outside) tcp interface 80 access-list pmap_01

static (inside,outside) tcp interface 443 access-list pmap_01

static (inside,outside) tcp interface 8080 access-list pmap_01

Remove this: static (inside,outside) 200.xxx.xxx.9 name1 netmask 255.255.255.255 0 0

Run the clear xlate command after modifying the statics and try to connect over the WAN. Let me know how it turns out.
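The policy-static variant the last reply proposes, plus the checks it asks for, as an added example that is not part of the thread. `name1` and the ACL name `pmap_01` come from the thread; the address 192.168.1.10 is constructed, and putting the server's port in each ACL entry (one ACL per forwarded port) is an assumption about how the local port is expressed for a policy static, made so that each `static` maps to exactly one inside port.

```cisco
! Added example, not the thread's configuration. 192.168.1.10 is a
! constructed address for the server the thread calls name1.
name 192.168.1.10 name1

! Policy static PAT: the ACL is written from the inside server's point
! of view (its address and port as the source), so one ACL per port.
access-list pmap_01_www   permit tcp host name1 eq www   any
access-list pmap_01_https permit tcp host name1 eq https any
access-list pmap_01_8080  permit tcp host name1 eq 8080  any

! Remove the one-to-one static for name1 first: a static that maps the
! whole host takes the place of the per-port ones, which is why the
! reply asks for it to be deleted.
static (inside,outside) tcp interface www   access-list pmap_01_www
static (inside,outside) tcp interface https access-list pmap_01_https
static (inside,outside) tcp interface 8080  access-list pmap_01_8080

! The outside ACL still has to permit the traffic to the mapped address.
access-list 101 permit tcp any interface outside eq www
access-list 101 permit tcp any interface outside eq https
access-list 101 permit tcp any interface outside eq 8080
access-group 101 in interface outside

! Flush existing translations so old xlates do not keep the previous
! mapping alive, then verify from the WAN side.
clear xlate
show xlate
show access-list 101
```

`show access-list 101` prints a `hitcnt` per entry; if the permit for port 8080 stays at zero while a client on the WAN is retrying, the packets are not reaching the firewall (upstream filtering, wrong public address) rather than being dropped by it, and `show xlate` tells you whether the static was actually built for `name1`.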
