PIX 501 Single Public IP and Static command to port 80

adisegna713
Level 1

Hello,

I have a PIX 501 with two interfaces. I am trying to setup a webserver behind the internal interface.

I have a single public IP assigned to the interface.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

I tried

static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0

and

static (inside,outside) *.*.*.* 192.168.1.2 netmask 255.255.255.255 0 0

but still cannot connect to the web server. I can ping the external interface.

I do have access-list and access-group entries for the inbound connections

access-list permit_in permit tcp any host *.*.*.*

access-group permit_in in interface outside

Is there an issue with PAT and a single outside interface being the same?

Thanks in advance...

5 Replies

Patrick Iseli
Level 7

Example:

http server is: 192.168.1.10

ip address inside 192.168.1.1 255.255.255.0

access-list acl_out permit tcp any interface outside eq http

access-group acl_out in interface outside

static (inside,outside) tcp interface http 192.168.1.10 http netmask 255.255.255.255 0 0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 Gateway 1

After that you need clear the translation table:

clear xlate

sincerely

Patrick

Hi Patrick,

The only difference between what I have and what you have it seems is the ACL.

me:

access-list permit_in permit tcp any host *.*.*.*

you:

access-list acl_out permit tcp any interface outside eq http

I can get out no problem, just not in. I have cleared the translation table too.

It seems like a simple configuration. Any ideas?

Thanks

Please can you post all your NAT, Global, Statics and Access-list of your config. Replace public IPs.

Usually this is not complicated, but sometimes it is just a stupid error somewhere.

Do you have hit counts in your access-lists?

Are you trying from the outside with the public IP?

sincerely

Patrick

Patrick,

All is well. I just replaced the public IP in the ACL with 'interface'...

This is the first PIX I have set up using a single public IP for NAT/PAT on the outside interface. The little 501 works well for my purpose.

Thank you for your help.

fzamora
Cisco Employee

Hi,

The configuration Patrick recommended should work. Go ahead and check if the traffic is getting to your PIX, then if it's passing through it and getting to the server, and the MOST IMPORTANT thing, check if your webserver is responding. CHECK THE SERVER'S DEFAULT GATEWAY.

Check the hitcounts on the ACLs

run a debug packet

debug packet outside dst proto tcp dport 80

if you see the packets on the screen, issue the command

undebug all

debug packet inside dst 192.168.1.2 proto tcp dport 80

if you see the packets passing, the PIX is working. Check if the server is responding with

debug packet inside src 192.168.1.2 proto tcp

if not, as I mentioned, check your server.

I hope it helps

Franco Zamora
