10-27-2005 03:12 PM - edited 02-21-2020 12:29 AM
Hello,
I have a PIX 501 with two interfaces. I am trying to setup a webserver behind the internal interface.
I have a single public IP assigned to the interface.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
I tried
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
and
static (inside,outside) *.*.*.* 192.168.1.2 netmask 255.255.255.255 0 0
but still cannot connect to the web server. I can ping the external interface.
I do have access-list and access-group entries for the inbound connections
access-list permit_in permit tcp any host *.*.*.*
access-group permit_in in interface outside
Is there an issue with PAT and a single outside interface being the same?
Thanks in advance...
10-27-2005 03:44 PM
Example:
http server is: 192.168.1.10
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit tcp any interface outside eq http
access-group acl_out in interface outside
static (inside,outside) tcp interface http 192.168.1.10 http netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 Gateway 1
After that you need to clear the translation table:
clear xlate
sincerely
Patrick
10-27-2005 05:38 PM
Hi Patrick,
The only difference between what I have and what you have it seems is the ACL.
me:
access-list permit_in permit tcp any host *.*.*.*
you:
access-list acl_out permit tcp any interface outside eq http
I can get out no problem, just not in. I have cleared the translation table too.
It seems like a simple configuration. Any ideas?
Thanks
10-28-2005 08:57 AM
Please can you post all your NAT, global, static and access-list entries from your config? Replace public IPs.
Usually this is not complicated, but sometimes it is just a stupid error somewhere.
Do you have hit counts in your access-lists?
Are you trying from the outside with the public IP?
sincerely
Patrick
10-28-2005 09:54 AM
Patrick,
All is well. I just replaced the public IP in the ACL with 'interface'...
This is the first PIX I have set up using a single public IP for NAT/PAT on the outside interface. The little 501 works well for my purpose.
Thank you for your help.
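The fix in this thread came down to one ACL line: the inbound entry must name the outside interface itself (`interface outside`, limited with `eq`) rather than the public IP when the static PAT is bound to `interface`. The following Python script is an added example, not code from the thread or from Cisco: it parses only the handful of PIX commands the posts use (`ip address`, `static`, `access-list`, `access-group`) and flags the two mistakes seen above, an ACL written against the public address and a truncated netmask. The `203.0.113.10` address is a constructed placeholder for the redacted `*.*.*.*`, and both sample configs are constructed from the posts.

```python
import re

# Added example, not from the thread: a small lint for the PIX-style
# static-PAT + ACL pattern discussed above. It only understands the few
# commands that appear in the posts.

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21}

# Placeholder outside address standing in for the redacted *.*.*.* in the thread.
PUBLIC_IP = "203.0.113.10"

# Constructed: the original poster's failing shape (ACL written against the public IP).
CONFIG_BEFORE = f"""
ip address outside {PUBLIC_IP} 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
access-list permit_in permit tcp any host {PUBLIC_IP}
access-group permit_in in interface outside
"""

# Constructed: the working shape from the thread ('interface outside', port-limited).
CONFIG_AFTER = CONFIG_BEFORE.replace(
    f"access-list permit_in permit tcp any host {PUBLIC_IP}",
    "access-list permit_in permit tcp any interface outside eq www",
)

IP_ADDRESS = re.compile(r"^ip address (?P<ifname>\S+) (?P<ip>\d+(?:\.\d+){3}) \S+$")
STATIC_PAT = re.compile(
    r"^static \((?P<inside>\w+),(?P<outside>\w+)\) (?P<proto>tcp|udp) (?P<ext>\S+) "
    r"(?P<ext_port>\S+) (?P<int_ip>\S+) (?P<int_port>\S+) netmask (?P<mask>\S+)"
)
ACL = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|interface \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$"
)
ACCESS_GROUP = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifname>\S+)$")


def to_port(token):
    """Map a PIX service keyword or numeric string to a port number (None if unknown)."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower())


def lint_config(text):
    """Return a list of findings for static PAT bound to the outside interface address."""
    if_ips, statics, acls, groups = {}, [], {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := IP_ADDRESS.match(line):
            if_ips[m["ifname"]] = m["ip"]
        elif m := STATIC_PAT.match(line):
            statics.append(m.groupdict())
        elif m := ACL.match(line):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif m := ACCESS_GROUP.match(line):
            groups[m["ifname"]] = m["name"]

    findings = []
    for s in statics:
        label = f"static {s['proto']}/{s['ext_port']} -> {s['int_ip']}:{s['int_port']}"
        if s["mask"] != "255.255.255.255":
            findings.append(f"{label}: netmask {s['mask']} is not a host mask (typo?)")
        if s["ext"] != "interface":
            continue  # only the single-public-IP (PAT on the interface) case from the thread
        outside, want_port = s["outside"], to_port(s["ext_port"])
        acl_name = groups.get(outside)
        if acl_name is None:
            findings.append(f"{label}: no access-group applied inbound on {outside}")
            continue
        matched = False
        for e in acls.get(acl_name, []):
            if e["action"] != "permit" or e["proto"] not in ("ip", s["proto"]):
                continue
            if e["dst"] == f"host {if_ips.get(outside)}":
                findings.append(f"{label}: ACL {acl_name} names the public IP; "
                                f"the thread's working form is 'interface {outside}'")
                continue
            if e["dst"] != f"interface {outside}":
                continue
            if e["port"] is None:
                # Permits every port to the firewall's own address: wider than the PAT needs.
                findings.append(f"{label}: ACL {acl_name} permits every port to "
                                f"interface {outside}; restrict with 'eq {s['ext_port']}'")
            elif to_port(e["port"]) != want_port:
                continue
            matched = True
        if not matched:
            findings.append(f"{label}: no entry in ACL {acl_name} permits "
                            f"{s['proto']}/{s['ext_port']} to interface {outside}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, lint_config(cfg) or "ok")
```

Run it against a saved `show running-config` to get the same two answers Patrick asked for by hand: whether an ACL is actually bound inbound on the outside interface, and whether that ACL's destination matches the way the static was written.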
10-28-2005 09:29 AM
Hi,
The configuration Patrick recommended should work. Go ahead and check if the traffic is getting to your PIX, then if it's passing through it and getting to the server, and the MOST IMPORTANT thing, check if your webserver is responding. CHECK THE SERVER'S DEFAULT GATEWAY
Check the hitcounts on the ACLs
run a debug packet
debug packet outside dst
tcp dport 80
if you see the packets on the screen, issue the command
undebug all
debug packet inside dst 192.168.1.2 proto tcp dport 80
if you see the packets passing, the PIX is working. Check if the server is responding with
debug packet inside src 192.168.1.2 proto tcp
if not, as I mentioned, check your server.
I hope it helps
Franco Zamora