PPPOE and PORT FORWARDING with PIX501

lpaster
Level 1

I have the following:

ISP DSL PPPoe --- (outside)PIX501(inside) --- my webserver

I need to set up the PIX to forward traffic coming in from internet to outside port 80 into webserver port 80.

But on the translation rules, the outside interface show as 127.0.0.1 instead of the interface IP assigned with the PPPoe.

I have that config working when the DSL is with a fixed IP. Can anyone tell me why it doesn't work here with DSL over PPPoE?

thanks.

4 Replies

mhoda
Level 5

Hello,

You don't need a static IP as long as the PIX gets the dynamic IP from the DHCP server on the ISP. To verify that the PIX got the dynamic IP, you can execute show interface on the PIX. Anyway, the config needed on the PIX is as follows:

static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255

Here the keyword interface is replaced with the dynamically assigned outside interface IP address, and you need to replace 10.1.1.5 with your actual web server IP address. Then you need to create the ACL on the outside interface, and in the ACL you can define interface as the destination.

Regards,

Mynul

1. The PIX 501 config is listed below.

2. my network config is:

- I have one box, a web server, 10.100.100.100. It's behind the PIX and it is permitted to go outside (Internet, etc.).

I have a dns2go service running on the web server. If you are not familiar with it, it is used where DSL/cable is using a dynamic IP. It is working fine.

So if you go to http://dpdemo2.dns2go.com you should get to 10.100.100.100, and it has some test page that should come up.

It works from inside: http://10.100.100.100

3. I want traffic from Internet to be directed to port 80 on 10.100.100.100.

I used PDM and added the following on the PIX:

static (inside,outside) tcp interface www 10.100.100.100 www netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any eq www any eq www

access-group outside_access_in in interface outside

BUT I STILL CAN'T GET TO WEBSERVER FROM INTERNET.

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvgG2ZzvLdD3UYnW encrypted
passwd xxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip any 10.100.100.192 255.255.255.224
access-list outside_access_in permit tcp any eq www any eq www
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any traceroute outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.100.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool01 10.100.100.200-10.100.100.220
pdm location 10.100.100.192 255.255.255.224 outside
pdm location 10.100.100.100 255.255.255.255 inside
pdm location 10.100.120.192 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.100.100.100 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.100.100.100 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze4sr8m
vpdn group pppoe_group ppp authentication pap
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool01
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username digitallp password *********
vpdn username digitalsj password *********
vpdn username digitalka password *********
vpdn username vze4sr8m password *********
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:xxxxxx
: end
[OK]

You should not limit the source port of the incoming traffic from the Internet to tcp port 80.

Requesting computers have dynamic port assignment as the source, and the destination is tcp port 80 to reach your web server.

You should change your access list so that it does not restrict the source port of the incoming tcp traffic.

Change your access-list to:

access-list outside_access_in permit tcp any any eq www

Change your static configuration also not to restrict the source port of the incoming traffic to tcp 80.
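An added example, not code from the thread or from Cisco: a small Python audit of PIX 6.x `static` and `access-list` lines that catches the two points raised above, that the keyword `interface` in the static stands for the outside address (here the one PPPoE assigned) and that an inbound ACE must leave the client's source port unrestricted, because browsers connect from an ephemeral port, not from port 80. The sample lines are constructed from the posted config (only the forwarding-related lines), and the check also flags management access such as `http 0.0.0.0 0.0.0.0 outside`, which is why the PDM login page was reachable from the Internet. The names `audit`, `parse_ace` and `parse_static` are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed samples (not the full posted config): the relevant lines of the
# original post, and the same lines with the access-list fix from the reply.
ORIGINAL_LINES = """
static (inside,outside) tcp interface www 10.100.100.100 www netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any eq www any eq www
access-group outside_access_in in interface outside
http 0.0.0.0 0.0.0.0 outside
""".strip().splitlines()

CORRECTED_LINES = [
    l.replace("permit tcp any eq www any eq www", "permit tcp any any eq www")
    for l in ORIGINAL_LINES
]

@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]

@dataclass
class Static:
    proto: Optional[str]
    mapped_ip: str        # "interface" = the outside address, here the one PPPoE assigned
    mapped_port: Optional[str]
    real_ip: str
    real_port: Optional[str]

def _addr(tok, i):
    """Consume one PIX address spec: any | host A | A MASK."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2

def _port(tok, i):
    """Consume an optional port operator (eq/gt/lt/neq PORT or range A B)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    return None, i

def parse_ace(line):
    # access-list NAME permit|deny PROTO SRC [SPORT] DST [DPORT]
    tok = line.split()
    src, i = _addr(tok, 4)
    src_port, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dst_port, _ = _port(tok, i)
    return Ace(tok[1], tok[2], tok[3], src, src_port, dst, dst_port)

def parse_static(line):
    # static (real,mapped) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask MASK ...
    tok = line.split()
    i, proto = 2, None
    if tok[i] in ("tcp", "udp"):
        proto, i = tok[i], i + 1
    if proto:
        return Static(proto, tok[i], tok[i + 1], tok[i + 2], tok[i + 3])
    return Static(None, tok[i], None, tok[i + 1], None)

def audit(lines):
    """Return (kind, detail) findings for the port-forwarding mistakes discussed in the thread."""
    aces, statics, inbound, findings = [], [], {}, []
    for line in (l.strip() for l in lines if l.strip()):
        tok = line.split()
        if tok[0] == "access-list":
            aces.append(parse_ace(line))
        elif tok[0] == "static":
            statics.append(parse_static(line))
        elif tok[0] == "access-group":      # access-group NAME in interface IF
            inbound[tok[1]] = tok[4]
        elif tok[0] in ("http", "ssh", "telnet") and tok[-1] == "outside" and "0.0.0.0 0.0.0.0" in line:
            findings.append(("mgmt-open-outside", line))
    for a in aces:
        # Clients pick an ephemeral source port, so 'any eq www' as the source
        # drops nearly every real request before the static translation is reached.
        if a.acl in inbound and a.proto in ("tcp", "udp") and a.src_port:
            findings.append(("source-port-restricted", f"{a.acl}: src {a.src} {a.src_port}"))
    for s in statics:
        if s.mapped_port is None:
            continue
        permitted = any(
            a.acl in inbound and a.action == "permit" and a.proto in (s.proto, "ip")
            and a.src_port is None and a.dst_port in (None, f"eq {s.mapped_port}")
            for a in aces)
        if not permitted:
            findings.append(("forward-not-permitted", f"{s.proto}/{s.mapped_port} -> {s.real_ip}:{s.real_port}"))
    return findings

if __name__ == "__main__":
    for name, lines in (("original", ORIGINAL_LINES), ("corrected", CORRECTED_LINES)):
        print(name, audit(lines))
```

Run against the original lines the audit reports both that the ACE restricts the source port and that, as a result, no ACE actually permits the static's mapped port; against the corrected ACL only the open management access remains. The static itself is left as posted, since a port-to-port static translation is the intended way to map outside port 80 to the server's port 80.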

Regarding the change on the access-list: I did it.

Regarding the static config: it has to be port 80 on the inside interface to port 80 on the outside interface, since it is a static port mapping. I do it on other PIXes and it works fine.

The problem is that for some reason the thing still doesn't work.

The system is accessible from the Internet: you can go to https://dpdemo2.dns2go.com and get the PDM login screen.

What's more strange is that when I open the translation rule with PDM, it shows the external interface IP as 127.0.0.1.

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvgG2ZzvLdD3UYnW encrypted
passwd xxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip any 10.100.100.192 255.255.255.224
access-list outside_access_in permit tcp any any eq www
access-list outside_cryptomap_dyn_20 permit ip any 10.100.100.192 255.255.255.224
pager lines 24
logging on
logging console informational
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any traceroute outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.100.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool01 10.100.100.200-10.100.100.220
pdm location 10.100.100.192 255.255.255.224 outside
pdm location 10.100.100.100 255.255.255.255 inside
pdm location 10.100.120.192 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.100.100.100 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.100.100.100 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup digitallp address-pool VPNPool01
vpngroup digitallp idle-time 1800
vpngroup digitallp password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze4sr8m
vpdn group pppoe_group ppp authentication pap
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool01
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username digitallp password *********
vpdn username digitalsj password *********
vpdn username digitalka password *********
vpdn username vze4sr8m password *********
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
