
New Member

What is wrong with this PIX 501 config?

I am experimenting with a Cisco PIX 501. In the future I want to connect about 35 to our central (now 3600) router using VPN tunnels.

First I want to understand the basic functions.

(I will ask the tunnel questions later)

This is what I want:

1. Do NAT from inside to outside.

2. Forward some ports (WWW, SMTP, FTP, NNTP and some others) to an internal host.

Problems:

- Somehow only WWW forwarding seems to work.

- It looks like the PIX does not use "stateful inspection", because as soon as I make a connection with a remote system, suddenly all protocols are forwarded to my redirect system (and all ports are open?).

This is what I do:

clear conf all

hostname MyHost

interface ethernet0 10baset

interface ethernet0 10baseT

ip address outside 123.187.1.204 255.255.248.0

route outside 0.0.0.0 0.0.0.0 123.187.0.1 1

ip address inside 172.16.4.43 255.255.255.248

nat 1 0.0.0.0 0.0.0.0

global 1 interface

http server enable

http 172.16.4.0 255.255.255.0

pdm logging informational

access-list outside_in permit icmp any host 123.187.1.204

access-list outside_in permit tcp any host 123.187.1.204 eq 20

access-list outside_in permit tcp any host 123.187.1.204 eq 21

access-list outside_in permit tcp any host 123.187.1.204 eq 22

access-list outside_in permit tcp any host 123.187.1.204 eq 25

access-list outside_in permit tcp any host 123.187.1.204 eq 80

access-list outside_in permit tcp any host 123.187.1.204 eq 110

access-list outside_in permit tcp any host 123.187.1.204 eq 113

access-list outside_in permit tcp any host 123.187.1.204 eq 119

access-list outside_in permit tcp any host 123.187.1.204 eq 443

access-list inside_access_in permit ip any any

access-group outside_in in interface outside

access-group inside_access_in in interface inside

static tcp interface 20 172.16.4.41 20 netmask 255.255.255.255 0 0

static tcp interface 21 172.16.4.41 21 netmask 255.255.255.255 0 0

static tcp interface 22 172.16.4.41 22 netmask 255.255.255.255 0 0

static tcp interface 25 172.16.4.41 25 netmask 255.255.255.255 0 0

static tcp interface 80 172.16.4.41 80 netmask 255.255.255.255 0 0

static tcp interface 110 172.16.4.41 110 netmask 255.255.255.255 0 0

static tcp interface 113 172.16.4.41 113 netmask 255.255.255.255 0 0

static tcp interface 119 172.16.4.41 119 netmask 255.255.255.255 0 0

static tcp interface 443 172.16.4.41 443 netmask 255.255.255.255 0 0

2 REPLIES
New Member

Re: What is wrong with this PIX 501 config?

PIX does stateful inspection.

Maybe a few tips on this page will help you fix your problem:

http://www.cisco.com/warp/public/707/index.shtml#pix

New Member

Re: What is wrong with this PIX 501 config?

In your access-list statements, you use 123.187.1.204 as a host; this is your PIX firewall's outside interface. This should be a host matched to 172.16.4.41 in a static statement.
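The replies turn on how the outside access-list lines up with the static translations. As an added example that is not part of this thread or of Cisco's tooling, the Python script below parses PIX 6.x `ip address`, `static`, `access-list` and `access-group` lines and reports three kinds of mismatch: a port forward with no matching permit in the outside ACL, a permit with no static behind it, and a permit whose destination is a static's inside address. It assumes PIX 6.x behaviour, where an ACL bound inbound on the outside interface is evaluated against the global (outside) address, so that `static ... interface ...` entries must be permitted on the outside interface address. Both config samples are constructed; the first reuses lines from the question, the second deliberately introduces the three mismatches.

```python
"""Cross-check PIX 6.x port-forward statics against the outside access-list.

Added example, not from the thread or from Cisco. Assumes PIX 6.x semantics:
an ACL bound with `access-group ... in interface outside` is matched against the
translated (global) address, which for `static ... interface` is the outside
interface's own address. The config samples at the bottom are constructed.
"""
import re
from collections import namedtuple

# Service names PIX prints in place of well-known port numbers (subset).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "www": 80,
              "pop3": 110, "ident": 113, "nntp": 119, "https": 443}

STATIC_RE = re.compile(
    r"^static\s+(?:\((\w+),(\w+)\)\s+)?(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+(tcp|udp|icmp|ip)\s+"
    r"(?:any|host\s+\S+|\S+\s+\S+)\s+"                 # source (not checked here)
    r"(any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(\S+))?")   # destination, optional port
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\w+)")
IP_RE = re.compile(r"^ip\s+address\s+(\w+)\s+(\S+)\s+\S+")

# global_ip is what the outside world connects to; local_ip is the real server.
Static = namedtuple("Static", "ext_if proto global_ip global_port local_ip local_port")
Ace = namedtuple("Ace", "proto dst port")   # dst: "any", a host or a network; port or None


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse(config):
    lines = [ln.strip() for ln in config.splitlines()]
    if_ips = {m[1]: m[2] for ln in lines if (m := IP_RE.match(ln))}
    statics, acls, groups = [], {}, {}
    for line in lines:
        if m := STATIC_RE.match(line):
            ext_if = m[2] or "outside"                 # PIX default is (inside,outside)
            gip = if_ips.get(ext_if, "?") if m[4] == "interface" else m[4]
            statics.append(Static(ext_if, m[3], gip, port_num(m[5]), m[6], port_num(m[7])))
        elif m := ACL_RE.match(line):
            toks = m[3].split()
            dst = "any" if toks[0] == "any" else toks[1] if toks[0] == "host" else toks[0]
            acls.setdefault(m[1], []).append(Ace(m[2], dst, port_num(m[4]) if m[4] else None))
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]                         # interface -> ACL name
    return statics, acls, groups


def audit(config):
    """Return findings as strings; an empty list means statics and outside ACL agree."""
    statics, acls, groups = parse(config)
    aces = acls.get(groups.get("outside", ""), [])
    local_ips = {s.local_ip for s in statics}
    findings = []
    for s in statics:                                  # every forward needs a permit
        if not any(a.proto in (s.proto, "ip") and a.dst in ("any", s.global_ip)
                   and a.port in (None, s.global_port) for a in aces):
            findings.append(f"static {s.proto}/{s.global_port} -> {s.local_ip}:{s.local_port} "
                            "has no matching permit in the outside ACL; inbound is dropped")
    for a in aces:                                     # every permit should reach a static
        if a.dst in local_ips:
            findings.append(f"ACE permits {a.proto} to {a.dst}, a static's local address; "
                            "the outside ACL sees the global address, so it never matches")
        elif a.proto in ("tcp", "udp") and a.port is not None and a.dst != "any" and not any(
                s.proto == a.proto and s.global_ip == a.dst and s.global_port == a.port
                for s in statics):
            findings.append(f"ACE permits {a.proto}/{a.port} to {a.dst} but no static "
                            "translates it; the permit is dangling")
    return findings


# Constructed from the question's own lines (two of its port forwards).
THREAD_CONFIG = """\
ip address outside 123.187.1.204 255.255.248.0
access-list outside_in permit icmp any host 123.187.1.204
access-list outside_in permit tcp any host 123.187.1.204 eq 25
access-list outside_in permit tcp any host 123.187.1.204 eq 80
access-group outside_in in interface outside
static tcp interface 25 172.16.4.41 25 netmask 255.255.255.255 0 0
static tcp interface 80 172.16.4.41 80 netmask 255.255.255.255 0 0
"""

# Constructed variant: ACE on the inside address, static without ACE, ACE without static.
VARIANT_CONFIG = """\
ip address outside 123.187.1.204 255.255.248.0
access-list outside_in permit tcp any host 123.187.1.204 eq smtp
access-list outside_in permit tcp any host 172.16.4.41 eq www
access-list outside_in permit tcp any host 123.187.1.204 eq 22
access-group outside_in in interface outside
static (inside,outside) tcp interface 25 172.16.4.41 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 172.16.4.41 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 172.16.4.41 443 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("variant", VARIANT_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run against the question's lines the audit is silent, because each `static ... interface <port>` has a permit to the outside address on that port; the variant shows the three findings a reviewer would flag before trusting that a port forward "works". Subnet destinations (ip/mask form) are parsed but not expanded, and only the interface named `outside` is audited.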
