PIX Port Forwarding?

Status
Not open for further replies.

FrankieAIX

Technical User
Apr 28, 2004
131
US
How do I enable or specify a specific port to be forwarded to 1 host on my network?


Thanks!


-FrankieAIX
 
You need a static and an ACL statement.


static (inside,outside) tcp [outside IP] [port] [inside IP] [port] netmask 255.255.255.255 0 0

access-list inbound permit tcp any host [outside IP] eq [port]
access-list inbound deny ip any any

access-group inbound in interface outside


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

Thank you for the response. Would it be possible to do this with a dynamic IP on the outside interface? Do both the inside & outside IPs need to be static?

Could the outside interface be defined as "interface"?


Thank you again!

-FrankieAIX
 

Yes, you can change the [outside IP] to interface.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Just out of curiosity... if you went to and did a port scan to see what was open at your firewall... you SHOULD see port 80 open, right?

For some reason I am not seeing port 80 open, yet I am seeing ssh open (the rules are basically identical with the exception of 'ssh' and ' could possibly be wrong?... I verified on my webserver that http was running:

apache 19808 0.0 13.5 29152 15008 ? S Jul02 0:00 httpd -k start
apache 19809 0.0 13.5 29152 15008 ? S Jul02 0:00 httpd -k start
apache 19810 0.0 13.5 29152 15008 ? S Jul02 0:00 httpd -k start
apache 19811 0.0 13.5 29152 15008 ? S Jul02 0:00 httpd -k start
apache 19812 0.0 13.5 29152 15008 ? S Jul02 0:00 httpd -k start
apache 19813 0.0 13.5 29152 15008 ? S Jul02 0:00 httpd -k start
apache 19814 0.0 13.5 29152 15008 ? S Jul02 0:00 httpd -k start
apache 19815 0.0 13.5 29152 15008 ? S Jul02 0:00 httpd -k start



And here is the PIX config that is relevant.
Please note:
a.b.c.d = public IP
e.f.g.h = private ip for webserver


access-list inbound permit udp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any host a.b.c.d eq ssh
access-list inbound permit tcp any host a.b.c.d eq www

static (inside,outside) tcp interface ssh e.f.g.h ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
access-group inbound in interface outside


So looking at the configs, it looks like I should be able to see port 80 open through grc.com... weird?
 
sla07
By the looks of it, yes, it should work. Are there any other access lists involved?
You have interface for the Statics. Are you sure you have the right external IP?

Try a different website for the scan.

Your ISP may have blocked your ability to host.

Brent
Systems Engineer / Consultant
CCNP, CCSP
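
An added example, not part of any post in this thread: a small Python check that cross-references the inbound ACL permits with the static port redirects in a PIX-style config, the pairing the replies above describe, and lists `permit ... any any` lines for review. The sample config is constructed from the thread's placeholders with the www static left out; the function name `audit` and the finding labels are hypothetical.

```python
import re

# Constructed sample in the thread's PIX syntax; a.b.c.d and e.f.g.h are the
# thread's placeholders. The www static is left out on purpose (assumption).
SAMPLE = """\
access-list inbound permit udp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any host a.b.c.d eq ssh
access-list inbound permit tcp any host a.b.c.d eq www
static (inside,outside) tcp interface ssh e.f.g.h ssh netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

GROUP = re.compile(r"access-group (\S+) in interface outside$")
BROAD = re.compile(r"access-list (\S+) permit \S+ any any$")
PERMIT = re.compile(r"access-list (\S+) permit (tcp|udp) any host \S+ eq (\S+)$")
STATIC = re.compile(r"static \(inside,outside\) (tcp|udp) \S+ (\S+) (\S+) \S+ netmask ")

def audit(config):
    """Return (kind, detail) findings; ports are compared as written (www != 80)."""
    bound, broad, permits, statics = set(), [], set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := GROUP.match(line):
            bound.add(m.group(1))            # ACL applied inbound on outside
        elif m := BROAD.match(line):
            broad.append((m.group(1), line))
        elif m := PERMIT.match(line):
            permits.add(m.groups())          # (acl, proto, outside port)
        elif m := STATIC.match(line):
            statics[(m.group(1), m.group(2))] = m.group(3)  # -> inside host
    findings = [("broad-permit", line) for acl, line in broad if acl in bound]
    for acl, proto, port in sorted(permits):
        if acl not in bound:
            findings.append(("acl-not-applied", f"{acl} {proto}/{port}"))
        elif (proto, port) not in statics:
            findings.append(("permit-without-static", f"{proto}/{port}"))
    allowed = {(proto, port) for acl, proto, port in permits if acl in bound}
    for (proto, port), host in sorted(statics.items()):
        if (proto, port) not in allowed:
            findings.append(("static-without-permit", f"{proto}/{port} -> {host}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```

The check does not compare the ACL's destination address with the static's outside address, since a static written with `interface` carries no literal IP to compare.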
 