PORT FORWARDING ON PIX506

[skb2005]

I have a DSL Conn with ONE static ip and I want to host a web server inside my network. After doing a lots of research I found the following solution:
*********************************************************
access-list acl_in_http permit tcp any host MY.PUBLIC.IP eq 80
static (inside,outside) tcp MY.PUBLIC.IP 80 MY.LOCAL.IP 80 netmask 255.255.255.255 0 0
access-group acl_in_http in interface outside

access-list acl_in_https permit tcp any host MY.PUBLIC.IP eq 443
static (inside,outside) tcp MY.PUBLIC.IP 443 MY.LOCAL.IP 443 netmask 255.255.255.255 0 0
access-group acl_in_https in interface outside
*********************************************************

But some how it does not seems to work.
Am I missing anything??

Please help...!!!

 

[skb2005]

It's all working. I did the following:

clear arp
clear xlate
reload


boom...!!! it started working.


Now I am facing the another problem. If i open up the browser and type "mydomainname.com" it works from OUTSIDE my network but DOES NOT WORK from INSIDE.

I guess I will have to search little bit more...

 

[Supergrrover]

Take a look at the alias command

http://www.cisco.com/warp/public/110/alias.html

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[skb2005]

Brent, thanks for the reply.

I made the DNS rewrite change according to:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

This change added the keyword "dns", and replaced the PUBLIC.IP to keyword "interface" to the following line.

BEFORE DNS REWRITE
static (inside,outside) tcp MY.PUBLIC.IP 80 MY.LOCAL.IP 80 netmask 255.255.255.255 0 0


AFTER DNS REWRITE
static (inside,outside) tcp interface

http://www MY.PUBLIC.IP

http://www dns

netmask 255.255.255.255 0 0

This change did not make any difference.

Then I tried the alias command reffered by you:

http://www.cisco.com/warp/public/110/alias.html

alias (inside) MY.PUBLIC.IP MY.LOCAL.IP 255.255.255.255

It did not help either.

 

[Supergrrover]

Can you post your whole config (take out passwords and mask the 2nd and 3rd octets of the public IP.)


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[skb2005]

Sorry for the delay. I had to fight another fire.

Following is the config:

*************************************************************************
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

domain-name lab.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
object-group network LabNw
description Lab Network
network-object 192.168.220.0 255.255.255.0
object-group network HrpNw
description Hrp House Network
network-object 192.168.6.0 255.255.255.0
object-group network S2CEdNw
description S2C Ed networks
network-object 192.168.2.0 255.255.255.0
object-group network S2CNyNw
description S2C Edison networks
network-object 192.168.21.0 255.255.255.0
object-group network Ed-Extranet
description Edison outside IPs
network-object 72.xxx.xxx.191 255.255.255.255
access-list acl_out permit icmp any any
access-list acl_in permit icmp any any
access-list 101 permit ip any 192.168.220.192 255.255.255.224
access-list 101 permit ip 192.168.220.0 255.255.255.0 192.168.220.192 255.255.255.224
access-list outside_cryptomap_dyn_30 permit ip any 192.168.220.192 255.255.255.224
access-list outside_cryptomap_dyn_50 permit ip any 192.168.220.192 255.255.255.224
access-list testvpn_splitTunnelAcl permit ip 192.168.220.0 255.255.255.0 any
access-list outside_cryptomap_dyn_70 permit ip any 192.168.220.192 255.255.255.224
access-list OrchardVPN_splitTunnelAcl permit ip 192.168.220.0 255.255.255.0 any
access-list outside_cryptomap_dyn_90 permit ip any 192.168.220.192 255.255.255.224
access-list acl_in_http permit tcp any host 72.xxx.xxx.191 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.xxx.xxx.191 255.255.255.0
ip address inside 192.168.220.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool labpool 192.168.220.205-192.168.220.210
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.6.0 255.255.255.0 inside
pdm location 192.168.21.0 255.255.255.0 inside
pdm location 192.168.6.0 255.255.255.255 inside
pdm location 192.168.221.0 255.255.255.0 outside
pdm location 192.168.220.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 72.xxx.xxx.191 192.168.220.2 255.255.255.255
static (inside,outside) tcp interface

http://www 192.168.220.2

http://www dns

netmask 255.255.255.255 0 0
access-group acl_in_http in interface outside
route outside 0.0.0.0 0.0.0.0 72.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.220.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http 192.168.6.0 255.255.255.255 inside
http 192.168.21.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 70 match address outside_cryptomap_dyn_70
crypto dynamic-map dynmap 70 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 90 match address outside_cryptomap_dyn_90
crypto dynamic-map dynmap 90 set transform-set ESP-3DES-MD5
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup testvpn address-pool labpool
vpngroup testvpn default-domain testvpn.Lab.com
vpngroup testvpn split-tunnel testvpn_splitTunnelAcl
vpngroup testvpn idle-time 1800
vpngroup testvpn password ********
vpngroup OrchardVPN address-pool labpool
vpngroup OrchardVPN default-domain vpn.Lab.com
vpngroup OrchardVPN split-tunnel OrchardVPN_splitTunnelAcl
vpngroup OrchardVPN idle-time 1800
vpngroup OrchardVPN password ********
telnet 192.168.220.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.21.0 255.255.255.0 inside
telnet 192.168.6.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
management-access inside
console timeout 30
terminal width 80

*************************************************************************

 

[skb2005]

I also need to forward the port 443 (SSL).

 

[Supergrrover]

The DNS rewrite only works for NAT only and not PAT. If you only have one external IP, it won't work. As an alternate you can edit the hosts file on each PC (a visit to the vbscript forum here can help you with a logon script) or if you have your internal DNS, you can add a record there for it.

To do the https
static (inside,outside) tcp interface 443 192.168.220.2 443 dns netmask 255.255.255.255 0 0
and add this line to the inbound ACL
access-list acl_in_http permit tcp any host 72.xxx.xxx.191 eq 443


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[skb2005]

Brent,
Thanks for your valuable help. I will be able to test port 443 after we get the SSL certificate.

We have about 45 users inside our network, it is not impossible to update the hosts file for each PC but there should be a better solution. I am sure others will also be facing the same problem.

I wonder why alias is not working. I will spent some time on cisco.com and post if I find anything.

 

[progc]

You can not come back in on an interface that you went out on.

You either need to have a second public ip that you can create a global statement for OR the simple solution if you have DNS inside your network is to create an internal zone and make

http://www.yoursite.com

resolve to it's internal ip.

That's what I used to do when I had a single ip.

 

[Supergrrover]

The alias is not rerouting traffic. The alias command basically rewrites the DNS response from the DNS server and replaces the external address with the internal address. The problem is that this only works if the static uses the whole IP and not port redirection. That is just the way that it works. So you will need more than one public IP - one for the interface and one for the DNS server. I think it is still the same for OS7 as well.


Brent
Systems Engineer / Consultant
CCNP, CCSP