Port Forwarding on PIX 501

Status
Not open for further replies.

bdock

Technical User
Jan 20, 2005
7
US
I configured my PIX 501 with an external IP address xxx.xxx.xxx.187 and kept the default 192.168.1.1 for the internal interface to simplify things for now. I have an internal web server that is connected to the PIX and has a static 192.168.1.50 address. What I am unable to do is route all incoming web traffic from the internet to the 192.168.1.50 address. Can anyone tell me how to go about doing this?

Thanks.
 
Well, first off, you need to NAT your public IP address on the PIX to that server on port 80 and/or 443 (SSL web), and then you need to allow it.

NAT:

static (inside,outside) tcp interface 80 192.168.1.50 80 netmask 255.255.255.255

Filter:

access-list incoming permit tcp any host <pix ip x.x.x.x> eq 80

access-group incoming in interface outside

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Jan, that worked beautifully, thank you.
 
Hello. I have a problem with port forwarding too.
My router IP is 192.168.0.1
My firewall (PIX 501) IP is:
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0

My PC IP is 123.456.7.999 (there are other PCs on the LAN... I prefer to open ports only for my PC... if not, for all the PCs).

I need to open the Yahoo webcam service, which works on port 5100.
Before, I had a ZyXEL firewall, but with the Cisco I'm very new, so I need step-by-step help, please.
Can you tell me how to do it? Thanks a lot.
 
Cavallo,

If I learned correctly from Jan, this should do the trick for you:

This will route all incoming traffic on port 5100 to your PC:

static (inside,outside) tcp interface 5100 123.456.7.999 5100 netmask 255.255.255.255

This will allow the traffic to come through the firewall:

access-list incoming permit tcp any host <pix ip x.x.x.x> eq 5100

access-group incoming in interface outside

Her instructions were for simple web data. Yahoo may have additional requirements, and, if so, they will probably list them in their FAQ section.
 
You can use the "interface" keyword in your ACL also, for when your dynamic IP address changes.
 
Maybe it's a typo, but this:

My router IP is 192.168.0.1
My firewall (PIX 501) IP is:
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0

means that you have connected your router to the inside of your PIX, which is wrong. Please explain.


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
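
A cross-check for the two-step procedure in this thread (static translation, then an ACL bound to the outside interface), as an added example that is not part of any post: this Python sketch reads PIX 6.x-style config lines and reports, for each forwarded port, whether a bound ACL permits it and whether the permitted source is `any`. The sample config is constructed; 203.0.113.187, 198.51.100.7 and 192.168.1.20 are placeholder addresses, and the parser assumes only `permit ... eq` lines matter (deny lines and rule order are ignored).

```python
def port(p):
    return {"www": 80, "https": 443}.get(p) or int(p)  # PIX may print port names

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A', 'interface NAME' or 'A MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def audit(config, outside_ip):
    """Return (proto, global_port, inside_host, status) per static PAT entry."""
    statics, acls, bound = [], [], set()
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["static"] and len(t) >= 7 and t[2] in ("tcp", "udp"):
            # static (inside,outside) tcp <global> <gport> <local> <lport> ...
            statics.append((t[2], t[3], port(t[4]), t[5]))
        elif t[:1] == ["access-list"] and len(t) >= 8 and t[2] == "permit":
            src, rest = take_addr(t[4:])
            dst, rest = take_addr(rest)
            if len(rest) >= 2 and rest[0] == "eq":
                acls.append((t[1], t[3], src, dst, port(rest[1])))
        elif t[:1] == ["access-group"] and t[-2:] == ["interface", "outside"]:
            bound.add(t[1])  # ACL actually applied to the outside interface
    findings = []
    for proto, glob, gport, local in statics:
        dsts = {"any", "interface outside",
                "host " + (outside_ip if glob == "interface" else glob)}
        hits = [a for a in acls if a[0] in bound and a[1] == proto
                and a[3] in dsts and a[4] == gport]
        status = ("translated but not permitted" if not hits else
                  "open to any source" if any(a[2] == "any" for a in hits)
                  else "restricted source")
        findings.append((proto, gport, local, status))
    return findings

# Constructed sample config; addresses other than 192.168.1.50 are placeholders.
SAMPLE = """\
static (inside,outside) tcp interface 80 192.168.1.50 80 netmask 255.255.255.255
static (inside,outside) tcp interface 5100 192.168.1.20 5100 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.50 443 netmask 255.255.255.255
access-list incoming permit tcp any host 203.0.113.187 eq 80
access-list incoming permit tcp host 198.51.100.7 interface outside eq 443
access-group incoming in interface outside
"""

if __name__ == "__main__":
    for f in audit(SAMPLE, "203.0.113.187"):
        print(f)
```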
 