Problems with port forwarding pix 501 ver 6.3(1)

[Nocturnalis]

I trying to forward port 9090 to my internal(192.168.1.5) server (web) this is what I set my apache server as due to port 80 being blocked by ISP.

http://192.168.1.5:9090

works fine from inside.

here is my access-list

sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 100; 1 elements
access-list 100 line 1 permit tcp any interface outside eq 9090 (hitcnt=6)


and here is my static

sh static
static (inside,outside) tcp interface 9090 192.168.1.5 9090 netmask 255.255.255.
255 0 0

From outside I cannot get to the site. Can someone help

Thanks

 

[mmonti]

Hi,
I am not an expert but I think you need an (access-group) statement to bind the access-list the outside interface.

Mike

 

[Robroy2003]

That is correct. You need to apply the access-list to an access group. Try something like:

access-group "name" in interface outside

Where "name" is your access list name

 

[yizhar]

> I trying to forward port 9090 to my internal(192.168.1.5) server (web) this is what I set my apache server as due to port 80 being blocked by ISP.
Then how do you know that port 9090 isn't blocked either???

Please provide more info - a blocked port 80 means that you have some filterring and maybe NAT device between your pix and the Internet.

> access-list 100 line 1 permit tcp any interface outside eq 9090 (hitcnt=6)
Maybe the problems is at the web server configuration.
Apache and the OS (Linux?) have access control rules at the host itself - you should check them.

What is the default gateway of the web server - is it the pix inside interface? Can you access the Internet from the web server?

Use syslog messages at the pix to see what's going on.



Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar