
Webserver behind PIX


espo5166 (IS-IT--Management)
Feb 27, 2008
Hello all,

Here's my scenario,

PIX 515e behind a cable modem, getting DHCP from the ISP.

Webserver on the inside interface at 192.168.20.16.
Need port 1600 open.
Static to forward 80 and 1600 to the webserver.
Config posted below. What am I doing wrong?
PIX Version 7.1(1)
!
hostname 161ESSEX
domain-name home
enable password MF.AhmkSBPVrcpJ0 encrypted
names
!
interface Ethernet0
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.20.2 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 60
ip address 172.16.16.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd ibq6m4GWlrXCz8Cc encrypted
banner login "161 ESSEX PRIVATE NETWORK"
ftp mode passive
dns server-group DefaultDNS
domain-name DR.LOCAL
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 192.168.20.16 eq www
access-list inbound extended permit tcp any host 192.168.20.16 eq 1600
pager lines 24
logging console warnings
mtu OUTSIDE 1500
mtu inside 1500
mtu DMZ 1500
no failover
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,OUTSIDE) interface 192.168.20.16 netmask 255.255.255.255
access-group inbound in interface OUTSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.20.10-192.168.20.30 inside
dhcpd address 172.16.16.20-172.16.16.50 DMZ
dhcpd dns 24.34.240.9 198.6.1.122
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
dhcpd enable DMZ
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d91fe9303e4fa46e711ffd196d881f94
: end
[OK]
 
It's not clear from your post what the problem is. Is it that people outside can't reach your webserver? Or people inside?
 
And by what domain name is the webserver known to the world? I.e., how are people outside supposed to access it? Are you telling them the current IP you received from DHCP, or running a DNS server somewhere?
 
Dynamic DNS service through ChangeIP.com.
But I have tried the direct IP as well.
 
Okay, I have a 515 but I'm running 6.3, so your mileage may vary; some commands may be deprecated. Of course my REAL-WORLD-IP never changes.

fixup protocol http 80
...
access-list outside permit tcp any host [REAL-WORLD-IP] eq www
access-list outside permit tcp any host [REAL-WORLD-IP] eq 1600
...
alias (inside) [PRIVATE-IP] [REAL-WORLD-IP] 255.255.255.255
 
But my "real-world IP" is not static.
 
Sorry, I don't know how to accomplish that. Not sure it is possible with 6.3. Is a static from your ISP too expensive?
 
OK. So if I use ChangeIP to redirect to, say, port 8080, then how do I redirect the traffic from 8080 back to 80 on the webserver? It's a web cam, so I can't change the listening ports; it needs 80 and 1600.
 
It needs to be ...

access-list inbound extended permit tcp any interface OUTSIDE eq www
access-list inbound extended permit tcp any interface OUTSIDE eq 1600

static (inside,OUTSIDE) tcp interface 80 192.168.20.16 80 netmask 255.255.255.255
static (inside,OUTSIDE) tcp interface 1600 192.168.20.16 1600 netmask 255.255.255.255
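The rule the reply above depends on, as an added example that is not part of the thread or Cisco's code: on PIX 7.x (pre-8.3 NAT) an ACL applied inbound on OUTSIDE is matched against the mapped (global) destination address, so `host 192.168.20.16` can never match a packet addressed to the outside interface, and the `interface` keyword in both the ACL and the static is what lets the rule survive a DHCP address change. The Python below is a toy model of that evaluation order (ACL on the mapped address, then static PAT lookup) that parses the thread's own `access-list`, `static` and `access-group` lines. It assumes a made-up outside address of 24.34.0.5 and, going beyond the page, also models the 8080-to-80 redirect asked about earlier, which a port static can express by giving different mapped and real ports (the `REDIRECT_CONFIG` lines are an assumption, not a reply from the thread).

```python
# Added example, not from the thread: toy evaluator of the pre-8.3 PIX inbound
# ACL + static semantics. 24.34.0.5 is a constructed stand-in for the DHCP lease.
IFACE_IP = {"OUTSIDE": "24.34.0.5"}          # assumed current outside address
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse_static(tok, iface_ip):
    """static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] netmask ...
    -> (proto, mapped_ip, mapped_port, real_ip, real_port); proto None = all."""
    mapped_if = tok[0].strip("()").split(",")[1]
    rest = list(tok[1:])
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
    mapped_ip = iface_ip[mapped_if] if rest[0] == "interface" else rest[0]
    rest.pop(0)
    mapped_port = port(rest.pop(0)) if proto else None
    real_ip = rest.pop(0)
    real_port = port(rest.pop(0)) if proto else None
    return (proto, mapped_ip, mapped_port, real_ip, real_port)

def parse_ace(tok, iface_ip):
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]
    -> (name, (action, proto, dst, dst_port)); only the destination is modelled."""
    rest = list(tok)
    name = rest.pop(0)
    if rest[0] in ("extended", "standard"):
        rest.pop(0)
    action, proto = rest.pop(0), rest.pop(0)

    def addr():
        t = rest.pop(0)
        if t == "host":
            return rest.pop(0)
        if t == "interface":               # resolves to that interface's address
            return iface_ip[rest.pop(0)]
        if t != "any":
            rest.pop(0)                    # "addr mask" form: mask dropped
        return t

    addr()                                 # source address is ignored here
    dst = addr()
    dst_port = port(rest[1]) if rest[:1] == ["eq"] else None
    return name, (action, proto, dst, dst_port)

class PixConfig:
    def __init__(self, text, iface_ip=IFACE_IP):
        self.iface_ip, self.acls, self.bound, self.statics = iface_ip, {}, {}, []
        for line in text.splitlines():
            tok = line.split()
            if tok[:1] == ["static"]:
                self.statics.append(parse_static(tok[1:], iface_ip))
            elif tok[:1] == ["access-list"]:
                name, ace = parse_ace(tok[1:], iface_ip)
                self.acls.setdefault(name, []).append(ace)
            elif tok[:1] == ["access-group"]:  # access-group NAME in interface IF
                self.bound[tok[4]] = tok[1]

    def inbound(self, iface, proto, dst_port):
        """Packet from the Internet to this interface's own address and dst_port.
        Returns (real_ip, real_port) if it reaches an inside host, else why it drops."""
        dst_ip = self.iface_ip[iface]
        # Pre-8.3 rule: the inbound ACL is matched on the mapped (global) address,
        # so "host 192.168.20.16" can never match a packet sent to the outside IP.
        for action, aproto, dst, aport in self.acls.get(self.bound.get(iface), []):
            if aproto in (proto, "ip") and dst in ("any", dst_ip) and aport in (None, dst_port):
                if action != "permit":
                    return "denied by ACL"
                break
        else:
            return "denied by ACL (implicit deny)"
        # xlate lookup: a port static (static PAT) wins over a plain address static.
        for sproto, mip, mport, rip, rport in self.statics:
            if sproto == proto and mip == dst_ip and mport == dst_port:
                return (rip, rport)
        for sproto, mip, _mport, rip, _rport in self.statics:
            if sproto is None and mip == dst_ip:
                return (rip, dst_port)
        return "no translation"

OP_CONFIG = """\
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 192.168.20.16 eq www
access-list inbound extended permit tcp any host 192.168.20.16 eq 1600
static (inside,OUTSIDE) interface 192.168.20.16 netmask 255.255.255.255
access-group inbound in interface OUTSIDE"""      # the poster's lines
FIXED_CONFIG = """\
access-list inbound extended permit tcp any interface OUTSIDE eq www
access-list inbound extended permit tcp any interface OUTSIDE eq 1600
static (inside,OUTSIDE) tcp interface 80 192.168.20.16 80 netmask 255.255.255.255
static (inside,OUTSIDE) tcp interface 1600 192.168.20.16 1600 netmask 255.255.255.255
access-group inbound in interface OUTSIDE"""      # the last reply's lines
REDIRECT_CONFIG = """\
access-list inbound extended permit tcp any interface OUTSIDE eq 8080
static (inside,OUTSIDE) tcp interface 8080 192.168.20.16 80 netmask 255.255.255.255
access-group inbound in interface OUTSIDE"""      # assumed 8080->80 variant, not on the page

def evaluate(config_text, proto, dst_port):
    return PixConfig(config_text).inbound("OUTSIDE", proto, dst_port)
```

Run `evaluate(OP_CONFIG, "tcp", 80)` next to `evaluate(FIXED_CONFIG, "tcp", 80)`: the first stops at the ACL with an implicit deny, because at that point the destination is the outside address and not 192.168.20.16, while the second returns ('192.168.20.16', 80). `evaluate(REDIRECT_CONFIG, "tcp", 8080)` returns ('192.168.20.16', 80) and port 80 on that config is denied, which is the port-redirect behaviour. The model ignores source addresses, subnet masks and the dynamic PAT pool, so it only answers the one question the thread is about: whether an inbound ACL and a static agree on the mapped address and port.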
 