Hi,
I have 1 public ip address assigned by my isp. 195.12.X.X
My topology is:
Internet ---> my 2600 router ---> PIX 515--DMZ
|
I am trying to forward any request to the public IP address on port 80 to a web server in the DMZ (192.168.82.190).
The Internet Router has an IP nat command that should forward requests through the PIX to the DMZ, for example ...
ip nat inside source static tcp 192.168.82.190 80 195.12.X.X 80 extendable
Below is the config of my Internet Router:
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname myrouter
!
enable secret ######
!
ip subnet-zero
!
interface FastEthernet0/0
description LAN
ip address 192.168.82.126 255.255.255.192
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
description Leased line to Internet
ip address 195.12.X.X 255.255.255.252
ip nat outside
no fair-queue
!
interface FastEthernet0/1
description Link to Conncentrator 3005
ip address 192.168.82.62 255.255.255.192
duplex auto
speed auto
!
ip nat pool overld 195.12.X.X 195.12.X.X prefix-length 30
ip nat inside source list 198 pool overld overload
ip nat inside source static esp 192.168.82.61 interface Serial0/0
ip nat inside source static udp 192.168.82.61 500 195.12.X.X 500 extendable
ip nat inside source static udp 192.168.82.61 10000 195.12.X.X 10000 extendable
ip nat inside source static tcp 192.168.82.190 80 195.12.X.X 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 195.12.0.201
ip route 172.16.0.0 255.255.0.0 192.168.82.125
ip route 192.168.82.128 255.255.255.192 192.168.82.125
ip http server
ip pim bidir-enable
!
access-list 12 permit 195.12.X.X
access-list 12 permit 195.12.X.X
access-list 12 permit 172.16.0.0 0.0.255.255
access-list 12 permit 10.220.0.0 0.0.255.255
access-list 12 permit 192.168.82.0 0.0.0.255
access-list 198 permit ip 192.168.82.0 0.0.0.255 any
snmp-server community #####
!
line con 0
line aux 0
line vty 0 4
access-class 12 in
password #####
And also the config of the PIX:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable encrypted
passwd encrypted
hostname myPIX
domain-name test.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 172.16.0.0 AB_LAN
access-list 101 permit tcp any host 192.168.82.190 eq www
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
icmp permit AB_LAN 255.255.0.0 echo-reply inside
icmp permit AB_LAN 255.255.0.0 echo inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 192.168.82.125 255.255.255.192
ip address inside 172.16.0.249 255.255.0.0
ip address DMZ 192.168.82.129 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location AB_LAN 255.255.0.0 inside
pdm location 172.16.102.33 255.255.255.255 inside
pdm location 192.168.82.190 255.255.255.255 DMZ
pdm history enable
arp timeout 14400
global (outside) 1 192.168.82.65-192.168.82.100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) tcp 195.12.X.X 255.255.255.255 0 0
static (inside,DMZ) AB_LAN AB_LAN netmask 255.255.0.0 0 0
access-group 101 in interface outside
access-group 101 in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.82.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http AB_LAN 255.255.0.0 inside
snmp-server host inside 172.16.102.33
no snmp-server location
no snmp-server contact
snmp-server community ####
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet AB_LAN 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
terminal width 80
Cryptochecksum:64495696c4eb86dd5796afa3f6e7079e
Any help would be appreciated.
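The question above is really a path-tracing exercise: the router translates 195.12.X.X:80 to 192.168.82.190:80 and routes it to the PIX outside interface, and the PIX then has to let an outside-to-DMZ flow through. The script below is an added example, not code from the original post or from Cisco; it reads the handful of IOS and PIX 6.x statements that decide that path (the IOS `ip nat inside source static tcp` and `ip route` lines, the PIX `nameif`, `ip address`, `static`, `access-list ... permit tcp any host ... eq` and `access-group` lines) and traces one inbound SYN hop by hop, reporting where it stops. The rule it encodes for the PIX is the 6.x one: a flow entering on a lower-security interface and leaving on a higher-security one needs a static translation for the destination plus an inbound ACL permit on the ingress interface. The sample configs are constructed subsets of the ones in the post (public address kept in its masked form); the "as posted" PIX static line is incomplete as extracted, so the parser treats it as absent, and the "identity static" variant, which is an assumed form rather than something the post shows, maps the DMZ host to itself because the router has already produced that address before the packet reaches the PIX.

```python
"""Trace an inbound TCP port-forward through an IOS NAT router and a PIX 6.x.

Added example, not code from the original post. Only the statements that
decide whether a flow to <public_ip>:<port> reaches a DMZ host are modelled;
everything else in a config is ignored. Connected routes are not modelled.
"""
import ipaddress
import re

PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25}


def port(tok):
    """Accept PIX/IOS port keywords or numbers."""
    return PORTS[tok] if tok in PORTS else int(tok)


def parse_router(text):
    cfg = {"statics": [], "routes": []}
    for line in text.splitlines():
        if m := re.match(r"\s*ip nat inside source static tcp (\S+) (\S+) (\S+) (\S+)", line):
            cfg["statics"].append({"real": m[1], "rport": port(m[2]), "global": m[3], "gport": port(m[4])})
        elif m := re.match(r"\s*ip route (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    return cfg


def next_hop(routes, dst):
    """Longest-prefix match over the parsed static routes."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


def parse_pix(text):
    pix = {"sec": {}, "addrs": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)", line):
            pix["sec"][m[1]] = int(m[2])
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            pix["addrs"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"static \(([^,]+),([^)]+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask", line):
            pix["statics"].append({"real_ifc": m[1], "mapped_ifc": m[2], "mapped": m[3], "real": m[5], "port": port(m[4])})
        elif m := re.match(r"static \(([^,]+),([^)]+)\) (\S+) (\S+) netmask", line):
            pix["statics"].append({"real_ifc": m[1], "mapped_ifc": m[2], "mapped": m[3], "real": m[4], "port": None})
        elif m := re.match(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)", line):
            pix["acls"].setdefault(m[1], []).append((m[2], port(m[3])))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            pix["groups"][m[2]] = m[1]
    return pix


def trace(router, pix, public_ip, dport):
    """Return (steps, reached): the hops a SYN to public_ip:dport takes and whether it arrives."""
    steps = []
    st = next((s for s in router["statics"] if s["global"] == public_ip and s["gport"] == dport), None)
    if st is None:
        return steps + [f"FAIL: router has no static NAT for {public_ip}:{dport}"], False
    dst, dport = st["real"], st["rport"]
    steps.append(f"router NAT: {public_ip}:{st['gport']} -> {dst}:{dport}")
    nh = next_hop(router["routes"], dst)
    steps.append(f"router forwards {dst} to next hop {nh}")
    ingress = next((n for n, a in pix["addrs"].items() if str(a.ip) == nh), None)
    egress = next((n for n, a in pix["addrs"].items() if ipaddress.ip_address(dst) in a.network), None)
    if ingress is None or egress is None:
        return steps + [f"FAIL: PIX does not own {nh} or has no interface subnet for {dst}"], False
    steps.append(f"PIX: in via {ingress} (security{pix['sec'][ingress]}), host on {egress} (security{pix['sec'][egress]})")
    if pix["sec"][ingress] < pix["sec"][egress]:
        # The packet already carries the router-translated address, so the static's
        # *mapped* side must be that address (an identity static when mapped == real).
        xl = next((s for s in pix["statics"] if (s["real_ifc"], s["mapped_ifc"]) == (egress, ingress)
                   and s["mapped"] == dst and s["port"] in (None, dport)), None)
        if xl is None:
            return steps + [f"FAIL: no usable static ({egress},{ingress}) for {dst}:{dport}"], False
        steps.append(f"PIX static: {dst}:{dport} -> {xl['real']}:{dport}")
        # PIX 6.x ACLs on the ingress interface reference the address as seen there.
        acl = pix["groups"].get(ingress)
        if not any(h == dst and p == dport for h, p in pix["acls"].get(acl, [])):
            return steps + [f"FAIL: no ACL bound inbound on {ingress} permits tcp any host {dst} eq {dport}"], False
        steps.append(f"PIX ACL {acl} on {ingress} permits tcp any -> {dst}:{dport}")
        dst = xl["real"]
    return steps + [f"OK: flow reaches {dst}:{dport} on {egress}"], True


# Constructed samples: a subset of the posted router config, and two PIX fragments.
ROUTER = """\
ip nat inside source static tcp 192.168.82.190 80 195.12.X.X 80 extendable
ip route 0.0.0.0 0.0.0.0 195.12.0.201
ip route 172.16.0.0 255.255.0.0 192.168.82.125
ip route 192.168.82.128 255.255.255.192 192.168.82.125
"""
PIX_COMMON = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 192.168.82.125 255.255.255.192
ip address inside 172.16.0.249 255.255.0.0
ip address DMZ 192.168.82.129 255.255.255.192
access-list 101 permit tcp any host 192.168.82.190 eq www
access-group 101 in interface outside
"""
# The static as it appears in the post (incomplete, so the parser cannot read it) ...
PIX_AS_POSTED = PIX_COMMON + "static (DMZ,outside) tcp 195.12.X.X 255.255.255.255 0 0\n"
# ... versus an identity static for the address the router has already produced (assumed form).
PIX_IDENTITY = PIX_COMMON + "static (DMZ,outside) 192.168.82.190 192.168.82.190 netmask 255.255.255.255 0 0\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_AS_POSTED), ("identity static", PIX_IDENTITY)):
        steps, ok = trace(parse_router(ROUTER), parse_pix(cfg), "195.12.X.X", 80)
        print(f"[{label}]", *steps, sep="\n  ")
```

Run it as-is to see both traces; to check a different design, paste the relevant lines of your own configs into `ROUTER` and the PIX string and change the public address and port in the `trace` call. A second `trace` call for a port you did not forward (for example 443) is a quick way to confirm the router side is the first thing that should refuse it.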