Cisco PIX port forwarding
I refuse to believe this isn't possible!
iseff

Msg#: 31 posted 7:45 pm on Aug 9, 2004 (gmt 0)

Hi guys,
I have a Cisco PIX 501 firewall which I'm about to put in front of two servers. I'm basically trying to make the two servers look as though they were one server -- a common practice. One server is going to handle web while the other handles SQL.

I've been trying so ridiculously hard to get the PIX to forward ports - but to no avail. Literally a full day of testing, resetting, testing again, searching Google, testing, resetting, etc. has yielded almost nothing.

Is this at all possible?

More specifically, I'm looking for how to make ip:port of aaa.aaa.aaa.aaa:80 to route to 192.168.1.2:80 (where 192.168.1.0 is the inside network) and aaa.aaa.aaa.aaa:1433 to route to 192.168.1.3:1433. I assume this *must* be possible, but I really don't seem to have a grasp on PAT (I think it's what I need to use!).

Can anyone help me, please!?

Thanks a ton,
Ian

 

MattyMoose

Msg#: 31 posted 8:08 pm on Aug 9, 2004 (gmt 0)

What have you tried so far?

I haven't even looked at my Cisco setup in a long time, so I may be a little rusty, but maybe I can at least give you some ideas. :)

I use this on my 515's (which I believe is similar syntax to the 501):

static (www,outside) tcp aaa.aaa.aaa.aaa www 192.168.1.2 www netmask 255.255.255.255 0 0
(forwards tcp port 80 from outside to the inside "www" interface)

access-list outside permit tcp any host aaa.aaa.aaa.aaa eq www
(enable incoming port 80 to the outside IP)

ip address outside aaa.aaa.aaa.aaa 255.255.255.224
ip address www 192.168.1.2 255.255.255.0

nat (www) 1 0.0.0.0 0.0.0.0 0 0
(And this one I can't remember -- just telling it to nat that interface, I believe)

I hope that helps a little bit at least. :)

-MM

iseff

Msg#: 31 posted 1:17 pm on Aug 10, 2004 (gmt 0)

Hopefully this will help me a lot!

One question, how did you create the www interface? I assume that is an interface you created for one specific machine behind the firewall?

Thanks,
Ian

MattyMoose

Msg#: 31 posted 4:43 pm on Aug 10, 2004 (gmt 0)


> One question, how did you create the www interface? I assume that is an interface you created for one specific machine behind the firewall?

It was created using: nameif ethernet1 www securityX (fill in X with a number if you use it -- try it without "security" first -- it may cause problems unless you have security settings elsewhere and understand the relationships between the zones).

It was created for a subnet. It allows me to separate my SQL servers and WWW servers in different security zones, so that only mySQL is allowed through from the web servers, and nothing else, and so on. The security settings might be there in the 501, but I'm not sure.

Naming the interface makes life much easier in terms of creating rules for them.

-MM
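
The setup asked about in the first post, written out as an added example in PIX 6.x syntax; it is not part of any post in this thread and is not either poster's configuration. It assumes the default `inside`/`outside` interface names, both servers on the inside network, 192.168.1.1 as the PIX inside address, and the placeholders `nnn.nnn.nnn.nnn` (outside netmask) and `bbb.bbb.bbb.bbb` (a known client allowed to reach SQL).

```cisco
: Added example, PIX 6.x syntax. Lines starting with ":" are comments.
: aaa.aaa.aaa.aaa = public address, as written in the thread
: nnn.nnn.nnn.nnn = placeholder for the outside netmask (assumption)
: bbb.bbb.bbb.bbb = placeholder for a known SQL client address (assumption)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside aaa.aaa.aaa.aaa nnn.nnn.nnn.nnn
: 192.168.1.1 for the PIX itself is an assumption; the thread only gives the servers
ip address inside 192.168.1.1 255.255.255.0

: Outbound: inside hosts share the outside interface address (PAT)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Inbound static PAT: one public address, a different inside host per port.
: The public address here is the PIX's own outside address, so the keyword
: "interface" stands in for it. For a separate routed public address,
: write that address in place of "interface".
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 192.168.1.3 1433 netmask 255.255.255.255 0 0

: A static only creates the translation. Traffic from the lower-security
: outside interface is still dropped until an access-list permits it.
: Web is open to any source; SQL is limited to the one known client.
access-list outside_in permit tcp any host aaa.aaa.aaa.aaa eq www
access-list outside_in permit tcp host bbb.bbb.bbb.bbb host aaa.aaa.aaa.aaa eq 1433
access-group outside_in in interface outside

: Flush existing translations so the new statics take effect
clear xlate
```

With this layout both servers share one security zone; splitting them onto separately named interfaces, as described in the reply above, needs a PIX model with more than two interfaces.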
