

Cisco PIX port forwarding

I refuse to believe this isn't possible!

7:45 pm on Aug 9, 2004 (gmt 0)




Hi guys,
I have a Cisco PIX 501 firewall which I'm about to put in front of two servers. I'm basically trying to make the two servers look as though they were one server -- a common practice. One server is going to handle web while the other handles SQL.

I've been trying so ridiculously hard to get the PIX to forward ports - but to no avail. Literally a full day of testing, resetting, testing again, searching Google, testing, resetting, etc. has yielded almost nothing.

Is this at all possible?

More specifically, I'm looking for how to make ip:port of aaa.aaa.aaa.aaa:80 to route to 192.168.1.2:80 (where 192.168.1.0 is the inside network) and aaa.aaa.aaa.aaa:1433 to route to 192.168.1.3:1433. I assume this *must* be possible, but I really don't seem to have a grasp on PAT (I think it's what I need to use!).

Can anyone help me, please!?

Thanks a ton,
Ian

8:08 pm on Aug 9, 2004 (gmt 0)




What have you tried so far?

I haven't even looked at my Cisco setup in a long time, so I may be a little rusty, but maybe I can at least give you some ideas. :)

I use this on my 515's (which I believe is similar syntax to the 501):

static (www,outside) tcp aaa.aaa.aaa.aaa www 192.168.1.2 www netmask 255.255.255.255 0 0
(forwards tcp port 80 from outside to the inside "www" interface)

access-list outside permit tcp any host aaa.aaa.aaa.aaa eq www
(enable incoming port 80 to the outside IP)

ip address outside aaa.aaa.aaa.aaa 255.255.255.224
ip address www 192.168.1.1 255.255.255.0
(the firewall's own address on the www interface -- 192.168.1.1 is assumed here; it cannot be the same as the 192.168.1.2 server address used in the static above)

nat (www) 1 0.0.0.0 0.0.0.0 0 0
(And this one I can't remember -- just telling it to nat that interface, I believe)

I hope that helps a little bit at least. :)

-MM
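Putting the pieces of MM's reply together for Ian's actual layout (a PIX 501, which has only the two fixed interfaces, outside and inside, so there is no "www" zone to create) gives the configuration below. This is an added example, not configuration from either poster: 203.0.113.10 stands in for aaa.aaa.aaa.aaa, 192.168.1.1 is assumed for the firewall's inside address, and 198.51.100.7 is an assumed remote admin address. The syntax is PIX OS 6.x, which is what a 501 of this era runs. Two points the thread does not spell out: a static by itself does not admit traffic from a lower-security interface, the access-list must also be bound with access-group; and forwarding 1433 from the Internet exposes SQL Server directly, which the web server on the same inside LAN does not need (it reaches 192.168.1.3 directly), so that rule is limited here to a single source address.

```cisco
! PIX 501, PIX OS 6.x -- added example, addresses are assumptions
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0

! Outbound PAT so the two servers can reach the Internet at all (updates, DNS)
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Static PAT: one public address, two ports, two inside hosts.
! Form is: static (high_if,low_if) tcp global_ip global_port local_ip local_port netmask mask max_conns emb_limit
static (inside,outside) tcp 203.0.113.10 www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 1433 192.168.1.3 1433 netmask 255.255.255.255 0 0

! The static only creates the translation; inbound permission comes from an ACL
! applied to the outside interface. Everything not listed is dropped.
access-list outside_in permit tcp any host 203.0.113.10 eq www
! SQL Server is not for the whole Internet: one assumed admin address only
access-list outside_in permit tcp host 198.51.100.7 host 203.0.113.10 eq 1433
access-group outside_in in interface outside
```

After adding or changing a static on PIX 6.x, run `clear xlate` so stale translations are dropped, then `show xlate` to confirm the PAT entries for ports 80 and 1433 exist and `show access-list outside_in` to watch the hit counts climb while a test client connects from outside. If the web server also needs to reach the Internet on its own, the nat/global pair above is what carries that traffic; the statics are inbound only.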

1:17 pm on Aug 10, 2004 (gmt 0)




Hopefully this will help me a lot!

One question, how did you create the www interface? I assume that is an interface you created for one specific machine behind the firewall?

Thanks,
Ian

4:43 pm on Aug 10, 2004 (gmt 0)





One question, how did you create the www interface? I assume that is an interface you created for one specific machine behind the firewall?

It was created using:

nameif ethernet1 www securityX
(fill in X with a number if you use it -- try it without "security" first -- it may cause problems unless you have security settings elsewhere and understand the relationships between the zones).

It was created for a subnet. It allows me to separate my SQL servers and WWW servers in different security zones, so that only MySQL is allowed through from the web servers, and nothing else, and so on. The security settings might be there in the 501, but I'm not sure.

Naming the interface makes life much easier in terms of creating rules for them.

-MM
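MM's zone layout, written out as an added example for a PIX with a third interface (a 515 or larger; the 501 has no spare interface for this). Interface names, security levels and addresses below are assumptions, not MM's configuration. The idea is that the SQL zone sits at a higher security level than the web zone, so web servers get nothing by default; an identity static exposes the SQL host into the www zone at its real address, and an ACL on the www interface permits only MySQL (3306) to it.

```cisco
! PIX 515, PIX OS 6.x -- added example, names and addresses are assumptions
nameif ethernet0 outside security0
nameif ethernet1 www security50
nameif ethernet2 sql security80
ip address outside 203.0.113.10 255.255.255.224
ip address www 192.168.2.1 255.255.255.0
ip address sql 192.168.3.1 255.255.255.0

! Web server (192.168.2.10) reachable from the Internet on port 80 only
static (www,outside) tcp 203.0.113.10 www 192.168.2.10 www netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Outbound PAT for the web zone
nat (www) 1 192.168.2.0 255.255.255.0 0 0
global (outside) 1 interface

! Identity static: the SQL host (192.168.3.10) is visible from the www zone
! under its own address, because sql is the higher-security interface
static (sql,www) 192.168.3.10 192.168.3.10 netmask 255.255.255.255 0 0

! Traffic originating in the www zone: MySQL to the one SQL host, nothing
! else toward the sql network. Once an ACL is bound to the www interface the
! implicit deny covers everything not listed, so add outbound rules (DNS,
! HTTP for updates) here as the web servers need them.
access-list www_in permit tcp host 192.168.2.10 host 192.168.3.10 eq 3306
access-list www_in deny ip any 192.168.3.0 255.255.255.0
access-list www_in permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list www_in permit udp 192.168.2.0 255.255.255.0 any eq domain
access-group www_in in interface www
```

Nothing is bound to the sql interface here, so SQL hosts cannot open connections toward the web zone or the Internet (lower-security destinations would need a nat/global pair first), which is usually the desired direction of trust: the web server initiates, the database only answers.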
