I've been trying so ridiculously hard to get the PIX to forward ports - but to no avail. Literally a full day of testing, resetting, testing again, searching Google, testing, resetting, etc. has yielded almost nothing.
Is this at all possible?
More specifically, I'm looking for how to make ip:port of aaa.aaa.aaa.aaa:80 to route to 192.168.1.2:80 (where 192.168.1.0 is the inside network) and aaa.aaa.aaa.aaa:1433 to route to 192.168.1.3:1433. I assume this *must* be possible, but I really don't seem to have a grasp on PAT (I think it's what I need to use!).
Can anyone help me, please!?
Thanks a ton,
I haven't even looked at my Cisco setup in a long time, so I may be a little rusty, but maybe I can at least give you some ideas. :)
I use this on my 515's (which I believe use syntax similar to the 501's):
static (www,outside) tcp aaa.aaa.aaa.aaa www 192.168.1.2 www netmask 255.255.255.255 0 0
(forwards tcp port 80 from outside to the inside "www" interface)
access-list outside permit tcp any host aaa.aaa.aaa.aaa eq www
(enable incoming port 80 to the outside IP)
ip address outside aaa.aaa.aaa.aaa 255.255.255.224
ip address www 192.168.1.2 255.255.255.0
nat (www) 1 0.0.0.0 0.0.0.0 0 0
(And this one I can't remember -- just telling it to nat that interface, I believe)
I hope that helps a little bit at least. :)
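The reply above shows the two halves a PIX needs for an inbound port forward: the static creates the translation, and the access-list (bound to the outside interface with access-group) is what actually lets the connection through. Forgetting the second half is the classic reason a forward "doesn't work". The checker below is an added example for this thread, not code from the thread or from Cisco: it parses the PIX 6.x line formats assumed here (`static (in,out) tcp ...`, `access-list ...`, `access-group ... in interface ...`) and reports every port-level static that has no permitting entry on its outside interface. The embedded sample config for the poster's two forwards (80 to 192.168.1.2, 1433 to 192.168.1.3) is constructed; the 1433 forward is deliberately left without a permit so the check has something to find.

```python
"""Lint a PIX 6.x config: every port-level 'static' needs an inbound ACL permit on the
outside interface, and that ACL must be bound with 'access-group'.  Added example for the
thread; the PIX line formats parsed here are assumed from the 6.x CLI, not taken from the page."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample config for the poster's scenario (aaa.aaa.aaa.aaa stands for the outside IP).
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside aaa.aaa.aaa.aaa 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) tcp aaa.aaa.aaa.aaa www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp aaa.aaa.aaa.aaa 1433 192.168.1.3 1433 netmask 255.255.255.255 0 0
access-list outside permit tcp any host aaa.aaa.aaa.aaa eq www
access-group outside in interface outside
"""

# PIX keyword names for well-known ports (subset; assumed from the 6.x CLI).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25,
              "ssh": 22, "telnet": 23, "domain": 53, "pop3": 110}


def port_number(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


@dataclass
class Static:
    inside_if: str
    outside_if: str
    proto: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    dst_addr: str              # "any", a host IP, or a network address
    dst_mask: Optional[str]
    dst_port: Optional[int]    # None means every port


def parse_addr(tok, i):
    """Consume one PIX address spec ('any' | 'host A' | 'A MASK'); return (addr, mask, next_i)."""
    if tok[i] == "any":
        return "any", None, i + 1
    if tok[i] == "host":
        return tok[i + 1], "255.255.255.255", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_config(text):
    statics, acls, bindings = [], [], {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "static" and tok[2] in ("tcp", "udp"):        # port-level static only
            m = re.match(r"\((\S+),(\S+)\)", tok[1])
            statics.append(Static(m.group(1), m.group(2), tok[2], tok[3],
                                  port_number(tok[4]), tok[5], port_number(tok[6])))
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            _, _, i = parse_addr(tok, 4)                            # source spec (not checked)
            if i < len(tok) and tok[i] == "eq":                     # optional source port filter
                i += 2
            dst, mask, i = parse_addr(tok, i)
            port = port_number(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.append(AclEntry(tok[1], tok[2], tok[3], dst, mask, port))
        elif tok[0] == "access-group" and tok[2] == "in" and tok[3] == "interface":
            bindings[tok[4]] = tok[1]                               # interface -> ACL applied inbound
    return statics, acls, bindings


def addr_matches(entry: AclEntry, ip: str) -> bool:
    if entry.dst_addr == "any":
        return True
    if entry.dst_mask == "255.255.255.255":
        return entry.dst_addr == ip
    try:
        net = ipaddress.ip_network(f"{entry.dst_addr}/{entry.dst_mask}", strict=False)
        return ipaddress.ip_address(ip) in net
    except ValueError:          # placeholder tokens such as aaa.aaa.aaa.aaa only match exactly
        return False


def first_match(static: Static, entries):
    """PIX ACLs are first-match: return the first entry covering this translated socket, or None."""
    for e in entries:
        if e.proto in ("ip", static.proto) and addr_matches(e, static.global_ip) \
                and e.dst_port in (None, static.global_port):
            return e
    return None


def check_port_forwards(config_text):
    """Return (ok, blocked): forwards that are reachable, and forwards the outside ACL stops."""
    statics, acls, bindings = parse_config(config_text)
    ok, blocked = [], []
    for s in statics:
        fwd = f"{s.proto} {s.global_ip}:{s.global_port} -> {s.local_ip}:{s.local_port}"
        acl_name = bindings.get(s.outside_if)
        if acl_name is None:
            blocked.append(f"{fwd}: no ACL bound inbound on {s.outside_if} (missing access-group)")
            continue
        hit = first_match(s, [e for e in acls if e.name == acl_name])
        if hit is None:
            blocked.append(f"{fwd}: translated but no permit in ACL '{acl_name}' on {s.outside_if}")
        elif hit.action == "deny":
            blocked.append(f"{fwd}: first matching entry in ACL '{acl_name}' is a deny")
        else:
            ok.append(fwd)
    return ok, blocked


if __name__ == "__main__":
    reachable, stopped = check_port_forwards(SAMPLE_CONFIG)
    for line in reachable:
        print("OK     ", line)
    for line in stopped:
        print("BLOCKED", line)
```

Run against the sample, the web forward is reported reachable and the SQL forward is reported as translated but not permitted; adding `access-list outside permit tcp any host aaa.aaa.aaa.aaa eq 1433` to the constructed config clears the finding. The same check would also flag a static whose outside interface has no `access-group` at all, which is the other common way the translation exists but nothing gets in.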
One question, how did you create the www interface? I assume that is an interface you created for one specific machine behind the firewall?
It was created using:
nameif ethernet1 www securityX
(fill in X with a number if you use it -- try it without "security" first -- it may cause problems unless you have security settings elsewhere and understand the relationships between the zones).
It was created for a subnet. It allows me to separate my SQL servers and WWW servers in different security zones, so that only mySQL is allowed through from the web servers, and nothing else, and so on. The security settings might be there in the 501, but I'm not sure.
Naming the interface makes life much easier in terms of creating rules for them.