Re: PIX 501 QUESTIONS...what am I doing wrong here?

From: Scott (blndspt) (scott_at_dontreplyhere.com)
Date: 04/03/04


Date: Sat, 3 Apr 2004 13:43:53 -0700

Guys,
    I figured it out based on a Cisco forum reply on dslreports.com. You
won't believe it. As it turns out, everything WAS working. I guess, when
you set up PAT and port forwarding in this way.... you can't access the
inside services FROM the INSIDE by going out to the internet. I confirmed
this by remoting to another server and attempting to open up the web site IP
and it worked. Any idea why you can type the public IP in from the inside?
http://publicIP:8080 wasn't working from the inside, but you can access it
from outside the firewall just fine. Also, if it is set up on 1 IP using
port forwarding in this way, do VPNs work ok? The real reason we got this
thing is b/c we are trying to set up a site to site VPN from a remote
location. Any problems there?
    Thanks everyone
    Scott

"Scott (blndspt)" <scott@dontreplyhere.com> wrote in message
news:VnDbc.147581$cx5.10485@fed1read04...
> All,
> hey, I wouldn't normally post here but I am dead stuck. First of all,
> let me tell you that I am a software developer and in no way a Cisco or PIX
> expert. So, I apologize in advance if the questions are too simple here.
> But, I have nowhere else to turn! Ok, so here goes. We got a PIX 501 to
> go in our co-location facility. I spent all day trying to set it up down
> there but was unsuccessful. So, I brought it home and decided to mess with
> it here. I have a Cox Cable Modem connection using DHCP. Also, since I
> have no desire to truly learn the CLI, I wanted to set up everything in the
> PDM. Ok, get this:
>
> I went through the simple setup wizard. I set up two interfaces:
>
> outside: DHCP
> inside: 192.168.1.1
>
> Pretty simple right. Now, all I wanted to do was now get the bare minimum
> working from the outside in. This is where I began to run into problems.
> No matter what I do, no access is allowed in. Here is what I tried:
>
> 1) Just get ICMP working.
> I went to the ICMP screen under administration in the PDM and added one
> stinking rule. I allowed all ICMP from any outside interface IP. Pretty
> simple right. Well, guess what, you couldn't ping the damn DHCP retrieved
> IP address. So, figuring that maybe Cox blocked ICMP on home networks, I
> decided to use the web port of 8080.
>
> 2) Get any traffic working through 8080
> I have a PIX firewall book in which I followed these instructions word
> for word. If you like, the PDM can display the commands that are given on
> each action, so I could go down there and copy and paste the CLI commands
> that are created. Anyway, here's what I did:
> First of all, I set up my laptop on 192.168.1.2 and set up IIS to run
> on port 8080. I verified that this worked by opening a browser to
> http://192.168.1.2:8080. This did give me the default web site. And, I
> know 100% that Cox doesn't block port 8080. My book told me to first
> create a simple address translation rule:
> Original Host/Network:
>     Interface: inside
>     IP: 192.168.1.2
>     Mask: 255.255.255.255
> Translate address on less secured interface: outside
> Translate address to: Static
>     IP Address: Interface IP (uses the DHCP address)
>     Redirect Port: yes
>     TCP: Original: 8080, Translated: 8080
>
> Then, as my book discusses, I created a simple address rule:
> Permit
>     Source: Outside
>     Destination: 192.168.1.2
>     Protocol: TCP port 8080 (for both source and destination)
>
> I saved the configuration as described.
>
> Guess what, you get no access then from the outside IP address which was
> http://68.104.185.40:8080. No go. Now, I know I'm not stupid, but my
> inability to either get ICMP working or traffic on 8080 befuddles me. I
> even installed VNC and tried the same things on port 5800.
>
> Does anyone see what is wrong here? I've set up 100 low tech routers for
> home use, but for some reason, I can't get any Inbound access working! I'm
> stuck!
>
> All Help is greatly appreciated. Sorry to bother you guys with such a
> simple question, but if you go to Google and type in PIX 501, you get little
> help in the way of a simple setup. And, the Cisco documentation mentions
> nothing of this.
>
> Thanks.
> Scott
>
>
>
>
>


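Added example, not part of the original posts: a CLI rendering of the PDM translation and access rules described in the quoted message, assuming PIX OS 6.3-style syntax (the thread does not state the software version). The ACL name outside_in is hypothetical, and lines starting with "!" are annotations, not commands.

```cisco
! Static PAT: TCP 8080 arriving on the outside interface's DHCP address
! is redirected to 192.168.1.2 port 8080 on the inside.
static (inside,outside) tcp interface 8080 192.168.1.2 8080 netmask 255.255.255.255

! Inbound rule: match on the destination port only. Clients connect from
! ephemeral source ports, so a rule that also required source port 8080
! would not match ordinary browser traffic.
access-list outside_in permit tcp any interface outside eq 8080
access-group outside_in in interface outside

! ICMP addressed to the PIX's own outside interface is controlled
! separately from the ACL above.
icmp permit any outside

! Checks from the console after a test connection from an outside host:
!   show xlate         (the static port mapping should be listed)
!   show access-list   (the hit counter on the permit line should increase)
```

Test such a rule from a host that is actually outside the firewall, as the reply above ended up doing. A PIX of this generation does not send a packet back out the interface it arrived on, so an inside client connecting to the outside address never reaches the static mapping.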
