PIX 506E-How to make internal servers accessible from public

16 years 5 months ago #25683 by cortezone
Hi,

I have a SOHO setup with one public IP (ISP gave me a /30 bunch). One of the public IPs is for their modem, of course; two are network and broadcast, leaving only one, which I use as the PIX external IP. I've configured the PIX so internal workstations can access the internet with no problem. I have a couple of servers that must be reachable from the outside. Here's the config that I used to allow that to happen.

global (outside) 1 interface
nat 1.0.0.0 0.0.0.0 0
ip address outside 217.30.x.x 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
name WEB-SERVER 192.168.1.20
name VOICE-SERVER 192.168.1.50
object-group service PUBLIC-SERVICES tcp
description Publicly accessible services
port-object eq www
port-object eq smtp
object-group service MEDIA-SERVICES udp
port-range 5060 5062
port-range 10000 25000

access-list INBOUND permit tcp any host WEB-SERVER object-group PUBLC-SERVICES
access-list INBOUND permit udp any host VOICE-SERVER object-group MEDIA-SERVICES
static (inside,outside) tcp interface www WEB-SERVER www netmask 255.255.255.255 0 0
static (inside,outside) udp interface object-group MEDIA-SERVICES VOICE-SERVER object-group MEDIA-SERVICE netmask 255.255.255.255 0 0

access-group INBOUND in interface outside

The problem is that, though I can ping the outside interface, I'm unable to connect to the web server from outside. Internally everything is fine, but when I try connecting to the web from a public access, no show. Incidentally, SIP traffic is passed successfully for both registration and call termination.

Is there something I'm missing? Is there a how-to somewhere I can consult? Has someone successfully configured this type of scenario and can they share the experience?

TIA
16 years 5 months ago #25714 by Elohim
Your access list references the wrong IP address of the server.

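The reply's point can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python lint that flags an ACL bound inbound on the outside interface whose destination is the real (inside) address of a host published by a `static`, and, going slightly beyond the reply, any `object-group` reference that was never defined. It assumes pre-8.3 PIX semantics (the outside ACL is evaluated against the translated address) and that `name` entries appearing in a `static` are inside hosts, as in the post; the `lint` function and finding labels are hypothetical.

```python
# Added example (not from the thread): lint a PIX-style config.
# Assumption: pre-8.3 NAT semantics, where an ACL applied inbound on the
# outside interface must match the translated (outside) address.

# Constructed sample: the web-server lines of the configuration posted above.
SAMPLE = """\
name WEB-SERVER 192.168.1.20
object-group service PUBLIC-SERVICES tcp
port-object eq www
port-object eq smtp
access-list INBOUND permit tcp any host WEB-SERVER object-group PUBLC-SERVICES
static (inside,outside) tcp interface www WEB-SERVER www netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
"""


def lint(config):
    """Return a list of (kind, offending_line) findings."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    names = {t[1] for t in lines if t[0] == "name" and len(t) > 2}
    groups = {t[2] for t in lines
              if t[:2] == ["object-group", "service"] and len(t) > 2}
    # ACLs applied inbound on the outside interface.
    outside_acls = {t[1] for t in lines
                    if t[0] == "access-group"
                    and t[2:] == ["in", "interface", "outside"]}
    # Named hosts published by a static (assumed to be real inside hosts).
    real_hosts = {tok for t in lines
                  if t[:2] == ["static", "(inside,outside)"]
                  for tok in t[2:] if tok in names}
    findings = []
    for t in lines:
        if t[0] != "access-list":
            continue
        for i, tok in enumerate(t[:-1]):
            if tok == "host" and t[1] in outside_acls and t[i + 1] in real_hosts:
                findings.append(("acl-uses-real-address", " ".join(t)))
            elif tok == "object-group" and t[i + 1] not in groups:
                findings.append(("undefined-object-group", " ".join(t)))
    return findings


if __name__ == "__main__":
    for kind, line in lint(SAMPLE):
        print(f"{kind}: {line}")
```

Real addresses written as IP literals rather than `name` entries are not resolved by this check.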
16 years 5 months ago #25739 by cortezone