[lug] OT: Cisco PIX

Hugh Brown hugh at math.byu.edu
Thu Oct 17 14:45:44 MDT 2002

I am struggling with getting a Cisco PIX firewall (501) to redirect web
traffic on the outside interface to a specific host on the inside.

Under Linux I would do this:

ipmasqadm portfw -a -P  tcp -L <ext ip> 80 -R <internal host> 80

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
             -s <remotehost> $UNPRIVPORTS \
             -d <ext ip> 443 -j ACCEPT  -l

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s <ext ip> 443 \
             -d <remote host> $UNPRIVPORTS -j ACCEPT  -l

I have tried the following on the PIX:

static (inside,outside) <ext ip> <internal host> netmask 0 0
access-list acl_out permit tcp host <remote host> gt 1024 host <internal host> eq 80
access-group acl_out in interface outside

and I get:

106023: Deny tcp src outside:<remote host>/40623 dst inside:<ext ip>/80 by access-group "acl_out"

What am I doing wrong?
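An added diagnostic for reading a message like the one above (my own example, not from the post or from Cisco): it parses the PIX 106023 deny line and the access-list entry, then reports which field of the ACE fails to match the denied flow. It uses constructed RFC 5737 sample addresses in place of the post's placeholders; note that the denied destination in the log is the external address on port 80, while the ACE permits the internal host, so the check reports a `dst` mismatch.

```python
import re

# Constructed sample values (RFC 5737 documentation ranges) standing in for
# the post's <remote host>, <ext ip> and <internal host> placeholders.
REMOTE, EXT_IP, INTERNAL = "203.0.113.10", "198.51.100.5", "192.168.1.20"
DENY_LINE = (f'106023: Deny tcp src outside:{REMOTE}/40623 '
             f'dst inside:{EXT_IP}/80 by access-group "acl_out"')
ACE_LINE = f"access-list acl_out permit tcp host {REMOTE} gt 1024 host {INTERNAL} eq 80"

# Syslog message 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<name>"
DENY_RE = re.compile(
    r'106023: Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# Single-host ACE with optional eq/gt/lt port operators on source and destination.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) permit (?P<proto>\w+) host (?P<sip>[\d.]+)"
    r"(?: (?P<sop>eq|gt|lt) (?P<sport>\d+))? host (?P<dip>[\d.]+)"
    r"(?: (?P<dop>eq|gt|lt) (?P<dport>\d+))?")

def parse(regex, line):
    m = regex.search(line)
    if not m:
        raise ValueError(f"unrecognised line: {line}")
    return m.groupdict()

def port_ok(op, wanted, actual):
    """Evaluate a PIX port operator; a missing operator matches any port."""
    if op is None:
        return True
    actual, wanted = int(actual), int(wanted)
    return {"eq": actual == wanted, "gt": actual > wanted, "lt": actual < wanted}[op]

def mismatched_fields(deny_line, ace_line):
    """Return the ACE fields that stop it matching the denied flow (empty list = it would match)."""
    d, a = parse(DENY_RE, deny_line), parse(ACE_RE, ace_line)
    checks = {
        "acl": d["acl"] == a["acl"],
        "proto": d["proto"] == a["proto"],
        "src": d["sip"] == a["sip"],
        "sport": port_ok(a["sop"], a["sport"], d["sport"]),
        "dst": d["dip"] == a["dip"],
        "dport": port_ok(a["dop"], a["dport"], d["dport"]),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    # Log dst is EXT_IP but the ACE permits INTERNAL, so only "dst" fails.
    print(mismatched_fields(DENY_LINE, ACE_LINE))  # ['dst']
```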
