Question : Cisco PIX 501 Port forwarding will not work.

Hi Guys,
I have been pulling my hair out with this PIX 501. I have it working via PPPoE, no problem with web access. I'm used to using Cisco routers, but this is my first PIX and it's been a little confusing. I have tried many different configs to access our server through the PIX on port 443 for OWA; it just won't work!!! I have the current config below. I have run show access-list and it's getting hit, and also run show xlate and the port translation shows up. Any help would be great.

thanks

Matt
Code Snippet:
PIX Version 6.3(5)                  
interface ethernet0 auto                        
interface ethernet1 100full                           
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                   
enable password 8Ry2YjIyt7RRXU24 encrypted                                          
passwd 2KFQnbNIdI.2KYOU encrypted                                 
hostname pixfirewall                    
domain-name ciscopix.com                        
fixup protocol dns maximum-length 512                                     
fixup protocol ftp 21                     
fixup protocol h323 h225 1720                             
fixup protocol h323 ras 1718-1719                                 
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                       
fixup protocol sip 5060                       
fixup protocol sip udp 5060                           
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names     
name 192.168.2.200 life-dc                          
access-list inbound permit tcp any interface outside eq https                                                             
access-list inbound permit tcp any interface outside eq 3389                                                            
access-list inbound permit icmp any any                                       
access-list outbound permit ip any any                                      
pager lines 24              
mtu outside 1500                
mtu inside 1500               
ip address outside pppoe setroute                                 
ip address inside 192.168.2.2 255.255.255.0                                           
ip audit info action alarm                          
ip audit attack action alarm                            
pdm logging informational 100                             
pdm history enable                  
arp timeout 14400                 
global (outside) 1 interface                            
nat (inside) 1 192.168.2.0 255.255.255.0 0 0                                            
nat (inside) 1 192.168.0.0 255.255.0.0 0 0                                          
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
static (inside,outside) tcp interface https life-dc https dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 life-dc 3389 netmask 255.255.255.255 0 0
access-group inbound in interface outside                                         
access-group outbound in interface inside                                         
timeout xlate 0:05:00                     
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                             
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                               
timeout sip-disconnect 0:02:00 sip-invite 0:03:00                                                 
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                   
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radius                                 
aaa-server RADIUS max-failed-attempts 3                                       
aaa-server RADIUS deadtime 10                             
aaa-server LOCAL protocol local                               
http server enable                  
http 192.168.2.0 255.255.255.0 inside                                     
no snmp-server location                       
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname lifeinstyle
vpdn group pppoe_group ppp authentication pap
vpdn username lifeinstyle password *********
vpdn username lifeinstyle password ********* store-local
dhcpd address 192.168.2.3-192.168.2.34 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:3a3946fe70aa3beb44e34206d0d0015b
: end
pixfirewall#

Answer : Cisco PIX 501 Port forwarding will not work.

OK, first off, you don't need the ACL permit ip any any on the inside interface. All traffic is allowed out by default. I suggest removing the access-group:
  no access-group outbound in interface inside

Otherwise, the configuration looks OK.
You can browse the Internet OK from the server console? How about from another PC?
Hit counters on the ACL and an established xlate usually point to the server config: either the subnet mask or default gateway is set incorrectly on the server, or sometimes there's a duplex mismatch between the server NIC and the switchport.
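The answer's reasoning (ACL hits plus an xlate mean the PIX side is consistent, so look at the server) can be mechanised as a cross-check of the posted PIX 6.3 config. The script below is an added example, not code from the question or the answer; it assumes the config excerpt reconstructed from the post, a small table of PIX port keywords, and only the `static (inside,outside) tcp ...` / `access-list ... eq <port>` / `access-group` forms seen on this page.

```python
# Constructed excerpt of the PIX 6.3(5) running config posted in the question.
PIX_CONFIG = """\
name 192.168.2.200 life-dc
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit icmp any any
access-list outbound permit ip any any
static (inside,outside) tcp interface https life-dc https dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 life-dc 3389 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
"""

# PIX port keywords accepted in place of numbers (assumed subset; extend as needed).
PORT_NAMES = {"https": 443, "www": 80, "smtp": 25, "ftp": 21}

def to_port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def audit_forwarding(config):
    """Cross-check each inbound 'permit tcp ... eq <port>' on the outside ACL
    against a matching 'static (inside,outside) tcp interface <port> ...'
    and flag a redundant access-group on the inside interface."""
    names, statics, acl_ports, groups = {}, {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                        # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "static" and t[2] == "tcp":  # static (in,out) tcp <g> <gport> <l> <lport> ...
            statics[to_port(t[4])] = (names.get(t[5], t[5]), to_port(t[6]))
        elif t[0] == "access-list" and t[2:4] == ["permit", "tcp"] and "eq" in t:
            acl_ports.setdefault(t[1], set()).add(to_port(t[t.index("eq") + 1]))
        elif t[0] == "access-group":              # access-group <acl> in interface <if>
            groups[t[4]] = t[1]
    findings = []
    outside_ports = acl_ports.get(groups.get("outside"), set())
    for port in sorted(outside_ports):
        if port not in statics:
            findings.append(f"tcp/{port} permitted inbound but no static translation")
    for port, (host, lport) in statics.items():
        if port not in outside_ports:
            findings.append(f"static for tcp/{port} -> {host}:{lport} not permitted by ACL on outside")
    if "inside" in groups:
        findings.append(f"access-group '{groups['inside']}' on inside is redundant: "
                        "inside-to-outside is allowed by default")
    return findings

if __name__ == "__main__":
    for f in audit_forwarding(PIX_CONFIG):
        print(f)
```

For the posted config the only finding is the redundant inside access-group, which is exactly why the answer turns to the server's mask, gateway and duplex settings.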