Solved

PIX 515-R 6.3(3) is not forwarding ports correctly. Pls Help

Posted on 2003-10-28
4
1,285 Views
Last Modified: 2013-11-16
I am trying to pass FTP and other ports from the outside interface to an internal address. They do not work correctly with the config below for either TCP or UDP. If I add an ANY ANY TCP or ANY ANY UDP then it works great.. that kinda defeats the purpose..  any help would be apriciated.. also I can't telnet or ssh to the pix from remote and it all looks good here..

-----

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password fYGjIZ.r.8FYvTjF encrypted
passwd 5FYXROcMdb4jxDuy encrypted
hostname shizzlemydizzle
domain-name osiris.morpheus.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any eq ftp host 38.119.65.134 eq ftp
access-list outside_access_in permit tcp any eq ftp-data host 38.119.65.134 eq ftp-data
access-list outside_access_in permit udp any eq 8192 host 38.119.65.140 eq 8192
access-list outside_access_in permit udp any eq 2068 host 38.119.65.140 eq 2068
access-list outside_access_in permit udp any eq 3211 host 38.119.65.140 eq 3211
pager lines 24
icmp deny any outside
icmp permit host 24.99.11.194 outside
icmp permit host 66.215.0.0 outside
icmp permit host 66.214.0.0 outside
icmp permit host 38.119.65.0 outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 38.119.65.130 255.255.255.224
ip address inside 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.10 255.255.255.255 inside
pdm location 10.10.10.11 255.255.255.255 inside
pdm location 10.10.10.15 255.255.255.255 inside
pdm location 10.10.10.21 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 38.119.65.131 255.255.255.255 outside
pdm location 38.119.65.133 255.255.255.255 outside
pdm location 38.119.65.134 255.255.255.255 outside
pdm location 66.214.0.0 255.255.0.0 outside
pdm location 66.215.0.0 255.255.0.0 outside
pdm location 66.226.237.106 255.255.255.255 outside
pdm location 24.99.11.0 255.255.255.0 outside
pdm location 66.226.237.0 255.255.255.0 outside
pdm location 216.31.179.0 255.255.255.0 outside
pdm location 38.119.65.0 255.255.255.0 outside
pdm location 162.119.232.0 255.255.255.0 outside
pdm location 10.10.10.244 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 38.119.65.132
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
static (inside,outside) 38.119.65.133 10.10.10.15 netmask 255.255.255.255 0 0
static (inside,outside) 38.119.65.140 10.10.10.10 netmask 255.255.255.255 0 0
static (inside,outside) 38.119.65.134 10.10.10.21 netmask 255.255.255.255 0 0
static (inside,outside) 38.119.65.135 10.10.10.244 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 38.119.65.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.99.11.0 255.255.255.0 outside
http 66.214.0.0 255.255.0.0 outside
http 66.215.0.0 255.255.0.0 outside
http 66.226.237.0 255.255.255.0 outside
http 162.119.232.0 255.255.255.0 outside
http 216.31.179.0 255.255.255.0 outside
http 10.10.10.0 255.255.255.0 inside
tftp-server inside 10.10.10.21 /
floodguard enable
telnet 24.99.11.0 255.255.255.0 outside
telnet 38.119.65.0 255.255.255.0 outside
telnet 66.214.0.0 255.255.0.0 outside
telnet 66.215.0.0 255.255.0.0 outside
telnet 66.226.237.0 255.255.255.0 outside
telnet 162.119.232.0 255.255.255.0 outside
telnet 216.31.179.0 255.255.255.0 outside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 24.99.11.0 255.255.255.0 outside
ssh 66.215.0.0 255.255.0.0 outside
ssh 66.214.0.0 255.255.0.0 outside
ssh 66.226.237.0 255.255.255.0 outside
ssh 216.31.179.0 255.255.255.0 outside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80

0
Comment
Question by:firestormo1995
  • 3
4 Comments
 
LVL 2

Accepted Solution

by:
TomCRiley earned 200 total points
ID: 9641288
Unless I'm reading this wrong, your ACL's should look like this:

access-list outside_access_in permit tcp any host 38.119.65.134 eq ftp
access-list outside_access_in permit tcp any host 38.119.65.134 eq ftp-data
access-list outside_access_in permit udp any host 38.119.65.140 eq 8192
access-list outside_access_in permit udp any host 38.119.65.140 eq 2068
access-list outside_access_in permit udp any host 38.119.65.140 eq 3211

About the SSH/telnet thing...I've had some weird problems with my PIX when I block all ICMP on the outside interface.  ICMP type 3 (unreachable) has to be open.  I know that it causes problems with VPN stuff when it's not, but I'm not sure about SSH.  It's worth a shot, though.

Tom
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9641497
Or this:

access-list outside_access_in permit tcp any ftp host 38.119.65.134 ftp
access-list outside_access_in permit tcp any ftp-data host 38.119.65.134 ftp-data
access-list outside_access_in permit udp any 8192 host 38.119.65.140 8192
access-list outside_access_in permit udp any 2068 host 38.119.65.140 2068
access-list outside_access_in permit udp any 3211 host 38.119.65.140 3211

Tom
0
 

Author Comment

by:firestormo1995
ID: 9644188
the second one did not work.. the pix came back with invalid IP address.  Also it looks like the first post may have worked.. but it also looks like it allows any ip and any port to connect to a private address with a specific port.
0
 
LVL 2

Expert Comment

by:TomCRiley
ID: 9644324
The first one is right.  I would double-check the "any" thing.  That doesn't seem like that should be the case with your code.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
WYSIWYG editor triggering application firewall errors 6 61
increase internet speed 3 83
Trojan blocked 11 84
SRX240 SYSLOG Setting 6 89
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now