Solved

"Port Forwarding" on a PIX 501

Posted on 2004-03-31
5
2,213 Views
Last Modified: 2010-04-09
I have a PIX 501 configured behind a business class cable modem with a single static IP address.

Obviously, I have PAT configured to allow Internet access for all of the machines (about 6) behind the PIX.

I'm trying to do what is basically "port forwarding" on any $50 Linksys router, but is apparently infinitely more complicated on a $500 PIX (as it needs to be for reasons beyond my understanding, I'm sure).

I've tried the following:

::   static (inside, outside) tcp <outside IP to "listen on"> <outside port/service> <inside ip address to forward the ports to> <inside ports> netmask 255.255.255.255 0 0

Along with an accompanying access rule.

What am I doing wrong?
0
Comment
Question by:titan6400
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 350 total points
ID: 10723482
If you want to say, set up a web server, you are definately on the right track:

access-list outside_access_in permit tcp any any eq www
!
static (inside,outside) tcp interface 80 192.168.1.111 80
!
access-group outside_access_in in interface outside
clear xlate

Perhaps you did not apply the access-list?
Sometimes the clear xlate is necessary.
0
 

Author Comment

by:titan6400
ID: 10727400
I don't know what the deal was exactly, but I cleared out everything and did everything exactly as you had it noted and now it works.

Maybe I did forget to apply the ACL or something.

Thanks in any case.
0
 

Expert Comment

by:abrice1
ID: 10917219
I'm having a simular problem. I'm trying for forward some ports to an internal address and for some reason the log says the access group is denying the request.

What's odd is that ports 6881-6889, and 443 are confirmed working. Ports 25, and 4662 are confirmed to not work (port 6346 still needs to be tested...) yet they are all part of the same access group, with the exact same access list configuration.

Below is the log entry for a incoming SMTP request:

Deny tcp src outside:xxx.xxx.xxx.xxx/25 dst inside:192.168.2.80/25 by access-group "outside_access_in"

Below is my current firewall configuration:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Sharaza tcp-udp
  port-object range 6346 6346
object-group service BitTorrent tcp
  port-object range 6881 6889
object-group service eMule tcp-udp
  port-object range 4662 4662
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any object-group Sharaza interface outside object-group Sharaza
access-list outside_access_in remark BitTorrent Ports
access-list outside_access_in permit tcp any object-group BitTorrent interface outside object-group BitTorrent
access-list outside_access_in remark Exchange - SMTP
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit tcp any object-group eMule interface outside object-group eMule
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.2.224 255.255.255.240
pager lines 24
logging on
logging console informational
logging monitor informational
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool palm 192.168.2.230-192.168.2.233
pdm location 192.168.2.50 255.255.255.255 inside
pdm location 192.168.2.80 255.255.255.255 inside
pdm location 192.168.2.224 255.255.255.240 outside
pdm location 217.167.20.237 255.255.255.255 outside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https 192.168.2.80 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6346 192.168.2.50 6346 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6346 192.168.2.50 6346 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 192.168.2.50 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6882 192.168.2.50 6882 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6883 192.168.2.50 6883 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6884 192.168.2.50 6884 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6885 192.168.2.50 6885 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6886 192.168.2.50 6886 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6887 192.168.2.50 6887 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6888 192.168.2.50 6888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6889 192.168.2.50 6889 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.80 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 192.168.2.50 4662 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4662 192.168.2.50 4662 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 192.168.2.50 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname user0
vpdn group pppoe_group ppp authentication pap
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local palm
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.2.80
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username user0 password ********* store-local
vpdn username user1 password *********
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username user password xxxxx encrypted privilege 15
terminal width 80

: end
[OK]
0
 

Expert Comment

by:kaos_shiv
ID: 11284018
i am trying to do port forwarding ... can u give me the steps on how to go about doing this .... or any good links or doc on the topic
0
 

Expert Comment

by:ahsan9211110200
ID: 11298665
hello
Study this article and u'll get the answer of ur Q's

http://cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a008015e582.html

bye
ahsan9211
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Watchguard Firewall Setup 3 29
Cisco 1830 AP behaving wierdly 7 25
Route summarization 9 44
Cisco ASA 5505 ios upgrade 6 29
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
This video discusses moving either the default database or any database to a new volume.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now