Solved

"Port Forwarding" on a PIX 501

Posted on 2004-03-31
5
2,214 Views
Last Modified: 2010-04-09
I have a PIX 501 configured behind a business class cable modem with a single static IP address.

Obviously, I have PAT configured to allow Internet access for all of the machines (about 6) behind the PIX.

I'm trying to do what is basically "port forwarding" on any $50 Linksys router, but is apparently infinitely more complicated on a $500 PIX (as it needs to be for reasons beyond my understanding, I'm sure).

I've tried the following:

::   static (inside, outside) tcp <outside IP to "listen on"> <outside port/service> <inside ip address to forward the ports to> <inside ports> netmask 255.255.255.255 0 0

Along with an accompanying access rule.

What am I doing wrong?
0
Comment
Question by:titan6400
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 350 total points
ID: 10723482
If you want to say, set up a web server, you are definately on the right track:

access-list outside_access_in permit tcp any any eq www
!
static (inside,outside) tcp interface 80 192.168.1.111 80
!
access-group outside_access_in in interface outside
clear xlate

Perhaps you did not apply the access-list?
Sometimes the clear xlate is necessary.
0
 

Author Comment

by:titan6400
ID: 10727400
I don't know what the deal was exactly, but I cleared out everything and did everything exactly as you had it noted and now it works.

Maybe I did forget to apply the ACL or something.

Thanks in any case.
0
 

Expert Comment

by:abrice1
ID: 10917219
I'm having a simular problem. I'm trying for forward some ports to an internal address and for some reason the log says the access group is denying the request.

What's odd is that ports 6881-6889, and 443 are confirmed working. Ports 25, and 4662 are confirmed to not work (port 6346 still needs to be tested...) yet they are all part of the same access group, with the exact same access list configuration.

Below is the log entry for a incoming SMTP request:

Deny tcp src outside:xxx.xxx.xxx.xxx/25 dst inside:192.168.2.80/25 by access-group "outside_access_in"

Below is my current firewall configuration:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Sharaza tcp-udp
  port-object range 6346 6346
object-group service BitTorrent tcp
  port-object range 6881 6889
object-group service eMule tcp-udp
  port-object range 4662 4662
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any object-group Sharaza interface outside object-group Sharaza
access-list outside_access_in remark BitTorrent Ports
access-list outside_access_in permit tcp any object-group BitTorrent interface outside object-group BitTorrent
access-list outside_access_in remark Exchange - SMTP
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit tcp any object-group eMule interface outside object-group eMule
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.2.224 255.255.255.240
pager lines 24
logging on
logging console informational
logging monitor informational
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool palm 192.168.2.230-192.168.2.233
pdm location 192.168.2.50 255.255.255.255 inside
pdm location 192.168.2.80 255.255.255.255 inside
pdm location 192.168.2.224 255.255.255.240 outside
pdm location 217.167.20.237 255.255.255.255 outside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https 192.168.2.80 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6346 192.168.2.50 6346 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6346 192.168.2.50 6346 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 192.168.2.50 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6882 192.168.2.50 6882 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6883 192.168.2.50 6883 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6884 192.168.2.50 6884 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6885 192.168.2.50 6885 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6886 192.168.2.50 6886 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6887 192.168.2.50 6887 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6888 192.168.2.50 6888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6889 192.168.2.50 6889 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.80 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 192.168.2.50 4662 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4662 192.168.2.50 4662 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 192.168.2.50 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname user0
vpdn group pppoe_group ppp authentication pap
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local palm
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.2.80
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username user0 password ********* store-local
vpdn username user1 password *********
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username user password xxxxx encrypted privilege 15
terminal width 80

: end
[OK]
0
 

Expert Comment

by:kaos_shiv
ID: 11284018
i am trying to do port forwarding ... can u give me the steps on how to go about doing this .... or any good links or doc on the topic
0
 

Expert Comment

by:ahsan9211110200
ID: 11298665
hello
Study this article and u'll get the answer of ur Q's

http://cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a008015e582.html

bye
ahsan9211
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question