Solved

Port forwarding with Cisco PIX 501

Posted on 2004-04-27
4
134,775 Views
Last Modified: 2013-11-16
I'm not sure how this web site works, if simular problems should be posted under existing questions, or new questions should be created, in any case I've done both! :) Below is the problem I'm having, if anyone can provide some feedback it would be VERY helpfull.

Thanks!

I'm trying for forward some ports to an internal address and for some reason the log says the access group is denying the request.

What's odd is that ports 6881-6889, and 443 are confirmed working. Ports 25, and 4662 are confirmed to not work, and port 6346 still needs to be tested. Yet they are all part of the same access group, with the exact same access list configuration.

Below is the log entry for a incoming SMTP request:

Deny tcp src outside:xxx.xxx.xxx.xxx/25 dst inside:192.168.2.80/25 by access-group "outside_access_in"

Below is my current firewall configuration:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Sharaza tcp-udp
  port-object range 6346 6346
object-group service BitTorrent tcp
  port-object range 6881 6889
object-group service eMule tcp-udp
  port-object range 4662 4662
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any object-group Sharaza interface outside object-group Sharaza
access-list outside_access_in remark BitTorrent Ports
access-list outside_access_in permit tcp any object-group BitTorrent interface outside object-group BitTorrent
access-list outside_access_in remark Exchange - SMTP
access-list outside_access_in permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in permit tcp any object-group eMule interface outside object-group eMule
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.2.224 255.255.255.240
pager lines 24
logging on
logging console informational
logging monitor informational
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool palm 192.168.2.230-192.168.2.233
pdm location 192.168.2.50 255.255.255.255 inside
pdm location 192.168.2.80 255.255.255.255 inside
pdm location 192.168.2.224 255.255.255.240 outside
pdm location 217.167.20.237 255.255.255.255 outside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https 192.168.2.80 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6346 192.168.2.50 6346 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6346 192.168.2.50 6346 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 192.168.2.50 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6882 192.168.2.50 6882 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6883 192.168.2.50 6883 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6884 192.168.2.50 6884 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6885 192.168.2.50 6885 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6886 192.168.2.50 6886 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6887 192.168.2.50 6887 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6888 192.168.2.50 6888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6889 192.168.2.50 6889 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.80 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 192.168.2.50 4662 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4662 192.168.2.50 4662 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 192.168.2.50 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname user0
vpdn group pppoe_group ppp authentication pap
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local palm
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.2.80
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username user0 password ********* store-local
vpdn username user1 password *********
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username user password xxxxx encrypted privilege 15
terminal width 80

: end
[OK]
0
Comment
Question by:abrice1
  • 2
  • 2
4 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10927611
This is correct:

Deny tcp src outside:xxx.xxx.xxx.xxx/25 dst inside:192.168.2.80/25 by access-group "outside_access_in"

Outside hosts should NOT be allowed to talk to the inside host directly on port 25.
So - why is this host even trying to talk to your internal mail server on it's internal address ?

If email's not working, maybe it's something else ?

fixup smtp is known to cause problems with Enterprise email servers (Exchange, Domino etc).  Try no fixup smtp.

0
 

Author Comment

by:abrice1
ID: 10930324
Why not? The other access rules allow for direct access (443, 6881-6889), it's only smtp (25) and 4662 that aren't working.

Isn't that the point of port forwarding to forward ports from the external interface to an internal host? This would be a simple task with a linksys! :-)
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 135 total points
ID: 10932625
What you should be seeing is traffic being accepted from outside to the NATted address of the SMTP server, not it's internal address.
I would do the access-list slightly differently.  Instead of:

access-list outside_access_in permit tcp any eq smtp interface outside eq smtp

use this:

access-list outside_access_in permit tcp any interface outside eq smtp

Also, with this error message, is xxx.xxx.xxx.xxx your external PIX address, or something out on the Internet ?

Deny tcp src outside:xxx.xxx.xxx.xxx/25 dst inside:192.168.2.80/25 by access-group "outside_access_in"

Don't forget to 'clear xlate' everytime you make a NAT change.  Or just reboot...  ;)
0
 

Author Comment

by:abrice1
ID: 10937643
I actually ended up trying what you commented on last night before I saw this and it solved the problem. I just copied the working SSL access list and changed it for 4662 and smtp. --- Something I learned with this is NEVER use the GUI to do anything other than monitor the firewall.

Thanks for your help!!

-Arron
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now