spotnruby
asked on
Can't forward ports to server through CISCO PIX 501
Hi all,
I'm having a problem configuring a PIX 501 to forward some ports to a newly installed server. I'm primarily a server admin not a network admin so you guys can really help me out here. I've inherited the firewall and I am not sure what some of the settings are for so I have tried to only add what I needed without removing what I don't understand.
I've xxx'd out some identifying information. I don't think it will prevent you from figuring this out.
I've also used the following conventions in obscuring some information:
Internal Network: a.b.c.0/24
Internal Server IP: a.b.c.11
PIX LAN IP: a.b.c.1
PIX Primary WAN IP: w.x.y.153
PIX Secondary WAN IP: w.x.y.154
PIX Default Gateway: w.x.y.158
And with that, here is the running config:
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name xxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 152
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name a.b.c.11 SERVER
access-list server-traffic permit tcp any interface outside eq www
access-list server-traffic permit tcp any interface outside eq smtp
access-list server-traffic permit tcp any interface outside eq pop3
access-list server-traffic permit tcp any interface outside eq imap4
access-list server-traffic permit tcp any interface outside eq https
access-list server-traffic permit tcp any interface outside eq 444
access-list server-traffic permit tcp any interface outside eq pptp
access-list server-traffic permit tcp any interface outside eq 3389
access-list server-traffic permit tcp any interface outside eq 4125
access-list ipsectraffic permit ip a.b.c.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging history emergencies
mtu outside 1500
mtu inside 1500
ip address outside w.x.y.153 255.255.255.248
ip address inside a.b.c.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name ATTACK-DETECT attack action alarm drop reset
ip audit interface outside ATTACK-DETECT
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.1.1-172.16.1.10
pdm location 172.16.1.0 255.255.255.0 outside
pdm location a.b.c.0 255.255.255.0 inside
pdm location SERVER 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 w.x.y.154
nat (inside) 0 access-list ipsectraffic
nat (inside) 1 a.b.c.0 255.255.255.0 0 0
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 SERVER pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 SERVER imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 SERVER 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp SERVER pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 SERVER 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 SERVER 4125 netmask 255.255.255.255 0 0
access-group server-traffic in interface outside
route outside 0.0.0.0 0.0.0.0 w.x.y.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
ntp server 198.82.161.227 source outside
ntp server 198.82.162.213 source outside prefer
http server enable
http a.b.c.0 255.255.255.0 inside
snmp-server host inside SERVER
no snmp-server location
no snmp-server contact
snmp-server community xxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AES-256 esp-aes-256 esp-md5-hmac
crypto dynamic-map vpnuser 65000 set transform-set AES-256
crypto map vpnmap 65000 ipsec-isakmp dynamic vpnuser
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 65000 authentication pre-share
isakmp policy 65000 encryption aes-256
isakmp policy 65000 hash md5
isakmp policy 65000 group 2
isakmp policy 65000 lifetime 86400
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient default-domain xxx.com
vpngroup vpnclient split-tunnel ipsectraffic
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
telnet 172.16.1.0 255.255.255.0 outside
telnet a.b.c.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username xxx password xxx encrypted privilege 15
terminal width 80
banner motd WARNING!!! UNAUTHORIZED ACCESS IS PROHIBITED!!!
Cryptochecksum:xxx
: end
[OK]
Thanks all!
I'm having a problem configuring a PIX 501 to forward some ports to a newly installed server. I'm primarily a server admin not a network admin so you guys can really help me out here. I've inherited the firewall and I am not sure what some of the settings are for so I have tried to only add what I needed without removing what I don't understand.
I've xxx'd out some identifying information. I don't think it will prevent you from figuring this out.
I've also used the following conventions in obscuring some information:
Internal Network: a.b.c.0/24
Internal Server IP: a.b.c.11
PIX LAN IP: a.b.c.1
PIX Primary WAN IP: w.x.y.153
PIX Secondary WAN IP: w.x.y.154
PIX Default Gateway: w.x.y.158
And with that, here is the running config:
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name xxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 152
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name a.b.c.11 SERVER
access-list server-traffic permit tcp any interface outside eq www
access-list server-traffic permit tcp any interface outside eq smtp
access-list server-traffic permit tcp any interface outside eq pop3
access-list server-traffic permit tcp any interface outside eq imap4
access-list server-traffic permit tcp any interface outside eq https
access-list server-traffic permit tcp any interface outside eq 444
access-list server-traffic permit tcp any interface outside eq pptp
access-list server-traffic permit tcp any interface outside eq 3389
access-list server-traffic permit tcp any interface outside eq 4125
access-list ipsectraffic permit ip a.b.c.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging history emergencies
mtu outside 1500
mtu inside 1500
ip address outside w.x.y.153 255.255.255.248
ip address inside a.b.c.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name ATTACK-DETECT attack action alarm drop reset
ip audit interface outside ATTACK-DETECT
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.1.1-172.16.1.10
pdm location 172.16.1.0 255.255.255.0 outside
pdm location a.b.c.0 255.255.255.0 inside
pdm location SERVER 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 w.x.y.154
nat (inside) 0 access-list ipsectraffic
nat (inside) 1 a.b.c.0 255.255.255.0 0 0
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 SERVER pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 SERVER imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 SERVER 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp SERVER pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 SERVER 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 SERVER 4125 netmask 255.255.255.255 0 0
access-group server-traffic in interface outside
route outside 0.0.0.0 0.0.0.0 w.x.y.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
ntp server 198.82.161.227 source outside
ntp server 198.82.162.213 source outside prefer
http server enable
http a.b.c.0 255.255.255.0 inside
snmp-server host inside SERVER
no snmp-server location
no snmp-server contact
snmp-server community xxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AES-256 esp-aes-256 esp-md5-hmac
crypto dynamic-map vpnuser 65000 set transform-set AES-256
crypto map vpnmap 65000 ipsec-isakmp dynamic vpnuser
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 65000 authentication pre-share
isakmp policy 65000 encryption aes-256
isakmp policy 65000 hash md5
isakmp policy 65000 group 2
isakmp policy 65000 lifetime 86400
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient default-domain xxx.com
vpngroup vpnclient split-tunnel ipsectraffic
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
telnet 172.16.1.0 255.255.255.0 outside
telnet a.b.c.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username xxx password xxx encrypted privilege 15
terminal width 80
banner motd WARNING!!! UNAUTHORIZED ACCESS IS PROHIBITED!!!
Cryptochecksum:xxx
: end
[OK]
Thanks all!
ASKER
The SERVER's IP is a.b.c.11 and its default gateway is a.b.c.1 with a bitmask of 24. I just confirmed that manually.
I've decided that since I have a backup of the config, I'm going to simplify the config as much as possible to see if I can just get the port forwarding to work. Once that works, I'll increase security on the firewall. So, I have a newer simpler config as shown below. But, it's still not working.
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name a.b.c.11 SERVER
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any interface outside eq imap4
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq 444
access-list outside_in permit tcp any interface outside eq pptp
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 4125
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside w.x.y.153 255.255.255.248
ip address inside a.b.c.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location a.b.c.0 255.255.255.0 inside
pdm location SERVER 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 a.b.c.0 255.255.255.0 0 0
static (inside,outside) tcp w.x.y.155 smtp SERVER smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 www SERVER www netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 https SERVER https netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 444 SERVER 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 3389 SERVER 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 4125 SERVER 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 pptp SERVER pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 pop3 SERVER pop3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 w.x.y.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
ntp server 198.82.161.227 source outside
ntp server 198.82.162.213 source outside prefer
http server enable
http a.b.c.0 255.255.255.0 inside
snmp-server host inside SERVER
no snmp-server location
no snmp-server contact
snmp-server community xxx
snmp-server enable traps
floodguard enable
isakmp policy 65000 authentication rsa-sig
isakmp policy 65000 encryption des
isakmp policy 65000 hash sha
isakmp policy 65000 group 1
isakmp policy 65000 lifetime 86400
telnet a.b.c.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username admin password xxx encrypted privilege 15
terminal width 80
banner motd WARNING!!! UNAUTHORIZED ACCESS IS PROHIBITED!!!
Cryptochecksum:xxx
: end
[OK]
I've decided that since I have a backup of the config, I'm going to simplify the config as much as possible to see if I can just get the port forwarding to work. Once that works, I'll increase security on the firewall. So, I have a newer simpler config as shown below. But, it's still not working.
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name xxx
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name a.b.c.11 SERVER
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any interface outside eq imap4
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq 444
access-list outside_in permit tcp any interface outside eq pptp
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 4125
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside w.x.y.153 255.255.255.248
ip address inside a.b.c.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location a.b.c.0 255.255.255.0 inside
pdm location SERVER 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 a.b.c.0 255.255.255.0 0 0
static (inside,outside) tcp w.x.y.155 smtp SERVER smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 www SERVER www netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 https SERVER https netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 444 SERVER 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 3389 SERVER 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 4125 SERVER 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 pptp SERVER pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp w.x.y.155 pop3 SERVER pop3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 w.x.y.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
ntp server 198.82.161.227 source outside
ntp server 198.82.162.213 source outside prefer
http server enable
http a.b.c.0 255.255.255.0 inside
snmp-server host inside SERVER
no snmp-server location
no snmp-server contact
snmp-server community xxx
snmp-server enable traps
floodguard enable
isakmp policy 65000 authentication rsa-sig
isakmp policy 65000 encryption des
isakmp policy 65000 hash sha
isakmp policy 65000 group 1
isakmp policy 65000 lifetime 86400
telnet a.b.c.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username admin password xxx encrypted privilege 15
terminal width 80
banner motd WARNING!!! UNAUTHORIZED ACCESS IS PROHIBITED!!!
Cryptochecksum:xxx
: end
[OK]
If you have the spare external IP address, why not make it really simple with a single 1-1 NAT
static (inside,outside) x.x.x.155 SERVER netmask 255.255.255.255
Else, it should work just the way you have it. A couple of caveats:
- If you are testing access to the public interface from the inside network - don't
- If you NEED to access the public ip from inside, we'll have to work that as a separate issue
- use "show access-list" to see hintcounts increase on the acl to see if anything is even trying to get in
static (inside,outside) x.x.x.155 SERVER netmask 255.255.255.255
Else, it should work just the way you have it. A couple of caveats:
- If you are testing access to the public interface from the inside network - don't
- If you NEED to access the public ip from inside, we'll have to work that as a separate issue
- use "show access-list" to see hintcounts increase on the acl to see if anything is even trying to get in
ASKER
Never mind. I figured it out that with the latest config I just had to change the static commands to point to interface instead of w.x.y.155.
Thanks.
Thanks.
This question will be classified as abandoned soon if we don't get some feedback from you.
Can you close out this question? See here for details:
https://www.experts-exchange.com/help.jsp#hs5
Thanks for your attention!
ASKER
This can be closed and refunded. I answered my own question. Thanks.
ASKER
I'm sorry but I thought it was obvious from my previous comment.
<QUOTE>
Never mind. I figured it out that with the latest config I just had to change the static commands to point to interface instead of w.x.y.155.
</QUOTE>
Thanks.
<QUOTE>
Never mind. I figured it out that with the latest config I just had to change the static commands to point to interface instead of w.x.y.155.
</QUOTE>
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
access-list permit required ports - check
static xlate inside,outside - interface to server - check
access-list applied to interface - check
What is default gateway setting on SERVER?
It must point to a.b.c.1
Check it's subnet mask also.