PIX 501 port forwarding not forwarding

PlusInc

ASKER

I have a PIX 501 which is routing Remote Desktop on the primary interface IP of 66.xx.xx.186 to a server of 192.168.0.253... This works...
However, I am trying to route port 3389 for Remote Desktop for another external IP of 66.xx.xx.187 to an internal machine of 192.168.0.200, and this is NOT working.

I see in show access-list a hitcnt showing the hit, but no connection is established.
The same thing happens when I try to forward port 3390 on the outside interface (66.xx.xx.186) to 3389 on the 192.168.0.200 machine.... The hit count increases, but no connection.

I am able to Remote Desktop to the machine just fine on the LAN, it has no firewall running on it.
The same thing happens for port 8080, which I can hit with a browser via the LAN, but not if I configure it on the PIX...

I also cannot ping the 66.xx.xx.187 real-world IP, but I CAN ping the *.186 IP from outside the LAN.

Below is some of my config...


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 66.xx.xx.186 eq 3389        DOES WORK
access-list outside_access_in permit tcp any host 66.xx.xx.187 eq 3389        DOES *NOT* WORK
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 interface outside
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 interface outside
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.186 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.xx.xx.186 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0    WORKS
static (inside,outside) tcp 66.0.177.187 3389 192.168.0.200 3389 netmask 255.255.255.255 0 0   DOES *NOT* WORK
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.0.177.185 1

So the issues are...

No ability to get to 66.xx.xx.187 via remote desktop
No ability to ping the machine associated with .187 (not a big deal, but what am I missing here?)

output from show access-list:

access-list outside_access_in line 2 permit tcp any host 66.xx.xx.186 eq 3389 (hitcnt=5)   WORKS

access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=4)  DOES *NOT* WORK...


Thank you,

John

SOLUTION
minmei

ASKER CERTIFIED SOLUTION
Cyclops3590

PlusInc

ASKER

access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=7)

I keep watching the hitcnt increase, but no connection made =(

yes, I can get to the internal machine on the LAN, but not on the outside....
Very odddddd.

now, as a test, I routed 3389 on the main interface IP to the machine I wanted on the LAN, and it still would not route through... GRRRRR

I did clear xlate and clear local, etc...  

It's those hit counts that blow me away... So the PIX is accepting the traffic, routing it? Maybe the machine is the problem? Hrmmmmm

John


Did you run a capture on the inside interface of the PIX to make sure you saw the packets being sent?

pixfirewall(config)#capture cap_in interface inside
then
pixfirewall(config)#show capture cap_in | grep 192.168.0.200

Also make sure that from the firewall you can ping 192.168.0.200, just to be sure.

PlusInc

ASKER

OMG I am a dunce!

The machine I was wanting to forward to did not have a gateway set on it!!!!!!!!!!!  I had to physically get to this location to check it because I did not have a login/password to get into the box over the LAN (from the Remote Desktop connection I had to the server)....

WOW... Okay, color me stupid.

Thank you all for your help, I am applying points to everyone! hahahaha
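As an added example that is not part of the thread, the checker below applies the diagnostic order the thread ends up following to a PIX 6.3 config: is the public IP inside the outside-interface subnet, does the inbound ACL permit the static, does the ACL hitcnt move, and if it does, the fault is past the PIX on the inside host (firewall, listener, or a missing default gateway, as in this case). The config excerpt is constructed from the question: the masked "66.xx.xx" octets are filled with the 66.0.177 prefix that the route line shows, the 8080 static and the hit counts are made up to exercise the branches.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the question's config; the masked "66.xx.xx"
# octets are filled in with the 66.0.177 prefix from the route line, and the
# 8080 static (with no ACL entry) is added to exercise that branch.
CONFIG = """
ip address outside 66.0.177.186 255.255.255.248
access-list outside_access_in permit tcp any host 66.0.177.186 eq 3389
access-list outside_access_in permit tcp any host 66.0.177.187 eq 3389
static (inside,outside) tcp 66.0.177.186 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.0.177.187 3389 192.168.0.200 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.0.177.186 8080 192.168.0.200 8080 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""
# Hit counts as 'show access-list' would report them (constructed, per the thread).
HITS = {("66.0.177.186", 3389): 5, ("66.0.177.187", 3389): 4}

STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\d+)")
IFACE_RE = re.compile(r"^ip address outside (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

def parse(config):
    """Collect the outside subnet, static PATs, ACL permits and the inbound ACL name."""
    net, statics, permits, acl_name = None, [], set(), None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            net = ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif m := ACL_RE.match(line):
            permits.add((m[1], m[2], m[3], int(m[4])))
        elif m := GROUP_RE.match(line):
            acl_name = m[1]
    return net, statics, permits, acl_name

def audit(config, hits):
    """Map each static to where the forwarding stops, following the thread's logic."""
    net, statics, permits, acl_name = parse(config)
    out = {}
    for proto, pub, pport, inside, iport in statics:
        key = f"{proto}/{pub}:{pport}->{inside}:{iport}"
        if ip_address(pub) not in net:
            out[key] = "public IP not in outside subnet: upstream will not hand it to the PIX"
        elif (acl_name, proto, pub, pport) not in permits:
            out[key] = f"no permit in {acl_name}: PIX drops it before translation"
        elif hits.get((pub, pport), 0) == 0:
            out[key] = "permit present but hitcnt=0: traffic never reaches the outside interface"
        else:  # ACL matched and the static applies, so the PIX is not the problem
            out[key] = ("PIX forwarded it: check host firewall, the listener, and that the "
                        "host's default gateway points at the PIX so replies return")
    return out
```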