  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 592

PIX 501 port forwarding not forwarding

I have a PIX 501 which is routing Remote Desktop on the primary interface IP of 66.xx.xx.186 to a server of 192.168.0.253... This works...
However, I am trying to route port 3389 for Remote Desktop for another external IP of 66.xx.xx.187 to an internal machine of 192.168.0.200, and this is NOT working.

I see in show access-list a hitcnt showing the hit, but no connection is established.
The same thing happens when I try to forward port 3390 on the outside interface (66.xx.xx.186) to 3389 on the 192.168.0.200 machine.... The hit count increases, but no connection.

I am able to Remote Desktop to the machine just fine on the LAN, it has no firewall running on it.
The same thing happens for port 8080, which I can hit with a browser via the LAN, but not if I configure it on the PIX...

I also cannot ping the 66.xx.xx.187 real world IP, but I CAN ping the *.186 IP from outside the LAN

Below is some of my config...


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 66.xx.xx.186 eq 3389        DOES WORK
access-list outside_access_in permit tcp any host 66.xx.xx.187 eq 3389        DOES *NOT* WORK
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 interface outside
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 interface outside
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.186 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.xx.xx.186 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0    WORKS
static (inside,outside) tcp 66.xx.xx.187 3389 192.168.0.200 3389 netmask 255.255.255.255 0 0   DOES *NOT* WORK
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.xx.xx.185 1

So the issues are...

No ability to get to 66.xx.xx.187 via remote desktop
No ability to ping the machine associated with .187 (not a big deal, but what am I missing here?)

output from show access-list:

access-list outside_access_in line 2 permit tcp any host 66.xx.xx.186 eq 3389 (hitcnt=5)   WORKS

access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=4)  DOES *NOT* WORK...


Thank you,

John
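Before blaming the host, it is worth mechanically confirming that the PIX side of each forward is self-consistent. The script below is an added example and is not from the original post or from Cisco; it re-parses a config constructed from the one above, with the masked 66.xx.xx.184/29 block replaced by the documentation range 192.0.2.184/29 so that the addresses parse, and with one extra, deliberately unmatched static on 8080 added to show what a genuine PIX-side fault reports as. The three checks (an inbound ACL is bound on the mapped interface, it permits the translated address and port, and the global address sits in the connected outside subnet) are what an engineer verifies by hand on PIX 6.x; they are not a PIX feature. A clean result, as here for .186 and .187, means the firewall configuration is not the problem and the remaining suspects are the host and the path back from it.

```python
"""Cross-check PIX 6.x 'static ... tcp' port forwards against the ACL bound
inbound on the outside interface.

Added example, not code from the original post.  SAMPLE_CONFIG is constructed
from the poster's config (66.xx.xx.184/29 mapped to 192.0.2.184/29); the 8080
static is invented to exercise the failure path.  The checks are assumptions
about what to verify, not a Cisco API.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 192.0.2.186 eq 3389
access-list outside_access_in permit tcp any host 192.0.2.187 eq 3389
ip address outside 192.0.2.186 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.0.2.186 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.187 3389 192.168.0.200 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.188 8080 192.168.0.200 8080 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.185 1
"""

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask \S+")
# Only the exact 'permit tcp any host X eq P' form is recognised.  A broader
# permit (e.g. 'permit ip any any') would also allow the flow but is not modelled.
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\d+)")
BIND_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")


def check_port_forwards(config_text):
    """Return one finding per 'static ... tcp' line: the translation plus a
    list of problems (an empty list means the PIX side looks consistent)."""
    statics, acl_permits, bindings, if_addrs = [], {}, {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acl_permits.setdefault(m.group(1), set()).add((m.group(2), int(m.group(3))))
        elif m := BIND_RE.match(line):
            bindings[m.group(2)] = m.group(1)          # interface -> ACL name
        elif m := IPADDR_RE.match(line):
            if_addrs[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")

    findings = []
    for _real_if, mapped_if, gaddr, gport, laddr, lport in statics:
        problems = []
        # 1. On PIX 6.x the inbound ACL on the outside interface matches the
        #    translated (global) address, so the permit must name gaddr/gport.
        acl = bindings.get(mapped_if)
        if acl is None:
            problems.append(f"no access-group applied inbound on {mapped_if}")
        elif (gaddr, int(gport)) not in acl_permits.get(acl, set()):
            problems.append(f"{acl} has no 'permit tcp any host {gaddr} eq {gport}'")
        # 2. A global address inside the connected subnet is answered by the
        #    PIX's proxy ARP; one outside it only works if the provider routes it.
        outside = if_addrs.get(mapped_if)
        if outside is not None and ipaddress.ip_address(gaddr) not in outside.network:
            problems.append(
                f"{gaddr} is not in {outside.network}; the upstream router must route it to the PIX")
        findings.append({"global": gaddr, "port": int(gport),
                         "local": laddr, "local_port": int(lport),
                         "problems": problems})
    return findings


if __name__ == "__main__":
    for f in check_port_forwards(SAMPLE_CONFIG):
        status = "ok" if not f["problems"] else "; ".join(f["problems"])
        print(f"{f['global']}:{f['port']} -> {f['local']}:{f['local_port']}  {status}")
```

Run against a real `show running-config`, the script reports each forward as either `ok` or the specific missing piece. Note that this static/ACL pairing is specific to PIX 6.x and ASA before 8.3; from ASA 8.3 onward the interface ACL matches the real (untranslated) address, so the first check would have to compare against `laddr` instead.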

Asked by: PlusInc

2 Solutions
minmeiCommented:
Look for typos in the address.

Verify RDP works from the inside.

Ping will not work with _port_ forwarding; only full NAT will pass the pings...

Does any other address in the range work? I noticed the PIX external address is also 186 (which is why it returns the ping).

Swap the two static translations and see which one still works. Your provider may not be routing the rest of the address space to your PIX (doubtful, but possible).

Cyclops3590Commented:
If you're getting hits on that access list, then it should be working. Like minmei recommended, verify that RDP works from the inside to that client. Either RDP isn't on or the firewall is blocking it.

Also, just to be sure the packets are passing through like they should, run a capture on the inside interface of the PIX to ensure that the packets are being relayed.
PlusIncAuthor Commented:
access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=7)

I keep watching the hitcnt increase, but no connection is made =(

Yes, I can get to the internal machine on the LAN, but not from the outside....
Very odddddd.

Now, as a test, I routed 3389 on the main interface IP to the machine I wanted on the LAN, and it still would not route through... GRRRRR

I did clear xlate and clear local, etc...

It's those hit counts that blow me away... So the PIX is accepting the traffic and routing it? Maybe the machine is the problem? Hrmmmmm

John


Cyclops3590Commented:
Did you run a capture on the inside interface of the PIX to make sure you saw the packets being sent?

pixfirewall(config)#capture cap_in interface inside
then
pixfirewall(config)#show capture cap_in | grep 192.168.0.200

Also, from the firewall itself, make sure you can ping 192.168.0.200, just to be certain.

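The capture suggested above is the decisive test, because it separates the three places the forward can fail: the PIX never relays the SYN (translation or ACL fault), the host answers with an RST (nothing listening, or a host firewall rejecting), or the host receives SYN after SYN and never answers (service down, a firewall silently dropping, or, as the thread's resolution below turned out to be, no default gateway, so the host cannot send a reply to an off-subnet client). The script below is an added example, not code from the original post or a Cisco tool; it parses constructed `show capture` lines in the tcpdump-like layout the PIX prints (sequence, timestamp, `src.port > dst.port: flags ...`), groups them per client for one forwarded server:port, and reports which of those three shapes it sees. The sample addresses are from the documentation ranges and the exact spacing on a real box may differ, so adjust `PKT_RE` if a line does not match.

```python
"""Classify 'show capture' output from the PIX inside interface: for one
forwarded server:port, did the host answer each client's SYN?

Added example, not from the original post.  SAMPLE_CAPTURE is constructed in
the layout the PIX prints; real spacing may differ (adjust PKT_RE).
"""
import re
from collections import defaultdict

SAMPLE_CAPTURE = """\
1: 10:15:01.120431 203.0.113.9.51502 > 192.168.0.253.3389: S 1027543890:1027543890(0) win 65535 <mss 1460>
2: 10:15:01.120812 192.168.0.253.3389 > 203.0.113.9.51502: S 3877120044:3877120044(0) ack 1027543891 win 16384 <mss 1460>
3: 10:15:01.145203 203.0.113.9.51502 > 192.168.0.253.3389: . ack 3877120045 win 65535
4: 10:15:07.003117 203.0.113.9.51510 > 192.168.0.200.3389: S 2210003341:2210003341(0) win 65535 <mss 1460>
5: 10:15:10.004520 203.0.113.9.51510 > 192.168.0.200.3389: S 2210003341:2210003341(0) win 65535 <mss 1460>
6: 10:15:16.006871 203.0.113.9.51510 > 192.168.0.200.3389: S 2210003341:2210003341(0) win 65535 <mss 1460>
7: 10:15:22.410090 203.0.113.9.51520 > 192.168.0.253.8080: S 99120310:99120310(0) win 65535 <mss 1460>
8: 10:15:22.410455 192.168.0.253.8080 > 203.0.113.9.51520: R 0:0(0) ack 99120311 win 0
"""

# seq: time src.port > dst.port: FLAGS rest-of-line
PKT_RE = re.compile(
    r"^\d+:\s+\S+\s+(\d+(?:\.\d+){3})\.(\d+)\s+>\s+(\d+(?:\.\d+){3})\.(\d+):\s+(\S+)\s*(.*)$")

VERDICTS = {
    "ok": "host completed the handshake; if the client still fails, look at the return path/xlate on the PIX",
    "refused": "host answered with RST: nothing listening on that port, or a host firewall rejecting it",
    "no-reply": "host received SYNs and never answered: service down, host firewall dropping, "
                "or the host cannot route a reply to an off-subnet client (no default gateway)",
}


def classify_flows(capture_text, server_ip, server_port):
    """Group packets by client (ip, port) for one forwarded server:port and
    return a sorted list of {'client', 'syns', 'syn_acks', 'rsts', 'verdict'}.
    An empty list means nothing for that server reached the inside interface,
    so the fault is on the PIX (static/ACL/xlate), not on the host."""
    flows = defaultdict(lambda: {"syns": 0, "syn_acks": 0, "rsts": 0})
    for raw in capture_text.splitlines():
        m = PKT_RE.match(raw.strip())
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        sport, dport = int(sport), int(dport)
        is_ack = "ack" in rest.split()
        if (dst, dport) == (server_ip, server_port) and "S" in flags and not is_ack:
            flows[(src, sport)]["syns"] += 1          # client -> host SYN
        elif (src, sport) == (server_ip, server_port):
            if "S" in flags and is_ack:
                flows[(dst, dport)]["syn_acks"] += 1  # host -> client SYN/ACK
            elif "R" in flags:
                flows[(dst, dport)]["rsts"] += 1      # host -> client RST

    results = []
    for (cip, cport), c in sorted(flows.items()):
        if c["syn_acks"]:
            verdict = "ok"
        elif c["rsts"]:
            verdict = "refused"
        else:
            verdict = "no-reply"
        results.append({"client": f"{cip}:{cport}", **c, "verdict": verdict})
    return results


if __name__ == "__main__":
    for srv, port in (("192.168.0.253", 3389), ("192.168.0.200", 3389),
                      ("192.168.0.253", 8080), ("192.168.0.200", 8080)):
        rows = classify_flows(SAMPLE_CAPTURE, srv, port)
        print(f"{srv}:{port}")
        if not rows:
            print("  no packets seen on inside: check static/ACL/xlate on the PIX")
        for r in rows:
            print(f"  {r['client']}: syn={r['syns']} syn_ack={r['syn_acks']} "
                  f"rst={r['rsts']} -> {VERDICTS[r['verdict']]}")
```

In the sample, 192.168.0.200:3389 shows three retransmitted SYNs from one client and no reply at all, which is exactly what an increasing `hitcnt` with no connection looks like one hop further in: the PIX did its job, and the host never sent anything back. Paste the real `show capture cap_in` output in place of the constructed text to get the same breakdown.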
PlusIncAuthor Commented:
OMG, I am a dunce!

The machine I was wanting to forward to did not have a gateway set on it! I had to physically get to this location to check it because I did not have a login/password to get into the box over the LAN (from the Remote Desktop connection I had to the server)....

WOW... Okay, color me stupid.

Thank you all for your help, I am applying points to everyone! hahahaha