PIX 501 port forwarding not forwarding
Posted on 2006-04-20
I have a PIX 501 which is routing Remote Desttop on the primary interface IP of 66.xx.xx.186 to a server of 192.168.0.253... This works...
However, I am trying to route port 3389 for Remote Desktop for another external IP of 66.xx.xx.187 to an internal machine of 192.168.0.200 and this is NOT working.
I see in show access-list a hitcnt showing the hit, but no connection is established.
The same thing happens when I try to forward port 3390 on the outside interface (66.xx.xx.186) to 3389 on the 192.168.0.200 machine.... The hit count increases, but no connection.
I am able to Remote Desktop to the machine just fine on the LAN, it has no firewall running on it.
The same thing happens for port 8080, which I can hit with a browser via the LAN, but not if I configure it on the PIX...
I also cannot ping the 66.xx.xx.187 real world IP, but I CAN ping the *.186 IP from outside the LAN
Below is some of my config...
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 66.xx.xx.186 eq 3389 DOES WORK
access-list outside_access_in permit tcp any host 66.xx.xx.187 eq 3389 DOES *NOT* WORK
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 interface outside
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 interface outside
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.186 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.xx.xx.186 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0 WORKS
static (inside,outside) tcp 184.108.40.206 3389 192.168.0.200 3389 netmask 255.255.255.255 0 0 DOES *NOT* WORK
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 220.127.116.11 1
So the issues are...
No ability to get to 66.xx.xx.187 via remote desktop
No ability to ping the machine associated with .187 (not a big deal, but what am I missing here?)
output from show access-list:
access-list outside_access_in line 2 permit tcp any host 66.xx.xx.186 eq 3389 (hitcnt=5) WORKS
access-list outside_access_in line 16 permit tcp any host 66.xx.xx.187 eq 3389 (hitcnt=4) DOES *NOT* WORK...