Pix 515E - Need to open port XXXXX and forward to specific internal IP address

Posted on 2006-05-05
Last Modified: 2008-03-06
We are using a Pix 515E and I have got to get port XXXXX open and forwarded to a specific internal IP address.  How do I accomplish this task?  Please be specific.

Configuration information is listed below:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Evw/LSyZqENXkcoS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxxxxxx
domain-name xxxxxxx.local
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 17
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 permit icmp any any
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
access-list Outside-In permit tcp any any
pager lines 24
logging on
logging buffered informa
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool xxxxPOOL
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location inside
pdm location inside
pdm location inside
pdm location x.x.x.x outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0 0
access-group Outside-In in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ dea
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxxxxxx address-pool xxxxxPOOL
vpngroup xxxxxxxxx dns-server
vpngroup xxxxxxxxx default-domain xxxxxxx.local
vpngroup xxxxxxxxx idle-time 1800
vpngroup xxxxxxxxx password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname
vpdn group pppoe_group ppp authentication pap
vpdn username password *********
vpnclient server
vpnclient mode client-mode
vpnclient vpngroup xxxxxxxxxxx password ********
terminal width 80
: end
Question by: wstirling
    LVL 1

    Accepted Solution

    I'll use SMTP as an example. I am trying to forward SMTP from host to external interface.

    You need to change your PIX config in two ways. Firstly, the addition of the PAT (port forwarding rule). Secondly, an ACL determining access.

    For SMTP, you would add:

    ! Names for easier reading
    names
    name mail_inside
    name AA.XX.CC.AA mail_outside

    ! PAT rule (host static needs the full netmask before max_conns/em_limit)
    static (inside,outside) tcp interface smtp mail_inside smtp netmask 255.255.255.255 0 0

    ! ACL
    access-list acl_outside permit tcp any host mail_outside eq smtp

    Hope this helps.
    LVL 1

    Expert Comment

    Oh, remember a 'clear xlate' as well ;)
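As an added check, not part of the thread above: the Python audit below parses a PIX 6.3 fragment and verifies that each static PAT is actually admitted by the ACL bound inbound with access-group, and flags bound entries like the question's "access-list Outside-In permit tcp any any", which lets every TCP port through rather than only the forwarded one. The two fragments and the addresses in them are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed fragments (addresses are placeholders): WEAK keeps the question's
# 'permit tcp any any'; FIXED admits only the forwarded port on the outside IP.
WEAK_CONFIG = """\
static (inside,outside) tcp interface smtp 192.168.1.25 smtp netmask 255.255.255.255 0 0
access-list Outside-In permit tcp any any
access-group Outside-In in interface outside
"""
FIXED_CONFIG = """\
static (inside,outside) tcp interface smtp 192.168.1.25 smtp netmask 255.255.255.255 0 0
access-list Outside-In permit tcp any host 203.0.113.10 eq smtp
access-group Outside-In in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\w+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
PORT_NAMES = {"smtp": "25", "www": "80", "https": "443", "ssh": "22", "ftp": "21"}

def audit_forwards(config: str) -> Dict[str, List[str]]:
    """'unreachable': static PATs no bound permit ACE admits (PIX denies inbound by default).
    'overbroad': bound permit ACEs with 'any any', i.e. every host and every port."""
    statics, aces, bound = [], {}, {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)          # interface -> ACL name
    findings: Dict[str, List[str]] = {"unreachable": [], "overbroad": []}
    for acl in set(bound.values()):
        for action, proto, rest in aces.get(acl, []):
            if action == "permit" and rest.strip() == "any any":
                findings["overbroad"].append(f"{acl}: permit {proto} any any")
    for _in_if, out_if, proto, _gip, gport, lip, lport in statics:
        permitted = False
        for action, aproto, rest in aces.get(bound.get(out_if), []):
            if action != "permit" or aproto not in (proto, "ip"):
                continue
            eq = re.search(r"\beq (\S+)", rest)    # no 'eq' means every port
            if eq is None or PORT_NAMES.get(eq.group(1), eq.group(1)) == PORT_NAMES.get(gport, gport):
                permitted = True
        if not permitted:
            findings["unreachable"].append(f"{proto}/{gport} -> {lip}:{lport}")
    return findings
```

Run it over a saved "write terminal" output to see whether a new static is both reachable and not hidden behind a blanket permit; remember the static only takes effect for existing translations after "clear xlate".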
