?
Solved

Pix 515E - Need to open port XXXXX and forward to specific internal IP address

Posted on 2006-05-05
4
Medium Priority
?
391 Views
Last Modified: 2008-03-06
We are using a Pix 515E and I have got to get port XXXXX open and forwarded to a specific internal IP address.  How do I accomplish this task?  Please be specific.

Configuration information is listed below:

PIX Version 6.3(4)                  
interface ethernet0 auto                        
interface ethernet1 100full                          
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password Evw/LSyZqENXkcoS encrypted                                          
passwd 2KFQnbNIdI.2KYOU encrypted                                
hostname xxxxxxx                  
domain-name xxxxxxx.local                        
clock timezone CST -6                    
clock summer-time CDT recurring                              
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 17                        
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
no fixup protocol smtp 25                        
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list 101 permit icmp any any                                  
access-list inside_outbound_nat0_acl permit ip any xxx.xxx.x.xx 255.255.255.224                                                                              

access-list outside_cryptomap_dyn_20 permit ip any xxx.xxx.x.xx 255.255.255.224                                                                              

access-list Outside-In permit tcp any any                                        
pager lines 24              
logging on          
logging buffered informa                      
mtu outside 1500                
mtu inside 1500              
ip address outside pppoe setroute                                
ip address inside xxx.xxx.x.xxx 255.255.255.0                                            
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool xxxxPOOL xxx.xxx.x.xx-xxx.xxx.x.xxx                                                  
no failover          
failover timeout 0:00:00                        
failover poll 15                
no failover ip address outside                              
no failover ip address inside                            
pdm location xxx.xxx.x.x 255.255.255.0 inside                                            
pdm location xxx.xxx.x.xxx 255.255.255.255 inside                                                
pdm location xxx.xxx.x.x 255.255.255.0 inside                                            
pdm location x.x.x.x 255.255.255.0 outside                                        
pdm logging warnings 100                        
pdm history enable                  
arp timeout 14400                
global (outside) 10 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 10 0.0.0.0 0.0.0.0 0 0                                  
access-group Outside-In in interface outside                                            
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ dea                    
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
http server enable                  
http xxx.xxx.x.x 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac                                                          
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20                                                                            
crypto dynamic-map outside_dyn_map 2                                  
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map                                                                
crypto map outside_map interface outside                                        
isakmp enable outside                    
isakmp policy 20 authentication pre-share                                      
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxxxxxx address-pool xxxxxPOOL
vpngroup xxxxxxxxx dns-server xxx.xxx.x.x xxx.xxx.xxx.xxx
vpngroup xxxxxxxxx default-domain xxxxxxx.local
vpngroup xxxxxxxxx idle-time 1800
vpngroup xxxxxxxxx password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxx@xxxxxxxx.net
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxx@xxxxxxxx.net password *********
vpnclient server xxx.xxx.x.x
vpnclient mode client-mode
vpnclient vpngroup xxxxxxxxxxx password ********
terminal width 80
Cryptochecksum:
: end
0
Comment
Question by:wstirling
  • 2
2 Comments
 
LVL 1

Accepted Solution

by:
gam1002 earned 2000 total points
ID: 16618046
I'll use SMTP as an example. I am trying to forward SMTP from host 192.168.1.1 to external interface.

You need to change your PIX config in two ways. Firstly, the addition of the PAT (Port forwaridng rule). Secondly, and ACL determining access.

For SMTP, you would add:

! Name's for easier read
names 192.168.1.1 mail_inside
names AA.XX.CC.AA mail_outside

! PAT rule
static (inside,outside) tcp interface smtp mail_inside smtp netmask 255.255.255.255 0 0

! ACL
access-list acl_outside permit tcp any host mail_outside eq smtp

Hope this helps.
0
 
LVL 1

Expert Comment

by:gam1002
ID: 16618051
Oh, remember a 'clear xlate' as well ;)
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question