• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 341
  • Last Modified:

Cisco Pix 501 Port Forwarding

I have open the port on my pix firewall using the following command where 1.1.1.1 is the outside ip address.  

{Access-list acl_out permit tcp any host 1.1.1.1 eq 25000}

What command do I use to have the firewall forward all traffic on that port to the internal server 192.168.0.1
0
MarkWP
Asked:
MarkWP
  • 3
  • 2
2 Solutions
 
centrepcCommented:
Same commands just don't specify a port.  If you don't specify a port it forwards all ports.  Why have a pix if you are going to do this.  This is extremly unsecure.  I hope you have a good backup routine......

access-group 100 in interface outside
access-list 100 permit tcp any host 1.1.1.1
access-group 100 in interface outside
hostname(config)# static (inside,outside) tcp 1.1.1.1 192.168.0.1 netmask 255.255.255.255

you will also have to get rid of the old entries by typing the NO at the front of each command
0
 
MarkWPAuthor Commented:
What is a more secure way to do this then?  
0
 
centrepcCommented:
What are you trying to access on the server or workstation.  What applications.  Maybe terminal services would allow real-time access to your apps with only forwarding port 3389.  Let me know what you are trying to do and we will figure out a  way to do it without making your server or workstation wide open.    

0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
MarkWPAuthor Commented:
I have 2 locations..1 in the US and 1 in India. I want to replicate large amounts of data over the internet.  I found a program that workes pretty well but I would need to forward the traffic on port 25000 to the software.   I am still in the testing phase.  The program will work over VPN but when testing I have had problems with my VPN disconnecting.
Is it possible to restrict the traffic on that port by IP adress instead of opening it the whole world?
http://www.xosoft.com/products/f_WANSync.shtml
0
 
naveedbCommented:
Yes it can be done. As centrepc suggested remove old commands. If you need help selecting which command to remove, post your PIX configuration and we can mark them for you.

Asuming 1.1.1.1 is the External IP Address on US end and 2.2.2.2 is the external IP Address on India's side.

One US PIX:

config term

Access-list acl_out permit tcp host 2.2.2.2 host 1.1.1.1 eq 25000

static (inside,outside) 1.1.1.1 192.168.0.1 netmask 255.255.255.255

access-group acl_out in interface outside

First command will start configuration mode
Second will open port 25000 for host 1.1.1.1 to ONLY host 2.2.2.2
Third is a mapping to map external IP address 1.1.1.1 to 192.168.0.1
Fourth is to apply the open port command on external outside interface
0
 
MarkWPAuthor Commented:
Thanks guys
0

Featured Post

Microsoft Certification Exam 74-409

VeeamĀ® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now