Solved

Port Forwarding on PIX from DMZ1 to Internal Machine Using Different Ports...

Posted on 2006-06-09
Last Modified: 2013-11-16
We have a company that performs periodic maintenance on an internal machine.  Someone here had set up a server (Mars) with a Winproxy on it, so that when they come from port 64888, it then redirects them to port 23 on our internal machine (RS).  We upgraded the server (Mars) and would rather handle this with the PIX.  Below is what I have in my config, but it doesn't seem to work.  Thanks for any thoughts you may have.

name 65.213.10.0 Support-Boulder
name 67.136.192.211 Mars
name 10.1.2.50 RS

access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 64888

static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0

access-group outside-in in interface outside
Question by:codale
7 Comments
 
LVL 8

Expert Comment

by:christsis
ID: 16872348
static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0

That appears to be reversed...
should be:

static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255

Chris
 

Author Comment

by:codale
ID: 16873844
I tried reversing that line, but it's still not wanting to go through.  Below is my syslog message.


2006-06-09 13:26:48      Local4.Info      172.16.5.2      Jun 09 2006 11:11:04: %PIX-6-302013: Built inbound TCP connection 74637961 for outside:65.213.10.10/16283 (65.121.47.10/16283) to DMZ1:67.136.192.211/6488 (67.135.181.211/64888)
2006-06-09 13:26:48      Local4.Info      172.16.5.2      Jun 09 2006 11:11:04: %PIX-6-302014: Teardown TCP connection 74637961 for outside:65.213.10.10/16283 to DMZ1:67.136.192.211/64888 duration 0:00:00 bytes 0 TCP Reset-I
 
LVL 8

Expert Comment

by:christsis
ID: 16873907
Is DMZ1 the actual name of an interface/machine you're trying to use?

Looks like we're missing some needed config info / network layout information. Might be better if you posted additional config info so we can see the bigger picture here.

 
LVL 79

Expert Comment

by:lrmoore
ID: 16874125
Try using the outside interface for the xlate:

no static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0
no static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255
clear xlate
static (inside,outside) tcp interface 64888 RS telnet netmask 255.255.255.255

Else, can you post your complete config for us to look at?
 

Author Comment

by:codale
ID: 16874368
Below is my config.  I don't really want to use the outside interface of the pix, because all of these support people already have an address mapped on their end.  Thanks for your help.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 DMZ2 security15
nameif ethernet4 DMZ3 security20
nameif ethernet5 stateful-failover security25
enable password fmpc7ztOJaD2ejll encrypted
passwd MaYl0Gw3V1cWdk encrypted
hostname PIX
domain-name mydomain.com
fixup protocol dns maximum-length 1024
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 CISCO2511
name 10.1.2.50 RS
name 10.1.2.171 YODA
name 10.1.2.178 MIC11991
name 10.1.2.177 TESTCDR
name 10.1.2.56 ACD
name 10.1.2.179 MUGWART
name 65.213.10.0 Support-Boulder
name 63.172.10.0 Support63
name 206.247.10.0 Support206
name 67.136.192.210 W3
name 67.136.192.211 Mars
name 67.136.192.213 E250
access-list outside-in permit tcp any host W3 eq domain
access-list outside-in permit udp any host W3 eq domain
access-list outside-in permit tcp any host E250 eq smtp
access-list outside-in permit tcp host 207.135.10.5 host E250 eq https
access-list outside-in permit tcp any host Mars eq www
access-list outside-in permit tcp any host Mars eq ftp
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq pcanywhere-data
access-list outside-in permit udp Support-Boulder 255.255.255.0 host Mars eq pcanywhere-status
access-list outside-in permit tcp host 170.215.10.5 host W3 eq smtp
access-list outside-in permit tcp host 170.215.10.5 host W3 eq pop3
access-list outside-in permit tcp host 170.215.10.5 host W3 eq ssh
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp Support63 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp Support206 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp host 207.135.10.5 host Mars eq 64888
access-list outside-in permit tcp host 166.70.10.5 host Mars eq 64888
access-list outside-in permit tcp host 65.89.10.5 host Mars eq 64888
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit tcp host 168.103.10.5 host Mars eq 64888
access-list outside-in permit tcp any host W3 eq pop3
access-list outside-in permit tcp any host W3 eq smtp
access-list outside-in permit tcp any host W3 eq ssh
access-list outside-in permit tcp any host W3 eq https
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 3389
access-list inside-out deny udp 10.1.2.0 255.255.254.0 any eq netbios-ns
access-list inside-out deny udp 10.1.2.0 255.255.254.0 any eq netbios-dgm
access-list inside-out permit ip any any
access-list DMZ1 permit ip any any
access-list vpn permit ip any 10.4.4.0 255.255.254.0
access-list DMZ2 permit ip any host RS
access-list DMZ2 permit ip any host ACD
access-list DMZ2 permit ip host CISCO2511 host 10.1.10.23
access-list DMZ2 permit ip any host W3
access-list Outside_To_Inside permit tcp host 168.103.10.5 host Mars eq 64888
pager lines 24
logging on
logging timestamp
logging standby
logging monitor warnings
logging buffered debugging
logging trap debugging
logging host inside MIC11991
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu DMZ3 1500
mtu stateful-failover 1500
ip address outside 67.136.192.194 255.255.255.240
ip address inside 172.16.5.2 255.255.255.248
ip address DMZ1 67.136.192.209 255.255.255.240
ip address DMZ2 192.168.1.1 255.255.255.0
ip address DMZ3 127.0.0.1 255.255.255.255
ip address stateful-failover 192.168.254.1 255.255.255.252
ip audit name attackfromoutside attack action alarm drop
ip audit name infofromoutside info action alarm
ip audit interface outside infofromoutside
ip audit interface outside attackfromoutside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.254.254.1-10.254.254.254
ip local pool vpn 172.16.254.1-172.16.254.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 67.136.192.195
failover ip address inside 172.16.5.3
failover ip address DMZ1 67.136.192.212
failover ip address DMZ2 192.168.1.3
no failover ip address DMZ3
failover ip address stateful-failover 192.168.254.2
failover link stateful-failover
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
nat (inside) 1 10.2.0.0 255.255.0.0 0 0
nat (inside) 1 10.3.0.0 255.255.0.0 0 0
nat (inside) 1 10.5.0.0 255.255.0.0 0 0
nat (inside) 1 10.6.0.0 255.255.0.0 0 0
nat (inside) 1 10.7.0.0 255.255.0.0 0 0
nat (inside) 1 10.8.0.0 255.255.0.0 0 0
nat (inside) 1 10.9.0.0 255.255.0.0 0 0
nat (DMZ2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,DMZ2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.5.0.0 10.5.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.5.0.0 10.5.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.6.0.0 10.6.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.6.0.0 10.6.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.7.0.0 10.7.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.8.0.0 10.8.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.7.0.0 10.7.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.8.0.0 10.8.0.0 netmask 255.255.0.0 0 0
static (DMZ2,inside) 192.168.0.0 192.168.0.0 netmask 255.255.224.0 0 0
static (DMZ2,DMZ1) 192.168.0.0 192.168.0.0 netmask 255.255.224.0 0 0
static (inside,DMZ1) 10.9.0.0 10.9.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.9.0.0 10.9.0.0 netmask 255.255.0.0 0 0
static (DMZ1,outside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (DMZ1,DMZ2) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (DMZ1,inside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (inside,outside) 67.136.192.197 192.168.0.51 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group inside-out in interface inside
access-group DMZ1 in interface DMZ1
access-group DMZ2 in interface DMZ2
route outside 0.0.0.0 0.0.0.0 67.136.192.193 1
route inside 10.1.0.0 255.255.0.0 172.16.5.1 1
route inside 10.1.2.0 255.255.254.0 172.16.5.1 1
route inside 10.1.4.0 255.255.254.0 172.16.5.1 1
route inside 10.1.6.0 255.255.254.0 172.16.5.1 1
route inside 10.1.10.0 255.255.255.0 172.16.5.1 1
route inside 10.1.12.0 255.255.254.0 172.16.5.1 1
route inside 10.1.14.0 255.255.254.0 172.16.5.1 1
route inside 10.1.20.0 255.255.255.0 172.16.5.1 1
route inside 10.1.200.0 255.255.255.0 172.16.5.4 1
route inside 10.1.251.0 255.255.255.0 172.16.5.1 1
route inside 10.2.0.0 255.255.0.0 172.16.5.1 1
route inside 10.3.0.0 255.255.0.0 172.16.5.1 1
route inside 10.5.0.0 255.255.0.0 172.16.5.1 1
route inside 10.6.0.0 255.255.0.0 172.16.5.1 1
route inside 10.7.0.0 255.255.0.0 172.16.5.1 1
route inside 10.8.0.0 255.255.0.0 172.16.5.1 1
route inside 10.9.0.0 255.255.0.0 172.16.5.1 1
route DMZ2 192.168.0.0 255.255.224.0 CISCO2511 1
timeout xlate 8:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 8:00:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.2.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set elkoset esp-3des esp-md5-hmac
crypto map elkomap 1 ipsec-isakmp
crypto map elkomap 1 match address vpn
crypto map elkomap 1 set peer 170.215.10.5
crypto map elkomap 1 set transform-set elkoset
crypto map elkomap interface outside
isakmp enable outside
isakmp key ******** address 170.215.10.5 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 10.1.2.0 255.255.254.0 inside
telnet 10.1.10.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80


 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 16874421
So you want to take the MARS server out of the picture and have outside users hit the same public IP that was Mars on port 64888, which redirects to RS/telnet?

Problem is that the MARS IP address resides on the DMZ interface, not the Public interface.
You can't redirect from outside to DMZ1 and back to inside just with the PIX.
You -can- redirect from outside to a host on DMZ1 which then redirects to a host on inside.
I don't think you have much choice except to tell the support folk that MARS' ip address has changed . . .

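A small config checker, added here as an example and not code from the thread or from Cisco, that reads PIX 6.x `name`, `ip address` and `static` lines and flags any non-identity static whose mapped (global) address sits in a subnet owned by a different interface than the one the static is published on, which is exactly the Mars-on-DMZ1 problem lrmoore describes. The sample config is an excerpt of the one posted above, and the function names are hypothetical.

```python
"""Flag PIX 6.x static NAT entries whose mapped address belongs to another
interface's directly connected subnet (constructed example, not Cisco tooling)."""
import ipaddress

# Constructed excerpt of the thread's config, including the failing static.
SAMPLE_CONFIG = """\
name 10.1.2.50 RS
name 67.136.192.211 Mars
ip address outside 67.136.192.194 255.255.255.240
ip address inside 172.16.5.2 255.255.255.248
ip address DMZ1 67.136.192.209 255.255.255.240
static (DMZ1,outside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (inside,outside) 67.136.192.197 192.168.0.51 netmask 255.255.255.255 0 0
static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255 0 0
"""


def parse_pix(config):
    """Return (interface subnets, statics) with 'name' aliases resolved."""
    names, ifaces, statics = {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                      # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[:2] == ["ip", "address"]:        # ip address <if> <ip> <mask>
            ifaces[tok[2]] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):          # static (r,m) tcp <mapped> <mport> <real> <rport>
                mapped, real = tok[3], tok[5]
            else:                                 # static (r,m) <mapped> <real> netmask ...
                mapped, real = tok[2], tok[3]
            statics.append((line, mapped_if, names.get(mapped, mapped), names.get(real, real)))
    return ifaces, statics


def find_misplaced_statics(config):
    """List (config line, owning interface) for statics published on the wrong interface."""
    ifaces, statics = parse_pix(config)
    findings = []
    for line, mapped_if, mapped, real in statics:
        if mapped == real or mapped == "interface":
            continue  # identity NAT (DMZ subnet presented unchanged) or the interface IP itself
        owner = next((n for n, net in ifaces.items() if ipaddress.ip_address(mapped) in net), None)
        if owner is not None and owner != mapped_if:
            findings.append((line, owner))  # e.g. Mars's IP is on DMZ1, static says outside
    return findings


if __name__ == "__main__":
    for line, owner in find_misplaced_statics(SAMPLE_CONFIG):
        print(f"mapped address belongs to {owner}: {line}")
```

Only the Mars/RS static is reported; the identity static for 67.136.192.208/28 and the static using 67.136.192.197 (inside the outside interface's /28) pass.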
 

Author Comment

by:codale
ID: 16874540
That's kind of what I thought.  I didn't think you could route from the DMZ directly, but it was worth a shot.  I just installed WinGate on a box with that address and it's now working.  Thank you very much for the help.