codale
Port Forwarding on PIX from DMZ1 to Internal Machine Using Different Ports...

We have a company that performs periodic maintenance on an internal machine.  Someone here had set up a server (Mars) with a Winproxy on it, so that when they come from port 64888, it then redirects them to port 23 on our internal machine (RS).  We upgraded the server (Mars) and would rather handle this with the PIX.  Below is what I have in my config, but it doesn't seem to work.  Thanks for any thoughts you may have.

name 65.213.10.0 Support-Boulder
name 67.136.192.211 Mars
name 10.1.2.50 RS

access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 64888

static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0

access-group outside-in in interface outside
christsis

static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0

That appears to be reversed...
should be:

static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255

Chris

ASKER

I tried reversing that line, but it's still not wanting to go through.  Below is my syslog message.


2006-06-09 13:26:48      Local4.Info      172.16.5.2      Jun 09 2006 11:11:04: %PIX-6-302013: Built inbound TCP connection 74637961 for outside:65.213.10.10/16283 (65.121.47.10/16283) to DMZ1:67.136.192.211/6488 (67.135.181.211/64888)
2006-06-09 13:26:48      Local4.Info      172.16.5.2      Jun 09 2006 11:11:04: %PIX-6-302014: Teardown TCP connection 74637961 for outside:65.213.10.10/16283 to DMZ1:67.136.192.211/64888 duration 0:00:00 bytes 0 TCP Reset-I
Is DMZ1 the actual name of an interface/machine you're trying to use?

Looks like we're missing some needed config info / network layout information. Might be better if you posted additional config info so we can see the bigger picture here.

Les Moore
Try using the outside interface for the xlate:

no static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0
no static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255
clear xlate
static (inside,outside) tcp interface 64888 RS telnet netmask 255.255.255.255

Else, can you post your complete config for us to look at?

ASKER

Below is my config. I don't really want to use the outside interface of the PIX, because all of these support people already have an address mapped on their end. Thanks for your help.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 DMZ2 security15
nameif ethernet4 DMZ3 security20
nameif ethernet5 stateful-failover security25
enable password fmpc7ztOJaD2ejll encrypted
passwd MaYl0Gw3V1cWdk encrypted
hostname PIX
domain-name mydomain.com
fixup protocol dns maximum-length 1024
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 CISCO2511
name 10.1.2.50 RS
name 10.1.2.171 YODA
name 10.1.2.178 MIC11991
name 10.1.2.177 TESTCDR
name 10.1.2.56 ACD
name 10.1.2.179 MUGWART
name 65.213.10.0 Support-Boulder
name 63.172.10.0 Support63
name 206.247.10.0 Support206
name 67.136.192.210 W3
name 67.136.192.211 Mars
name 67.136.192.213 E250
access-list outside-in permit tcp any host W3 eq domain
access-list outside-in permit udp any host W3 eq domain
access-list outside-in permit tcp any host E250 eq smtp
access-list outside-in permit tcp host 207.135.10.5 host E250 eq https
access-list outside-in permit tcp any host Mars eq www
access-list outside-in permit tcp any host Mars eq ftp
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq pcanywhere-data
access-list outside-in permit udp Support-Boulder 255.255.255.0 host Mars eq pcanywhere-status
access-list outside-in permit tcp host 170.215.10.5 host W3 eq smtp
access-list outside-in permit tcp host 170.215.10.5 host W3 eq pop3
access-list outside-in permit tcp host 170.215.10.5 host W3 eq ssh
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp Support63 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp Support206 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp host 207.135.10.5 host Mars eq 64888
access-list outside-in permit tcp host 166.70.10.5 host Mars eq 64888
access-list outside-in permit tcp host 65.89.10.5 host Mars eq 64888
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit tcp host 168.103.10.5 host Mars eq 64888
access-list outside-in permit tcp any host W3 eq pop3
access-list outside-in permit tcp any host W3 eq smtp
access-list outside-in permit tcp any host W3 eq ssh
access-list outside-in permit tcp any host W3 eq https
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 3389
access-list inside-out deny udp 10.1.2.0 255.255.254.0 any eq netbios-ns
access-list inside-out deny udp 10.1.2.0 255.255.254.0 any eq netbios-dgm
access-list inside-out permit ip any any
access-list DMZ1 permit ip any any
access-list vpn permit ip any 10.4.4.0 255.255.254.0
access-list DMZ2 permit ip any host RS
access-list DMZ2 permit ip any host ACD
access-list DMZ2 permit ip host CISCO2511 host 10.1.10.23
access-list DMZ2 permit ip any host W3
access-list Outside_To_Inside permit tcp host 168.103.10.5 host Mars eq 64888
pager lines 24
logging on
logging timestamp
logging standby
logging monitor warnings
logging buffered debugging
logging trap debugging
logging host inside MIC11991
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu DMZ3 1500
mtu stateful-failover 1500
ip address outside 67.136.192.194 255.255.255.240
ip address inside 172.16.5.2 255.255.255.248
ip address DMZ1 67.136.192.209 255.255.255.240
ip address DMZ2 192.168.1.1 255.255.255.0
ip address DMZ3 127.0.0.1 255.255.255.255
ip address stateful-failover 192.168.254.1 255.255.255.252
ip audit name attackfromoutside attack action alarm drop
ip audit name infofromoutside info action alarm
ip audit interface outside infofromoutside
ip audit interface outside attackfromoutside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.254.254.1-10.254.254.254
ip local pool vpn 172.16.254.1-172.16.254.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 67.136.192.195
failover ip address inside 172.16.5.3
failover ip address DMZ1 67.136.192.212
failover ip address DMZ2 192.168.1.3
no failover ip address DMZ3
failover ip address stateful-failover 192.168.254.2
failover link stateful-failover
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
nat (inside) 1 10.2.0.0 255.255.0.0 0 0
nat (inside) 1 10.3.0.0 255.255.0.0 0 0
nat (inside) 1 10.5.0.0 255.255.0.0 0 0
nat (inside) 1 10.6.0.0 255.255.0.0 0 0
nat (inside) 1 10.7.0.0 255.255.0.0 0 0
nat (inside) 1 10.8.0.0 255.255.0.0 0 0
nat (inside) 1 10.9.0.0 255.255.0.0 0 0
nat (DMZ2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,DMZ2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.5.0.0 10.5.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.5.0.0 10.5.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.6.0.0 10.6.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.6.0.0 10.6.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.7.0.0 10.7.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.8.0.0 10.8.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.7.0.0 10.7.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.8.0.0 10.8.0.0 netmask 255.255.0.0 0 0
static (DMZ2,inside) 192.168.0.0 192.168.0.0 netmask 255.255.224.0 0 0
static (DMZ2,DMZ1) 192.168.0.0 192.168.0.0 netmask 255.255.224.0 0 0
static (inside,DMZ1) 10.9.0.0 10.9.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.9.0.0 10.9.0.0 netmask 255.255.0.0 0 0
static (DMZ1,outside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (DMZ1,DMZ2) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (DMZ1,inside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (inside,outside) 67.136.192.197 192.168.0.51 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group inside-out in interface inside
access-group DMZ1 in interface DMZ1
access-group DMZ2 in interface DMZ2
route outside 0.0.0.0 0.0.0.0 67.136.192.193 1
route inside 10.1.0.0 255.255.0.0 172.16.5.1 1
route inside 10.1.2.0 255.255.254.0 172.16.5.1 1
route inside 10.1.4.0 255.255.254.0 172.16.5.1 1
route inside 10.1.6.0 255.255.254.0 172.16.5.1 1
route inside 10.1.10.0 255.255.255.0 172.16.5.1 1
route inside 10.1.12.0 255.255.254.0 172.16.5.1 1
route inside 10.1.14.0 255.255.254.0 172.16.5.1 1
route inside 10.1.20.0 255.255.255.0 172.16.5.1 1
route inside 10.1.200.0 255.255.255.0 172.16.5.4 1
route inside 10.1.251.0 255.255.255.0 172.16.5.1 1
route inside 10.2.0.0 255.255.0.0 172.16.5.1 1
route inside 10.3.0.0 255.255.0.0 172.16.5.1 1
route inside 10.5.0.0 255.255.0.0 172.16.5.1 1
route inside 10.6.0.0 255.255.0.0 172.16.5.1 1
route inside 10.7.0.0 255.255.0.0 172.16.5.1 1
route inside 10.8.0.0 255.255.0.0 172.16.5.1 1
route inside 10.9.0.0 255.255.0.0 172.16.5.1 1
route DMZ2 192.168.0.0 255.255.224.0 CISCO2511 1
timeout xlate 8:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 8:00:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.2.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set elkoset esp-3des esp-md5-hmac
crypto map elkomap 1 ipsec-isakmp
crypto map elkomap 1 match address vpn
crypto map elkomap 1 set peer 170.215.10.5
crypto map elkomap 1 set transform-set elkoset
crypto map elkomap interface outside
isakmp enable outside
isakmp key ******** address 170.215.10.5 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 10.1.2.0 255.255.254.0 inside
telnet 10.1.10.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80


ASKER CERTIFIED SOLUTION
Les Moore

ASKER

That's kind of what I thought.  I didn't think you could route from the DMZ directly, but it was worth a shot.  I just installed WinGate on a box with that address and it's now working.  Thank you very much for the help.
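As an added illustration (not code from the thread or from Cisco), the following Python lint reads the relevant lines of the posted config and flags the condition the thread ran into: a `static (inside,outside)` whose mapped address (Mars, 67.136.192.211) sits inside DMZ1's connected subnet 67.136.192.208/28, which is why the syslog shows the connection being built to DMZ1 instead of being translated to RS. The config excerpt is constructed from the lines above; the `interface` variant is Les Moore's suggested form, included for comparison.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3 config posted in this thread (only the
# lines the check needs), plus the `static ... interface ...` variant suggested
# by Les Moore so the two forms can be compared side by side.
PIX_CONFIG = """\
ip address outside 67.136.192.194 255.255.255.240
ip address inside 172.16.5.2 255.255.255.248
ip address DMZ1 67.136.192.209 255.255.255.240
name 67.136.192.211 Mars
name 10.1.2.50 RS
static (DMZ1,outside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255
static (inside,outside) tcp interface 64888 RS telnet netmask 255.255.255.255
"""

def parse_config(text):
    """Collect `name` aliases, interface subnets and `static` entries."""
    names, ifaces, statics = {}, {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                     # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:       # ip address <if> <ip> <mask>
            ifaces[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "static":                 # static (real_if,mapped_if) [tcp|udp] <mapped> ...
            real_if, mapped_if = t[1].strip("()").split(",")
            mapped = t[3] if t[2] in ("tcp", "udp") else t[2]
            statics.append((real_if, mapped_if, mapped, line))
    return names, ifaces, statics

def lint_statics(text):
    """Return (static_line, owning_interface) for every static whose mapped
    address lies on a connected subnet of an interface that is neither the
    real nor the mapped side: the PIX delivers such packets to that interface
    rather than translating them."""
    names, ifaces, statics = parse_config(text)
    findings = []
    for real_if, mapped_if, mapped, line in statics:
        if mapped == "interface":              # mapped interface's own address: fine
            continue
        addr = ipaddress.ip_address(names.get(mapped, mapped))
        owner = next((n for n, net in ifaces.items() if addr in net), None)
        if owner and owner not in (real_if, mapped_if):
            findings.append((line, owner))
    return findings

if __name__ == "__main__":
    for line, owner in lint_statics(PIX_CONFIG):
        print(f"{line}\n  -> mapped address belongs to {owner}; traffic is handed to "
              f"{owner} instead of being translated to {line.split()[1]}")
```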