Solved

Port Forwarding on PIX from DMZ1 to Internal Machine Using Different Ports...

Posted on 2006-06-09
Last Modified: 2013-11-16
We have a company that performs periodic maintenance on an internal machine.  Someone here had set up a server (Mars) with a Winproxy on it, so that when they come from port 64888, it then redirects them to port 23 on our internal machine (RS).  We upgraded the server (Mars) and would rather handle this with the PIX.  Below is what I have in my config, but it doesn't seem to work.  Thanks for any thoughts you may have.

name 65.213.10.0 Support-Boulder
name 67.136.192.211 Mars
name 10.1.2.50 RS

access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 64888

static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0

access-group outside-in in interface outside
Question by:codale
7 Comments
 

Expert Comment

by:christsis
ID: 16872348
static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0

That appears to be reversed...
should be:

static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255

Chris

Author Comment

by:codale
ID: 16873844
I tried reversing that line, but it's still not wanting to go through.  Below is my syslog message.


2006-06-09 13:26:48      Local4.Info      172.16.5.2      Jun 09 2006 11:11:04: %PIX-6-302013: Built inbound TCP connection 74637961 for outside:65.213.10.10/16283 (65.121.47.10/16283) to DMZ1:67.136.192.211/6488 (67.135.181.211/64888)
2006-06-09 13:26:48      Local4.Info      172.16.5.2      Jun 09 2006 11:11:04: %PIX-6-302014: Teardown TCP connection 74637961 for outside:65.213.10.10/16283 to DMZ1:67.136.192.211/64888 duration 0:00:00 bytes 0 TCP Reset-I
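The two syslog lines in this post are the most useful evidence in the thread: a %PIX-6-302013 "Built" message names the interface and real address/port the PIX selected after its xlate lookup, with the mapped address in parentheses, so a working redirect should show the connection built to the inside host (RS/23) while the parenthesised mapped socket is still Mars/64888. Here it was built to the DMZ1 host itself, and the matching 302014 teardown reports zero bytes and "TCP Reset-I" (reset from the inside end, per the PIX message definition), which is the DMZ host refusing the SYN. The following script pairs these events and states that verdict; it is an added Python example, not code from the thread. The log sample is constructed: the first pair reproduces the two lines posted above with their masked addresses made consistent, the second pair shows what a successful redirect would log.

```python
import re

# PIX 6.3 connection-build and teardown messages (real and mapped socket for each end).
BUILT = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \((?P<src_mip>[\d.]+)/(?P<src_mport>\d+)\) "
    r"to (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \((?P<dst_mip>[\d.]+)/(?P<dst_mport>\d+)\)")
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$")

# Constructed sample: the first pair is the thread's own two lines with the masked
# addresses made consistent; the second pair is what a working static would log.
LOG = """\
Jun 09 2006 11:11:04: %PIX-6-302013: Built inbound TCP connection 74637961 for outside:65.213.10.10/16283 (65.213.10.10/16283) to DMZ1:67.136.192.211/64888 (67.136.192.211/64888)
Jun 09 2006 11:11:04: %PIX-6-302014: Teardown TCP connection 74637961 for outside:65.213.10.10/16283 to DMZ1:67.136.192.211/64888 duration 0:00:00 bytes 0 TCP Reset-I
Jun 09 2006 11:30:12: %PIX-6-302013: Built inbound TCP connection 74640001 for outside:65.213.10.10/16290 (65.213.10.10/16290) to inside:10.1.2.50/23 (67.136.192.211/64888)
Jun 09 2006 11:31:45: %PIX-6-302014: Teardown TCP connection 74640001 for outside:65.213.10.10/16290 to inside:10.1.2.50/23 duration 0:01:33 bytes 2310 TCP FINs
"""


def parse_event(line):
    for kind, pattern in (("built", BUILT), ("teardown", TEARDOWN)):
        m = pattern.search(line)
        if m:
            return dict(m.groupdict(), kind=kind)
    return None


def diagnose(lines, mapped, real):
    """mapped = (ip, port) the support people connect to; real = (ifc, ip, port) the static
    should deliver to. Returns {conn_id: verdict} for every connection aimed at mapped."""
    verdicts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "built":
            if (ev["dst_mip"], int(ev["dst_mport"])) != mapped:
                continue  # some other service, not the redirect under test
            dst = (ev["dst_ifc"], ev["dst_ip"], int(ev["dst_port"]))
            if dst == real:
                verdicts[ev["conn"]] = "redirected to %s:%s/%s" % real
            else:
                verdicts[ev["conn"]] = "static not applied: built to %s:%s/%s instead of %s:%s/%s" % (dst + real)
        elif ev["conn"] in verdicts:
            reason = ev["reason"] or ""
            if int(ev["bytes"]) == 0 and "Reset-I" in reason:
                # Reset-I: the RST came from the inside (higher-security) end, i.e. the host
                # the PIX handed the SYN to, before any data flowed: nothing was listening.
                verdicts[ev["conn"]] += "; server side sent RST before any data (nothing listening)"
            elif "FIN" in reason:
                verdicts[ev["conn"]] += "; closed normally after %s bytes" % ev["bytes"]
    return verdicts


if __name__ == "__main__":
    for conn, verdict in diagnose(LOG.splitlines(), ("67.136.192.211", 64888), ("inside", "10.1.2.50", 23)).items():
        print(conn, verdict)
```

Run against a real PIX log feed, the "built to" interface is the first thing to read: as long as it names the DMZ1 host rather than inside:RS/23, no static matched the packet and the ACL or static syntax, not the inside host, is where to look.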

Expert Comment

by:christsis
ID: 16873907
Is DMZ1 the actual name of an interface/machine you're trying to use?

Looks like we're missing some needed config info / network layout information. Might be better if you posted additional config info so we can see the bigger picture here.


Expert Comment

by:lrmoore
ID: 16874125
Try using the outside interface for the xlate:

no static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0
no static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255
clear xlate
static (inside,outside) tcp interface 64888 RS telnet netmask 255.255.255.255

Else, can you post your complete config for us to look at?
Author Comment

by:codale
ID: 16874368
Below is my config.  I don't really want to use the outside interface of the pix, because all of these support people already have an address mapped on their end.  Thanks for your help.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 DMZ2 security15
nameif ethernet4 DMZ3 security20
nameif ethernet5 stateful-failover security25
enable password fmpc7ztOJaD2ejll encrypted
passwd MaYl0Gw3V1cWdk encrypted
hostname PIX
domain-name mydomain.com
fixup protocol dns maximum-length 1024
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 CISCO2511
name 10.1.2.50 RS
name 10.1.2.171 YODA
name 10.1.2.178 MIC11991
name 10.1.2.177 TESTCDR
name 10.1.2.56 ACD
name 10.1.2.179 MUGWART
name 65.213.10.0 Support-Boulder
name 63.172.10.0 Support63
name 206.247.10.0 Support206
name 67.136.192.210 W3
name 67.136.192.211 Mars
name 67.136.192.213 E250
access-list outside-in permit tcp any host W3 eq domain
access-list outside-in permit udp any host W3 eq domain
access-list outside-in permit tcp any host E250 eq smtp
access-list outside-in permit tcp host 207.135.10.5 host E250 eq https
access-list outside-in permit tcp any host Mars eq www
access-list outside-in permit tcp any host Mars eq ftp
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq pcanywhere-data
access-list outside-in permit udp Support-Boulder 255.255.255.0 host Mars eq pcanywhere-status
access-list outside-in permit tcp host 170.215.10.5 host W3 eq smtp
access-list outside-in permit tcp host 170.215.10.5 host W3 eq pop3
access-list outside-in permit tcp host 170.215.10.5 host W3 eq ssh
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp Support63 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp Support206 255.255.255.0 host Mars eq 64888
access-list outside-in permit tcp host 207.135.10.5 host Mars eq 64888
access-list outside-in permit tcp host 166.70.10.5 host Mars eq 64888
access-list outside-in permit tcp host 65.89.10.5 host Mars eq 64888
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit tcp host 168.103.10.5 host Mars eq 64888
access-list outside-in permit tcp any host W3 eq pop3
access-list outside-in permit tcp any host W3 eq smtp
access-list outside-in permit tcp any host W3 eq ssh
access-list outside-in permit tcp any host W3 eq https
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 3389
access-list inside-out deny udp 10.1.2.0 255.255.254.0 any eq netbios-ns
access-list inside-out deny udp 10.1.2.0 255.255.254.0 any eq netbios-dgm
access-list inside-out permit ip any any
access-list DMZ1 permit ip any any
access-list vpn permit ip any 10.4.4.0 255.255.254.0
access-list DMZ2 permit ip any host RS
access-list DMZ2 permit ip any host ACD
access-list DMZ2 permit ip host CISCO2511 host 10.1.10.23
access-list DMZ2 permit ip any host W3
access-list Outside_To_Inside permit tcp host 168.103.10.5 host Mars eq 64888
pager lines 24
logging on
logging timestamp
logging standby
logging monitor warnings
logging buffered debugging
logging trap debugging
logging host inside MIC11991
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu DMZ3 1500
mtu stateful-failover 1500
ip address outside 67.136.192.194 255.255.255.240
ip address inside 172.16.5.2 255.255.255.248
ip address DMZ1 67.136.192.209 255.255.255.240
ip address DMZ2 192.168.1.1 255.255.255.0
ip address DMZ3 127.0.0.1 255.255.255.255
ip address stateful-failover 192.168.254.1 255.255.255.252
ip audit name attackfromoutside attack action alarm drop
ip audit name infofromoutside info action alarm
ip audit interface outside infofromoutside
ip audit interface outside attackfromoutside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.254.254.1-10.254.254.254
ip local pool vpn 172.16.254.1-172.16.254.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 67.136.192.195
failover ip address inside 172.16.5.3
failover ip address DMZ1 67.136.192.212
failover ip address DMZ2 192.168.1.3
no failover ip address DMZ3
failover ip address stateful-failover 192.168.254.2
failover link stateful-failover
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
nat (inside) 1 10.2.0.0 255.255.0.0 0 0
nat (inside) 1 10.3.0.0 255.255.0.0 0 0
nat (inside) 1 10.5.0.0 255.255.0.0 0 0
nat (inside) 1 10.6.0.0 255.255.0.0 0 0
nat (inside) 1 10.7.0.0 255.255.0.0 0 0
nat (inside) 1 10.8.0.0 255.255.0.0 0 0
nat (inside) 1 10.9.0.0 255.255.0.0 0 0
nat (DMZ2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,DMZ2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.5.0.0 10.5.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.5.0.0 10.5.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.6.0.0 10.6.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.6.0.0 10.6.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.7.0.0 10.7.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ1) 10.8.0.0 10.8.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.7.0.0 10.7.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.8.0.0 10.8.0.0 netmask 255.255.0.0 0 0
static (DMZ2,inside) 192.168.0.0 192.168.0.0 netmask 255.255.224.0 0 0
static (DMZ2,DMZ1) 192.168.0.0 192.168.0.0 netmask 255.255.224.0 0 0
static (inside,DMZ1) 10.9.0.0 10.9.0.0 netmask 255.255.0.0 0 0
static (inside,DMZ2) 10.9.0.0 10.9.0.0 netmask 255.255.0.0 0 0
static (DMZ1,outside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (DMZ1,DMZ2) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (DMZ1,inside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
static (inside,outside) 67.136.192.197 192.168.0.51 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group inside-out in interface inside
access-group DMZ1 in interface DMZ1
access-group DMZ2 in interface DMZ2
route outside 0.0.0.0 0.0.0.0 67.136.192.193 1
route inside 10.1.0.0 255.255.0.0 172.16.5.1 1
route inside 10.1.2.0 255.255.254.0 172.16.5.1 1
route inside 10.1.4.0 255.255.254.0 172.16.5.1 1
route inside 10.1.6.0 255.255.254.0 172.16.5.1 1
route inside 10.1.10.0 255.255.255.0 172.16.5.1 1
route inside 10.1.12.0 255.255.254.0 172.16.5.1 1
route inside 10.1.14.0 255.255.254.0 172.16.5.1 1
route inside 10.1.20.0 255.255.255.0 172.16.5.1 1
route inside 10.1.200.0 255.255.255.0 172.16.5.4 1
route inside 10.1.251.0 255.255.255.0 172.16.5.1 1
route inside 10.2.0.0 255.255.0.0 172.16.5.1 1
route inside 10.3.0.0 255.255.0.0 172.16.5.1 1
route inside 10.5.0.0 255.255.0.0 172.16.5.1 1
route inside 10.6.0.0 255.255.0.0 172.16.5.1 1
route inside 10.7.0.0 255.255.0.0 172.16.5.1 1
route inside 10.8.0.0 255.255.0.0 172.16.5.1 1
route inside 10.9.0.0 255.255.0.0 172.16.5.1 1
route DMZ2 192.168.0.0 255.255.224.0 CISCO2511 1
timeout xlate 8:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 8:00:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.2.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set elkoset esp-3des esp-md5-hmac
crypto map elkomap 1 ipsec-isakmp
crypto map elkomap 1 match address vpn
crypto map elkomap 1 set peer 170.215.10.5
crypto map elkomap 1 set transform-set elkoset
crypto map elkomap interface outside
isakmp enable outside
isakmp key ******** address 170.215.10.5 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 10.1.2.0 255.255.254.0 inside
telnet 10.1.10.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80


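With the full config available, the three static forms proposed in this thread (the original line from the question, christsis's swapped version, and lrmoore's `interface` version) can be checked mechanically against it. The script below is an added Python example, not code from the thread or from Cisco. It parses the `name`, `ip address`, `static`, `access-list` and `access-group` lines and applies three rules: in `static (real_ifc,mapped_ifc) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT` the mapped side is what outside users hit, so a private mapped address beside a public real address means the pair is reversed; PIX rejects overlapping statics, so the mapped address must not already be covered by a plain static on the same mapped interface (here `static (DMZ1,outside) 67.136.192.208 ... 255.255.255.240` already owns Mars' address for DMZ1, which is the point of the accepted answer); and the ACL applied inbound on the mapped interface must permit the mapped address and port. The embedded CONFIG is an excerpt of the lines posted above; the overlap rule is this example's own check, not a PIX message quoted from the thread.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"telnet": 23, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80, "pop3": 110, "https": 443}
port_number = lambda tok: int(tok) if tok.isdigit() else PORT_NAMES[tok]

@dataclass
class Static:
    line: str
    real_ifc: str
    mapped_ifc: str
    proto: str          # "tcp" / "udp", or None for a plain (non-port) static
    mapped_ip: str      # resolved address, or the keyword "interface"
    mapped_port: int    # None for a plain static
    real_ip: str
    real_port: int      # None for a plain static
    netmask: str

def parse_address(names, t, i):
    # One ACE address spec at t[i] (any | host X | X MASK) -> (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1]) + "/32"), i + 2
    return ipaddress.ip_network(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2

def parse_config(text):
    cfg = {"names": {}, "ifaces": {}, "statics": [], "acls": {}, "groups": {}}
    addr = lambda tok: cfg["names"].get(tok, tok)
    for raw in filter(str.strip, text.splitlines()):
        t = raw.split()
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "static":
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            r = t[2:]
            nm = r[r.index("netmask") + 1]
            if r[0] in ("tcp", "udp"):  # static (real,mapped) tcp MAPPED_IP MPORT REAL_IP RPORT
                st = Static(raw, real_ifc, mapped_ifc, r[0], addr(r[1]), port_number(r[2]),
                            addr(r[3]), port_number(r[4]), nm)
            else:                       # static (real,mapped) MAPPED_IP REAL_IP
                st = Static(raw, real_ifc, mapped_ifc, None, addr(r[0]), None, addr(r[1]), None, nm)
            cfg["statics"].append(st)
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = parse_address(cfg["names"], t, 4)
            dst, i = parse_address(cfg["names"], t, i)
            port = port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            cfg["groups"][t[4]] = t[1]
    return cfg

def check_redirect(cfg, st):
    """Reasons the port static st will not deliver mapped_ip:mapped_port to real_ip:real_port."""
    findings = []
    mapped_ip = (cfg["ifaces"][st.mapped_ifc].ip if st.mapped_ip == "interface"
                 else ipaddress.ip_address(st.mapped_ip))
    real_ip = ipaddress.ip_address(st.real_ip)
    # 1. Outside users hit the mapped side: a private mapped address next to a public real one is a swapped pair.
    if st.mapped_ifc == "outside" and mapped_ip.is_private and not real_ip.is_private:
        findings.append(f"mapped {mapped_ip} is private, real {real_ip} is public: arguments look reversed")
    # 2. PIX refuses overlapping statics: a plain static on the same mapped interface covering this address owns it.
    for other in cfg["statics"]:
        if other is st or other.proto or other.mapped_ip == "interface" or other.mapped_ifc != st.mapped_ifc:
            continue
        if mapped_ip in ipaddress.ip_network(f"{other.mapped_ip}/{other.netmask}", strict=False):
            findings.append(f"{mapped_ip} already mapped to {other.real_ifc} by: {other.line}")
    # 3. The ACL applied inbound on the mapped interface must permit the mapped socket.
    acl = cfg["acls"].get(cfg["groups"].get(st.mapped_ifc), [])
    if not any(action == "permit" and proto in (st.proto, "ip") and mapped_ip in dst
               and port in (None, st.mapped_port) for action, proto, _src, dst, port in acl):
        findings.append(f"no permit for {st.proto}/{st.mapped_port} to {mapped_ip} in ACL on {st.mapped_ifc}")
    return findings

def audit(config_text, static_line):
    cfg = parse_config(config_text + "\n" + static_line)
    return check_redirect(cfg, cfg["statics"][-1])

# Excerpt of the config posted in the thread: only the lines the checks consult.
CONFIG = """\
name 10.1.2.50 RS
name 65.213.10.0 Support-Boulder
name 67.136.192.211 Mars
ip address outside 67.136.192.194 255.255.255.240
access-list outside-in permit tcp Support-Boulder 255.255.255.0 host Mars eq 64888
static (DMZ1,outside) 67.136.192.208 67.136.192.208 netmask 255.255.255.240 0 0
access-group outside-in in interface outside
"""
ORIGINAL = "static (inside,outside) tcp RS telnet Mars 64888 netmask 255.255.255.255 0 0"
CORRECTED = "static (inside,outside) tcp Mars 64888 RS telnet netmask 255.255.255.255"
VIA_INTERFACE = "static (inside,outside) tcp interface 64888 RS telnet netmask 255.255.255.255"

if __name__ == "__main__":
    for line in (ORIGINAL, CORRECTED, VIA_INTERFACE):
        print(line, *(audit(CONFIG, line) or ["ok"]), sep="\n  ")
```

The three results line up with the thread: the original line fails the argument-order and ACL checks (no ACE permits the private address it accidentally exposes), the swapped line fails only because Mars' address is already owned by the DMZ1 identity static, and the `interface` form is syntactically fine but still needs its own `access-list outside-in permit tcp ... host 67.136.192.194 eq 64888` line before the support people can reach it.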

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 16874421
So you want to take MARS server out of the picture, have outside users hit the same public IP that was Mars on port 64888 that redirects to RS/telnet ?

Problem is that MARS' IP address resides on the DMZ interface, not the public interface.
You can't redirect from outside to DMZ1 and back to inside just with the PIX.
You -can- redirect from outside to a host on DMZ1 which then redirects to a host on inside.
I don't think you have much choice except to tell the support folk that MARS' IP address has changed . . .





Author Comment

by:codale
ID: 16874540
That's kind of what I thought.  I didn't think you could route from the DMZ directly, but it was worth a shot.  I just installed WinGate on a box with that address and it's now working.  Thank you very much for the help.