Trouble Setting up Radmin Ports on Cisco PIX 506E

I've researched this quite extensively but cannot find a solution that addresses this topic.

I have Radmin installed on a business client pc behind a PIX 506E firewall.

Usually, with home routers I would be able to forward port XXXX to the destination client IP. However, I'm having trouble getting this correct on the PIX.

Here is the PIX configuration thus far.
192.168.XXX.135 is the destination IP and 8XXX is the port I want Radmin to use.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname XXXXXXXX
domain-name XXXXXXXXXX.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 6X.XXX.XXX.30 eq 3XXX
access-list outside_access_in permit tcp any host 6X.XXX.XXX.30 eq 9XXX
access-list outside_access_in permit tcp host 6X.XXX.XXX.198 host 6X.XXX.XXX.30 eq 5XX
access-list outside_access_in permit tcp host 6X.XXX.XXX.198 host 6X.XXX.XXX.30 eq 1XXX
access-list outside_access_in permit tcp any interface outside eq 8XXX
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 6X.XXX.XXX.26 255.255.255.XXX
ip address inside 192.168.XXX.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.XXX.7 255.255.255.255 inside
pdm location 6X.XXX.XXX.198 255.255.255.255 outside
pdm location 192.168.XXX.135 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 6X.XXX.XXX.27-6X.XXX.XXX.28
global (outside) 1 6X.XXX.XXX.29
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8XXX 192.168.XXX.135 8XXX netmask 255.255.255.255 0 0
static (inside,outside) 6X.XXX.XXX.30 192.168.XXX.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 6X.XXX.XXX.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.XXX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.XXX.140-192.168.XXX.200 inside
dhcpd dns 6X.XXX.XXX.18 6X.XXX.XXX.33
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXXXXX.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXX

Any help is appreciated, I'm stuck.
jvleigh221 Asked:

batry_boy Commented:
The following lines in your existing configuration look correct and should allow you to use your application when you use the PIX outside interface IP address along with port 8xxx:

access-list outside_access_in permit tcp any interface outside eq 8XXX
static (inside,outside) tcp interface 8XXX 192.168.XXX.135 8XXX netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside

Are you trying to connect to IP address 6X.XXX.XXX.26 on TCP port 8xxx with Radmin?

If you are and are having problems, I would recommend at this point to run the "capture" command to verify that traffic is showing up at the PIX and it sees it on the right port going to the right IP address.  In order to do this, you will need to define an access list to match the traffic you are looking for and then apply the capture to the outside interface while referencing the access list to tell the capture command what traffic to look for.  For your specific scenario, here are the commands:

access-list radmin-traffic permit tcp any interface outside eq 8XXX
capture rcap access-list radmin-traffic interface outside

Then, try to use the Radmin app.  Next, issue the following command to see what the capture shows:

show capture rcap

Give this a shot and see what you get...

jvleigh221 Author Commented:
From what I understand I need to connect to 6X.XXX.XXX.29 (the outside IP) not .26

Do you see where I may need to add/edit an entry for that?

I thought it would have been included in the command:
access-list outside_access_in permit tcp any interface outside eq 8XXX
But maybe not.
batry_boy Commented:
>>From what I understand I need to connect to 6X.XXX.XXX.29 (the outside IP) not .26

>>I thought it would have been included in the command:
access-list outside_access_in permit tcp any interface outside eq 8XXX

That's correct.  It is referenced in the access list, but notice that the access list references "interface outside".  Now, take a look at the following command from your PIX configuration:

ip address outside 6X.XXX.XXX.26 255.255.255.XXX

The outside interface actually has 6x.xx.xx.26, not .29, assigned to it.  Therefore, with the way you have it configured, you will need to connect to .26 with your Radmin app for it to work.  You can always reconfigure this, but this is what you'll have to do with the current way it is configured.
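As an added example (not code from the thread or from Cisco), the check below parses the static, access-list and access-group statements quoted in the first answer together with the outside interface address, and reports which public IP:port a client must connect to for a given inside host, resolving the "interface" keyword to the outside interface address the way the answer above explains; this is the .26-versus-.29 distinction made mechanical, and it also covers the one-to-one static form so a config with both kinds can be checked. The configuration text, addresses and ports are constructed placeholders modelled on the question, not the poster's real values.

```python
"""Check a PIX 6.x-style port forward: static + access-list + access-group.
Added example, not the thread's code.  SAMPLE_CONFIG is a constructed,
redacted sample modelled on the question's configuration; the addresses and
ports are documentation placeholders, not the poster's values.
"""
import re

SAMPLE_CONFIG = """\
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 203.0.113.30 eq 3000
access-list outside_access_in permit tcp any interface outside eq 8080
ip address outside 203.0.113.26 255.255.255.240
static (inside,outside) tcp interface 8080 192.168.10.135 8080 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.30 192.168.10.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Port-redirecting static (GLOBAL may be the keyword "interface") and 1:1 static.
_STATIC_PORT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
_STATIC_ONE_TO_ONE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")


def _take_addr(tokens):
    kw = tokens.pop(0)  # one ACL address spec: any | host A | interface NAME | NET MASK
    if kw == "any":
        return ("any",)
    if kw in ("host", "interface"):
        return (kw, tokens.pop(0))
    return ("subnet", kw, tokens.pop(0))


def parse_config(text):
    cfg = {"interface_ips": {}, "statics": [], "acls": {}, "access_groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^ip address (\S+) (\S+) (\S+)$", line)
        if m:
            cfg["interface_ips"][m.group(1)] = m.group(2)
            continue
        m = _STATIC_PORT.match(line)
        if m:
            cfg["statics"].append(dict(
                outside_if=m.group(2), proto=m.group(3), global_ip=m.group(4),
                global_port=m.group(5), local_ip=m.group(6), local_port=m.group(7)))
            continue
        m = _STATIC_ONE_TO_ONE.match(line)
        if m:
            cfg["statics"].append(dict(
                outside_if=m.group(2), proto=None, global_ip=m.group(3),
                global_port=None, local_ip=m.group(4), local_port=None))
            continue
        if line.startswith("access-list "):
            name, action, proto, *rest = line.split()[1:]
            src, dst = _take_addr(rest), _take_addr(rest)  # source is consumed first
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            cfg["acls"].setdefault(name, []).append(
                dict(action=action, proto=proto, src=src, dst=dst, port=port))
            continue
        m = re.match(r"^access-group (\S+) in interface (\S+)$", line)
        if m:
            cfg["access_groups"][m.group(2)] = m.group(1)
    return cfg


def _dst_matches(dst, public_ip, cfg):
    """Does an ACL destination cover the public address of the static?"""
    if dst[0] == "any":
        return True
    if dst[0] == "host":
        return dst[1] == public_ip
    if dst[0] == "interface":  # "interface outside" means the outside IP itself
        return cfg["interface_ips"].get(dst[1]) == public_ip
    return False  # subnet destinations are not evaluated in this example


def check_port_forward(text, inside_ip, inside_port, proto="tcp"):
    """Public IP:port for inside_ip:inside_port and whether the outside ACL permits it."""
    cfg = parse_config(text)
    static = next((s for s in cfg["statics"]
                   if s["local_ip"] == inside_ip and s["proto"] in (None, proto)
                   and s["local_port"] in (None, inside_port)), None)
    if static is None:
        return {"ok": False, "reason": f"no static for {inside_ip}:{inside_port}"}
    outside_if = static["outside_if"]
    public_ip = (cfg["interface_ips"].get(outside_if)
                 if static["global_ip"] == "interface" else static["global_ip"])
    public_port = static["global_port"] or inside_port  # a 1:1 static keeps the port
    acl_name = cfg["access_groups"].get(outside_if)
    permitted = False
    for entry in cfg["acls"].get(acl_name, []):
        if (entry["proto"] in (proto, "ip") and entry["port"] in (None, public_port)
                and _dst_matches(entry["dst"], public_ip, cfg)):
            permitted = entry["action"] == "permit"
            break  # first matching entry decides; no match is the implicit deny
    reason = None if permitted else (f"no access-group bound to {outside_if}" if acl_name is None
                                     else f"{acl_name} does not permit {proto}/{public_port} to {public_ip}")
    return {"ok": permitted, "public_ip": public_ip, "public_port": public_port,
            "acl": acl_name, "reason": reason}
```

Running `check_port_forward(SAMPLE_CONFIG, "192.168.10.135", "8080")` returns the outside interface address as `public_ip`, which is the address a client has to use; a second global address that only appears in a `global` statement never shows up here, because nothing maps inbound connections to it.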
jvleigh221 Author Commented:
I appreciate your insight. I've tried connecting using .26 and .29 with no success. I know Radmin is working because internally while on site I was able to access it using the private IP .135.

I won't be back at that location until this coming weekend to run the capture. I will post what I find then.

PS: If the inside ip is .26, as the line ( ip address outside 6X.XXX.XXX.26 255.255.255.XXX ) states, then what are these lines configuring?
global (outside) 1 6X.XXX.XXX.27-6X.XXX.XXX.28
global (outside) 1 6X.XXX.XXX.29
batry_boy Commented:
The global commands tell the firewall how to perform translation on source IP addresses that are referenced in the "nat" commands.  The "1" behind the interface name is how you group "global" and "nat" commands together.  For example, let's say you had the following statements in your PIX:

global (outside) 1 6X.XXX.XXX.27-6X.XXX.XXX.28
global (outside) 1 6X.XXX.XXX.29
global (outside) 2 6X.XXX.XXX.30
global (outside) 3 6X.XXX.XXX.31
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 2 192.168.2.0 255.255.255.0
nat (inside) 3 192.168.3.0 255.255.255.0

The two "global (outside) 1" statements would be used for translation of IP addresses from the 192.168.1.0/24 network because that is the subnet referenced in the corresponding "nat (inside) 1" statement.

In similar fashion, any source IP address from 192.168.2.0/24 would be translated to 6X.XXX.XXX.29 when going to the outside interface and any source IP address from 192.168.3.0/24 would be translated to 6X.XXX.XXX.30.

In your case, where you have a range of addresses configured on one of the global commands, the PIX will take the first IP address from the source IP range in the corresponding NAT statement and translate it to the first IP address in the range.  In other words, if I'm on host 192.168.1.25 and I'm the first one in the office one morning and I'm the first one to send traffic through the PIX, then I will get 6X.XXX.XXX.27 for my translated address.  The second IP address to send traffic from the inside through the PIX will get 6X.XXX.XXX.28, and then the 3rd and subsequent IP addresses will be port address translated (PAT) to 6X.XXX.XXX.29, because that IP is referenced in a global command by itself.  That is also what is happening in my example for the "global (outside) 2" and "global (outside) 3" commands.

Does that help?
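The translation behaviour described in this answer, as an added example in Python rather than code from the thread or from Cisco: a small model of how the PIX groups global pools by nat id, hands out the addresses of a range one per inside host, and falls back to PAT on the single-address global once the range is used up, with the xlate table keeping a host on the same outside address for later flows. It uses the same nat id 1/2/3 layout as the example statements above, with documentation addresses in place of the redacted ones; the PAT port counter starting at 1024 is an assumption of the model, not something the thread states.

```python
"""Simulate PIX 6.x dynamic NAT/PAT pool selection for grouped global/nat ids.
Added example, not the thread's code.  NAT_SAMPLE_CONFIG mirrors the answer's
nat-id 1/2/3 layout with documentation addresses; the PAT port counter that
starts at 1024 is an assumption of this model, not PIX behaviour from the
thread.
"""
import ipaddress
import re

NAT_SAMPLE_CONFIG = """\
global (outside) 1 203.0.113.27-203.0.113.28
global (outside) 1 203.0.113.29
global (outside) 2 203.0.113.30
global (outside) 3 203.0.113.31
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 2 192.168.2.0 255.255.255.0
nat (inside) 3 192.168.3.0 255.255.255.0
"""

_GLOBAL = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")
_NAT = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")


class PixNatPolicy:
    """Global pools grouped by nat id, plus the xlate table the firewall builds."""

    def __init__(self, config_text):
        self.pools = {}      # nat id -> {"ranges": [ip, ...], "pat": [ip, ...]}
        self.nats = []       # (nat id, inside network), in configuration order
        self.xlate = {}      # inside ip -> outside ip for one-to-one entries
        self.pat_ports = {}  # PAT ip -> next source port to hand out
        for raw in config_text.splitlines():
            line = raw.strip()
            m = _GLOBAL.match(line)
            if m:
                pool = self.pools.setdefault(m.group(2), {"ranges": [], "pat": []})
                if "-" in m.group(3):  # a range is a dynamic NAT pool
                    lo, hi = (int(ipaddress.ip_address(a)) for a in m.group(3).split("-"))
                    pool["ranges"] += [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
                else:                  # a single address is a PAT address
                    pool["pat"].append(m.group(3))
                continue
            m = _NAT.match(line)
            if m:
                net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
                self.nats.append((m.group(2), net))

    def nat_id_for(self, src_ip):
        """First nat statement whose network contains src_ip (0.0.0.0 0.0.0.0 = any)."""
        addr = ipaddress.ip_address(src_ip)
        return next((nat_id for nat_id, net in self.nats if addr in net), None)

    def translate(self, src_ip, src_port):
        """Return (outside ip, outside port) for a new flow, or None if no pool applies."""
        if src_ip in self.xlate:  # an existing one-to-one xlate is reused
            return (self.xlate[src_ip], src_port)
        pool = self.pools.get(self.nat_id_for(src_ip))
        if pool is None:
            return None
        in_use = set(self.xlate.values())
        for candidate in pool["ranges"]:  # range addresses first, one per host
            if candidate not in in_use:
                self.xlate[src_ip] = candidate
                return (candidate, src_port)
        if pool["pat"]:  # range exhausted or absent: everyone shares the PAT address
            pat_ip = pool["pat"][0]
            port = self.pat_ports.get(pat_ip, 1024)
            self.pat_ports[pat_ip] = port + 1
            return (pat_ip, port)
        return None


def first_morning(policy, hosts, src_port=40000):
    """Translate one flow per host in arrival order; shows who gets NAT and who gets PAT."""
    return {h: policy.translate(h, src_port) for h in hosts}
```

With the sample above, the first two 192.168.1.0/24 hosts to send traffic receive .27 and .28 unchanged on their source port, every later host in that subnet shares .29 with a rewritten source port, and hosts in the nat 2 and nat 3 subnets go straight to PAT on .30 and .31 because those ids have no range at all.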
jvleigh221 Author Commented:
Your comments were very prompt, thorough and kindly provided. I haven't been able to return to the client's site to run the capture yet, but I did not want the question to go too long without giving the points deserved. When I do get the capture, I will post the results and if you have any other suggestions I would be grateful. Thanks again.