Trouble Setting up Radmin Ports on Cisco PIX 506E

Posted on 2008-01-26
Last Modified: 2010-04-21
I've researched this quite extensively but cannot find a solution that addresses this topic.

I have Radmin installed on a business client pc behind a PIX 506E firewall.

Usually, with home routers I would be able to forward port XXXX to the destination client IP. However, I'm having trouble getting this correct on the PIX.

Here is the PIX configuration thus far.
192.168.XXX.135 is the destination IP and 8XXX is the port I want Radmin to use.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname XXXXXXXX
domain-name XXXXXXXXXX.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 6X.XXX.XXX.30 eq 3XXX
access-list outside_access_in permit tcp any host 6X.XXX.XXX.30 eq 9XXX
access-list outside_access_in permit tcp host 6X.XXX.XXX.198 host 6X.XXX.XXX.30 eq 5XX
access-list outside_access_in permit tcp host 6X.XXX.XXX.198 host 6X.XXX.XXX.30 eq 1XXX
access-list outside_access_in permit tcp any interface outside eq 8XXX
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 6X.XXX.XXX.26 255.255.255.XXX
ip address inside 192.168.XXX.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.XXX.7 255.255.255.255 inside
pdm location 6X.XXX.XXX.198 255.255.255.255 outside
pdm location 192.168.XXX.135 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 6X.XXX.XXX.27-6X.XXX.XXX.28
global (outside) 1 6X.XXX.XXX.29
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8XXX 192.168.XXX.135 8XXX netmask 255.255.255.255 0 0
static (inside,outside) 6X.XXX.XXX.30 192.168.XXX.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 6X.XXX.XXX.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.XXX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.XXX.140-192.168.XXX.200 inside
dhcpd dns 6X.XXX.XXX.18 6X.XXX.XXX.33
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXXXXXXX.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXX

Any help is appreciated, I'm stuck.
Question by:jvleigh221
6 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 2000 total points
ID: 20752389
The following lines in your existing configuration look correct and should allow you to use your application when you use the PIX outside interface IP address along with port 8xxx:

access-list outside_access_in permit tcp any interface outside eq 8XXX
static (inside,outside) tcp interface 8XXX 192.168.XXX.135 8XXX netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside

Are you trying to connect to IP address 6X.XXX.XXX.26 on TCP port 8xxx with Radmin?

If you are and are having problems, I would recommend at this point to run the "capture" command to verify that traffic is showing up at the PIX and it sees it on the right port going to the right IP address.  In order to do this, you will need to define an access list to match the traffic you are looking for and then apply the capture to the outside interface while referencing the access list to tell the capture command what traffic to look for.  For your specific scenario, here are the commands:

access-list radmin-traffic permit tcp any interface outside eq 8XXX
capture rcap access-list radmin-traffic interface outside

Then, try to use the Radmin app.  Next, issue the following command to see what the capture shows:

show capture rcap

Give this a shot and see what you get...

Author Comment

by:jvleigh221
ID: 20754227
From what I understand I need to connect to 6X.XXX.XXX.29 (the outside IP) not .26

Do you see where I may need to add/edit an entry for that?

I thought it would have been included in the command:
access-list outside_access_in permit tcp any interface outside eq 8XXX
But maybe not.
LVL 28

Expert Comment

by:batry_boy
ID: 20754594
>>From what I understand I need to connect to 6X.XXX.XXX.29 (the outside IP) not .26

>>I thought it would have been included in the command:
access-list outside_access_in permit tcp any interface outside eq 8XXX

That's correct.  It is referenced in the access list, but notice that the access list references "interface outside".  Now, take a look at the following command from your PIX configuration:

ip address outside 6X.XXX.XXX.26 255.255.255.XXX

The outside interface actually has 6x.xx.xx.26, not .29, assigned to it.  Therefore, with the way you have it configured, you will need to connect to .26 with your Radmin app for it to work.  You can always reconfigure this, but this is what you'll have to do with the current way it is configured.

Author Comment

by:jvleigh221
ID: 20756774
I appreciate your insight. I've tried connecting using .26 and .29 with no success. I know Radmin is working because internally while on site I was able to access it using the private IP .135.

I won't be back at that location until this coming weekend to run the capture. I will post what I find then.

PS: If the inside ip is .26 as the line ( ip address outside 6X.XXX.XXX.26 255.255.255.XXX ) states, then what are these lines configuring?
global (outside) 1 6X.XXX.XXX.27-6X.XXX.XXX.28
global (outside) 1 6X.XXX.XXX.29
LVL 28

Expert Comment

by:batry_boy
ID: 20764003
The global commands tell the firewall how to perform translation on source IP addresses that are referenced in the "nat" commands.  The "1" behind the interface name is how you group "global" and "nat" commands together.  For example, let's say you had the following statements in your PIX:

global (outside) 1 6X.XXX.XXX.27-6X.XXX.XXX.28
global (outside) 1 6X.XXX.XXX.29
global (outside) 2 6X.XXX.XXX.30
global (outside) 3 6X.XXX.XXX.31
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 2 192.168.2.0 255.255.255.0
nat (inside) 3 192.168.3.0 255.255.255.0

The two "global (outside) 1" statements would be used for translation of IP addresses from the 192.168.1.0/24 network because that is the subnet referenced in the corresponding "nat (inside) 1" statement.

In similar fashion, any source IP address from 192.168.2.0/24 would be translated to 6X.XXX.XXX.29 when going to the outside interface and any source IP address from 192.168.3.0/24 would be translated to 6X.XXX.XXX.30.

In your case, where you have a range of addresses configured on one of the global commands, the PIX will take the first IP address from the source IP range in the corresponding NAT statement and translate it to the first IP address in the range.  In other words, if I'm on host 192.168.1.25 and I'm the first one in the office one morning and I'm the first one to send traffic through the PIX, then I will get 6X.XXX.XXX.27 for my translated address.  The second IP address to send traffic from the inside through the PIX will get 6X.XXX.XXX.28, and then the 3rd and subsequent IP addresses will be port address translated (PAT) to 6X.XXX.XXX.29, because that IP is referenced in a global command by itself.  That is also what is happening in my example for the "global (outside) 2" and "global (outside) 3" commands.

Does that help?
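Both of batry_boy's explanations rest on the same PIX 6.3 translation rules: a static written against "interface outside" answers on whatever address the ip address outside line carries (.26 in this thread, not .29), the "global" addresses are only source translations for outbound traffic and accept nothing inbound, and a global range is handed out one address per inside host before the lone address is used for PAT. The following Python model is an added illustration, not Cisco code and not anything posted in the thread. It parses constructed config lines in the same syntax (203.0.113.0/24 documentation addresses and port 8080 stand in for the masked values) and answers both questions: where an inbound connection on a given public IP and port is forwarded, and which public address an inside host's outbound traffic gets. The function names, the simplified ACL matching (a single inbound ACL, permit entries only, "eq" ports only) and the pool-before-PAT allocation order are assumptions of this model.

```python
"""Toy model of PIX 6.3 inbound port forwarding and outbound NAT/global pools.
Added example, not Cisco code: it covers only the behaviour the thread discusses,
on constructed sample lines with documentation-range public IPs (203.0.113.0/24)."""
import ipaddress
from dataclasses import dataclass, field

SAMPLE_CONFIG = """
access-list outside_access_in permit tcp any host 203.0.113.30 eq 3389
access-list outside_access_in permit tcp any interface outside eq 8080
ip address outside 203.0.113.26 255.255.255.248
global (outside) 1 203.0.113.27-203.0.113.28
global (outside) 1 203.0.113.29
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 8080 192.168.1.135 8080 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.30 192.168.1.7 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

@dataclass
class Pix:
    if_ips: dict = field(default_factory=dict)   # nameif -> IP
    acls: dict = field(default_factory=dict)     # name -> [(proto, src_net, dst_net, port)]
    inbound_acl: str = None                      # ACL bound "in interface outside"
    statics: list = field(default_factory=list)  # (public, inside_ip, proto, pub_port, in_port)
    pools: dict = field(default_factory=dict)    # nat id -> unused pool addresses
    pat_ip: dict = field(default_factory=dict)   # nat id -> single PAT address
    nats: dict = field(default_factory=dict)     # nat id -> [inside networks]
    leases: dict = field(default_factory=dict)   # inside IP -> pool address in use

def _expand(spec):
    """'a-b' -> every address in the range; a lone address -> [address]."""
    lo, _, hi = spec.partition("-")
    a, b = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))
    return [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]

def _addr(pix, w, i):
    """Parse one ACL address spec at w[i]; return (network, index after it)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] in ("host", "interface"):   # "interface outside" means the outside IP
        ip = pix.if_ips[w[i + 1]] if w[i] == "interface" else w[i + 1]
        return ipaddress.ip_network(ip + "/32"), i + 2
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), i + 2

def parse_pix(text):
    pix = Pix()
    lines = [l.split() for l in text.splitlines() if l.strip()]
    # Interface IPs first: an ACL may say "interface outside" before "ip address".
    pix.if_ips = {w[2]: w[3] for w in lines if w[:2] == ["ip", "address"]}
    for w in lines:
        if w[0] == "access-list" and w[2] == "permit":
            src, i = _addr(pix, w, 4)
            dst, i = _addr(pix, w, i)
            port = int(w[i + 1]) if i < len(w) and w[i] == "eq" else None
            pix.acls.setdefault(w[1], []).append((w[3], src, dst, port))
        elif w[0] == "access-group" and w[2:5] == ["in", "interface", "outside"]:
            pix.inbound_acl = w[1]
        elif w[0] == "global":          # a range is a NAT pool, a lone IP is for PAT
            ips = _expand(w[3])
            if len(ips) > 1:
                pix.pools.setdefault(int(w[2]), []).extend(ips)
            else:
                pix.pat_ip.setdefault(int(w[2]), ips[0])
        elif w[0] == "nat":
            net = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
            pix.nats.setdefault(int(w[2]), []).append(net)
        elif w[0] == "static" and w[2] in ("tcp", "udp"):   # port redirection
            pix.statics.append((w[3], w[5], w[2], int(w[4]), int(w[6])))
        elif w[0] == "static":                              # one-to-one
            pix.statics.append((w[2], w[3], None, None, None))
    return pix

def inbound_target(pix, dst_ip, proto, dst_port, src_ip="198.51.100.9"):
    """Inside (ip, port) reached by a connection arriving on the outside
    interface, or None if no static translates it or the ACL does not permit it."""
    for public, inside_ip, sproto, pub_port, in_port in pix.statics:
        public = pix.if_ips["outside"] if public == "interface" else public
        if public != dst_ip or (sproto and (sproto, pub_port) != (proto, dst_port)):
            continue
        for aproto, src, dst, port in pix.acls.get(pix.inbound_acl, []):
            if (aproto == proto and ipaddress.ip_address(src_ip) in src
                    and ipaddress.ip_address(dst_ip) in dst and port in (None, dst_port)):
                return inside_ip, (in_port if sproto else dst_port)
    return None

def outbound_source(pix, inside_ip):
    """Public address a new outbound connection from inside_ip is translated to."""
    for public, sip, sproto, _, _ in pix.statics:
        if sproto is None and sip == inside_ip:   # one-to-one static wins
            return public
    if inside_ip in pix.leases:                   # pool addresses stick to a host
        return pix.leases[inside_ip]
    addr = ipaddress.ip_address(inside_ip)
    for nat_id, nets in pix.nats.items():
        if any(addr in n for n in nets):
            if pix.pools.get(nat_id):             # pool first, one address per host
                pix.leases[inside_ip] = pix.pools[nat_id].pop(0)
                return pix.leases[inside_ip]
            return pix.pat_ip.get(nat_id)         # pool gone: share the PAT address
    return None
```

With pix = parse_pix(SAMPLE_CONFIG), inbound_target(pix, "203.0.113.26", "tcp", 8080) returns ("192.168.1.135", 8080), while the same port on 203.0.113.29 returns None because no static names that address; that is exactly the .26 versus .29 confusion in the thread. Successive outbound_source calls for three inside hosts return .27, .28 and then .29, every further host also gets .29, and the host behind the one-to-one static gets .30 regardless. The src_ip parameter marks where a source restriction such as the "host 6X.XXX.XXX.198" entries already in the question's access list would take effect; a "permit tcp any" entry in front of a remote-administration port exposes it to every Internet host, so narrowing the source is the first hardening step once the forward is working.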

Author Closing Comment

by:jvleigh221
ID: 31425340
Your comments were very prompt, thorough and kindly provided. I haven't been able to return to the client's site to run the capture yet, but I did not want the question to go too long without giving the points deserved. When I do get the capture, I will post the results and if you have any other suggestions I would be grateful. Thanks again.