Port forwarding to internal subnet

I have a PIX 506E securing access to a subnet visible externally. NAT is not being used. I would like to know how to do port forwarding. For example, I would like to allow ssh to several computers in the internal network but not all of them.
regards, Mark
LVL 3
uanmiAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

batry_boyCommented:
In a nutshell, the following commands will allow any external host to SSH to IP address 2.2.2.2:

access-list outside_access_in permit tcp any host 2.2.2.2 eq 22
access-group outside_access_in in interface outside

Change the above command to reflect the real IP address of your inside machines that you want to allow SSH to.
0
uanmiAuthor Commented:
This does not appear to work. I still cannot get ssh to work from outside to the internal computer. I need to be able to do ssh from anywhere on the internet through to the internal computer.
The external IP on the PIX is 131.170.253.xxx and the internal IP of the computer I'm trying to connect to is 131.170.68.xxx

I appreciate your help
0
batry_boyCommented:
You're not using NAT?  Are you using NAT 0, or how do you have your translation exemption configured?  It would probably be easier for you to just post your sanitized config so I can give you a better solution.
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

uanmiAuthor Commented:
Here is the config file without passwords. I'm trying to get ssh through to 131.170.68.108 and cannot ge this to work. I'm trying to do it without NAT.

regards, Mark
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password abcd encrypted
passwd abcd encrypted
hostname SECEResearch
domain-name rmit.edu.au
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 131.170.68.52 DNSServer
name 131.170.68.108 IENUMServer
name 131.170.68.0 SECEResearch
access-list outside_access_in permit tcp any host IENUMServer eq ssh 
access-list inside_outbound_nat0_acl permit ip any host SECEResearch 
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 131.170.253.10 255.255.255.240
ip address inside 131.170.68.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP 131.170.68.130-131.170.68.140
pdm location 192.168.200.3 255.255.255.255 inside
pdm location 131.170.68.1 255.255.255.255 inside
pdm location DNSServer 255.255.255.255 inside
pdm location 203.34.248.5 255.255.255.255 outside
pdm location 203.81.196.127 255.255.255.255 outside
pdm location IENUMServer 255.255.255.255 inside
pdm location 131.170.0.0 255.255.0.0 outside
pdm location SECEResearch 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) SECEResearch SECEResearch netmask 255.255.255.0 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 131.170.253.13 1
route outside SECEResearch 255.255.255.255 131.170.253.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 203.34.248.5 255.255.255.255 outside
http 203.81.196.127 255.255.255.255 outside
http 131.170.0.0 255.255.0.0 outside
http 192.168.200.3 255.255.255.255 inside
http 131.170.68.1 255.255.255.255 inside
http SECEResearch 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 0.0.0.0 0.0.0.0 outside
telnet SECEResearch 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP_GROUP accept dialin pptp
vpdn group PPTP_GROUP ppp authentication pap
vpdn group PPTP_GROUP ppp authentication chap
vpdn group PPTP_GROUP client configuration address local PPTP
vpdn group PPTP_GROUP client configuration dns 131.170.1.1 131.170.2.1
vpdn group PPTP_GROUP pptp echo 60
vpdn group PPTP_GROUP client authentication local
vpdn username mgregory password ********* 
vpdn username aj password ********* 
vpdn enable outside
vpdn enable inside
dhcpd address 131.170.68.100-131.170.68.110 inside
dhcpd dns 131.170.1.1 131.170.2.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:abcd
: end
[OK]

Open in new window

0
batry_boyCommented:
Try this:

no route outside SECEResearch 255.255.255.255 131.170.253.13
no nat (inside) 0 access-list inside_outbound_nat0_acl

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
uanmiAuthor Commented:
I appreciate your help. This works. I will now consider what the commands are doing and see if I can make further changes.
May I ask if you can see why I cannot telnet to the PIX from outside. I would like to do this as the PDM keeps timing out every minute or so and I have to continually re-open the internet explorer - java PDM tool.

regards, Mark
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password abcd encrypted
passwd abcd encrypted
hostname SECEResearch
domain-name rmit.edu.au
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 131.170.68.52 DNSServer
name 131.170.68.108 IENUMServer
name 131.170.68.0 SECEResearch
access-list outside_access_in permit tcp any host IENUMServer eq ssh 
access-list inside_outbound_nat0_acl permit ip any host SECEResearch 
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 131.170.253.10 255.255.255.240
ip address inside 131.170.68.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP 131.170.68.130-131.170.68.140
pdm location 192.168.200.3 255.255.255.255 inside
pdm location 131.170.68.1 255.255.255.255 inside
pdm location DNSServer 255.255.255.255 inside
pdm location 203.34.248.5 255.255.255.255 outside
pdm location 203.81.196.127 255.255.255.255 outside
pdm location IENUMServer 255.255.255.255 inside
pdm location 131.170.0.0 255.255.0.0 outside
pdm location SECEResearch 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) SECEResearch SECEResearch netmask 255.255.255.0 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 131.170.253.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 203.34.248.5 255.255.255.255 outside
http 203.81.196.127 255.255.255.255 outside
http 131.170.0.0 255.255.0.0 outside
http 192.168.200.3 255.255.255.255 inside
http 131.170.68.1 255.255.255.255 inside
http SECEResearch 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 0.0.0.0 0.0.0.0 outside
telnet SECEResearch 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP_GROUP accept dialin pptp
vpdn group PPTP_GROUP ppp authentication pap
vpdn group PPTP_GROUP ppp authentication chap
vpdn group PPTP_GROUP client configuration address local PPTP
vpdn group PPTP_GROUP client configuration dns 131.170.1.1 131.170.2.1
vpdn group PPTP_GROUP pptp echo 60
vpdn group PPTP_GROUP client authentication local
vpdn username mgregory password ********* 
vpdn username aj password ********* 
vpdn enable outside
vpdn enable inside
dhcpd address 131.170.68.100-131.170.68.110 inside
dhcpd dns 131.170.1.1 131.170.2.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:abcd
: end
[OK]

Open in new window

0
batry_boyCommented:
You cannot use telnet to get to the PIX on the outside interface, unless the traffic is protected by an IPSEC tunnel.  This was implemented as a security feature.  You can use telnet on any of the other interfaces without the traffic being in an IPSEC tunnel, but not the outside.  You can use SSH to the outside interface, however, since SSH is encrypted traffic.  You can use something like PuTTY as an SSH client.  Get it here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

You will also need to use the "ssh" command in the PIX config to specify the source IP address you are coming from.  So, if you wanted to allow SSH from any external IP address (not recommended, but you may not have a static public to lock it down to), then you would do this:

ssh 0.0.0.0 0.0.0.0 outside

As far as the PDM timing out, my understanding is that it is a bug in the Java code on the PIX as well as the version of Java you are using on the client.  What version of Java do you have loaded on the client that is timing out?
0
uanmiAuthor Commented:
On my PC I have Java Standard Version 1.6.0_03
The PDM is v 3.0(3)
The PIX is version 6.3(4)
I don't have a Cisco support plan so I cannot upgrade the IOS.
Thank you for letting me know about telnet. I will use putty and ssh. The PDM timeout is driving me silly so I need an alternative.
Interesting the commands that fixed this problem cannot be set using the PDM, as I cannot find any changes to the settings in it prior to setting the two commands you offered using the CLI.
regards, Mark
0
batry_boyCommented:
The route command should be found in the PDM under "Configuration - System Properties", then on the left, click on Routing, then choose "Static Route".  The route should have been listed there, although you won't see it now since you removed it with the CLI...:)

The nat commnad should have been found under "Configuration - Translation Rules", then click the "Translation Exemption Rules" radio button.

I would try actually downgrading your version of Java to 1.4.2 to see if that helps with the timeout issue, if you're interested.  I've read where that can help although I haven't personally verified that myself.

Good luck!
0
uanmiAuthor Commented:
thank you for your help today, I will be able to move forward now.
regards, Mark
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.