Solved

Port forwarding to internal subnet

Posted on 2008-02-04
10
Medium Priority
440 Views
Last Modified: 2011-10-03
I have a PIX 506E securing access to a subnet visible externally. NAT is not being used. I would like to know how to do port forwarding. For example, I would like to allow ssh to several computers in the internal network but not all of them.
regards, Mark
0
Comment
Question by:uanmi
10 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20820111
In a nutshell, the following commands will allow any external host to SSH to IP address 2.2.2.2:

access-list outside_access_in permit tcp any host 2.2.2.2 eq 22
access-group outside_access_in in interface outside

Change the above command to reflect the real IP address of your inside machines that you want to allow SSH to.
0
 
LVL 3

Author Comment

by:uanmi
ID: 20820645
This does not appear to work. I still cannot get ssh to work from outside to the internal computer. I need to be able to do ssh from anywhere on the internet through to the internal computer.
The external IP on the PIX is 131.170.253.xxx and the internal IP of the computer I'm trying to connect to is 131.170.68.xxx

I appreciate your help
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20820764
You're not using NAT?  Are you using NAT 0, or how do you have your translation exemption configured?  It would probably be easier for you to just post your sanitized config so I can give you a better solution.
0
 
LVL 3

Author Comment

by:uanmi
ID: 20820909
Here is the config file without passwords. I'm trying to get ssh through to 131.170.68.108 and cannot get this to work. I'm trying to do it without NAT.

regards, Mark
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password abcd encrypted
passwd abcd encrypted
hostname SECEResearch
domain-name rmit.edu.au
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 131.170.68.52 DNSServer
name 131.170.68.108 IENUMServer
name 131.170.68.0 SECEResearch
access-list outside_access_in permit tcp any host IENUMServer eq ssh 
access-list inside_outbound_nat0_acl permit ip any host SECEResearch 
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 131.170.253.10 255.255.255.240
ip address inside 131.170.68.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP 131.170.68.130-131.170.68.140
pdm location 192.168.200.3 255.255.255.255 inside
pdm location 131.170.68.1 255.255.255.255 inside
pdm location DNSServer 255.255.255.255 inside
pdm location 203.34.248.5 255.255.255.255 outside
pdm location 203.81.196.127 255.255.255.255 outside
pdm location IENUMServer 255.255.255.255 inside
pdm location 131.170.0.0 255.255.0.0 outside
pdm location SECEResearch 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) SECEResearch SECEResearch netmask 255.255.255.0 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 131.170.253.13 1
route outside SECEResearch 255.255.255.255 131.170.253.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 203.34.248.5 255.255.255.255 outside
http 203.81.196.127 255.255.255.255 outside
http 131.170.0.0 255.255.0.0 outside
http 192.168.200.3 255.255.255.255 inside
http 131.170.68.1 255.255.255.255 inside
http SECEResearch 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 0.0.0.0 0.0.0.0 outside
telnet SECEResearch 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP_GROUP accept dialin pptp
vpdn group PPTP_GROUP ppp authentication pap
vpdn group PPTP_GROUP ppp authentication chap
vpdn group PPTP_GROUP client configuration address local PPTP
vpdn group PPTP_GROUP client configuration dns 131.170.1.1 131.170.2.1
vpdn group PPTP_GROUP pptp echo 60
vpdn group PPTP_GROUP client authentication local
vpdn username mgregory password ********* 
vpdn username aj password ********* 
vpdn enable outside
vpdn enable inside
dhcpd address 131.170.68.100-131.170.68.110 inside
dhcpd dns 131.170.1.1 131.170.2.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:abcd
: end
[OK]

0
 
LVL 28

Accepted Solution

by:batry_boy (earned 2000 total points)
ID: 20820942
Try this:

no route outside SECEResearch 255.255.255.255 131.170.253.13
no nat (inside) 0 access-list inside_outbound_nat0_acl

0
 
LVL 3

Author Comment

by:uanmi
ID: 20820993
I appreciate your help. This works. I will now consider what the commands are doing and see if I can make further changes.
May I ask if you can see why I cannot telnet to the PIX from outside. I would like to do this as the PDM keeps timing out every minute or so and I have to continually re-open the internet explorer - java PDM tool.

regards, Mark
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password abcd encrypted
passwd abcd encrypted
hostname SECEResearch
domain-name rmit.edu.au
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 131.170.68.52 DNSServer
name 131.170.68.108 IENUMServer
name 131.170.68.0 SECEResearch
access-list outside_access_in permit tcp any host IENUMServer eq ssh 
access-list inside_outbound_nat0_acl permit ip any host SECEResearch 
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 131.170.253.10 255.255.255.240
ip address inside 131.170.68.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP 131.170.68.130-131.170.68.140
pdm location 192.168.200.3 255.255.255.255 inside
pdm location 131.170.68.1 255.255.255.255 inside
pdm location DNSServer 255.255.255.255 inside
pdm location 203.34.248.5 255.255.255.255 outside
pdm location 203.81.196.127 255.255.255.255 outside
pdm location IENUMServer 255.255.255.255 inside
pdm location 131.170.0.0 255.255.0.0 outside
pdm location SECEResearch 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) SECEResearch SECEResearch netmask 255.255.255.0 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 131.170.253.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 203.34.248.5 255.255.255.255 outside
http 203.81.196.127 255.255.255.255 outside
http 131.170.0.0 255.255.0.0 outside
http 192.168.200.3 255.255.255.255 inside
http 131.170.68.1 255.255.255.255 inside
http SECEResearch 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 0.0.0.0 0.0.0.0 outside
telnet SECEResearch 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP_GROUP accept dialin pptp
vpdn group PPTP_GROUP ppp authentication pap
vpdn group PPTP_GROUP ppp authentication chap
vpdn group PPTP_GROUP client configuration address local PPTP
vpdn group PPTP_GROUP client configuration dns 131.170.1.1 131.170.2.1
vpdn group PPTP_GROUP pptp echo 60
vpdn group PPTP_GROUP client authentication local
vpdn username mgregory password ********* 
vpdn username aj password ********* 
vpdn enable outside
vpdn enable inside
dhcpd address 131.170.68.100-131.170.68.110 inside
dhcpd dns 131.170.1.1 131.170.2.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:abcd
: end
[OK]

0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20821048
You cannot use telnet to get to the PIX on the outside interface, unless the traffic is protected by an IPSEC tunnel.  This was implemented as a security feature.  You can use telnet on any of the other interfaces without the traffic being in an IPSEC tunnel, but not the outside.  You can use SSH to the outside interface, however, since SSH is encrypted traffic.  You can use something like PuTTY as an SSH client.  Get it here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

You will also need to use the "ssh" command in the PIX config to specify the source IP address you are coming from.  So, if you wanted to allow SSH from any external IP address (not recommended, but you may not have a static public to lock it down to), then you would do this:

ssh 0.0.0.0 0.0.0.0 outside

As far as the PDM timing out, my understanding is that it is a bug in the Java code on the PIX as well as the version of Java you are using on the client.  What version of Java do you have loaded on the client that is timing out?
0
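As an added illustration (not code from the thread or from Cisco), the following Python lint flags the three things this thread turned up in the poster's PIX 6.3 config: the host route for the inside subnet pointing out the outside interface, the nat 0 access-list competing with the identity static (the two lines the accepted answer removes), and the telnet line on the outside interface that the PIX will not honour. The sample config is constructed from the lines quoted above, with the SECEResearch name resolved to its address.

```python
import re
from ipaddress import ip_network

# Constructed sample: the relevant lines from the first posted config,
# with the name SECEResearch already resolved to 131.170.68.0.
SAMPLE_CONFIG = """\
ip address outside 131.170.253.10 255.255.255.240
ip address inside 131.170.68.254 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 131.170.68.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 131.170.68.0 131.170.68.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 131.170.253.13 1
route outside 131.170.68.0 255.255.255.255 131.170.253.13 1
telnet 0.0.0.0 0.0.0.0 outside
"""

def lint_pix(config):
    """Return (finding, offending line) pairs for the three issues from the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Directly connected subnet per interface, from 'ip address <if> <ip> <mask>'.
    connected = {}
    for l in lines:
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", l)
        if m:
            connected[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    # 1. A static route out of one interface for a destination that is part of a
    #    subnet connected to a different interface (the bogus /32 route above).
    for l in lines:
        m = re.match(r"route (\S+) (\S+) (\S+) \S+", l)
        if not m or m.group(2) == "0.0.0.0":
            continue  # skip the default route
        dst = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        for ifname, net in connected.items():
            if ifname != m.group(1) and dst.subnet_of(net):
                findings.append((f"route via {m.group(1)} overlaps {ifname} subnet", l))
    # 2. A nat 0 access-list (translation exemption) alongside an identity static
    #    (same local and global address) for the same traffic.
    acls = sorted({m.group(1) for l in lines
                   for m in [re.match(r"nat \(\S+\) 0 access-list (\S+)", l)] if m})
    identity_static = any(re.match(r"static \(\S+,\S+\) (\S+) \1 ", l) for l in lines)
    if acls and identity_static:
        findings.append((f"nat 0 access-list {','.join(acls)} overlaps identity static",
                         "nat (inside) 0 access-list"))
    # 3. telnet on 'outside': the PIX refuses clear-text telnet there unless the
    #    traffic arrives inside an IPsec tunnel, so SSH is the usable option.
    for l in lines:
        if re.match(r"telnet \S+ \S+ outside$", l):
            findings.append(("telnet on outside is not honoured; use ssh", l))
    return findings
```

Running it on the sample returns all three findings; removing the two lines the accepted answer removes leaves only the telnet finding.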
 
LVL 3

Author Comment

by:uanmi
ID: 20821071
On my PC I have Java Standard Version 1.6.0_03
The PDM is v 3.0(3)
The PIX is version 6.3(4)
I don't have a Cisco support plan so I cannot upgrade the IOS.
Thank you for letting me know about telnet. I will use putty and ssh. The PDM timeout is driving me silly so I need an alternative.
Interestingly, the commands that fixed this problem cannot be set using the PDM, as I cannot find any changes to the settings in it prior to setting the two commands you offered using the CLI.
regards, Mark
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20821087
The route command should be found in the PDM under "Configuration - System Properties", then on the left, click on Routing, then choose "Static Route".  The route should have been listed there, although you won't see it now since you removed it with the CLI...:)

The nat command should have been found under "Configuration - Translation Rules", then click the "Translation Exemption Rules" radio button.

I would try actually downgrading your version of Java to 1.4.2 to see if that helps with the timeout issue, if you're interested.  I've read where that can help although I haven't personally verified that myself.

Good luck!
0
 
LVL 3

Author Comment

by:uanmi
ID: 20821104
Thank you for your help today, I will be able to move forward now.
regards, Mark
0
