Solved

Cisco PIX 501 - Port Forwarding

Posted on 2008-06-09
6
430 Views
Last Modified: 2012-05-05
Hi All,

I need to add port forwarding to the Cisco Pix Config below without stopping it from being able to connect the VPN to the centralpix (which is currently working ok). I have had a go at this myself but am not a Cisco expert and couldn't seem to get it working without breaking the VPN connection.

Thanks in advance!

Peter
interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100
 

enable password myPassword

passwd MyPassword
 

hostname MyHostName

clock timezone gmt 10
 

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521                          

fixup protocol tftp 69
 

names

name 5.5.5.5 centralpix

name 192.168.254.1 router

name 192.168.254.2 pixoutside

name 192.168.1.1 pixinside
 

access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit icmp any any time-exceeded

access-list acl_out permit icmp any any unreachable

access-list acl_out permit icmp any any echo-reply
 

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pixoutside 255.255.255.0

ip address inside pixinside 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 110

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 router 1                                      
 

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute
 

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local
 

ntp server 131.107.1.10 source outside

ntp server 192.189.54.33 source outside
 

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable
 

sysopt connection permit-ipsec                              

crypto ipsec transform-set akemat esp-3des esp-sha-hmac

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 110

crypto map newmap 20 set peer centralpix

crypto map newmap 20 set transform-set akemat

crypto map newmap interface outside
 

isakmp enable outside

isakmp key MyPassword address centralpix netmask 255.255.255.255

isakmp keepalive 180 60

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 1000
 

telnet 192.168.1.0 255.255.255.0 inside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 10
 

management-access inside

console timeout 0

dhcpd address 192.168.1.60-192.168.1.91 inside

dhcpd dns 139.130.4.4 203.50.2.71

dhcpd lease 604800

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Open in new window

0
Comment
Question by:PeteJH
  • 3
  • 2
6 Comments
 

Author Comment

by:PeteJH
ID: 21748018
I forgot to mention that the port fowards I need configured are TCP 25, 443 and 4125 to be forwarded to the internal host 192.168.1.2.

Also, the client has a standard DSL modem on the outside of the PIX (192.168.254.1) in routing mode. We just set up the DMZ setting to forward all traffic to the PIX. There is a single static IP on the DSL connection.

Cheers
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 21748573
I'm going to assume that everything that hits your public ip on the dsl modem is converted (natted back) to your pixoutside ip address, then this is what you need;

static (inside,outside) tcp interface 25 192.168.1.2 25
static (inside,outside) tcp interface 443 192.168.1.2 443
static (inside,outside) tcp interface 4125 192.168.1.2 4125

access-list OutsideIn permit any interface outside eq 25
access-list OutsideIn permit any interface outside eq 443
access-list OutsideIn permit any interface outside eq 4125

access-group OutsideIn in interface outside

Cheers,
Rajesh
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21749324
Rajesh is spot on as usuall :)
heres some extra reading http://www.petenetlive.com/Tech/Firewalls/Cisco/portforward.htm
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:PeteJH
ID: 21756276
Thanks Rajesh. You saved me a stack of time and it is most appreciated.

Just a note, I seemed to have to add "tcp" into the following lines to get it to work:

access-list OutsideIn permit tcp any interface outside eq 25
access-list OutsideIn permit tcp any interface outside eq 443
access-list OutsideIn permit tcp any interface outside eq 4125

Thanks again!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 21756666
Oh yeah, typo (Haven't worked on a Cisco gear for last 2 years - excuse me :-) )

Cheers,
Rajesh
0
 

Author Comment

by:PeteJH
ID: 21790191
No dramas and thanks again Rajesh!
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now