Solved

Cisco PIX 501 - Port Forwarding

Posted on 2008-06-09
6
432 Views
Last Modified: 2012-05-05
Hi All,

I need to add port forwarding to the Cisco Pix Config below without stopping it from being able to connect the VPN to the centralpix (which is currently working ok). I have had a go at this myself but am not a Cisco expert and couldn't seem to get it working without breaking the VPN connection.

Thanks in advance!

Peter
interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100
 

enable password myPassword

passwd MyPassword
 

hostname MyHostName

clock timezone gmt 10
 

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521                          

fixup protocol tftp 69
 

names

name 5.5.5.5 centralpix

name 192.168.254.1 router

name 192.168.254.2 pixoutside

name 192.168.1.1 pixinside
 

access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_out permit icmp any any time-exceeded

access-list acl_out permit icmp any any unreachable

access-list acl_out permit icmp any any echo-reply
 

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pixoutside 255.255.255.0

ip address inside pixinside 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 110

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 router 1                                      
 

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute
 

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local
 

ntp server 131.107.1.10 source outside

ntp server 192.189.54.33 source outside
 

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable
 

sysopt connection permit-ipsec                              

crypto ipsec transform-set akemat esp-3des esp-sha-hmac

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 110

crypto map newmap 20 set peer centralpix

crypto map newmap 20 set transform-set akemat

crypto map newmap interface outside
 

isakmp enable outside

isakmp key MyPassword address centralpix netmask 255.255.255.255

isakmp keepalive 180 60

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 1000
 

telnet 192.168.1.0 255.255.255.0 inside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 10
 

management-access inside

console timeout 0

dhcpd address 192.168.1.60-192.168.1.91 inside

dhcpd dns 139.130.4.4 203.50.2.71

dhcpd lease 604800

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Open in new window

0
Comment
Question by:PeteJH
  • 3
  • 2
6 Comments
 

Author Comment

by:PeteJH
ID: 21748018
I forgot to mention that the port fowards I need configured are TCP 25, 443 and 4125 to be forwarded to the internal host 192.168.1.2.

Also, the client has a standard DSL modem on the outside of the PIX (192.168.254.1) in routing mode. We just set up the DMZ setting to forward all traffic to the PIX. There is a single static IP on the DSL connection.

Cheers
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 21748573
I'm going to assume that everything that hits your public ip on the dsl modem is converted (natted back) to your pixoutside ip address, then this is what you need;

static (inside,outside) tcp interface 25 192.168.1.2 25
static (inside,outside) tcp interface 443 192.168.1.2 443
static (inside,outside) tcp interface 4125 192.168.1.2 4125

access-list OutsideIn permit any interface outside eq 25
access-list OutsideIn permit any interface outside eq 443
access-list OutsideIn permit any interface outside eq 4125

access-group OutsideIn in interface outside

Cheers,
Rajesh
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21749324
Rajesh is spot on as usuall :)
heres some extra reading http://www.petenetlive.com/Tech/Firewalls/Cisco/portforward.htm
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 

Author Comment

by:PeteJH
ID: 21756276
Thanks Rajesh. You saved me a stack of time and it is most appreciated.

Just a note, I seemed to have to add "tcp" into the following lines to get it to work:

access-list OutsideIn permit tcp any interface outside eq 25
access-list OutsideIn permit tcp any interface outside eq 443
access-list OutsideIn permit tcp any interface outside eq 4125

Thanks again!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 21756666
Oh yeah, typo (Haven't worked on a Cisco gear for last 2 years - excuse me :-) )

Cheers,
Rajesh
0
 

Author Comment

by:PeteJH
ID: 21790191
No dramas and thanks again Rajesh!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now