Solved

Cisco PIX 501, how do I forward a port

Posted on 2008-10-07
Last Modified: 2010-04-09
Hi, I am completely new to the Cisco PIX 501 and am unsure how to forward a port. Could someone please guide me in the right direction? Any help is greatly appreciated. Thanks.
Question by:retro-king
27 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 22665156
You have to do two things.
1. Create a NAT translation for that port:
  static (inside,outside) tcp interface <port#> inside.ip.address <port#> netmask 255.255.255.255

2. Create an access-list entry in your existing ACL, if you have one:
  access-list outside_access_in permit tcp any interface outside eq <port#>

Done.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22665808
Also, make sure you bind your access-list to the right interface. This is done with the access-group command.
Here is an example of a working port forwarding setup in a PIX forwarding port 80 (HTTP) requests to inside server 192.168.1.10.
access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
static (inside,outside) tco interface 80 192.168.1.10 80 netmask 255.255.255.255
Cheers! Let me know if you need any help getting this to work!
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22665813
Oops, that should have been:
access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

 

Author Comment

by:retro-king
ID: 22669053
OK. This all sounds good, but as I said, I am new to Cisco commands, etc., period! I do not exactly understand. The web interface will not load, so I have to do it all through telnet. I want to forward 443 and 80. Could you give me an exact example of what should be typed? I do not have a ton of time here, so any help is appreciated.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22671704
Hi there! The commands I sent you are for telnet.
Just make sure you have the # prompt instead of the > prompt and run the
conf t
command before entering them.
Here is an exact sample of what you need:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
Cheers!
 
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22671711
Oops! Use these instead:
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255
 

Author Comment

by:retro-king
ID: 22674840
OK, let's hypothetically say the internal IP address of the server is 192.168.1.2 mask 255.255.255.0 and the public is xxx.xxx.xxx.xxx. Would I then EXACTLY type:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (192.168.1.2,xxx.xxx.xxx.xxx) tcp interface 80 192.168.1.2 80 netmask 255.255.255.0  
static (192.168.1.2,xxx.xxx.xxx.xxx) tcp interface 443 192.168.1.2 443 netmask 255.255.255.0

Please excuse my total ignorance, but the web-based GUI on a WatchGuard is far easier than this damn thing! I inherited this network and am trying to get OWA and OMA working in desperation. Thanks for the help.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22674918
No, you would type EXACTLY:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255

The keywords "inside, outside" are direct references to the interface names and have no relation to the actual IP addresses.
 

Author Comment

by:retro-king
ID: 22675104
OK, I see. However, should the netmasks still be 255.255.255.255 as written, instead of 255.255.255.0, which is the actual one? Again, sorry for the ignorance.

Now I have another problem: when I telnet to the PIX it does not ask for my username, it only asks for the password. When I type the password it only asks again and again. I gain no access. Shouldn't it be asking for a username as well as a password? I have both, but need the prompts correctly. Also, any ideas why the web interface just hangs when trying to load? I really need to get this done, but it seems as soon as I find one solution another problem presents itself! Any ideas? Thanks in advance.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675288
Yes. Do it EXACTLY like I typed it in my post, just replacing the 192.168.1.10 with 192.168.1.2.
Do not change anything else. It's as simple as that.
Did you mess with commands called aaa? Were you using SSH before instead of telnet? Did you mess with enable password or password? Or a username command?
Please let me know.
For the web page hanging, try another browser.
Cheers! Let me know if you have any questions!
 

Author Comment

by:retro-king
ID: 22675339
No, I haven't set anything up on this thing at all. I just inherited it the way it is. I was instructed to telnet with the user and pass given... that would be OK if it prompted me for it. Any ideas?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675350
Yes, just log in. Then, once you get logged in and enabled, run the following commands - do NOTHING before them after you see the # prompt - pasting works best and is fastest.
configure terminal
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255
end
That will do the trick. Let me know if you have any more questions.
 

Author Comment

by:retro-king
ID: 22675482
I think you missed something, or maybe I am. I cannot log in due to the fact that it only prompts for the password and not the username. If I type the password it just pops up a prompt for the password again. It does this three times and then loses its connection. Now, any ideas? Thanks again for the help so far.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675566
You didn't answer any of my questions in my previous post at all:
"Did you mess with commands called aaa? Were you using SSH before instead of telnet? Did you mess with enable password or password? Or a username command?"
 

Author Comment

by:retro-king
ID: 22675617
Sorry for the confusion on my previous answer to your question. No, I haven't messed with any of that. I haven't been able to get anywhere to type any commands whatsoever. All I have done is try to access the web interface, which the user and pass seemed to work for, but it won't get past the loading hourglass. I have also tried to telnet, which results in the previous discussion. I talked with the guy that had previously set it up and was instructed to telnet into it. I still have no idea why it is only prompting for the password when telnetting. HELP!!! LOL! I am about to pull the rest of my hair out!! Thanks again for your help so far.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675662
Lol no problem.
Did you save the config on the device before?
Have you tried using the console port on the device to try to get access? Try that.
 

Author Comment

by:retro-king
ID: 22675674
I have never been able to even get access to save any config, so no, I haven't. How do I access it using the console? I am not sure how it works. Could you explain? It is hooked up, I know that much! LOL!
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675742
Ooohhh.... you have never had access to the config then....
You need to ask the previous device admin what's up.
As far as connecting to the console port, just use the blue console cable, connect it to the serial port on your PC, and then use HyperTerminal or another terminal program to log in on the appropriate COM port (usually COM1 if you don't have a modem and COM3 if you do).
Cheers!
 

Author Comment

by:retro-king
ID: 22675813
Well, it appears I am able to log in using HyperTerminal without any login info. Why is that? In any case the screen is just blank, but I typed help to make sure and it listed:
enable
help
login
logout
pager
quit
XXXXXX>

So where should I go from here? God, I hate being this helpless. I am pressed for time or I would just learn it all now! I really appreciate the help you have given so far. Thanks.
 

Author Comment

by:retro-king
ID: 22675869
Also, is there a way to see the full configuration of the firewall?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675916
You need to run the "enable" command and type in your enable password that was provided to you. Then, you will see the > prompt turn into a # prompt.
Once you get into the # mode, run "sh run" to get the whole config.
Then, just copy it all and paste it here (please don't XXX out all the IPs or I can't help! Noobs tend to do that. :) )
Cheers!
 

Author Comment

by:retro-king
ID: 22675999
LOL! Don't worry, I won't x out the internal IPs! Obviously I can see that the remote port is open, but that appears to be it. Anyway, here it is:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname xxxxxx
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging console notifications
logging monitor notifications
logging buffered notifications
logging trap notifications
logging history notifications
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 0.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.2
snmp-server location CCCCCC
snmp-server contact XXXX@XXXXX.com
snmp-server community public
snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname XXXXXXXX@bellsouth.net
vpdn group PPPOE ppp authentication pap
vpdn username XXXXXXXX@bellsouth.net password *********
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username XXXXX password XXXXXXXXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
 
LVL 12

Accepted Solution

by:Pugglewuggle (earned 250 total points)
ID: 22676017
Cool! So from the # prompt, just run the following EXACTLY as they are and it will work.

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
no access-list outside_access_in permit ip any any
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255

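The security-relevant step in the accepted answer is dropping `permit ip any any` from the ACL bound to the outside interface, because on PIX 6.3 a static PAT is only reachable from the Internet if the outside ACL also permits it. The script below is an added example, not from this thread or from Cisco: it parses the `static`, `access-list` and `access-group` lines of a PIX 6.3 config and reports which forwards are actually reachable. The two config fragments are constructed in the style of the `sh run` posted above (the existing 3389 forward plus the accepted answer's changes), not the poster's exact config.

```python
import re

# Constructed PIX 6.3 config fragments in the style of the "sh run" posted above
# (not the poster's exact config): BEFORE has the original "permit ip any any" on
# the outside ACL; AFTER is the state after the accepted answer's commands.
BEFORE = """\
access-list outside_access_in permit ip any any
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""
AFTER = """\
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+) "
                    r"(any|host \S+|interface \S+)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

def audit(config):
    """Return (wide_open, exposed): wide_open is True when the ACL bound to the
    outside interface permits ip any any; exposed lists (proto, port, inside_host)
    for each static PAT that the outside ACL actually lets in from the Internet."""
    statics, acls, bound = [], {}, {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append((m[3], int(m[5]), m[6]))          # proto, outside port, inside host
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(m.groups()[1:])  # action, proto, src, dst, eq-port
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]                                # interface name -> ACL name

    outside = acls.get(bound.get("outside"), [])              # unbound ACL: nothing passes
    wide_open = any(a == "permit" and p == "ip" and s == "any" and d == "any"
                    for a, p, s, d, _ in outside)

    def allowed(proto, port):
        return wide_open or any(a == "permit" and p in (proto, "ip") and s == "any"
                                and (e is None or int(e) == port)
                                for a, p, s, d, e in outside)

    exposed = [(proto, port, host) for proto, port, host in statics if allowed(proto, port)]
    return wide_open, exposed
```

`audit(BEFORE)` reports the outside ACL as wide open with the 3389 forward reachable; `audit(AFTER)` reports only 80 and 443 reachable, which also shows that removing `permit ip any any` closes the pre-existing 3389 forward unless a matching permit is added for it.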
 

Author Comment

by:retro-king
ID: 22676050
I have to put configure terminal at the beginning and end at the end, correct? So it should look like this:

configure terminal
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
no access-list outside_access_in permit ip any any
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255
end
 
Then hit enter at the end or after each command? Thanks for all of your help! All this for something so simple that I could have done in two seconds on a WatchGuard! LOL
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22676093
Excellent! You're getting it :)
That's correct.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22676096
I think that over time and experience with PIX and ASA firewalls you'll learn to like them better. :)