Solved

Cisco Pix 501, how do i forward a port

Posted on 2008-10-07
Last Modified: 2010-04-09
Hi, I am completely new to the Cisco PIX 501 and am unsure how to forward a port. Could someone please guide me in the right direction? Any help is greatly appreciated. Thanks
Question by:retro-king
27 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 22665156
You have to do two things.
1. create a nat translation for that port
  static (inside,outside) tcp interface <port#> inside.ip.address <port#> netmask 255.255.255.255

2. create an access-list entry to your existing acl if you have one:
 access-list outside_access_in permit tcp any interface outside eq <port#>

Done.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22665808
Also, make sure you bind your access-list to the right interface. This is done with the access-group command.
Here is an example of a working port forwarding setup in a PIX forwarding port 80 (HTTP) requests to inside server 192.168.1.10.
access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
static (inside,outside) tco interface 80 192.168.1.10 80 netmask 255.255.255.255
Cheers! Let me know if you need any help getting this to work!
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22665813
Oops, that should have been:
access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

 

Author Comment

by:retro-king
ID: 22669053
OK. This all sounds good, but as I said, I am new to Cisco commands, period! I do not exactly understand. The web interface will not load, so I have to do it all through telnet. I want to forward 443 and 80; could you give me an exact example of what should be typed? I do not have a ton of time here, so any help is appreciated.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22671704
Hi there! The commands I sent you are for telnet.
Just make sure you have the # prompt instead of the > prompt and run the
conf t
command before entering them.
Here is an exact sample of what you need:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255  
Cheers!
 
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22671711
Oops! Use these instead:
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255  
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255  
 

Author Comment

by:retro-king
ID: 22674840
OK, let's hypothetically say the internal IP address of the server is 192.168.1.2, mask 255.255.255.0, and the public is xxx.xxx.xxx.xxx. Would I then EXACTLY type:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (192.168.1.2,xxx.xxx.xxx.xxx) tcp interface 80 192.168.1.2 80 netmask 255.255.255.0  
static (192.168.1.2,xxx.xxx.xxx.xxx) tcp interface 443 192.168.1.2 443 netmask 255.255.255.0

Please excuse my total ignorance, but the web-based GUI on a WatchGuard is far easier than this damn thing! I inherited this network and am trying to get OWA and OMA working in desperation. Thanks for the help.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22674918
No you would type EXACTLY

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255  
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255  

the keywords "inside, outside" are direct references to the interface names and have no relation to the actual ip addresses.
 

Author Comment

by:retro-king
ID: 22675104
OK. I see. However, should the netmasks still be 255.255.255.255 as written, instead of 255.255.255.0, which is the actual mask? Again, sorry for the ignorance.

Now I have another problem: when I telnet to the PIX it does not ask for my user name, it only asks for the password. When I type the password, it only asks again and again. I gain no access. Shouldn't it be asking for a user name as well as a password? I have both, but need the prompts correctly. Also, any ideas why the web interface just hangs when trying to load? I really need to get this done, but it seems as soon as I find one solution another problem presents itself! Any ideas? Thanks in advance.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675288
Yes. Do it EXACTLY like I typed it in my post, just replacing the 192.168.1.10 with 192.168.1.2.
Do not change anything else. It's as simple as that.
Did you mess with commands called aaa? Were you using SSH before instead of telnet? Did you mess with enable password or password? Or a username command?
Please let me know.
For the web page hanging, try another browser.
Cheers! Let me know if you have any questions!
 

Author Comment

by:retro-king
ID: 22675339
No, I haven't set anything up on this thing at all. I just inherited it the way it is. I was instructed to telnet in with the user and pass given... that would be OK if it prompted me for them. Any ideas?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675350
Yes, just log in. Then, once you are logged in and in enable mode, run the following commands (do NOTHING else after you see the # prompt; pasting works best and is fastest).
configure terminal
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255  
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255
end
That will do the trick. Let me know if you have any more questions.
 

Author Comment

by:retro-king
ID: 22675482
I think you missed something, or maybe I am. I cannot log in due to the fact that it only prompts for the password and not the username. If I type the password it just pops up a prompt for the password again. It does this three times and then loses its connection. Now, any ideas? Thanks again for the help so far.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675566
You didn't answer any of my questions in my previous post at all:
"
Did you mess with commands called aaa? Were you using SSH before instead of telnet? Did you mess with enable password or password? Or a username command?
"
 

Author Comment

by:retro-king
ID: 22675617
Sorry for the confusion in my previous answer to your question. No, I haven't messed with any of that. I haven't been able to get anywhere to type any commands whatsoever. All I have done is try to access the web interface, which the user and pass seemed to work for, but it won't get past the loading hourglass. I have also tried to telnet, which results in the previous discussion. I talked with the guy that had previously set it up and was instructed to telnet into it. I still have no idea why it is only prompting for the password when telnetting. HELP!!! LOL! I am about to pull the rest of my hair out!! Thanks again for your help so far.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675662
Lol no problem.
Did you save the config on the device before?
Have you tried using the console port on the device to try to get access? Try that.
 

Author Comment

by:retro-king
ID: 22675674
I have never been able to access it to save any config, so no, I haven't. How do I access it using the console? I am not sure how it works. Could you explain? It is hooked up, I know that much! LOL!
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675742
Ooohhh.... you have never had access to the config then....
You need to ask the previous device admin what's up.
As far as connecting to the console port, just use the blue console cable and connect it to the serial port on your PC, then use HyperTerminal or another terminal program to log in on the appropriate COM port (usually COM1 if you don't have a modem and COM3 if you do).
Cheers!
 

Author Comment

by:retro-king
ID: 22675813
Well, it appears I am able to log in using HyperTerminal without any login info. Why is that? In any case the screen is just blank, but I typed help to make sure and it listed:
enable
help
login
logout
pager
quit
XXXXXX>

so where should I go from here? God I hate being this helpless. I am pressed for time or I would just learn it all now! I really appreciate the help you have given so far. Thanks
 

Author Comment

by:retro-king
ID: 22675869
also is there a way to see the full configuration of the firewall?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675916
You need to run the "enable" command and type in your enable password that was provided to you. Then, you will see the > prompt turn into a # prompt.
Once you get into the # mode, run "sh run" to get the whole config.
Then, just copy it all and paste it here (please don't XXX out all the IPs or I can't help! Noobs tend to do that. :) )
Cheers!
 

Author Comment

by:retro-king
ID: 22675999
LOL! Don't worry, I won't X out the internal IPs! Obviously I can see that the remote port is open, but that appears to be it. Anyway, here it is:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname xxxxxx
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
logging console notifications
logging monitor notifications
logging buffered notifications
logging trap notifications
logging history notifications
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 0.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.2
snmp-server location CCCCCC
snmp-server contact XXXX@XXXXX.com
snmp-server community public
snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname XXXXXXXX@bellsouth.net
vpdn group PPPOE ppp authentication pap
vpdn username XXXXXXXX@bellsouth.net password *********
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username XXXXX password XXXXXXXXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 250 total points
ID: 22676017
Cool! So from the # prompt, just run the following EXACTLY as they are and it will work.

access-list outside_access_in permit tcp any interface outside eq 80

access-list outside_access_in permit tcp any interface outside eq 443

no access-list outside_access_in permit ip any any

static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255  

static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255  

 

Author Comment

by:retro-king
ID: 22676050
I have to put configure terminal at the beginning and end at the end, correct? So it should look like this:

configure terminal
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
no access-list outside_access_in permit ip any any
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255  
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255
end
 
Then hit Enter at the end, or after each command? Thanks for all of your help! All this for something so simple that I could have done in two seconds on a WatchGuard! LOL
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22676093
excellent! You're getting it :)
That's correct.
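A consolidated version of the sequence confirmed above, written as an added example rather than the accepted answer's own commands, against the configuration posted in this thread (PIX 6.3(5), inside 192.168.1.1/24, inside server 192.168.1.2, outside address assigned by PPPoE, and an existing static for TCP 3389). It adds one thing the accepted answer does not mention: once `permit ip any any` is removed from outside_access_in, that line is no longer letting inbound 3389 through to the existing RDP forward, so an explicit 3389 entry is needed if that forward is still wanted (or drop the 3389 static along with it if it is not). The `clear xlate` and the show commands are standard PIX 6.x. The two commented `aaa authentication` lines are an assumption about why telnet prompted only for a password (a PIX with no `aaa authentication telnet console` line authenticates telnet against the `passwd` value, not the `username` entry); they are optional and not part of the original answer.

```cisco
! Added example, not the accepted answer's own commands. Assumes the
! posted config: PIX 6.3(5), inside 192.168.1.1/24, inside server
! 192.168.1.2, existing static for TCP 3389, outside address from PPPoE.
! Paste from the # (enable) prompt.
configure terminal

! 1. Port forwards: outside interface address -> 192.168.1.2 for 80 and 443.
!    "interface" means "whatever address the outside interface currently
!    has", which is what you want with a PPPoE-assigned outside address.
!    The netmask on a single-host static is always 255.255.255.255.
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255

! 2. Inbound policy. The posted ACL is "permit ip any any", which lets any
!    inbound traffic reach any translated host; replace it with explicit
!    entries. 3389 is listed only because a static for it already exists in
!    the posted config; remove this line and that static if RDP from the
!    Internet is not actually required.
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 3389
no access-list outside_access_in permit ip any any

! 3. The ACL is already bound to the outside interface in the posted config;
!    repeating the access-group is harmless and keeps the example complete.
access-group outside_access_in in interface outside

! 4. Existing translations are cached; clear them so the new statics apply.
clear xlate

! 5. Optional, and an assumption about the telnet login behaviour: make
!    telnet and PDM authenticate against the local "username ... privilege 15"
!    entry, so telnet prompts for username and password rather than the
!    "passwd" value alone. Keep a console session open while testing this.
! aaa authentication telnet console LOCAL
! aaa authentication http console LOCAL

end

! Verify, then save. "show static" must list all three forwards and
! "show access-list" must show the permits with no "permit ip any any".
show static
show access-list
write memory
```

Each line is entered with Enter (or pasted as a block); `end` returns to the # prompt, and nothing survives a reload until `write memory` is run. Test from outside the firewall, not from the inside network: the PIX 6.x `static` shown here does not redirect inside hosts that connect to the outside address.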
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22676096
I think that over time and experience with PIX and ASA firewalls you'll learn to like them better. :)
