Solved

port forwarding

Posted on 2009-05-03
Last Modified: 2012-05-06
hi experts,

What command should i use to open port 162 for incoming internet traffic from IP 174.129.x.x and point it to 192.168.0.10 ?

im using PIX 506e
Thanks
Question by:aucklandnz
 
LVL 4

Expert Comment

by:Macros82
ID: 24292247
 
LVL 3

Author Comment

by:aucklandnz
ID: 24292265
Will it work?

access-list outside_access_in permit tcp 174.129.x.x host 192.168.0.10 eq 162
static (inside,outside) tcp 174.129.x.x 162 192.168.0.10 162 netmask 255.255.255.255 0 0
 
LVL 19

Expert Comment

by:nodisco
ID: 24292309
hey there

What you have above won't work.
You need to translate 192.168.0.10 to a public ip address in your range - or to the outside ip address of the PIX itself.
Then allow access in from the required ip to the translated address.
Can you clarify the following:
Is 174.129.x.x the ip address you want to be able to access your server 192.168.0.10 or is it the ip address you want 192.168.0.10 to be translated to - i.e. its public ip?

If 174.129.x.x is the ip address of an internet host that you need to access your machine 192.168.0.10 then you need to first translate 192.168.0.10 to an available public ip (or you can use the PIX outside ip - the way you configure these depends on which way you want to do it)

E.g.

To use the PIX outside ip:
access-list outside_access_in permit tcp host 174.129.x.x interface outside eq 162
static (inside,outside) tcp interface 162 192.168.0.10 162 netmask 255.255.255.255
access-group outside_access_in in interface outside

If you have a free public ip address do the following - where x.x.x.x is the public ip address:
access-list outside_access_in permit tcp host 174.129.x.x host x.x.x.x eq 162
static (inside,outside) tcp x.x.x.x 162 192.168.0.10 162 netmask 255.255.255.255
access-group outside_access_in in interface outside

Please clarify on the above


 
LVL 3

Author Comment

by:aucklandnz
ID: 24292430
174.129.x.x is hosted somewhere else - management server (not my server).
I need to allow connection between 174.129.x.x and device on my network (192.168.0.10) through port 162
 
LVL 19

Expert Comment

by:nodisco
ID: 24292453
ok - do you want to translate it to the pix outside ip or to a separate public ip address?
 
LVL 3

Author Comment

by:aucklandnz
ID: 24292475
I'm not sure. I'm very new to it. I just need to allow access for 174.129.x.x to 192.168.0.10 through port 162. What would be the best way to do it?
 
LVL 19

Expert Comment

by:nodisco
ID: 24292506
Using the PIX interface is probably easiest.  BTW is 174.129.x.x a network or just a single ip?

If it's a single ip:
access-list outside_access_in permit tcp host 174.129.x.x interface outside eq 162
static (inside,outside) tcp interface 162 192.168.0.10 162 netmask 255.255.255.255
access-group outside_access_in in interface outside

Then the machine at 174.129.x.x opens a connection to the public ip address of your PIX on port 162 and voila

cheers

 
LVL 19

Expert Comment

by:nodisco
ID: 24292510
If you are unclear on any of this - post your pix config and we can ensure it's correct.  To protect privacy - just ### out any public ip addresses you have and passwords.
 
LVL 3

Author Comment

by:aucklandnz
ID: 24292525
174.129.x.x is a single ip address
 
LVL 19

Expert Comment

by:nodisco
ID: 24292530
Ok - as per last example then.  Do you have any access-list applied to your outside interface currently?
 
LVL 3

Author Comment

by:aucklandnz
ID: 24292662
Below is my config.
I just found out that the ip address of the device is 192.168.0.163, not 192.168.0.10 as I stated before.

Thanks


PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ******** encrypted
hostname
domain-name mydomain.local
clock timezone NZST 12
fixup protocol dns maximum-length 768
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.10 Blue
name 192.168.0.15 brown
access-list outside_access_in permit tcp any host x.x.x.x eq www
access-list outside_access_in permit tcp any host x.x.x.x eq 5900
access-list outside_access_in permit icmp any host x.x.x.x
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq 993
access-list Loui permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Sky permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Airport permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in permit udp host 192.168.0.162 any eq snmp
pager lines 24
logging on
logging console notifications
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.0.9 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.0.5-192.168.0.8
pdm location Blue 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.16.0 255.255.255.0 outside
pdm location 192.168.20.0 255.255.255.0 outside
pdm location 10.0.0.1 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.114 255.255.255.255 inside
pdm location 192.168.0.134 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location brown 255.255.255.255 inside
pdm location 192.168.0.142 255.255.255.255 inside
pdm location 192.168.0.111 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x www brown www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x https brown https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp brown smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3389 Blue 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3389 192.168.0.111 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x www 192.168.0.111 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 1433 192.168.0.111 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 5900 192.168.0.111 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3000 192.168.0.111 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 993 brown 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 5500 192.168.0.167 5500 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 5501 192.168.0.169 5501 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 8080 192.168.0.111 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x ftp 192.168.0.111 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.124
snmp-server host inside 192.168.0.162
snmp-server location
snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address Loui
crypto map forsberg 21 set peer x.x.x.x
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg 22 ipsec-isakmp
crypto map forsberg 22 match address Sky
crypto map forsberg 22 set peer x.x.x.x
crypto map forsberg 22 set transform-set avalanche
crypto map forsberg 23 ipsec-isakmp
crypto map forsberg 23 match address Airport
crypto map forsberg 23 set peer x.x.x.x
crypto map forsberg 23 set transform-set avalanche
crypto map forsberg interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all dns-server Blue
vpngroup vpn3000-all idle-time 1800
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.0 outside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 30
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username chris password *********
vpdn enable outside
vpdn enable inside
username webuser password ********* encrypted privilege 15
terminal width 80
Cryptochecksum:7122efe7fbeabfb8b748f9c968179e90
: end
 
LVL 19

Expert Comment

by:nodisco
ID: 24292711
hey there

Ok you already have an outside access list applied so in order to keep things aok for your current setup you can use either the PIX interface or the spare public ip.  As you already have a device port forwarded using the PIX interface we can use that.

commands to do this as follows:

conf t

access-list outside_access_in line 4 permit tcp host 174.129.x.x interface outside eq 162
static (inside,outside) tcp interface 162 192.168.0.163 162 netmask 255.255.255.255
access-group outside_access_in in interface outside
clear xlate


BTW - you have a massive security risk on this firewall:
access-list outside_access_in permit ip any any

This line is allowing any node on the internet through your firewall to the inside - you need to get rid of this asap!
The trouble is that you have several statics in place and I am betting that these are working because they are getting picked up in the "allow all" nature of this line.  By removing it, you will knock out access to everything else.  

To fix this you will need to figure out exactly what are the necessary services you need to allow in.  Check everything on the statics list and ensure that everything is required.  When you have this, you can then create individual access-list entries to allow the required ports through the firewall and when you have them all working ok, you can remove the permit ip any any.

I am sure you don't want to read this but with that permit ip any any rule, you are rendering the firewall useless as it's not stopping anything.

cheers
 
LVL 3

Author Comment

by:aucklandnz
ID: 24299298
Thanks for that,
could you please point me to the lines that could be affected by removing
access-list outside_access_in permit ip any any

I will try to figure out what they are used for.

Thanks

PS. I have added the lines you have posted... just waiting for a reply on whether they can connect
 
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 24299389
Ok
So far you have
static (inside,outside) tcp x.x.x.x www brown www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x https brown https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp brown smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3389 Blue 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3389 192.168.0.111 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x www 192.168.0.111 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 1433 192.168.0.111 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 5900 192.168.0.111 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3000 192.168.0.111 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 993 brown 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 5500 192.168.0.167 5500 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 5501 192.168.0.169 5501 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 8080 192.168.0.111 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x ftp 192.168.0.111 ftp netmask 255.255.255.255 0 0

First things first - you need to find out which of these are definitely in use.
Your current access-list
access-list outside_access_in permit tcp any host x.x.x.x eq www
access-list outside_access_in permit tcp any host x.x.x.x eq 5900
access-list outside_access_in permit icmp any host x.x.x.x
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq 993

When you remove the permit ip any any line, the only working acl lines relating to your statics are for www, 5900 and 993.  You will need to create relevant access-lists for every required port.  Then remove the permit ip any any and ensure they work ok.
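As an added illustration of nodisco's last two replies (not code from the thread or from Cisco), here is a small Python audit that reads a PIX 6.3 config like the one posted, flags the `permit ip any any` line, and lists the port-forward statics that have no explicit access-list entry of their own, i.e. the ones that only work today because of that line and would stop working when it is removed. SAMPLE_CONFIG is a constructed excerpt of the posted config; only port-level (tcp/udp) statics are parsed.

```python
import re

# Constructed excerpt modelled on the PIX 6.3 config posted in the thread
# (x.x.x.x = redacted public IP, as in the thread; Blue/brown are the config's name aliases).
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host x.x.x.x eq www
access-list outside_access_in permit tcp any host x.x.x.x eq 5900
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any interface outside eq 993
static (inside,outside) tcp x.x.x.x www brown www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 3389 Blue 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x 5900 192.168.0.111 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 993 brown 993 netmask 255.255.255.255 0 0
"""

# Port-level static: proto, outside address (public IP or 'interface'), outside port, inside host, inside port
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+?)(?: eq (\S+))?$")

def audit(config, acl_name="outside_access_in"):
    """Return (has_permit_ip_any_any, uncovered_statics): a static is covered when the outside
    ACL has an explicit permit for its protocol, translated address and port; anything else only
    works today because of 'permit ip any any' and breaks once that line is removed."""
    has_any, permits, statics = False, set(), []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            proto, rest, port = m.group(2), m.group(3), m.group(4)
            if proto == "ip" and rest.split() == ["any", "any"]:
                has_any = True
            elif port:  # destination is the trailing token(s): 'host x.x.x.x' or 'interface outside'
                dst = rest.split()
                addr = "interface" if dst[-2:] == ["interface", "outside"] else dst[-1]
                permits.add((proto, addr, port))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groups())
    uncovered = [s for s in statics if (s[0], s[1], s[2]) not in permits]
    return has_any, uncovered

def suggested_acl(uncovered, acl_name="outside_access_in"):
    """Explicit permit lines to add for each uncovered static before 'permit ip any any' goes.
    Source is left as 'any' here; narrow it to 'host <peer>' wherever the peer is known."""
    lines = []
    for proto, addr, port, _inside, _iport in uncovered:
        dst = "interface outside" if addr == "interface" else f"host {addr}"
        lines.append(f"access-list {acl_name} permit {proto} any {dst} eq {port}")
    return lines
```

Run `audit(SAMPLE_CONFIG)` and the only uncovered static is the 3389 forward to Blue, which matches the thread's observation that only www, 5900 and 993 have matching ACL lines.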
 
LVL 3

Author Comment

by:aucklandnz
ID: 24299570
All of them are in use (I'm not sure about 993 though)
