Solved

Port forwarding to VNC Server through Cisco PIX 501

Posted on 2009-05-08
1,022 Views
Last Modified: 2012-05-06
I am setting up a secure VNC connection to one of my Servers and will access it through a browser by entering http://xxx.xxx.xxx.xxx:5800.  xxx.xxx.xxx.xxx is our public IP address.
I am trying to figure out how to configure the PIX to perform port forwarding to the internal IP of that Server.  Supposedly I need ports 5800 and 5900 to forward to that internal IP.
Thanks for your input  
Question by:baggio8
12 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24337480
Here is an example:

static (inside,outside) tcp interface 5800 x.x.x.x 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 x.x.x.x 5900 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 5800
access-list outside_access_in extended permit tcp any interface outside eq 5900
access-group outside_access_in in interface outside

This is assuming you have no access-list currently and are going to use the PIX outside interface IP address as the public IP for the server.  x.x.x.x is the internal IP of the server.
 

Author Comment

by:baggio8
ID: 24338161
Hi JFrederick29,
I'm a novice with PIX, so I really don't know the answer to that, but here is my config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname pix-veits
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 64.219.161.225 NetworkPartnersSyslogServer
name 192.168.78.2 Server
object-group service Service-service-group tcp
  port-object eq ident
  port-object eq https
  port-object eq smtp
  port-object eq www
access-list outside_access_in permit tcp any host 67.91.xx.xx object-group Service-service-group log
access-list outside_access_in permit icmp any host 67.91.xx.xx5 echo-reply log
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 3389
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 4125
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 444
access-list outside_access_in permit tcp any host 667.91.xx.xx eq www
access-list outside_access_in permit tcp any host 67.91.xx.xx eq https
access-list outside_access_in permit tcp any host 67.91.xx.xx eq smtp
access-list outside_access_in permit tcp any host 67.91.xx.xx eq pop3
access-list inside_outbound_nat0_acl permit ip 192.168.78.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpngroup_splitTunnelAcl permit ip 192.168.78.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inbound permit tcp any interface outside eq 3389
access-list inmap permit tcp any host 67.91.xx.xx eq 3389
pager lines 24
logging on
logging timestamp
logging monitor informational
logging device-id ipaddress outside
logging host outside NetworkPartnersSyslogServer
mtu outside 1500
mtu inside 1500
ip address outside 67.91.xx.xx 255.255.255.224
ip address inside 192.168.78.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.100-192.168.100.115
pdm location 205.172.249.0 255.255.255.0 outside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location NetworkPartnersSyslogServer 255.255.255.255 outside
pdm location 64.233.245.0 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm location 192.168.78.96 255.255.255.224 outside
pdm location 192.168.78.0 255.255.255.0 inside
pdm location Server 255.255.255.255 inside
pdm location 67.91.xx.xx 255.255.255.255 outside
pdm location 192.168.78.3 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.78.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.91.xx.xx Server dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.91.19.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host Server xxxxxxxpllc timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 192.5.41.209 source outside
http server enable
http 205.172.249.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.78.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside Server C:\TFTP-Root
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool vpnpool
vpngroup vpngroup dns-server Server
vpngroup vpngroup wins-server Server
vpngroup vpngroup default-domain xxxxxxoup.local
vpngroup vpngroup split-tunnel vpngroup_splitTunnelAcl
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet timeout 5
ssh 205.172.249.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 64.233.245.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access outside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username xxxxxx password xxxxxxxxxxxxxxx encrypted privilege 3
username xxxxxx password xxxxxxxxxxxxxxx encrypted privilege 15
username xxxxxx password xxxxxxxxxxxxxxx encrypted privilege 3

privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24338183
Is 192.168.78.2 the VNC server?

If so, there is already a NAT statement in place and you only need to add the access-list entries:

access-list outside_access_in permit tcp any host 67.91.xx.xx eq 5800
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 5900


Author Comment

by:baggio8
ID: 24341635
The VNC Server is 192.168.78.3
 
LVL 3

Expert Comment

by:DavezDesignz
ID: 24341714
Port 5800 is for using an internet browser to access the VNC server, and port 5900 is for VNC Viewer to connect to the VNC server. These are the default ports.

I would think that your config should be
access-list outside_access_in permit tcp any host 192.168.78.3 eq 5900
To connect to this from outside the network where the service resides, you will need to know your public IP and use that, or use a service like no-ip to create an easy-to-remember domain name.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24341845
Okay, so back to this:

static (inside,outside) tcp interface 5800 192.168.78.3 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.78.3 5900 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 5800
access-list outside_access_in extended permit tcp any interface outside eq 5900

You can use a free IP from your block of addresses if you don't want to use the outside interface IP address.  The public IP to connect to in the example above uses the IP assigned to the outside interface.
 
LVL 3

Expert Comment

by:DavezDesignz
ID: 24346072
If you are running Windows where the server is installed, be sure to check that the firewall is not turned on as well; if it is and you wish to keep it on too, you need to make sure the VNC server application is in the exceptions. The configuration for the PIX should be something like below for VNC:

access-list inbound permit icmp any any
access-list inbound permit tcp any host 67.91.xx.xx eq 5900
access-list inbound permit udp any host 67.91.xx.xx eq 5900
access-list inbound permit tcp any host 67.91.xx.xx eq 5800
access-list inbound permit udp any host 67.91.xx.xx eq 5800
access-group inbound in interface outside
static (inside,outside) 67.91.xx.xx 192.168.78.3 netmask 255.255.255.255 0 0
 

Author Comment

by:baggio8
ID: 24346669
JFrederick29:
When I entered the first two lines they were fine, but the third command gives the following:
Result of firewall command: "access-list outside_access_in extended permit tcp any interface outside eq 5800"
 
ERROR:<extended> not a valid permission
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

 
LVL 43

Accepted Solution

by:JFrederick29 (earned 2000 total points)
ID: 24353498
Sorry, syntax is slightly different with 6.x code.

Try this instead:

access-list outside_access_in permit tcp any interface outside eq 5800
access-list outside_access_in permit tcp any interface outside eq 5900
 

Author Comment

by:baggio8
ID: 24371480
JFrederick29: Thanks, that worked, but how would I use a free IP address?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24373644
The commands change to this if you want to use a free IP from your public block to dedicate to the 192.168.78.3 server.

static (inside,outside) 67.91.xx.xx 192.168.78.3 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 67.91.xx.xx eq 5800
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 5900

Where 67.91.xx.xx is a free IP from your block.  You'll need to remove the other commands first before adding these.

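As an added check, not part of the thread or of any Cisco tooling: a short Python script that parses the static and access-list lines discussed above (both the interface-PAT form from the accepted answer and the dedicated-public-IP form from the last comment) and flags the problems that came up in this thread: the `extended` keyword the 6.3 parser rejected, an outside ACL that names the inside address instead of the translated public one, a permitted port with no matching static, and an ACL never bound with access-group. It also reports `any` as source, since that exposes the VNC ports to every address on the internet. The sample config lines and the 198.51.100.0/24 management range are constructed.

```python
import re

# Constructed PIX 6.3 fragment (not the asker's real config): the accepted answer plus two wrong lines.
SAMPLE = """\
static (inside,outside) tcp interface 5800 192.168.78.3 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.78.3 5900 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 5800
access-list outside_access_in permit tcp 198.51.100.0 255.255.255.0 interface outside eq 5900
access-list inbound permit tcp any host 192.168.78.3 eq 5900
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (?:tcp (interface|\S+) (\d+) (\S+) \d+|(\S+) (\S+)) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (extended )?permit tcp (any|host \S+|\S+ \S+) "
                    r"(?:host (\S+)|interface (\S+)) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
INSIDE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")   # RFC 1918 prefixes

def check_vnc_forwarding(config, inside_host, ports=(5800, 5900)):
    """Return a list of findings for a PIX 6.3 inbound port-forward to inside_host."""
    findings, translated, bound = [], {}, set()   # translated: (public dst, port) -> inside ip
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            if m.group(1):                         # port static: one public port -> inside ip
                translated[(m.group(1), int(m.group(2)))] = m.group(3)
            else:                                  # one-to-one static: whole public ip -> inside ip
                translated.update({(m.group(4), p): m.group(5) for p in ports})
        elif g := GROUP_RE.match(line):
            bound.add(g.group(1))
    for line in (l.strip() for l in config.splitlines()):
        if not (m := ACL_RE.match(line)):
            continue
        acl, ext, src, host, iface, port = m.groups()
        port, dst = int(port), "interface" if iface else host
        if ext:
            findings.append(f"{acl}: 'extended' keyword is rejected by PIX 6.x syntax")
        if host and INSIDE_RE.match(host):
            findings.append(f"{acl}: port {port} matches inside address {host}; outside ACLs must use the translated public address")
        elif translated.get((dst, port)) != inside_host:
            findings.append(f"{acl}: port {port} permitted to {dst} but no static translates it to {inside_host}")
        if src == "any":
            findings.append(f"{acl}: port {port} reachable from any source; restrict to known management addresses")
        if acl not in bound:
            findings.append(f"{acl}: not applied to the outside interface with access-group")
    return findings
```

Run `check_vnc_forwarding(SAMPLE, "192.168.78.3")` to see the five findings; a clean dedicated-IP configuration with a restricted source returns an empty list.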
Question has a verified solution.