Solved

Port forwarding to VNC Server through Cisco PIX 501

Posted on 2009-05-08
983 Views
Last Modified: 2012-05-06
I am setting up a secure VNC connection to one of my Servers and will access it through a browser by entering http://xxx.xxx.xxx.xxx:5800.  xxx.xxx.xxx.xxx is our public IP address.
I am trying to figure out how to configure the PIX to perform port forwarding to the internal IP of that Server.  Supposedly I need ports 5800 and 5900 to forward to that internal IP.
Thanks for your input  
12 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24337480
Here is an example:

static (inside,outside) tcp interface 5800 x.x.x.x 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 x.x.x.x 5900 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 5800
access-list outside_access_in extended permit tcp any interface outside eq 5900
access-group outside_access_in in interface outside

This is assuming you have no access-list currently and are going to use the PIX outside interface IP address as the public IP for the server.  x.x.x.x is the internal IP of the server.
 

Author Comment

by:baggio8
ID: 24338161
Hi JFrederick29,
I'm a novice with PIX, so I really don't know the answer to that, but here is my config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname pix-veits
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 64.219.161.225 NetworkPartnersSyslogServer
name 192.168.78.2 Server
object-group service Service-service-group tcp
  port-object eq ident
  port-object eq https
  port-object eq smtp
  port-object eq www
access-list outside_access_in permit tcp any host 67.91.xx.xx object-group Service-service-group log
access-list outside_access_in permit icmp any host 67.91.xx.xx5 echo-reply log
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 3389
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 4125
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 444
access-list outside_access_in permit tcp any host 667.91.xx.xx eq www
access-list outside_access_in permit tcp any host 67.91.xx.xx eq https
access-list outside_access_in permit tcp any host 67.91.xx.xx eq smtp
access-list outside_access_in permit tcp any host 67.91.xx.xx eq pop3
access-list inside_outbound_nat0_acl permit ip 192.168.78.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpngroup_splitTunnelAcl permit ip 192.168.78.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inbound permit tcp any interface outside eq 3389
access-list inmap permit tcp any host 67.91.xx.xx eq 3389
pager lines 24
logging on
logging timestamp
logging monitor informational
logging device-id ipaddress outside
logging host outside NetworkPartnersSyslogServer
mtu outside 1500
mtu inside 1500
ip address outside 67.91.xx.xx 255.255.255.224
ip address inside 192.168.78.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.100-192.168.100.115
pdm location 205.172.249.0 255.255.255.0 outside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location NetworkPartnersSyslogServer 255.255.255.255 outside
pdm location 64.233.245.0 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm location 192.168.78.96 255.255.255.224 outside
pdm location 192.168.78.0 255.255.255.0 inside
pdm location Server 255.255.255.255 inside
pdm location 67.91.xx.xx 255.255.255.255 outside
pdm location 192.168.78.3 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.78.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.91.xx.xx Server dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.91.19.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host Server xxxxxxxpllc timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 192.5.41.209 source outside
http server enable
http 205.172.249.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.78.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside Server C:\TFTP-Root
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool vpnpool
vpngroup vpngroup dns-server Server
vpngroup vpngroup wins-server Server
vpngroup vpngroup default-domain xxxxxxoup.local
vpngroup vpngroup split-tunnel vpngroup_splitTunnelAcl
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet timeout 5
ssh 205.172.249.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 64.233.245.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access outside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username xxxxxx password xxxxxxxxxxxxxxx encrypted privilege 3
username xxxxxx password xxxxxxxxxxxxxxx encrypted privilege 15
username xxxxxx password xxxxxxxxxxxxxxx encrypted privilege 3

privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24338183
Is 192.168.78.2 the VNC server?

If so, there is already a NAT statement in place and you only need to add the access-list entries:

access-list outside_access_in permit tcp any host 67.91.xx.xx eq 5800
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 5900

 

Author Comment

by:baggio8
ID: 24341635
The VNC Server is 192.168.78.3
 
LVL 3

Expert Comment

by:DavezDesignz
ID: 24341714
Port 5800 is for using an internet browser to access the VNC server, and port 5900 is for the VNC viewer to connect to the VNC server. These are the default ports.

I would think that your config should be:
access-list outside_access_in permit tcp any host 192.168.78.3 eq 5900
To connect to this from outside the network where the service resides, you will need to know your public IP and use that, or use a service like no-ip to create an easy-to-remember domain name.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24341845
Okay, so back to this:

static (inside,outside) tcp interface 5800 192.168.78.3 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.78.3 5900 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 5800
access-list outside_access_in extended permit tcp any interface outside eq 5900

You can use a free IP from your block of addresses if you don't want to use the outside interface IP address.  The public IP to connect to in the example above uses the IP assigned to the outside interface.
 
LVL 3

Expert Comment

by:DavezDesignz
ID: 24346072
If you are running Windows where the server is installed, be sure to check that the firewall is not turned on as well; if it is and you wish to keep it on, you need to make sure the VNC server application is in the exceptions. The configuration for the PIX should be something like below for VNC:

access-list inbound permit icmp any any
access-list inbound permit tcp any host 67.91.xx.xx eq 5900
access-list inbound permit udp any host 67.91.xx.xx eq 5900
access-list inbound permit tcp any host 67.91.xx.xx eq 5800
access-list inbound permit udp any host 67.91.xx.xx eq 5800
access-group inbound in interface outside
static (inside,outside) 67.91.xx.xx 192.168.78.3 netmask 255.255.255.255 0 0
 

Author Comment

by:baggio8
ID: 24346669
JFrederick29:
When I entered the first two lines they were fine, but the third command gives the following:
Result of firewall command: "access-list outside_access_in extended permit tcp any interface outside eq 5800"
 
ERROR:<extended> not a valid permission
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

 
LVL 3

Expert Comment

by:DavezDesignz
ID: 24348819
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24353498
Sorry, syntax is slightly different with 6.x code.

Try this instead:

access-list outside_access_in permit tcp any interface outside eq 5800
access-list outside_access_in permit tcp any interface outside eq 5900
 

Author Comment

by:baggio8
ID: 24371480
JFrederick29: Thanks, that worked, but how would I use a free IP address?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24373644
The commands change to this if you want to use a free IP from your public block to dedicate to the 192.168.78.3 server.

static (inside,outside) 67.91.xx.xx 192.168.78.3 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 67.91.xx.xx eq 5800
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 5900

Where 67.91.xx.xx is a free IP from your block.  You'll need to remove the other commands first before adding these.
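Added example, not from the thread and not Cisco's code: a small Python audit script for the PIX 6.x directives used in the answers above (`name`, `static`, `access-list ... permit`, `access-group`). It cross-checks each `static` translation against the access list applied inbound on the outside interface and reports which internal host and port every public address actually exposes, which `static` entries have no matching permit (the forward is silently blocked, as with the 5900 entry before the ACL lines were accepted), which permits have no translation behind them, and any line using the 7.x `extended` keyword that 6.3 rejects with the error shown in the thread. The sample configuration is constructed: 203.0.113.x stands in for the masked 67.91.xx.xx block, and 192.168.78.2 / 192.168.78.3 are the two servers named in the thread.

```python
"""Audit inbound port forwards in a Cisco PIX 6.x configuration (added example)."""
from dataclasses import dataclass
from typing import Optional

# Port keywords PIX accepts after "eq"; extend as needed.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "ident": 113, "ssh": 22, "ftp": 21}

def port_number(tok: str) -> Optional[int]:
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)

@dataclass(frozen=True)
class Static:
    proto: str                 # "tcp", "udp", or "ip" for a whole-host static
    public: str                # public address, or "interface" for the outside IP
    public_port: Optional[int]
    local: str
    local_port: Optional[int]

@dataclass(frozen=True)
class Permit:
    acl: str
    proto: str
    public: str                # "any", a host address, or "interface"
    port: Optional[int]        # None = any port

def _addr(toks, i, names):
    """Consume one ACL address spec (any | host X | interface X | X mask)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "interface":
        return "interface", i + 2
    if toks[i] == "host":
        return names.get(toks[i + 1], toks[i + 1]), i + 2
    return names.get(toks[i], toks[i]), i + 2

def parse_pix(text: str) -> dict:
    names, statics, permits, applied, bad = {}, [], [], {}, []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "name" and len(toks) >= 3:      # name <ip> <alias>
            names[toks[2]] = toks[1]
        elif toks[0] == "static" and len(toks) >= 4:
            i, proto = 2, "ip"
            if toks[i] in ("tcp", "udp"):
                proto, i = toks[i], i + 1
            public = names.get(toks[i], toks[i]); i += 1
            pport = None
            if proto != "ip":
                pport = port_number(toks[i]); i += 1
            local = names.get(toks[i], toks[i]); i += 1
            lport = port_number(toks[i]) if proto != "ip" else None
            statics.append(Static(proto, public, pport, local, lport))
        elif toks[0] == "access-list" and len(toks) > 3:
            if toks[2] == "extended":                  # 7.x syntax, rejected by 6.x
                bad.append(raw)
                continue
            if toks[2] != "permit" or "object-group" in toks:
                continue                               # deny/object-group lines not modelled
            _, i = _addr(toks, 4, names)               # source (ignored for exposure)
            dst, i = _addr(toks, i, names)
            port = port_number(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
            permits.append(Permit(toks[1], toks[3], dst, port))
        elif toks[0] == "access-group" and len(toks) >= 5 and toks[2] == "in":
            applied[toks[4]] = toks[1]                 # interface -> ACL name
    return {"statics": statics, "permits": permits, "applied": applied, "invalid": bad}

def exposed_services(cfg: dict) -> list:
    """(proto, public, public_port, local, local_port) for each forward that a
    static AND a permit in the outside-inbound ACL both allow."""
    acl = cfg["applied"].get("outside")
    perms = [p for p in cfg["permits"] if p.acl == acl]
    out = set()
    for s in cfg["statics"]:
        for p in perms:
            if p.public not in ("any", s.public):
                continue
            if s.proto != "ip" and (p.proto not in (s.proto, "ip")
                                    or p.port not in (None, s.public_port)):
                continue
            whole_host = s.proto == "ip"
            out.add((p.proto if whole_host else s.proto, s.public,
                     p.port if whole_host else s.public_port, s.local,
                     p.port if whole_host else s.local_port))
    return sorted(out, key=str)

def findings(cfg: dict) -> list:
    acl = cfg["applied"].get("outside")
    exp = exposed_services(cfg)
    notes = [f"invalid on PIX 6.x (drop 'extended'): {l}" for l in cfg["invalid"]]
    for s in cfg["statics"]:
        if not any(e[1] == s.public and e[3] == s.local
                   and (s.proto == "ip" or e[2] == s.public_port) for e in exp):
            notes.append(f"static {s.public}:{s.public_port or 'all'}->{s.local} "
                         f"has no matching permit in {acl}")
    for p in (p for p in cfg["permits"] if p.acl == acl and p.public != "any"):
        if not any(e[1] == p.public and p.port in (None, e[2]) for e in exp):
            notes.append(f"permit to {p.public} {p.proto}/{p.port} has no static behind it")
    return notes

# Constructed sample; 203.0.113.x replaces the thread's masked public block.
SAMPLE_CONFIG = """\
name 192.168.78.2 Server
access-list outside_access_in permit tcp any host 203.0.113.10 eq 3389
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_access_in permit tcp any interface outside eq 5800
access-list outside_access_in permit tcp any host 203.0.113.11 eq 5900
access-list outside_access_in extended permit tcp any interface outside eq 5900
static (inside,outside) 203.0.113.10 Server dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5800 192.168.78.3 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 192.168.78.3 5900 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for e in exposed_services(cfg):
        print("EXPOSED", e)
    for n in findings(cfg):
        print("FINDING", n)
```

Run it against a `show running-config` capture (the `Cryptochecksum` and `pdm` lines are simply ignored) to confirm that only the intended public address and ports reach the VNC host, and that a whole-host `static` such as the one JFrederick29 gives at the end is paired only with the permits you mean to expose, since every permit to that address then reaches the server.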
