Cisco PIX and Port Forwarding

Hey guys.

I am having some difficulty getting one server in our production environment to communicate with another server on our internal network.
I have a Production server with IP 196.1.115.X and an internal server with IP ; I need the Production server to be able to access the internal server on port 580 and port 5443.

At our office our internet connectivity is controlled by a Cisco PIX FW (pix #show configure - pasted in the code snippet below). From our internal network we can access the Production server by its name (DNS is configured for it) or IP with no problem. But from the production environment the server sees our WHOLE network as one IP . I believe this is done by a NAT that is on the Cisco PIX (shown in the code below).

What can I change or set on the PIX firewall to allow communication from the production server on IP 196.1.114.X to the internal server at on ports 580 and 5443?

Please note that in the code snippet below I removed a few ACL rules to keep the snippet a bit shorter. Interface "bry" is the connection to our production environment.

fw01# show configure
: Saved
: Written by enable_15 at 09:55:36.911 SAST Mon Jun 15 2009
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 bry security10
nameif ethernet1 inside security100
nameif ethernet2 outside security0
clock timezone SAST 2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_access_in permit ip any any
access-list internet_outbound permit udp any any
access-list internet_outbound permit tcp any range 0 60000
access-list internet_outbound permit tcp host any
access-list internet_outbound permit tcp host any
access-list internet_outbound permit tcp host any
access-list internet_outbound permit tcp host any
access-list internet_outbound permit tcp host any
access-list internet_outbound deny ip any any
access-list internet_inbound permit udp host host range 1812 1813
access-list internet_inbound deny ip any any
access-list bry_outbound permit tcp any any
pager lines 40
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap debugging
logging facility 23
logging host inside
icmp permit any bry
icmp permit any echo bry
icmp permit any inside
icmp deny any outside
mtu bry 1500
mtu inside 1500
mtu outside 1500
ip address bry
ip address inside
ip address outside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location bry
pdm location inside
pdm history enable
arp timeout 14400
global (bry) 1 interface
global (outside) 1 interface
nat (inside) 1 access-list internet_outbound 0 0  
static (inside,outside) tcp https https netmask 0 0
static (inside,outside) tcp smtp smtp netmask 0 0
static (inside,outside) tcp 8888 8888 netmask 0 0
static (inside,bry) tcp smtp smtp netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group bry_outbound in interface bry
access-group internet_outbound in interface inside
access-group internet_inbound in interface outside
route outside 2
route bry 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 1:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server source inside
ntp server source inside prefer
http inside
http inside
http inside


You have already permitted all traffic on the bry interface, so what you need is a translation.  Since you are doing inbound connections (from less secure to more secure), you need either statics or NAT exemption - the former being the norm.

Normally you'd just create a full static, but I see you have this statement that would conflict:

static (inside,bry) tcp smtp smtp netmask

So to keep that, and still get what you want you'd forward the 2 ports you require in the same fashion:
static (inside,bry) tcp 580 580 netmask
static (inside,bry) tcp 5443 5443 netmask
If it is so that you are not actually using the smtp translation, you can remove that and just do 1-1:
static (inside,bry) netm
Oh, I notice I messed up a bit on those IPs not paying enough attention to the details (3rd octet).  You do not have any conflicts, so the solution is just 1 entry:

static (inside,bry) netm

Sorry for the confusion :)
RiggedAuthor Commented:

Sorry if I am a bit unclear, but is that correct?
"static (inside,bry) netm"

Should the 134.10 address be repeated twice?

Also, with the rule specified, what IP would I be using to access the server on that port from production? For example, on our internal network we can enter to access the application; with the rule we specify, would the production environment then access it on ?

Sorry, I am not good with the PIX routing/forwarding and NATs.   :P

It is correct to use the same IP twice, if you want it mapped as itself.  That is if you want to access it as from bry.
If you want to NAT it into something else, then change the first part into that.
If the PIX isn't default gw for servers on Bry interface, you may need a static route - depending on the actual setup.
RiggedAuthor Commented:
Thanks for the info. Do you maybe know if I will need to run a command or save for the Static entry to become active, or will it be active as soon as the command is executed?
RiggedAuthor Commented:
Hey just checked my logs for the pix and saw the following message:

Jul 17 09:33:44 fw01 Jul 17 2009 10:06:21: %PIX-6-110001: No route to from

How can I set a route for this? I believe this is where my problem is. The to address is the Production server outside our network and the from address is the address I mapped the internal server ( to.
Below are the commands I ran to map the internal IP to the one that is displayed as the from address in the No Route log:
access-list internet_inbound line 9 permit tcp any host eq 580
static (inside,outside) tcp 580 580 netmask 0 0

I realise that I posted my question a bit funny actually - sorry.

What is happening is I have the internal server on IP - the IP is inaccessible from the outside. Thus I mapped it to an available address ( we have that is accessible from the outside (mapping shown above - only mapped it for the specific port - 580).

Now I got the No Route message. So how do I get the IP to route to
Is located on the bry interface or on the outside?

You are getting the missing route entry because you have told the PIX lies :)
According to this static, you have mapped the address on the outside interface:
static (inside,outside) tcp 580 580 netmask 0 0

But if the server is coming from the outside, then to use that static the following route statement must be errant:
route bry 1
I can't say which is true, but they can't both be :)
RiggedAuthor Commented:
HMMM, thought I was confusing the PIX somehow :P

So if I remove:  route bry 1
What would you say I should do to get it working? I don't think the route entry is valid (that's why I want to remove it) because I don't recognize the IP from anywhere. There is a NAT entry in the config that NATs our entire internal network (IP range and as , but I don't know if that route entry will affect that NAT entry.

Damn it, I need to go for some Cisco training  :P
If is not located at the bry interface, including behind some router at that interface - then yes, remove the route.
The NAT entry you have is a policy NAT, and to me it looks a bit odd - not sure what it was meant to accomplish.
(It will not NAT the entire networks, only those connections that match the access-list specified).
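The mismatch the expert describes (a static that presents the internal host on one interface while the route table sends the peer's traffic out a different interface) can be checked mechanically. The script below is an added illustration, not code from this thread or from Cisco; it parses PIX 6.3 style `static` and `route` lines, finds the egress interface for a peer by longest-prefix match, and reports whether a translation for the internal host exists on that interface. All addresses and the two sample configs are constructed (RFC 5737 and RFC 1918 ranges), not the poster's real values, and the ACL side (already permitted on bry in the thread) is deliberately left out.

```python
"""Check that a PIX static translation sits on the interface the peer is routed through.

Added example, not code from the thread. Config lines and addresses are
constructed for illustration; the parser follows PIX 6.3 syntax:
  static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask ...
  route ifc network netmask gateway [metric]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Static:
    real_ifc: str              # interface where the real (internal) host lives
    mapped_ifc: str            # interface on which the translated address is presented
    proto: Optional[str]       # "tcp"/"udp" for a port static, None for a full 1-1 static
    mapped_ip: str
    mapped_port: Optional[str]
    real_ip: str
    real_port: Optional[str]


@dataclass
class Route:
    ifc: str
    network: ipaddress.IPv4Network
    gateway: str


def parse_static(line: str) -> Optional[Static]:
    """Return a Static for a well-formed 'static' line, else None."""
    t = line.split()
    if len(t) < 5 or t[0] != "static":
        return None
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    body = t[2:]
    if body[0] in ("tcp", "udp") and len(body) >= 5:
        # Port static: mapped_ip mapped_port real_ip real_port
        return Static(real_ifc, mapped_ifc, body[0], body[1], body[2], body[3], body[4])
    # Full static: mapped_ip real_ip (identity mapping when both are equal)
    return Static(real_ifc, mapped_ifc, None, body[0], None, body[1], None)


def parse_route(line: str) -> Optional[Route]:
    """Return a Route for a well-formed 'route' line, else None."""
    t = line.split()
    if len(t) < 5 or t[0] != "route":
        return None
    return Route(t[1], ipaddress.IPv4Network((t[2], t[3]), strict=False), t[4])


def egress_interface(routes: List[Route], peer: str) -> Optional[str]:
    """Longest-prefix match: the interface the PIX would use to reach `peer`."""
    addr = ipaddress.IPv4Address(peer)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen).ifc


@dataclass
class Finding:
    egress: Optional[str]
    usable: List[Static]       # statics presenting real_ip on the egress interface
    misplaced: List[Static]    # statics for real_ip that live on some other interface

    @property
    def ok(self) -> bool:
        return self.egress is not None and bool(self.usable)


def check_translation(config: List[str], peer: str, real_ip: str) -> Finding:
    """Does the internal host have a translation on the interface `peer` is reached through?"""
    statics = [s for s in map(parse_static, config) if s]
    routes = [r for r in map(parse_route, config) if r]
    egress = egress_interface(routes, peer)
    mine = [s for s in statics if s.real_ip == real_ip]
    return Finding(egress,
                   [s for s in mine if s.mapped_ifc == egress],
                   [s for s in mine if s.mapped_ifc != egress])


# Constructed reproduction of the situation the thread ends on: the port static
# presents the server on "outside", but the peer's network is routed out "bry".
BROKEN = [
    "route outside 0.0.0.0 0.0.0.0 198.51.100.1 1",
    "route bry 203.0.113.0 255.255.255.0 203.0.113.1 1",
    "static (inside,outside) tcp 198.51.100.10 580 192.168.50.10 580 netmask 255.255.255.255 0 0",
]
# Constructed fix in the shape the expert suggested: an identity static on bry.
FIXED = BROKEN[:2] + [
    "static (inside,bry) 192.168.50.10 192.168.50.10 netmask 255.255.255.255 0 0",
]
PEER, SERVER = "203.0.113.20", "192.168.50.10"   # constructed peer and internal host

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        f = check_translation(cfg, PEER, SERVER)
        print(f"{name}: egress={f.egress} ok={f.ok} "
              f"misplaced_on={[s.mapped_ifc for s in f.misplaced]}")
```

Run against the broken config the peer resolves to `bry` while the only static lives on `outside`, which is the "No route" symptom in the log above; against the fixed config the identity static on `bry` satisfies the check. Removing the `route bry` line instead, as the expert also suggests when the peer is not behind that interface, would move the egress to the default route on `outside` and make the original static usable.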
