Solved

Cisco Pix and Port Forwarding

Posted on 2009-07-15
355 Views
Last Modified: 2012-08-14
Hey guys.

I am having some difficulty getting my one server in our production environment to communicate with another server on our internal network.
I have a Production server with IP 196.1.115.X and an internal server with IP 10.47.134.10, I need the Production server to be able to access the internal server on port 580 and port 5443.

At our office our internet connectivity is controlled by a Cisco Pix FW (pix #show configure - pasted in code snippet below). From our internal network we can access the Production server on its name (dns is configured for it) or IP with no problem. But from the production environment the server sees our WHOLE network as one IP 10.47.136.1. This I believe is done by a NAT that is on the Cisco Pix (shown in code below).

What can I change or set on the Pix firewall to allow communication from the production server on IP 196.1.114.X to the internal server at 10.47.134.10 on port 580 and 5443?

Please note with the code snippet below I removed a few ACL rules to keep the code snippet a bit shorter. Interface "bry" is the connection to our production environment.

Hendrik
fw01# show configure
: Saved
: Written by enable_15 at 09:55:36.911 SAST Mon Jun 15 2009
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 bry security10
nameif ethernet1 inside security100
nameif ethernet2 outside security0
clock timezone SAST 2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip any any
access-list internet_outbound permit udp any any
access-list internet_outbound permit tcp any 196.1.115.0 255.255.255.0 range 0 60000
access-list internet_outbound permit tcp host 10.47.135.252 any
access-list internet_outbound permit tcp host 10.47.135.213 any
access-list internet_outbound permit tcp host 10.47.134.49 any
access-list internet_outbound permit tcp host 10.47.135.222 any
access-list internet_outbound permit tcp host 10.47.135.127 any
access-list internet_outbound deny ip any any
access-list internet_inbound permit udp host 196.37.142.20 host 196.211.63.172 range 1812 1813
access-list internet_inbound deny ip any any
access-list bry_outbound permit tcp any any
pager lines 40
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap debugging
logging facility 23
logging host inside 10.47.134.20
icmp permit any bry
icmp permit any echo bry
icmp permit any inside
icmp deny any outside
mtu bry 1500
mtu inside 1500
mtu outside 1500
ip address bry 10.47.136.1 255.255.255.0
ip address inside 10.47.134.1 255.255.254.0
ip address outside 196.214.88.70 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm location 10.47.135.20 255.255.255.255 inside
pdm location 172.20.6.9 255.255.255.255 bry
pdm location 196.4.164.121 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (bry) 1 interface
global (outside) 1 interface
nat (inside) 1 access-list internet_outbound 0 0
static (inside,outside) tcp 196.214.88.73 https 10.47.134.31 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 196.214.88.73 smtp 10.47.134.31 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 196.214.88.73 8888 10.47.135.93 8888 netmask 255.255.255.255 0 0
static (inside,bry) tcp 10.47.136.10 smtp 10.47.134.31 smtp netmask 255.255.255.255 0 0
static (inside,outside) 196.214.88.72 10.47.134.27 netmask 255.255.255.255 0 0
static (inside,outside) 196.214.88.74 10.47.134.25 netmask 255.255.255.255 0 0
access-group bry_outbound in interface bry
access-group internet_outbound in interface inside
access-group internet_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 196.214.88.70 2
route bry 196.1.115.0 255.255.255.0 10.47.136.2 1
route inside 196.214.87.0 255.255.254.0 196.214.88.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 1:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.47.134.23 source inside
ntp server 10.47.134.21 source inside prefer
http 10.47.134.24 255.255.255.255 inside
http 10.47.135.100 255.255.255.255 inside
http 10.47.134.197 255.255.255.255 inside

Question by:Rigged

9 Comments
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24865090
You have already permitted all traffic on the bry interface, so what you need is a translation.  Since you are doing inbound connections (from less secure to more secure), you need either statics or NAT exemption - the former being the norm.

Normally you'd just create a full static, but I see you have this statement that would conflict:

static (inside,bry) tcp 10.47.136.10 smtp 10.47.134.31 smtp netmask 255.255.255.255

So to keep that, and still get what you want you'd forward the 2 ports you require in the same fashion:
static (inside,bry) tcp 10.47.136.10 580 10.47.134.10 580 netmask 255.255.255.255
static (inside,bry) tcp 10.47.136.10 5443 10.47.134.10 5443 netmask 255.255.255.255
---
If it is so that you are not actually using the smtp translation, you can remove that and just do 1-1:
static (inside,bry) 10.47.136.10 10.47.136.10 netm 255.255.255.255
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24865121
Oh, I notice I messed up a bit on those IPs not paying enough attention to the details (3rd octet).  You do not have any conflicts, so the solution is just 1 entry:

static (inside,bry) 10.47.134.10 10.47.134.10 netm 255.255.255.255

Sorry for the confusion :)
 
LVL 1

Author Comment

by:Rigged
ID: 24867199
Hi

Sorry if I am a bit unclear, but is that correct?
"static (inside,bry) 10.47.134.10 10.47.134.10 netm 255.255.255.255"

Should the 134.10 address be repeated twice?

Also with the rule specified what IP would I be using to access the server on that port from the production? For example on our internal network we can enter http://10.47.134.10:580 to access the application, with the rule we specify would the production environment then access it on http://10.47.136.1:580 ?

Sorry I am not good with the Pix Routing/Forwarding and NATs.   :P
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24870436
It is correct to use the same IP twice, if you want it mapped as itself.  That is if you want to access it as 10.47.134.10 from bry.
If you want to NAT it into something else, then change the first part into that.
If the PIX isn't default gw for servers on Bry interface, you may need a static route - depending on the actual setup.
 
LVL 1

Author Comment

by:Rigged
ID: 24876353
Thanks for the info. Do you maybe know if I will need to run a command or save for the Static entry to become active, or will it be active as soon as the command is executed?
 
LVL 1

Author Comment

by:Rigged
ID: 24876705
Hey just checked my logs for the pix and saw the following message:

Jul 17 09:33:44 fw01 Jul 17 2009 10:06:21: %PIX-6-110001: No route to 196.1.115.249 from 196.214.88.73

How can I set a route for this? I believe this is where my problem is. The to address is the Production server outside our network and the from address is the address I mapped the internal server (10.47.134.10) to.
____
Below are the commands I ran to map the internal IP to the one that is displayed as the from address in the No Route log:
access-list internet_inbound line 9 permit tcp any host 196.214.88.173 eq 580
static (inside,outside) tcp 196.214.88.73 580 10.47.134.10 580 netmask 255.255.255.255 0 0
________________

I realise that I posted my question a bit funny actually - sorry.

What is happening is I have the internal server on IP 10.47.134.10 - the IP is inaccessible from the outside. Thus I mapped it to an available address (196.214.88.73) we have that is accessible from the outside (mapping shown above - only mapped it for the specific port - 580).

Now I got the No Route message. So how do I get the IP 196.214.88.73 to route to 196.1.115.249
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 24877565
Is 196.1.115.249 located on the bry interface or on the outside?

You are getting the missing route entry because you have told the PIX lies :)
---
According to this static, you have mapped the address on the outside interface:
static (inside,outside) tcp 196.214.88.73 580 10.47.134.10 580 netmask 255.255.255.255 0 0

But if the server 196.1.115.249 is coming from the outside, to use that static then this following route statement must be errant:
route bry 196.1.115.0 255.255.255.0 10.47.136.2 1
---
I can't say which is true, but they can't both be :)
 
LVL 1

Author Comment

by:Rigged
ID: 24877854
HMMM, thought I was confusing the PIX somehow :P

So if I remove:  route bry 196.1.115.0 255.255.255.0 10.47.136.2 1
What would you say should I do to get it working? I don't think the route entry is valid (that's why I want to remove it) because the IP 10.47.136.2 I don't recognize from anywhere. There is a NAT entry in the config that nats our entire internal network (iprange 10.47.134.0 and 10.47.135.0) as 10.47.136.1, but I don't know if that route entry will affect that NAT entry.

Damn it, I need to go for some Cisco training  :P
 
LVL 15

Accepted Solution

by:
Voltz-dk earned 500 total points
ID: 24878531
If 196.1.115.0 is not located at the bry interface, including behind some router at that interface - then yes, remove the route.
The NAT entry you have is a policy NAT, and to me it looks a bit odd - not sure what it was meant to accomplish.
(It will not NAT the entire networks, only those connections that match the access-list specified).
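The static-versus-route mismatch that Voltz-dk points out (a static mapped on the outside interface while the route for the peer points out bry) can be checked mechanically before a change is pushed. The following Python is an added example, not from the thread or from Cisco: it parses the `ip address`, `route` and `static` lines of a PIX 6.3 config (a constructed subset of the one posted), resolves the egress interface for a peer address by longest-prefix match, and flags any static whose mapped interface differs from it, which is the condition behind the %PIX-6-110001 "No route" message in the author's log. Function names are my own.

```python
import ipaddress

# Constructed sample, modelled on the PIX 6.3 config in the question
# (only the line types this check needs).
SAMPLE_CONFIG = """
ip address bry 10.47.136.1 255.255.255.0
ip address inside 10.47.134.1 255.255.254.0
ip address outside 196.214.88.70 255.255.255.248
static (inside,bry) 10.47.134.10 10.47.134.10 netmask 255.255.255.255
static (inside,outside) tcp 196.214.88.73 580 10.47.134.10 580 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 196.214.88.70 2
route bry 196.1.115.0 255.255.255.0 10.47.136.2 1
"""

def parse_config(text):
    """Return (routes, statics): routes as (network, interface), statics as dicts."""
    routes, statics = [], []
    for line in text.splitlines():
        p = line.split()
        if len(p) > 4 and p[:2] == ["ip", "address"]:
            # Directly connected network of an interface, treated as a route.
            routes.append((ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False), p[2]))
        elif p and p[0] == "route":
            routes.append((ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False), p[1]))
        elif p and p[0] == "static":
            real_if, mapped_if = p[1].strip("()").split(",")
            if p[2] in ("tcp", "udp"):  # port static: proto mapped_ip port real_ip port
                mapped, real = p[3], p[5]
            else:                       # 1:1 static: mapped_ip real_ip
                mapped, real = p[2], p[3]
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": mapped, "real": real})
    return routes, statics

def egress_interface(routes, dst):
    """Longest-prefix match: the interface the PIX would forward dst out of."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, ifc) for net, ifc in routes if addr in net]
    return max(matches)[1] if matches else None

def check_statics(config_text, peer_ip):
    """Flag statics whose mapped interface is not the one peer_ip routes out of;
    that mismatch is what produces the PIX-6-110001 'No route to <peer> from
    <mapped address>' message quoted in the thread."""
    routes, statics = parse_config(config_text)
    peer_if = egress_interface(routes, peer_ip)
    return [(s["mapped"], s["mapped_if"], peer_if)
            for s in statics if s["mapped_if"] != peer_if]
```

Running `check_statics(SAMPLE_CONFIG, "196.1.115.249")` flags the outside static while the bry route is present; delete that route and the outside static becomes consistent, but the (inside,bry) static is then the one out of place.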