?
Solved

QNAP server using VMobile and remote connect via Cisco 501

Posted on 2011-04-18
9
Medium Priority
?
2,682 Views
Last Modified: 2012-05-11
I am trying to get a remote app called Vmobile working on my iPhone.

The server is inside my network behind a PIX501, I have set the server that the app is on to use port 81 and when connecting from my iphone within the network I can get it working using this setup, however I am struggling to get the same setup working from the other side of the firewall.

Could someone step me through the setup via the (Shudder...I know) the PDM, alternatively a step through from command line accessed through PDM

Internal IP is 192..168.0.238 Port 81
Call the outside IP 203.97.x.x

So far I have tried setting up a host on the PDM
Have tried setting translation rules
Have tried setting access rules

Yes, I have no idea...hence the post :)

Highly appreciate a resolution to this!

TIA!!
0
Comment
Question by:parimp
  • 5
  • 4
9 Comments
 
LVL 1

Author Comment

by:parimp
ID: 35422106
I am open to answer any questions! Please can I get some assistance?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35422883
Well if you don't mind CLI ;)

Try:

Static (inside,outside) tcp 203.97.x.x 81 192.168.0.238 81 netmask 255.255.255.255
access-list outside permit tcp any host 203.97.x.x eq 81
access-group outside in interface outside


I assumed here that:
-interface names are default: inside and outside
-the ip on the outside interface is 203.97.x.x (and statically assigned).

This should do the trick.

To be sure do a clear xlate after you made the changes.
0
 
LVL 1

Author Comment

by:parimp
ID: 35429259
Hi Ernie,

I have done as you have suggested and logged in via telnet and enabled and conf t and then run the commands and it still will not show the app from outside the network, it still works from inside the network using the 192.x.x.x on the app but not from the outside when using 203.97.x.x

Any ideas?
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35433291
Could you past a sanitized config over here for us to have a look at?
0
 
LVL 1

Author Comment

by:parimp
ID: 35436373
Result of firewall command: "sh run"
 
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname Pix501
domain-name PIL.local
clock timezone NZST 12
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.4.0
name 192.168.10.0
name 192.168.2.0
name 192.168.7.0
name 192.168.0.231
object-group service utorrent tcp
  port-object range 5960 5970
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit udp any any eq 45682
access-list outside_access_in permit tcp any any eq 45682
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp host 60.234.187.27 any eq pptp
access-list outside_access_in permit tcp host 222.154.240.186 any eq pptp
access-list outside_access_in permit tcp host 222.154.240.185 any eq pptp
access-list outside_access_in permit tcp host 222.154.246.126 any eq pptp
access-list outside_access_in permit tcp host 125.236.197.89 any eq pptp
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq telnet
access-list outside_access_in permit tcp any any eq 5000
access-list outside_access_in permit udp any any eq 5000
access-list outside_access_in remark pptp
access-list outside_access_in permit tcp any 192.168.0.0 255.255.255.0 eq pptp
access-list outside_access_in permit tcp any host 203.97.205.12 eq 81
access-list inside_access_in permit tcp host 192.168.0.100 any eq smtp
access-list inside_access_in deny tcp any any eq smtp log 4
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq isakmp
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq 4500
access-list inside_access_in permit esp 192.168.0.0 255.255.255.0 any
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 3389
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq pop3
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 8080
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in remark Sam P
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 9217
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside_access_in remark mysql
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 3306
access-list inside_access_in permit tcp host 192.168.0.102 192.168.254.0 255.255.255.0
access-list inside_access_in permit ip host 192.168.0.100 192.168.254.0 255.255.255.0
access-list inside_access_in permit ip host cima 192.168.254.0 255.255.255.0
access-list inside_access_in remark SSH
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 4643
access-list inside_access_in remark Plesk
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 8443
access-list inside_access_in remark SMTP freeparking
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 2525
access-list inside_access_in remark SSH
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq ssh
access-list inside_access_in remark PS
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 1168
access-list inside_access_in remark PS
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 26002
access-list inside_access_in remark MSN Live
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 1863
access-list inside_access_in remark ipoker
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any range 4400 4450
access-list inside_access_in remark ipoker
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any range 4600 4630
access-list inside_access_in remark ipoker
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any range 5220 5240
access-list inside_access_in remark ipoker
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any range 6460 6560
access-list inside_access_in remark zYNGA
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 9339
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 East_Tamaki 255.255.255.0
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 Newmarke 255.255.255.0
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 Constellation 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.0.102 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 East_Tamaki 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 Newmarke 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 Constellation 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.0.135 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 Queenst 255.255.255.0
access-list staff_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.0
access-list OUTSIDE_AXS_IN permit tcp any gt 5960 interface outside object-group utorrent
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 East_Tamaki 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 Newmarke 255.255.255.0
access-list outside_cryptomap_80 permit ip 192.168.0.0 255.255.255.0 Constellation 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.254.0 255.255.255.0
access-list outside_cryptomap_100 permit ip 192.168.0.0 255.255.255.0 Queenst 255.255.255.0
access-list allow_uTorrent permit udp any interface outside eq 36412
access-list allow_uTorrent permit tcp any interface outside eq 36412
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit udp any interface outside eq 8000
access-list outside_in permit tcp any interface outside eq 5960
access-list outside_in permit udp any interface outside eq 5960
access-list outside_in permit tcp any host 203.97.205.12 eq smtp
access-list outside_in permit udp any interface outside eq 81
access-list outside_in permit tcp any interface outside eq 81
access-list outside permit tcp any eq smtp interface outside eq smtp
access-list outside permit tcp any host 203.97.205.12 eq 81
no pager
logging on
logging timestamp
logging console critical
logging monitor debugging
logging buffered warnings
logging trap warnings
logging queue 0
logging host inside 192.168.0.100
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any traceroute outside
icmp permit 192.168.0.0 255.255.255.0 inside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.1.1.11 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.254.1-192.168.254.254
ip local pool PPTP 192.168.253.1-192.168.253.254
ip local pool Pool2 192.168.0.104-192.168.0.106
pdm location 192.168.0.201 255.255.255.255 inside
pdm location 203.97.50.97 255.255.255.255 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 outside
pdm location 192.168.0.102 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 60.234.187.27 255.255.255.255 outside
pdm location 125.236.197.89 255.255.255.255 outside
pdm location 192.168.0.103 255.255.255.255 outside
pdm location 192.168.0.104 255.255.255.252 outside
pdm location 192.168.0.108 255.255.255.255 outside
pdm location 192.168.0.109 255.255.255.255 outside
pdm location 222.154.240.185 255.255.255.255 outside
pdm location 222.154.240.186 255.255.255.255 outside
pdm location 222.154.246.126 255.255.255.255 outside
pdm location 192.168.0.100 255.255.255.255 outside
pdm location 192.168.253.0 255.255.255.0 outside
pdm location East_Tamaki 255.255.255.0 outside
pdm location 60.234.220.91 255.255.255.255 outside
pdm location Newmarke 255.255.255.0 outside
pdm location Constellation 255.255.255.0 outside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location Queenst 255.255.255.0 outside
pdm location cima 255.255.255.255 inside
pdm location 192.168.0.135 255.255.255.255 inside
pdm location 192.168.8.0 255.255.255.0 outside
pdm location 192.168.0.238 255.255.255.255 inside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.100 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.100 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5960 192.168.0.201 5960 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.100 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5960 192.168.0.201 5960 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 8000 192.168.0.2 8000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.97.205.12 81 192.168.0.238 81 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
route inside 192.168.0.2 255.255.255.255 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 11645
aaa-server radius-acctport 11646
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.0.100 radiuskey timeout 5
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 203.97.50.97 255.255.255.255 outside
http 60.234.220.91 255.255.255.255 outside
http 192.168.0.201 255.255.255.255 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 125.236.197.89
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
! Incomplete
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 222.154.240.185
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 125.236.224.138
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 222.154.240.186
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 210.54.88.192
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 125.236.197.89 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 222.154.240.185 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 125.236.224.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 222.154.240.186 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 210.54.88.192 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup staff address-pool VPN
vpngroup staff dns-server 192.168.0.100
vpngroup staff split-tunnel staff_splitTunnelAcl
vpngroup staff idle-time 1800
vpngroup staff password ********
vpngroup pilvpn address-pool VPN
vpngroup pilvpn dns-server 192.168.0.100
vpngroup pilvpn idle-time 1800
vpngroup pilvpn password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 203.97.50.x 255.255.255.255 outside
ssh 192.168.0.100 255.255.255.255 inside
ssh 192.168.0.201 255.255.255.255 inside
ssh timeout 30
console timeout 30
vpdn group test1 accept dialin pptp
vpdn group test1 ppp authentication pap
vpdn group test1 ppp authentication chap
vpdn group test1 ppp authentication mschap
vpdn group test1 ppp encryption mppe auto
vpdn group test1 client configuration address local Pool2
vpdn group test1 client configuration dns 192.168.0.100
vpdn group test1 pptp echo 60
vpdn group test1 client authentication local
vpdn enable outside
username xxx password xx encrypted privilege 5
username xxx password xx encrypted privilege 5
username xxx password xx encrypted privilege 5
username xxx password xx encrypted privilege 5
username xxx password xx encrypted privilege 15
username xxx password xx encrypted privilege 5
username xxx password xx encrypted privilege 15
terminal width 80
banner login ###############################################################
banner login Changes only to be made to this PIX if authorized by xxx
banner login THERE ARE NO EXCEPTIONS!
banner login ###############################################################
banner motd ###############################################################
banner motd Changes only to be made to this PIX if authorized by xxx
banner motd THERE ARE NO EXCEPTIONS!
banner motd ###############################################################
Cryptochecksum:11173f0ca449ac9f1b54de2af07c6986
: end

0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 2000 total points
ID: 35439287
Try adding this line:
access-list inside_access_in permit ip host 192.168.0.238 any
0
 
LVL 1

Author Comment

by:parimp
ID: 35443639
Hi Ernie, I have added that in CLI and wr mem (no errors) and still no go from my iphone app...am I doing something wrong?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35446801
I don't think so.

What we could do is have a look at the logs and see what comes up for the 192.168.0.238 when you try to connect.
0
 
LVL 1

Author Closing Comment

by:parimp
ID: 35450737
Your solutions were correct, I couldnt figure this out why it wasnt working. I enabled logging as suggested but was getting no messages on the syslog at all. I tried changing the port to port 85 (81 must already be in use or something?) and BOOM, worked straight away.
Thanks Ernie for all your time!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses

755 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question