Velocity Reviews - Computer Hardware Reviews

Port forwarding help?

stephenarbour@gmail.com
Guest
Posts: n/a
 
      06-05-2006
I would like to RDP to the server inside our network through our pix
515 by using a port forward. I have tried a number of times to connect
with the assigned address and port (which works when I'm inside the
lan) but failed to get through the firewall.

Would someone please be kind and show me what additions need to be made
to my config (below)

The Server address and port are 99.99.99.228:4953 (I've changed the
3389 to 4953)

I've pasted a sterilized copy of our configuration below. Much
appreciate any advice no matter how meager!


User Access Verification

Password:
Type help or '?' for a list of available commands.
HostPix> en
Password: ******
hostpix# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XjdDOUfIwEBMJnWm encrypted
passwd XjdDOUfIwEBMJnWm encrypted
hostname hostpix
domain-name ciscopix.com
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 3000
fixup protocol http 3002
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside permit icmp any any
access-list outside permit tcp any host 99.99.99.231 eq pop3
access-list outside permit tcp any host 99.99.99.231 eq smtp
access-list outside permit tcp any host 99.99.99.231 eq www
access-list outside permit tcp any host 99.99.99.229 eq www
access-list outside permit udp any host 99.99.99.228 eq isakmp
access-list outside permit tcp any host 99.99.99.228 eq 1701
access-list outside permit udp any host 99.99.99.228 eq netbios-ns
access-list outside permit udp any host 99.99.99.228 eq netbios-dgm
access-list outside permit tcp any host 99.99.99.232 eq www
access-list outside permit ip host 99.99.99.207 99.99.99.224 255.255.255.224
access-list outside permit ip host 88.88.88.232 99.99.99.224 255.255.255.224
access-list outside permit esp host 88.88.88.207 99.99.99.224 255.255.255.224
access-list outside permit esp host 88.88.88.232 99.99.99.224 255.255.255.224
access-list outside permit udp any 99.99.99.224 255.255.255.254 eq isakmp
access-list outside permit esp any 99.99.99.224 255.255.255.254
access-list outside permit gre any host 99.99.99.228
access-list outside permit esp any host 99.99.99.228
access-list outside permit tcp any host 99.99.99.224 eq pptp
access-list outside permit tcp any host 99.99.99.228 eq pptp
access-list outside permit tcp any host 99.99.99.231 eq https
access-list outside permit tcp any host 99.99.99.233
pager lines 24
logging on
logging trap informational
logging host inside 192.168.4.11
mtu outside 1500
mtu inside 1500
ip address outside 99.99.99.227 255.255.255.224
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.4.11 255.255.255.255 inside
pdm location 192.168.4.12 255.255.255.255 inside
pdm location 192.168.4.13 255.255.255.255 inside
pdm location 192.168.4.14 255.255.255.255 inside
pdm location 192.168.4.15 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 99.99.99.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.229 192.168.4.14 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.230 192.168.4.12 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.231 192.168.4.13 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.232 192.168.4.15 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.233 192.168.4.16 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 99.99.99.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:856fa28ba29f09d458fecf67c2328d80
: end
hostpix#

NETADMIN
Guest
Posts: n/a
 
      06-05-2006
Why don't you use Static NAT for this?

http://www.velocityreviews.com/forums/(E-Mail Removed) wrote:
> I would like to RDP to the server inside our network through our pix
> 515 by using a port forward. I have tried a number of times to connect
> with the assigned address and port (which works when I'm inside the
> lan) but failed to get through the firewall.
>
> Would someone please be kind and show me what additions need to be made
> to my config (below)
>
> The Server address and port are 99.99.99.228:4953 (I've changed the
> 3389 to 4953)
>
> I've pasted a sterilized copy of our configuration below. Much
> appreciate any advice no matter how meager!
> [snip: full configuration quoted from the post above]


stephenarbour@gmail.com
Guest
Posts: n/a
 
      06-05-2006

NETADMIN wrote:
> Why dont you use Static NAT for this


I'm not very skilled. Port forwarding seemed the right tool for the
job. I would be more than happy to implement "Static NAT" if it would
suit the need better.

I believe I need (and have) an extra address for this. If you think
this would be a better solution, can you elaborate some?
Thanks

Walter Roberson
Guest
Posts: n/a
 
      06-06-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>I would like to RDP to the server inside our network through our pix
>515 by using a port forward.


>Would someone please be kind and show me what additions need to be made
>to my config (below)


>The Server address and port are 99.99.99.228:4953 (I've changed the
>3389 to 4953)


>PIX Version 6.3(1)


#include "upgrade_to_6.3(5)_for_free.txt"

>access-list outside permit icmp any any


Don't do that unless you want people to be able to steal your
outgoing connections. Only permit the icmp that you need.

>access-list outside permit udp any host 99.99.99.228 eq isakmp
>access-list outside permit tcp any host 99.99.99.228 eq 1701
>access-list outside permit udp any host 99.99.99.228 eq netbios-ns
>access-list outside permit udp any host 99.99.99.228 eq netbios-dgm


Add:
access-list outside permit tcp any host 99.99.99.228 eq 4953

>static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0



>515 by using a port forward.


You already have all ports forwarded for 99.99.99.228 so there is
no point in handling this by port forwarding. If you REALLY want
to use port forwarding, then you will have to remove the above static
and put in port forwarding for isakmp, 1701, netbios-ns, netbios-dgm
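The two approaches discussed in this thread (NETADMIN's "use the static" and Walter Roberson's "just add the ACL entry, or else replace the static with per-port forwards"), written out in PIX 6.3 syntax as an added illustration. This is not configuration from any poster; it reuses the thread's addresses (99.99.99.228 mapped to 192.168.4.11) and the RDP port the original poster moved to 4953. The source address 203.0.113.10 is a documentation-range placeholder for the administrator's remote IP (the thread used `any`), and the `static ... tcp|udp` port-redirection form is standard PIX 6.2+ syntax rather than something quoted in the thread.

```cisco
! Option A: keep the existing one-to-one static. It already translates every
! port to 192.168.4.11, so the only missing piece is the outside ACL entry.
! Restricting the source to a known management address instead of "any"
! keeps the RDP service off the open internet.
static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0
access-list outside permit tcp host 203.0.113.10 host 99.99.99.228 eq 4953

! Replace the blanket "permit icmp any any" (Walter's warning) with only the
! ICMP types needed for path-MTU discovery and replies to outbound pings.
no access-list outside permit icmp any any
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any echo-reply

! Option B: true port forwarding. The one-to-one static must go first, and
! every service that was reachable through it needs its own port static.
! Outside and inside ports may differ (e.g. 4953 outside, 3389 inside) but
! here the server itself listens on 4953, so they are the same.
no static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.99.99.228 4953 192.168.4.11 4953 netmask 255.255.255.255 0 0
static (inside,outside) udp 99.99.99.228 isakmp 192.168.4.11 isakmp netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.99.99.228 1701 192.168.4.11 1701 netmask 255.255.255.255 0 0
static (inside,outside) udp 99.99.99.228 netbios-ns 192.168.4.11 netbios-ns netmask 255.255.255.255 0 0
static (inside,outside) udp 99.99.99.228 netbios-dgm 192.168.4.11 netbios-dgm netmask 255.255.255.255 0 0

! Either way, confirm the translation exists and that the new ACE is being hit.
show xlate
show access-list outside
```

Option A is the practical choice for this particular box: the posted ACL also admits ESP and GRE to 99.99.99.228 (the L2TP/IPsec and PPTP rules), and `static` port redirection on the PIX handles TCP and UDP only, so dropping the one-to-one static would silently break those VPN services. Whichever option is used, `show access-list outside` should show the hit counter on the port 4953 entry incrementing when a connection is attempted; if it stays at zero, the packet is not reaching that rule and the problem is upstream of the firewall.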