Port Forwarding and PIX 501

 
 
Robert McIntosh
      09-02-2004
Hi,

I was using a Linksys 4-port Router product to forward packets to
various ports; 80, 25, 995, 443, 22. I've upgraded to a PIX 501 and am
lost on how to specify something as straight-forward as port forwarding
in the PDM interface. It's a simple network...just inside and outside
interfaces.

I simply want to forward TCP requests to my ip 1.2.3.4 to inside IPs
like this;

1.2.3.4 80 -> 10.0.0.7 80
1.2.3.4 443 -> 10.0.0.7 443
1.2.3.4 25 -> 10.0.0.3 25
1.2.3.4 22 -> 10.0.0.7 22
1.2.3.4 995 -> 10.0.0.3 995

Help!


Thank you,
Robert

 
Ivan Ostres
      09-03-2004
In article <M1MZc.278569$eM2.209014@attbi_s51>, (E-Mail Removed)
says...
> Hi,
>
> I was using a Linksys 4-port Router product to forward packets to
> various ports; 80, 25, 995, 443, 22. I've upgraded to a PIX 501 and am
> lost on how to specify something as straight-forward as port forwarding
> in the PDM interface. It's a simple network...just inside and outside
> interfaces.
>
> I simply want to forward TCP requests to my ip 1.2.3.4 to inside IPs
> like this;
>
> 1.2.3.4 80 -> 10.0.0.7 80
> 1.2.3.4 443 -> 10.0.0.7 443
> 1.2.3.4 25 -> 10.0.0.3 25
> 1.2.3.4 22 -> 10.0.0.7 22
> 1.2.3.4 995 -> 10.0.0.3 995
>
>


This is the most simple thing you can do with pix. Just look at CCO for
'static' command on pix.

--
-Ivan.

*** Use Rot13 to see my eMail address ***
 
Robert McIntosh
      09-03-2004
Thanks Ivan,

I think I've got it set-up, however when I attempt to connect to the WAN
IP, the connection times out. Here's my conf file. I don't know what's
wrong with it. Everything seems to be configured properly.

TIA,
Robert

--
>show conf

: Saved
: Written by robert at 08:01:36.639 PDT Fri Sep 3 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname giggles
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.7 europa
name 10.0.0.3 ganymede
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq ssh
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 995
access-list outside_in permit tcp any interface outside eq www
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.6 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.255 inside
pdm location ganymede 255.255.255.255 inside
pdm location europa 255.255.255.255 inside
pdm location 24.21.109.35 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 europa-10.0.0.253 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface https europa https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh europa ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ganymede smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995 ganymede 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www europa www netmask 255.255.255.255 0 0

access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 45
console timeout 0
dhcpd address europa-10.0.0.134 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80


PES
      09-03-2004

"Robert McIntosh" <(E-Mail Removed)> wrote in message
news:E_5_c.233825$8_6.36186@attbi_s04...
> Thanks Ivan,
>
> I think I've got it set-up, however when I attempt to connect to the WAN
> IP, the connection times out. Here's my conf file. I don't know what's
> wrong with it. Everything seems to be configured properly.




Are you trying to connect to the public IP address from the inside?

Walter Roberson
      09-04-2004
In article <E_5_c.233825$8_6.36186@attbi_s04>,
Robert McIntosh <(E-Mail Removed)> wrote:
: however when I attempt to connect to the WAN
:IP, the connection times out. Here's my conf file.

:global (outside) 1 interface
:global (inside) 2 europa-10.0.0.253 netmask 255.255.255.0
:nat (inside) 1 10.0.0.0 255.255.255.0 0 0

It won't solve your problem, but get rid of that second 'global'.
There is no point having a global (inside) unless you are doing
reverse nat complete with a nat (outside) statement.
--
csh is bad drugs.
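
A way to cross-check the configuration discussed in this thread, as an added example that is not part of any poster's message: the Python below pairs each 'static' port redirection with the 'access-list' entries that 'access-group' binds to the outside interface, and flags a 'global (inside)' that has no 'nat (outside)', the point made in the last reply. The audit and port helpers, the PORT_NAMES table and the trimmed SAMPLE text are assumptions of this example; it handles only the line shapes seen in the posted PIX 6.3 config.

```python
# Port keywords used in the thread's config; any other keyword raises ValueError.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25}

# Relevant lines of the config posted in the thread (wrapped lines rejoined).
SAMPLE = """\
name 10.0.0.7 europa
name 10.0.0.3 ganymede
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq ssh
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 995
access-list outside_in permit tcp any interface outside eq www
global (outside) 1 interface
global (inside) 2 europa-10.0.0.253 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface https europa https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh europa ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ganymede smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995 ganymede 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www europa www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def audit(config):
    """Return (forwards, findings) for a two-interface PIX 6.3 config."""
    names, statics, permits, bound, glob, nat = {}, [], {}, {}, set(), set()
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "name" and len(t) > 2:
            names[t[2]] = t[1]                      # hostname alias -> inside IP
        elif t[0] == "static" and len(t) > 6 and t[1:4] == ["(inside,outside)", "tcp", "interface"]:
            statics.append((port(t[4]), t[5], port(t[6])))
        elif t[0] == "access-list" and len(t) == 9 and t[2:6] == ["permit", "tcp", "any", "interface"] and t[7] == "eq":
            permits.setdefault(t[1], set()).add(port(t[8]))
        elif t[0] == "access-group" and len(t) == 5 and t[2:4] == ["in", "interface"]:
            bound[t[4]] = t[1]                      # interface -> ACL name
        elif t[0] in ("global", "nat") and len(t) > 1:
            (glob if t[0] == "global" else nat).add(t[1].strip("()"))
    allowed = permits.get(bound.get("outside"), set())
    forwards = [(pub, names.get(host, host), priv) for pub, host, priv in statics]
    findings = [f"static for tcp/{p} has no permit in the ACL bound to outside"
                for p, _, _ in forwards if p not in allowed]
    findings += [f"ACL permits tcp/{p} but no static redirects it"
                 for p in sorted(allowed - {p for p, _, _ in forwards})]
    if "inside" in glob and "outside" not in nat:
        findings.append("global (inside) present without a nat (outside) statement")
    return forwards, findings
```

Calling audit(SAMPLE) returns the five redirections with the aliases resolved to 10.0.0.7 and 10.0.0.3, and a single finding for the 'global (inside)' line.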
 