PIX 501 unable to map port. Plx help

 
 
noway
08-30-2006
Need to map ports through on a PIX 501, and have the following static rules
setup:

static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

The rest of the network uses pat on 66.x.x.98. We have .98 - .102 available
for outside.

Can't seem to get the access rule to work for the incoming port 5051, or any
other port for that matter. Or maybe there is a problem with the static
rules.

Any help would be much appreciated.

Thanks.



Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password jgnwagB3rxzkm2J7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192
pager lines 24
logging on
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.98 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.1.221-192.168.1.245
pdm location RWSFPS 255.255.255.255 inside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location 192.168.1.192 255.255.255.192 outside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 66.x.x.99 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 66.x.x.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.1 reward timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local ippool
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.1
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.12-192.168.1.100 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:558bf1ecd1951ae19f65df59c885d4fa
: end
[OK]



 
chris
08-30-2006

"noway" <(E-Mail Removed)> wrote in message news:lkJg.6377$SZ3.5942@dukeread04...
> Need to map ports through on a PIX 501, and have the following static
> rules setup:
>
> static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
> static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0
>
> The rest of the network uses pat on 66.x.x.98. We have .98 - .102
> available for outside.
>
> Can't seem to get the access rule to work for the incoming port 5051, or
> any other port for that matter. Or maybe there is a problem with the
> static rules.
>
> Any help would be much appreciated.
>
> Thanks.
>


You have a static ..

static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

... but I can't see an ACL allowing port 5051 in. A static on its own isn't
enough.

Not sure what you're trying to do with that other back to front static ..

static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0

??

Chris.


 
mcaissie
08-30-2006
First regarding your translation rules ;

static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

This line is ok and will translate the inside 192.168.1.5 with the outside
66.x.x.99, which is what you want.
If you want to limit to a single tcp port, it's this rule that you have to
modify.

Your second rule is useless and faulty

static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0

This line means that the real outside IP 66.x.x.99 is translated on the
inside with 192.168.1.5.
It's faulty because 192.168.1.5 is already assigned on the inside so you
can't use it for translation,
and 66.x.x.99 is already assigned to the outside PIX so it doesn't make
sense to translate it.
But obviously here you just misunderstood the static syntax.

static (outside,inside) means that you want to mask an outside address ,
while
static (inside,outside) means that you want to mask an inside address.

Next creating a translation is one thing but you also have to permit the
traffic
on your outside interface , using an access-group.

access-list outside_inbound_acl permit ip any 66.x.x.99
access-group outside_inbound_acl in interface outside



In conclusion ,

no static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
clear xlate
access-list outside_inbound_acl permit ip any 66.x.x.99
access-group outside_inbound_acl in interface outside

Be aware the clear xlate will reset all existing sessions, but you
better do it
when modifying static rules, to clean up existing translations.



mcaissie
08-30-2006
Correction
> access-list outside_inbound_acl permit ip any 66.x.x.99


access-list outside_inbound_acl permit ip any host 66.x.x.99
or
access-list outside_inbound_acl permit tcp any host 66.x.x.99 eq 5051






mak
08-31-2006
mcaissie wrote:

> In conclusion ,
>
> no static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask
> 255.255.255.255 0 0
> clear xlate
> access-list outside_inbound_acl permit ip any 66.x.x.99
> access-group outside_inbound_acl in interface outside
>
> Be aware the clear xlate will reset all existing session s, but you
> better do it

right, wasted once about 2 hours.
you HAVE to clear xlate , otherwise it will show correct in sh static, and in sh xlate...but it won't work.

other option is reboot
 
noway
09-08-2006
> You have a static ..
>
> static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0
>
> .. but I can't see an ACL allowing port 5051 in. A static on its own
> isn't enough.
>
> Not sure what you're trying to do with that other back to front static ..
>
> static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0

> ??
>
> Chris.


The static outbound is to force outgoing traffic on that server to ip
address .99.

The ACL the configuration utility puts in is the following:

access-list outside_access_in permit tcp host 192.168.1.5 eq 5150 host
192.168.1.5 eq 5150

and I've tried several others also. Can't seem to get traffic through.


 
Walter Roberson
09-08-2006
In article <a_hMg.20532$SZ3.16135@dukeread04>, noway <(E-Mail Removed)> wrote:
>> You have a static ..


>> static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0


>> Not sure what you're trying to do with that other back to front static ..


>> static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0


>The static outbound is to force outgoing traffic on that server to ip
>address .99.


No, that second static means "If you see traffic coming in to the
inside interface with a destination IP of 192.168.1.5 then the
destination IP is to be translated to 66.x.x.99 as the packet goes out."

Notice that's *destination*, not *source*. The standard
static (inside,outside) takes care of the source IP for outgoing traffic.
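Two points from the replies above can be checked mechanically rather than by staring at the config: mcaissie's point that a static on its own admits nothing until an access-list bound with access-group permits the mapped address (and that the destination must be written as "host A" or "A MASK", as his correction post notes), and Walter Roberson's point that a static rewrites the source of traffic entering on its real-side interface and the destination of traffic entering on its mapped-side interface. The Python below is an added example, not code from this thread or from Cisco. It uses a small hand-written parser that is an assumption of this example: it covers only the static, access-list and access-group syntax used in the thread, and the masked address 66.x.x.99 is written as the constructed placeholder 66.0.0.99.

```python
# Added example (not from the thread): a toy model of PIX 6.3 static/ACL lines.
# Covers only the syntax used in this thread; 66.x.x.99 is written as the
# constructed placeholder 66.0.0.99.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:
    real_if: str              # interface holding the real (untranslated) address
    mapped_if: str            # interface where the translated address is seen
    proto: Optional[str]      # "tcp"/"udp" for a port static, None otherwise
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]

# static (real_if,mapped_if) [tcp|udp] mapped_ip [port] real_ip [port] netmask ...
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+)(?: (\d+))? (\S+)(?: (\d+))? netmask")

def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static line: " + line)
    real_if, mapped_if, proto, mapped_ip, mport, real_ip, rport = m.groups()
    return Static(real_if, mapped_if, proto, mapped_ip,
                  int(mport) if mport else None, real_ip, int(rport) if rport else None)

def parse_acl(line: str) -> dict:
    """access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]; an address is
    'any', 'host A' or 'A MASK'. A bare address (the first reply's ACL) is rejected."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    def addr(i):
        if t[i] == "any":
            return ("0.0.0.0", "0.0.0.0"), i + 1
        if t[i] == "host":
            return (t[i + 1], "255.255.255.255"), i + 2
        if i + 1 >= len(t) or not re.fullmatch(r"[\d.]+", t[i + 1]):
            raise ValueError("address needs 'host' or a netmask: " + t[i])
        return (t[i], t[i + 1]), i + 2
    def port(i):
        return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)
    src, i = addr(4)
    _, i = port(i)
    dst, i = addr(i)
    dport, _ = port(i)
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def acl_is_valid(line: str) -> bool:
    try:
        parse_acl(line)
        return True
    except ValueError:
        return False

def ip_in(ip: str, net: str, mask: str) -> bool:
    n = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    return n(ip) & n(mask) == n(net) & n(mask)

def apply_static(s: Static, arrival_if: str, src: Tuple[str, int], dst: Tuple[str, int]):
    """Rewrite (src, dst) under one static, or return None if it does not apply.
    Real-side interface: the SOURCE is rewritten (outgoing traffic).
    Mapped-side interface: the DESTINATION is rewritten (Walter's point)."""
    hits = lambda ep, ip, port: ep[0] == ip and (port is None or ep[1] == port)
    rewrite = lambda ep, ip, port: (ip, ep[1] if port is None else port)
    if arrival_if == s.real_if and hits(src, s.real_ip, s.real_port):
        return rewrite(src, s.mapped_ip, s.mapped_port), dst
    if arrival_if == s.mapped_if and hits(dst, s.mapped_ip, s.mapped_port):
        return src, rewrite(dst, s.real_ip, s.real_port)
    return None

def inbound_allowed(statics, acls, groups, iface, proto, port) -> dict:
    """For each static exposing an address on iface: does the ACL bound inbound
    on iface permit proto/port to that mapped address? A static alone never does."""
    bound = {name for name, ifc in groups if ifc == iface}
    out = {}
    for s in statics:
        if s.mapped_if != iface or s.proto not in (None, proto) or s.mapped_port not in (None, port):
            continue
        out[s.mapped_ip] = any(
            a["name"] in bound and a["action"] == "permit" and a["proto"] in ("ip", proto)
            and ip_in(s.mapped_ip, *a["dst"]) and a["dport"] in (None, port) for a in acls)
    return out

def conflicting_statics(statics) -> List[Tuple[int, int]]:
    """Index pairs whose addresses collide on the same interface: the posted
    (outside,inside) static maps 192.168.1.5 onto the inside, where the
    (inside,outside) static already uses it as the real host."""
    return [(i, j) for i, s in enumerate(statics) for j, t in enumerate(statics) if i < j and
            (s.mapped_if == t.real_if and s.mapped_ip == t.real_ip
             or s.real_if == t.mapped_if and s.real_ip == t.mapped_ip)]

# Constructed sample: the two posted statics, the corrected ACL, and its
# access-group binding ("access-group outside_inbound_acl in interface outside").
POSTED_STATICS = [
    parse_static("static (outside,inside) tcp 192.168.1.5 5051 66.0.0.99 5051 netmask 255.255.255.255 0 0"),
    parse_static("static (inside,outside) 66.0.0.99 192.168.1.5 netmask 255.255.255.255 0 0"),
]
FIXED_ACL = [parse_acl("access-list outside_inbound_acl permit tcp any host 66.0.0.99 eq 5051")]
GROUPS = [("outside_inbound_acl", "outside")]
```

Calling conflicting_statics(POSTED_STATICS) flags the two posted statics as a colliding pair; inbound_allowed(POSTED_STATICS, [], [], "outside", "tcp", 5051) reports the mapped address as blocked with no ACL and as permitted once FIXED_ACL and GROUPS are passed; and apply_static on the (outside,inside) static for a packet entering the inside interface towards 192.168.1.5:5051 rewrites only the destination, to 66.0.0.99:5051, while the (inside,outside) static rewrites the source of traffic leaving from 192.168.1.5.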
 