cisco pix 515 port forwarding - NOT possible? hard to believe..

Discussion in 'Cisco' started by google@pilotsupplies.com, Jul 27, 2005.

  1. Guest

    Hi,

    I don't understand why this cannot be done.

    I have a Cisco PIX 515 with a pool of static IP addresses (14 IPs)
    assigned by the ISP. My internal network is 10.10.0.0/24. The PIX has 2
    interfaces. Web and SSH traffic from outside to the internal web/SSH server
    is fine. Internal clients have no problems accessing the internet.

    I have Nagios NRPE clients installed on the internal network and the Nagios
    monitor server installed outside of the PIX firewall. I would like to
    allow the Nagios server to monitor the server behind the firewall.
    To save IPs, I am using 1 static IP address for mapping and use it to
    port forward to all internal IP addresses at 5666. For testing, I
    telnet from outside the firewall to x.x.x.146 and x.x.x.147 on ports 5666, 5667,
    5668 and 5669; all fail except port 5666 on x.x.x.147.




    Here is my current config. Any help would be greatly appreciated!

    g.



    mypix# show run
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xQIfy7TWQw.w encrypted
    passwd T7Jj6BURLPDx encrypted
    hostname mypix
    domain-name cisco.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit tcp any host x.x.112.147 eq www
    access-list 100 permit tcp any host x.x.112.147 eq ssh
    access-list 100 permit tcp any host x.x.112.147 eq 5666
    access-list 100 permit tcp any host x.x.112.147 eq 5667
    access-list 100 permit tcp any host x.x.112.147 eq 5668
    access-list 100 permit tcp any host x.x.112.147 eq 5669
    access-list 100 permit tcp any host x.x.112.146 eq 5666
    access-list 100 permit tcp any host x.x.112.146 eq 5667
    access-list 100 permit tcp any host x.x.112.146 eq 5668
    access-list 100 permit tcp any host x.x.112.146 eq 5669
    access-list split permit ip 10.10.0.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list nonat permit ip 10.10.0.0 255.255.255.0 10.1.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.112.146 255.255.255.240
    ip address inside 10.10.0.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool poolclient 10.1.2.1-10.1.2.254
    pdm location 10.10.0.0 255.255.255.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 x.x.112.150-x.x.112.157
    global (outside) 1 interface
    global (outside) 1 x.x.112.158
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) x.x.112.147 10.10.0.101 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5666 10.10.0.103 5666 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5667 10.10.0.104 5666 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5668 10.10.0.105 5666 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5669 10.10.0.106 5666 netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.145 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap client authentication LOCAL
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool poolclient
    vpngroup vpn3000 dns-server x.x.x.1
    vpngroup vpn3000 split-tunnel split
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet x.x.x.253 255.255.255.255 outside
    telnet 10.10.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh x.x.115.0 255.255.255.0 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.10.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    username x01 password zyjVE5 encrypted privilege 2
    username x03 password Vct8HaSB encrypted privilege 2
    username x2 password hXVsT encrypted privilege 2
    username x5 password . szmqxT encrypted privilege 2
    username x4 password tUTLfiAnl encrypted privilege 2
    username x7 password fJst049 encrypted privilege 2
    username x8 password SqKcA/Nc encrypted privilege 2
    username x9 password JMOSfRm7mx encrypted privilege 2
    username x8 password kTTR8uWaa encrypted privilege 2
    terminal width 80
    Cryptochecksum:e65b29b7262d0c17d8610ec75d9351b6
    : end
     
    , Jul 27, 2005
    #1

  2. Martin Kayes Guest

    I am surprised that the PIX didn't complain when you entered the last 3
    static commands. The problem you have is that you are trying to static all
    4 566x ports to the same inside port 5666.

    What do you see for these 4 lines if you do a "show xlate" ?

    Martin


     
    Martin Kayes, Jul 27, 2005
    #2

  3. KLO11 Guest




    Yo, G.

    It would be smarter to xxx your encrypted password than your outside IP
    address since a simple look at the message source pretty much revealed
    where you're coming from with a couple guesses. I recommend immediately
    changing your PIX passwords and enable. Also, limit your SSH source
    connectivity.

    Charles U. Farley
     
    KLO11, Jul 27, 2005
    #3
  4. Guest

    Hi,

    Thanks for the quick response. Could you elaborate a bit more on what you
    mean? I am a bit confused. The static commands are no different than,
    say, port forwarding web traffic on port 80 to internal ports 8088,
    8081, 8088, etc. When I do a show xlate, it gives me the
    translation correctly. In this scenario, I am asking all traffic
    coming to x.x.112.147 or x.x.112.146 with destination ports 5666,
    5667, 5668 and 5669 to point to internal hosts 10.10.0.3, 10.10.0.4,
    10.10.0.5 and 10.10.0.6 on their port 5666. What am I missing? Is this
    possible, or is my syntax incorrect?

    Thanks for your help.
     
    , Jul 27, 2005
    #4
  5. Guest

    Hi,

    Thanks for the clarification. Yes, I should limit SSH access. The
    encrypted password and the password are cut and modified from the
    original.

    g

     
    , Jul 27, 2005
    #5
  6. In article <>,
    <> wrote:
    :In this scenario, I am asking all traffic
    :coming to x.x.112.147 or x.x.112.146 with destination ports 5666,
    :5667, 5668 and 5669 to point to internal hosts 10.10.0.3, 10.10.0.4,
    :10.10.0.5 and 10.10.0.6 on their port 5666. What am I missing? Is this
    :possible, or is my syntax incorrect?

    You can't do that. Each inside IP+port can be statically mapped
    to exactly one outside IP+port. Thus, you could have
    x.x.112.146 5666 map to 10.10.0.3 5666 but then you have
    "used up" 10.10.0.3 5666 and cannot -also- have x.x.112.147 5666
    go to the same place.


    Well... more than one mapping to an internal IP+port is possible,
    but only by using policy nat or policy static, in which case the
    remote machine's IP+port can be part of the configuration. For example
    you could have x.x.112.146 5666 map to 10.10.0.3 5666 usually,
    but for source 22.33.44.55 you could have x.x.112.147 5666 map
    there instead.

    The important part to remember is that static mappings are
    reversible, and you can't have a single inside IP+port map to two
    different external IP+port (at least not without further qualification
    of when the different mapping should be used.)
    --
    'The short version of what Walter said is "You have asked a question
    which has no useful answer, please reconsider the nature of the
    problem you wish to solve".' -- Tony Mantler
     
    Walter Roberson, Jul 27, 2005
    #6
  7. Guest

    Hi,

    Thank you for the quick response. Let me be more clear. Outside
    connections to

    x.x.112.147 with the following destination ports:
    x.x.112.147:5666
    x.x.112.147:5667
    x.x.112.147:5668
    x.x.112.147:5669

    I want them to point to internal hosts
    10.10.0.3:5666
    10.10.0.4:5666
    10.10.0.5:5666
    10.10.0.6:5666

    It does not seem to work.

    I also tried telnetting to the PIX IP x.x.112.146 with the destination
    ports and it also fails. However, traffic to web and SSH works on
    x.x.112.147 to 10.10.0.101.

    It may have something to do with "interface" in the static mapping
    definition.


    So I created the following mapping and access-list:

    static (inside,outside) x.x.112.147 10.10.0.101 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5666 10.10.0.103 5666 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5667 10.10.0.104 5666 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5668 10.10.0.105 5666 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5669 10.10.0.106 5666 netmask 255.255.255.255 0 0
    access-group 100 in interface outside

    access-list 100 permit tcp any host x.x.112.147 eq 5666
    access-list 100 permit tcp any host x.x.112.147 eq 5667
    access-list 100 permit tcp any host x.x.112.147 eq 5668
    access-list 100 permit tcp any host x.x.112.147 eq 5669
    access-list 100 permit tcp any host x.x.112.146 eq 5666
    access-list 100 permit tcp any host x.x.112.146 eq 5667
    access-list 100 permit tcp any host x.x.112.146 eq 5668
    access-list 100 permit tcp any host x.x.112.146 eq 5669

    g.
     
    , Jul 27, 2005
    #7
  8. In article <>,
    <> wrote:
    :Let me be more clear. Outside
    :connections to

    :x.x.112.147 with the following destination ports:
    :x.x.112.147:5666
    :x.x.112.147:5667
    :x.x.112.147:5668
    :x.x.112.147:5669

    :I want them to point to internal hosts
    :10.10.0.3:5666
    :10.10.0.4:5666
    :10.10.0.5:5666
    :10.10.0.6:5666

    That part itself should be fine.

    :I also tried telnetting to the PIX IP x.x.112.146 with the destination
    :ports and it also fails. However, traffic to web and SSH works on
    :x.x.112.147 to 10.10.0.101.

    :It may have something to do with "interface" in the static mapping
    :definition.

    Close.

    :So I created the following mapping and access-list:

    : static (inside,outside) x.x.112.147 10.10.0.101 netmask 255.255.255.255 0 0

    Do not mix mapping an entire IP with mapping ports of the same IP.
    The mapping of the entire IP will take precedence.

    :static (inside,outside) tcp interface 5666 10.10.0.103 5666 netmask 255.255.255.255 0 0

    :access-group 100 in interface outside

    :access-list 100 permit tcp any host x.x.112.147 eq 5666

    :access-list 100 permit tcp any host x.x.112.146 eq 5666

    As x.x.112.146 is the outside IP, you need to use a different form:

    access-list 100 permit tcp any host interface outside eq 5666

    This only applies to the interface IP: you would still use host x.x.112.147
    for that IP.
    --
    'The short version of what Walter said is "You have asked a question
    which has no useful answer, please reconsider the nature of the
    problem you wish to solve".' -- Tony Mantler
     
    Walter Roberson, Jul 27, 2005
    #8
  9. Guest

    Walter,

    thank you for your response, but i don't understand what you mean by
    "As x.x.112.146 is the outside IP, you need to use a different form:"

    G
     
    , Jul 27, 2005
    #9
  10. In article <>,
    <> wrote:
    :thank you for your response, but i don't understand what you mean by
    :"As x.x.112.146 is the outside IP, you need to use a different form:"

    Your original posting indicated that,

    ip address outside x.x.112.146 255.255.255.240

    So x.x.112.146 is your PIX's outside interface address. When you
    want to refer to your PIX's outside interface address in an ACL
    in PIX 6.3, you need to use a special keyword instead of the IP itself.
    In particular, instead of using host x.x.112.146 you need
    to use interface outside

    For example, the following is wrong for your situation:

    : wrong!
    access-list 100 permit tcp any host x.x.112.146 eq www

    Instead you must use,

    : okay!
    access-list 100 permit tcp any interface outside eq www


    This special case -only- applies to IP addresses which are
    named in 'ip address' statements on the PIX.
    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
     
    Walter Roberson, Jul 27, 2005
    #10
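    Added example, not code from the thread: a small Python linter over a PIX 6.3 configuration that flags the three pitfalls Walter describes in replies #6, #8 and #10 (an ACL that names an interface's own address with `host` instead of `interface <name>`, a whole-IP static mixed with port statics on the same outside address, and one inside IP+port mapped to more than one outside IP+port). The sample config is a constructed excerpt of the one posted above (addresses masked as the poster wrote them), plus one extra constructed static line to exercise the mixing check.

```python
import re
from collections import defaultdict

# Constructed excerpt of the config posted in this thread (addresses masked as
# x.x.112.x exactly as the poster wrote them). The LAST static line is constructed
# here, not from the thread, to exercise the "whole-IP static + port static" check.
SAMPLE_CONFIG = """\
ip address outside x.x.112.146 255.255.255.240
ip address inside 10.10.0.254 255.255.255.0
access-list 100 permit tcp any host x.x.112.147 eq 5666
access-list 100 permit tcp any host x.x.112.146 eq 5666
access-list 100 permit tcp any host x.x.112.146 eq 5667
static (inside,outside) x.x.112.147 10.10.0.101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5666 10.10.0.103 5666 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5667 10.10.0.104 5666 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.112.147 5667 10.10.0.104 5666 netmask 255.255.255.255 0 0
"""

IP_ADDR = re.compile(r"^ip address (\S+) (\S+) \S+$")
ACL_HOST = re.compile(r"^access-list (\S+) permit \S+ .* host (\S+) eq (\S+)$")
PORT_STATIC = re.compile(r"^static \((\w+),(\w+)\) (?:tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
FULL_STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")


def lint_pix(config):
    """Return human-readable findings for the PIX 6.3 static/ACL pitfalls."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if_ip = {}                          # interface name -> its own address
    for ln in lines:
        m = IP_ADDR.match(ln)
        if m:
            if_ip[m.group(1)] = m.group(2)
    ip_if = {ip: name for name, ip in if_ip.items()}
    findings = []
    full_globals = set()                # outside IPs with a whole-IP static
    port_globals = defaultdict(set)     # outside IP -> {(inside ip, inside port)}
    inside_targets = defaultdict(set)   # (inside ip, port) -> {(outside ip, port)}
    for ln in lines:
        m = ACL_HOST.match(ln)
        if m:
            name, ip, port = m.groups()
            if ip in ip_if:             # PIX 6.3 wants 'interface <name>' here, not 'host'
                findings.append(f"access-list {name}: 'host {ip}' is the {ip_if[ip]} "
                                f"interface address; use 'interface {ip_if[ip]} eq {port}'")
            continue
        m = PORT_STATIC.match(ln)
        if m:
            _lif, gif, gip, gport, lip, lport = m.groups()
            if gip == "interface":      # keyword meaning the global interface's own IP
                gip = if_ip.get(gif, gip)
            port_globals[gip].add((lip, lport))
            inside_targets[(lip, lport)].add((gip, gport))
            continue
        m = FULL_STATIC.match(ln)
        if m:
            full_globals.add(m.group(3))
    for gip in sorted(full_globals & set(port_globals)):
        findings.append(f"static: {gip} has both a whole-IP static and port statics; "
                        "the whole-IP static takes precedence so the port statics never match")
    for (lip, lport), outs in sorted(inside_targets.items()):
        if len(outs) > 1:               # a plain static is a reversible one-to-one mapping
            findings.append(f"static: {lip}:{lport} is mapped to {len(outs)} outside "
                            "IP+ports; a plain static allows exactly one (use policy static)")
    return findings


if __name__ == "__main__":
    for finding in lint_pix(SAMPLE_CONFIG):
        print(finding)
```

    Running it against the sample prints four findings; a config that uses `interface outside` in the ACL and keeps one static per inside IP+port produces none.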
  11. Guest

    Walter,

    thank you for all your help! i will give it a try and see if it works.

    g
     
    , Jul 28, 2005
    #11