Need help on port forward on 501 PIX

Discussion in 'Cisco' started by kennylee88@gmail.com, Sep 20, 2005.

  1. Guest

    Hi guys,

    I need your help here. It looks like pretty simple config, but I
    pulling my hair out on this one. I want outside to able to remote a
    server inside the LAN. The server running a HOST w/a ip 192.168.20.11.
    I post up my sh conf to guys to review.

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password kR2PqlMuctVWaS9A encrypted
    passwd kR2PqlMuctVWaS9A encrypted
    hostname 560-Pix
    domain-name mycompany.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name xx.xx.xx.xx Outside-IP
    name xx.xx.xx.xx Gateway
    name 192.168.20.2 Inside-File
    name xx.xx.xx.xx Outside-File
    name 192.168.20.254 Inside-IP
    name 192.168.20.11 pcanywhere
    access-list 560-604 permit ip 192.168.20.0 255.255.255.0 192.168.10.0
    255.
    5.0
    access-list 560-152 permit ip 192.168.20.0 255.255.255.0 192.168.30.0
    255.
    5.0
    access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.10.0
    255.25
    0
    access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.30.0
    255.25
    0
    access-list inbound permit icmp any any echo-reply
    access-list inbound permit tcp any host Outside-File eq 3389
    access-list outbound permit ip 192.168.20.0 255.255.255.0 192.168.10.0
    255
    55.0
    access-list outbound permit ip 192.168.20.0 255.255.255.0 192.168.30.0
    255
    55.0
    access-list outbound deny tcp any any eq 135
    access-list outbound deny tcp any any eq 445
    access-list outbound permit tcp any any eq ftp
    access-list outbound permit tcp any any eq ftp-data
    access-list outbound permit tcp any any eq telnet
    access-list outbound permit tcp any any eq smtp
    access-list outbound permit tcp any any eq www
    access-list outbound permit tcp any any eq pop3
    access-list outbound permit tcp any any eq 3389
    access-list outbound permit udp any any eq domain
    access-list outbound permit tcp any any eq https
    access-list outbound permit tcp any any eq citrix-ica
    access-list outbound permit tcp any any eq aol
    access-list outbound permit tcp any any eq 5900
    access-list outbound permit tcp any any eq 4899
    access-list outbound permit tcp any any eq ldap
    access-list outbound permit tcp any any eq pcanywhere-data
    access-list outbound permit udp any any eq pcanywhere-status
    access-list outbound permit tcp any any eq 3387
    access-list outbound permit tcp any any eq 3388
    access-list outbound permit tcp any any eq 3101
    access-list outbound permit tcp any any eq 13501
    access-list outbound permit tcp any any eq 13502
    access-list outbound permit tcp any any eq 13503
    access-list outbound permit tcp any any eq 548
    access-list outbound permit icmp any any
    access-list outbound permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside Outside-IP 255.255.255.240
    ip address inside Inside-IP 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.20.0 255.255.255.0 inside
    pdm location Inside-File 255.255.255.255 inside
    pdm location 192.168.10.0 255.255.255.0 outside
    pdm location 192.168.30.0 255.255.255.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data pcanywhere
    pcanywher
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5632 pcanywhere 5632 netmask
    255.255
    55 0 0
    static (inside,outside) Outside-File Inside-File netmask
    255.255.255.255 0
    access-group inbound in interface outside
    access-group outbound in interface inside
    route outside 0.0.0.0 0.0.0.0 Gateway 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.20.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set Riese-tran esp-des esp-md5-hmac
    crypto dynamic-map Riese-DYN 21 set transform-set Riese-tran
    crypto map Roller-Map 19 ipsec-isakmp
    crypto map Roller-Map 19 match address 560-152
    crypto map Roller-Map 19 set peer xx.xx.xx.xxx
    crypto map Roller-Map 19 set transform-set Riese-tran
    crypto map Roller-Map 20 ipsec-isakmp
    crypto map Roller-Map 20 match address 560-604
    crypto map Roller-Map 20 set peer xx.xx.xx.xxx
    crypto map Roller-Map 20 set transform-set Riese-tran
    crypto map Roller-Map interface outside
    isakmp enable outside
    isakmp key ******** address xx.xx.xx.xxx netmask 255.255.255.255
    no-xauth
    fig-mode
    isakmp key ******** address xx.xx.xx.xxx netmask 255.255.255.255
    no-xauth
    fig-mode
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 64800
    telnet 192.168.20.0 255.255.255.0 inside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 0
    terminal width 80
    Cryptochecksum:8c1ac935d454ac42bf2bcecf8e36fd00
    560-Pix#
    560-Pix#
    560-Pix#
     
    , Sep 20, 2005
    #1
    1. Advertising

  2. In article <>,
    <> wrote:
    : I need your help here. It looks like pretty simple config, but I
    :pulling my hair out on this one. I want outside to able to remote a
    :server inside the LAN.

    >static (inside,outside) tcp interface pcanywhere-data pcanywhere pcanywher
    > netmask 255.255.255.255 0 0


    >static (inside,outside) tcp interface 5632 pcanywhere 5632 netmask 255.255
    >55 0 0


    Your lines are truncated so we can't tell exactly what they read.

    What you do need to know is that the pcanywhere status port is UDP
    instead of TCP.
    --
    Daylight is a trademark of OSRAM SYLVANIA INC.
     
    Walter Roberson, Sep 20, 2005
    #2
    1. Advertising

  3. Guest

    Sorry, okay here are the 2 lines.

    static (inside,outside) tcp interface pcanywhere-data pcanywhere
    pcanywhere netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5632 pcanywhere 5632 netmask
    255.255.55 0 0
     
    , Sep 20, 2005
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Andre
    Replies:
    7
    Views:
    806
    Andre
    Feb 20, 2005
  2. William Bain

    Cisco 501 port forward PDM

    William Bain, May 2, 2005, in forum: Cisco
    Replies:
    1
    Views:
    6,183
  3. Michael

    port forward / port changing

    Michael, Jul 17, 2005, in forum: Cisco
    Replies:
    1
    Views:
    589
    Michael
    Jul 17, 2005
  4. Replies:
    10
    Views:
    3,078
    dclarolh
    Oct 1, 2006
  5. rickbath
    Replies:
    0
    Views:
    1,208
    rickbath
    May 30, 2012
Loading...

Share This Page