Pix 501, Help the newbie

Discussion in 'Cisco' started by mkerner, Oct 22, 2003.

  1. mkerner

    pixfirewall# sh conf
    : Saved
    :
    PIX Version 6.1(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password F2izeCCM7gqR/Ut7 encrypted
    passwd 7qFKWNrYgAU4ASQj encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name 192.168.1.145 Chris
    name 66.180.111.171 Tracking
    access-list ipsec permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_access_in permit udp any eq 22335 any
    access-list outside_access_in permit udp any eq 17335 any
    pager lines 24
    logging on
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.180.111.170 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 0.0.0.0 255.255.255.0 outside
    pdm location 0.0.0.0 255.255.255.0 inside
    pdm location Chris 255.255.255.255 inside
    pdm location Tracking 255.255.255.255 outside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) Tracking Chris netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 66.180.111.169 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set avalanche esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map forsberg 21 ipsec-isakmp
    crypto map forsberg 21 match address ipsec
    crypto map forsberg 21 set peer 64.233.84.122
    crypto map forsberg 21 set transform-set avalanche
    crypto map forsberg interface outside
    isakmp enable outside
    isakmp key ******** address 64.233.84.122 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 21 authentication pre-share
    isakmp policy 21 encryption des
    isakmp policy 21 hash md5
    isakmp policy 21 group 1
    isakmp policy 21 lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    dhcpd address 192.168.1.20-192.168.1.51 inside
    dhcpd dns 66.180.96.12 64.238.96.12
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:850cf549ca4bbdd64f5be8cb8799f99d
    pixfirewall# sh ont
    Type help or '?' for a list of available commands.

    I tried to add the line:
    static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    but it didn't work
    help.
    mkerner, Oct 22, 2003
    #1

  2. In article <>,
    mkerner <> wrote:
    :pixfirewall# sh conf

    :ip address outside 66.180.111.170 255.255.255.248
    :ip address inside 192.168.1.1 255.255.255.0

    :global (outside) 1 interface
    :nat (inside) 0 access-list nonat
    :nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    The 0.0.0.0 0.0.0.0 is a superset of the 192.168.1.0 so you don't
    need the 192.168.1 nat.

    :static (inside,outside) Tracking Chris netmask 255.255.255.255 0 0


    :I tried to add the line:
    :static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    :but it didn't work

    You need to be more specific about what happened when you tried.

    What is the relationship between 1.2.3.4 and 66.180.111.170?

    If you were trying to forward port 5900 of the outside IP address,
    then you need to use

    static (inside, outside) tcp interface 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0


    As you did say you were a newbie, it isn't clear to us that
    you gave the command configure terminal before you typed
    in the 'static' command that you wanted.
    --
    Perposterous!! Where would all the calculators go?!
    Walter Roberson, Oct 22, 2003
    #2

  3. In article <1066793044.168847@cache3>,
    Matthew Kerner <> wrote:
    :Sorry, the first few lines of my post are missing.....
    :I was handed a new client and they recently purchased a Pix 501 (totally
    :overkill for them). All I really need to do is have a port forward command
    :to let us administer the server with vnc (5900). I don't know the Pix at
    :all and the guy who set it up never finished. I tried the line:
    :static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    :it didn't work. could someone look over this config and tell me what's up?

    Your problem is that 1.2.3.4 is not routed to the PIX. The entire
    1.0.0.0/8 network is IANA Reserved, so it isn't going to be in anyone's
    BGP tables.
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
    Walter Roberson, Oct 22, 2003
    #3
  4. Sorry, the first few lines of my post are missing.....
    I was handed a new client and they recently purchased a Pix 501 (totally
    overkill for them). All I really need to do is have a port forward command
    to let us administer the server with vnc (5900). I don't know the Pix at
    all and the guy who set it up never finished. I tried the line:
    static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    it didn't work. Could someone look over this config and tell me what's up?
    Thanks.
    "mkerner" <> wrote in message
    news:...
    > pixfirewall# sh conf
    > : Saved
    > :
    > PIX Version 6.1(4)
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password F2izeCCM7gqR/Ut7 encrypted
    > passwd 7qFKWNrYgAU4ASQj encrypted
    > hostname pixfirewall
    > domain-name ciscopix.com
    > fixup protocol ftp 21
    > fixup protocol http 80
    > fixup protocol h323 1720
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol sip 5060
    > fixup protocol skinny 2000
    > names
    > name 192.168.1.145 Chris
    > name 66.180.111.171 Tracking
    > access-list ipsec permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > access-list outside_access_in permit udp any eq 22335 any
    > access-list outside_access_in permit udp any eq 17335 any
    > pager lines 24
    > logging on
    > interface ethernet0 10baset
    > interface ethernet1 10full
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside 66.180.111.170 255.255.255.248
    > ip address inside 192.168.1.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm location 0.0.0.0 255.255.255.0 outside
    > pdm location 0.0.0.0 255.255.255.0 inside
    > pdm location Chris 255.255.255.255 inside
    > pdm location Tracking 255.255.255.255 outside
    > pdm location 192.168.2.0 255.255.255.0 inside
    > pdm location 192.168.2.0 255.255.255.0 outside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 0 access-list nonat
    > nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) Tracking Chris netmask 255.255.255.255 0 0
    > access-group outside_access_in in interface outside
    > route outside 0.0.0.0 0.0.0.0 66.180.111.169 1
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > no sysopt route dnat
    > crypto ipsec transform-set avalanche esp-des esp-md5-hmac
    > crypto ipsec security-association lifetime seconds 3600
    > crypto map forsberg 21 ipsec-isakmp
    > crypto map forsberg 21 match address ipsec
    > crypto map forsberg 21 set peer 64.233.84.122
    > crypto map forsberg 21 set transform-set avalanche
    > crypto map forsberg interface outside
    > isakmp enable outside
    > isakmp key ******** address 64.233.84.122 netmask 255.255.255.255
    > isakmp identity address
    > isakmp policy 21 authentication pre-share
    > isakmp policy 21 encryption des
    > isakmp policy 21 hash md5
    > isakmp policy 21 group 1
    > isakmp policy 21 lifetime 86400
    > telnet 192.168.1.0 255.255.255.0 inside
    > telnet timeout 5
    > ssh 0.0.0.0 0.0.0.0 outside
    > ssh timeout 5
    > dhcpd address 192.168.1.20-192.168.1.51 inside
    > dhcpd dns 66.180.96.12 64.238.96.12
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > dhcpd auto_config outside
    > dhcpd enable inside
    > terminal width 80
    > Cryptochecksum:850cf549ca4bbdd64f5be8cb8799f99d
    > pixfirewall# sh ont
    > Type help or '?' for a list of available commands.
    >
    > I tried to add the line:
    > static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    > but it didn't work
    > help.
    Matthew Kerner, Oct 22, 2003
    #4
  5. Sorry, hope you read the other post I added.
    I was in config t mode when I added that line. It went into the config and
    I wrote it to memory. I just still couldn't get in through vnc. I didn't
    write any of this config. I picked it up after someone else set it up and
    then never returned the client's phone calls. I am starting a crash course
    in Pix tonight but need to get this up sooner rather than later if I can.

    static (inside,outside) Tracking Chris netmask 255.255.255.255 0 0
    I don't know exactly what this line is doing. Is it forwarding everything
    going to Tracking to Chris?

    1.2.3.4 is the 66.180.111.170. I thought I caught all of them in the post.
    Didn't want to publish the address, but alas I am an idiot. oops.

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bn4skk$lds$...
    > In article <>,
    > mkerner <> wrote:
    > :pixfirewall# sh conf
    >
    > :ip address outside 66.180.111.170 255.255.255.248
    > :ip address inside 192.168.1.1 255.255.255.0
    >
    > :global (outside) 1 interface
    > :nat (inside) 0 access-list nonat
    > :nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    > :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >
    > The 0.0.0.0 0.0.0.0 is a superset of the 192.168.1.0 so you don't
    > need the 192.168.1 nat.
    >
    > :static (inside,outside) Tracking Chris netmask 255.255.255.255 0 0
    >
    >
    > :I tried to add the line:
    > :static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    > :but it didn't work
    >
    > You need to be more specific about what happened when you tried.
    >
    > What is the relationship between 1.2.3.4 and 66.180.111.170 ?
    >
    > If you were trying to forward port 5900 of the outside IP address,
    > then you need to use
    >
    > static (inside, outside) tcp interface 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    >
    >
    > As you did say you were a newbie, it isn't clear to us that
    > you gave the command configure terminal before you typed
    > in the 'static' command that you wanted.
    > --
    > Perposterous!! Where would all the calculators go?!
    Matthew Kerner, Oct 22, 2003
    #5
  6. So the 1.2.3.4 is the outside IP. So it is routed to the Pix.
    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bn4t8u$lmg$...
    > In article <1066793044.168847@cache3>,
    > Matthew Kerner <> wrote:
    > :Sorry, the first few lines of my post are missing.....
    > :I was handed a new client and they recently purchased a Pix 501 (totally
    > :overkill for them). All I really need to do is have a port forward command
    > :to let us administer the server with vnc (5900). I don't know the Pix at
    > :all and the guy who set it up never finished. I tried the line:
    > :static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    > :it didn't work. could someone look over this config and tell me what's up?
    >
    > Your problem is that 1.2.3.4 is not routed to the PIX. The entire
    > 1.0.0.0/8 network is IANA Reserved, so it isn't going to be in anyone's
    > BGP tables.
    > --
    > Live it up, rip it up, why so lazy?
    > Give it out, dish it out, let's go crazy, yeah!
    > -- Supertramp (The USENET Song)
    Matthew Kerner, Oct 22, 2003
    #6
  7. "mkerner" <> wrote:

    > I tried to add the line:
    >
    > static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0
    >
    > but it didn't work
    > help.


    Did you also add a correct access-list entry to the
    access-group of the outside interface?
    Jyri Korhonen, Oct 22, 2003
    #7
  8. In article <1066793438.181591@cache1>,
    Matthew Kerner <> wrote:
    >Sorry, hope you read the other post I added.

    :1.2.3.4 is the 66.180.111.170.

    As that is your outside IP, you need to substitute the word 'interface'
    in place of the IP in the 'static' command.
    --
    Look out, there are llamas!
    Walter Roberson, Oct 22, 2003
    #8
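The two fixes the replies converge on (use 'interface' as the global address of the static, and permit the forwarded port in the access-list applied inbound on the outside interface) can be checked mechanically against the posted config. The script below is an added example, not code from any of the posters or from Cisco: it parses only the subset of PIX 6.x syntax this thread uses, with the posted configuration reduced to a constructed sample, and reports what would stop a port forward from working. The access-list entry it tests with (access-list outside_access_in permit tcp any host 66.180.111.170 eq 5900, written against the global address as PIX 6.x inbound ACLs require) is my assumption of the entry Jyri's question in #7 points at; the function names are my own.

```python
"""Check a PIX 6.x config for a working port forward (static + inbound ACL).

Added example for this thread, not code from the posters or from Cisco.
Handles only the syntax the thread uses; first-match ACLs, no object-groups.
"""
import ipaddress
import re

# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
name 192.168.1.145 Chris
name 66.180.111.171 Tracking
access-list outside_access_in permit udp any eq 22335 any
access-list outside_access_in permit udp any eq 17335 any
ip address outside 66.180.111.170 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) Tracking Chris netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""
# The original attempt, the form suggested in the replies, and the ACL entry
# assumed here to be the one reply #7 is asking about.
ATTEMPT = "static (inside, outside) tcp 1.2.3.4 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0"
FIXED = "static (inside,outside) tcp interface 5900 192.168.1.150 5900 netmask 255.255.255.255 0 0"
ACE_FIX = "access-list outside_access_in permit tcp any host 66.180.111.170 eq 5900"

# static (lo,hi) [tcp|udp] <global> [gport] <local> [lport] netmask ...
STATIC_RE = re.compile(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(?:(tcp|udp)\s+)?"
                       r"(\S+)\s+(?:(\d+)\s+)?(\S+)(?:\s+(\d+))?\s+netmask")

def parse_addr(t, i, names):
    """Address spec at t[i]: 'any', 'host X' or 'X mask'; X may be a 'name'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1])), i + 2
    return ipaddress.ip_network(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2

def parse_ports(t, i):
    """Optional 'eq N' at t[i]; otherwise every port."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    return (0, 65535), i

def parse_ace(t, names):
    """Tokens after 'access-list <name>': permit|deny <proto> <src> [eq N] <dst> [eq N]."""
    src, i = parse_addr(t, 2, names)
    _sports, i = parse_ports(t, i)
    dst, i = parse_addr(t, i, names)
    dports, _ = parse_ports(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dports": dports}

def parse_pix(text):
    """Collect names, interface addresses, ACL entries and access-groups."""
    cfg = {"names": {}, "ip": {}, "acl": {}, "group": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) == 3:
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["ip", "address"] and len(t) >= 5:
            cfg["ip"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "access-list" and len(t) >= 5:
            cfg["acl"].setdefault(t[1], []).append(parse_ace(t[2:], cfg["names"]))
        elif t[0] == "access-group" and len(t) >= 5:
            cfg["group"][(t[4], t[2])] = t[1]      # (interface, "in") -> ACL name
    return cfg

def check_port_forward(cfg, static_line):
    """Problems that would stop this static from working; an empty list means OK."""
    m = STATIC_RE.match(static_line.strip())
    if not m:
        return ["static line does not parse"]
    _lo, hi, proto, gtok, gport, _laddr, _lport = m.groups()
    gport = int(gport) if gport else None
    outside = cfg["ip"].get(hi)
    if outside is None:
        return [f"no ip address configured on interface {hi}"]
    gaddr = (outside.ip if gtok == "interface"
             else ipaddress.ip_address(cfg["names"].get(gtok, gtok)))
    problems = []
    # The upstream router only hands the PIX traffic for the outside subnet.
    if gaddr not in outside.network:
        problems.append(f"global address {gaddr} is not in {outside.network}; "
                        "use 'interface' or an address in that subnet")
    acl = cfg["group"].get((hi, "in"))
    if acl is None:
        return problems + [f"no access-list applied inbound on {hi}"]
    want = f"{proto or 'ip'} to {gaddr}" + (f" port {gport}" if gport else "")
    for ace in cfg["acl"].get(acl, []):            # first match wins, as on the PIX
        if proto and ace["proto"] not in ("ip", proto):
            continue
        if gaddr in ace["dst"] and (gport is None or ace["dports"][0] <= gport <= ace["dports"][1]):
            if ace["action"] == "permit":
                return problems
            return problems + [f"access-list {acl} denies {want} before any permit"]
    return problems + [f"access-list {acl} has no permit for {want}"]

if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    print("attempt:  ", check_port_forward(cfg, ATTEMPT) or "OK")
    print("fixed:    ", check_port_forward(cfg, FIXED) or "OK")
    print("fixed+ACE:", check_port_forward(parse_pix(SAMPLE_CONFIG + ACE_FIX), FIXED) or "OK")
```

Run as-is, the original attempt yields two findings (1.2.3.4 is outside the 66.180.111.168/29 subnet, and nothing in outside_access_in permits tcp/5900 to it), the 'interface' form yields only the missing ACL entry, and adding ACE_FIX yields none. The existing Tracking/Chris static passes because the two udp entries have 'any' as destination, which is also why that static maps every protocol and port of Tracking to Chris, as post #5 asks. The same parse would let you flag the two management lines in the posted config, ssh 0.0.0.0 0.0.0.0 outside and snmp-server community public, which are worth tightening on a device reachable from the Internet.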
