PIX 501 unable to map port. Plx help

Discussion in 'Cisco' started by noway, Aug 30, 2006.

  1. noway

    noway Guest

    Need to map ports through on a PIX 501, and have the following static rules
    setup:

    static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
    static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

    The rest of the network uses pat on 66.x.x.98. We have .98 - .102 available
    for outside.

    Can't seem to get the access rule to work for the incoming port 5051, or any
    other port for that matter. Or maybe there is a problem with the static
    rules.

    Any help would be much appreciated.

    Thanks.



    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password jgnwagB3rxzkm2J7 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69

    access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192
    pager lines 24
    logging on
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.x.x.98 255.255.255.248
    ip address inside 192.168.1.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.1.221-192.168.1.245
    pdm location RWSFPS 255.255.255.255 inside
    pdm location 192.168.1.192 255.255.255.224 outside
    pdm location 192.168.1.192 255.255.255.192 outside
    pdm location 192.168.1.5 255.255.255.255 inside
    pdm location 66.x.x.99 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
    static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 66.x.x.97 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.1.1 reward timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local ippool
    vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.1
    vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
    vpdn group PPTP-VPDN-GROUP client accounting RADIUS
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn enable outside
    vpdn enable inside
    dhcpd address 192.168.1.12-192.168.1.100 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:558bf1ecd1951ae19f65df59c885d4fa
    : end
    [OK]
     
    noway, Aug 30, 2006
    #1

  2. noway

    chris Guest

    "noway" <> wrote in message news:eek:lkJg.6377$SZ3.5942@dukeread04...
    > Need to map ports through on a PIX 501, and have the following static
    > rules setup:
    >
    > static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
    > static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0
    >
    > The rest of the network uses pat on 66.x.x.98. We have .98 - .102
    > available for outside.
    >
    > Can't seem to get the access rule to work for the incoming port 5051, or
    > any other port for that matter. Or maybe there is a problem with the
    > static rules.
    >
    > Any help would be much appreciated.
    >
    > Thanks.
    >


    You have a static ..

    static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

    ... but I can't see an ACL allowing port 5051 in. A static on its own isn't
    enough.

    Not sure what you're trying to do with that other back to front static ..

    static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0

    ??

    Chris.
     
    chris, Aug 30, 2006
    #2

  3. noway

    mcaissie Guest

    First regarding your translation rules ;

    static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

    This line is ok and will translate the inside 192.168.1.5 with the outside
    66.x.x.99, which is what you want.
    If you want to limit it to a single tcp port, it's this rule that you have to
    modify.

    Your second rule is useless and faulty

    static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0

    This line means that the real outside IP 66.x.x.99 is translated on the
    inside with 192.168.1.5.
    It's faulty because 192.168.1.5 is already assigned on the inside, so you
    can't use it for translation, and 66.x.x.99 is already assigned to the
    outside PIX, so it doesn't make sense to translate it.
    But obviously here you just misunderstood the static syntax.

    static (outside,inside) means that you want to mask an outside address, while
    static (inside,outside) means that you want to mask an inside address.

    Next, creating a translation is one thing, but you also have to permit the
    traffic on your outside interface, using an access-group.

    access-list outside_inbound_acl permit ip any 66.x.x.99
    access-group outside_inbound_acl in interface outside



    In conclusion ,

    no static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
    clear xlate
    access-list outside_inbound_acl permit ip any 66.x.x.99
    access-group outside_inbound_acl in interface outside

    Be aware the clear xlate will reset all existing sessions, but you better
    do it when modifying static rules, to clean up existing translations.

     
    mcaissie, Aug 30, 2006
    #3
  4. noway

    mcaissie Guest

    Correction
    > access-list outside_inbound_acl permit ip any 66.x.x.99


    access-list outside_inbound_acl permit ip any host 66.x.x.99
    or
    access-list outside_inbound_acl permit tcp any host 66.x.x.99 eq 5051
     
    mcaissie, Aug 30, 2006
    #4
  5. noway

    mak Guest

    mcaissie wrote:

    > In conclusion ,
    >
    > no static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
    > clear xlate
    > access-list outside_inbound_acl permit ip any 66.x.x.99
    > access-group outside_inbound_acl in interface outside
    >
    > Be aware the clear xlate will reset all existing session s, but you
    > better do it

    right, wasted once about 2 hours.
    you HAVE to clear xlate , otherwise it will show correct in sh static, and in sh xlate...but it won't work.

    other option is reboot :)
     
    mak, Aug 31, 2006
    #5
  6. noway

    noway Guest

    > You have a static ..
    >
    > static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0
    >
    > .. but I can't see an ACL allowing port 5051 in. A static on it's own
    > isn't enough.
    >
    > Not sure what you're trying to do with that other back to front static ..
    >
    > static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
    >
    > ??
    >
    > Chris.


    The static outbound is to force outgoing traffic on that server to ip
    address .99.

    The ACL the configuration utility puts in is the following:

    access-list outside_access_in permit tcp host 192.168.1.5 eq 5150 host 192.168.1.5 eq 5150

    and I've tried several others also. Can't seem to get traffic through.
     
    noway, Sep 8, 2006
    #6
  7. noway

    Walter Roberson Guest

    In article <a_hMg.20532$SZ3.16135@dukeread04>, noway <> wrote:
    >> You have a static ..
    >>
    >> static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0
    >>
    >> Not sure what you're trying to do with that other back to front static ..
    >>
    >> static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0
    >
    > The static outbound is to force outgoing traffic on that server to ip
    > address .99.


    No, that second static means "If you see traffic coming in to the
    inside interface with a destination IP of 192.168.1.5 then the
    destination IP is to be translated to 66.x.x.99 as the packet goes out."

    Notice that's *destination*, not *source*. The standard
    static (inside,outside) takes care of the source IP for outgoing traffic.
     
    Walter Roberson, Sep 8, 2006
    #7
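    Added example, not code from the thread or from Cisco: a small Python model of how a PIX 6.3
    combines a static with the access-group bound to the outside interface when a new inbound
    connection arrives, fed with the two statics from the original post and the corrected ACL from
    post #4. 66.0.0.x is a constructed stand-in for the redacted 66.x.x.x block; the model's ACL
    parser accepts only `any` and `host x` address specs, so the uncorrected access-list line
    (a bare address without `host`) is rejected, and it flags a static (outside,inside) whose
    inside-facing address is already a real inside host, which is mcaissie's objection.

```python
import re

# 66.0.0.x is a constructed stand-in for the redacted 66.x.x.x block in the thread.
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?"
                       r"(\S+)(?: (\d+))? netmask")
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (ip|tcp|udp) (any|host \S+) "
                    r"(any|host \S+)(?: eq (\d+))?$")

NOWAY_CONFIG = [  # the two statics from the original post, with no access-group
    "static (outside,inside) tcp 192.168.1.5 5051 66.0.0.99 5051 netmask 255.255.255.255 0 0",
    "static (inside,outside) 66.0.0.99 192.168.1.5 netmask 255.255.255.255 0 0",
]
FIXED_CONFIG = [  # after "no static (outside,inside) ..." plus the corrected ACL from post #4
    NOWAY_CONFIG[1],
    "access-list outside_inbound_acl permit tcp any host 66.0.0.99 eq 5051",
    "access-group outside_inbound_acl in interface outside",
]

def parse_static(line):
    """static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask ..."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    real_ifc, mapped_ifc, proto, mip, mport, rip, rport = m.groups()
    return {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "proto": proto, "mapped_ip": mip,
            "mapped_port": int(mport) if mport else None, "real_ip": rip,
            "real_port": int(rport) if rport else None}

def static_problems(config, inside_hosts):
    """A static (outside,inside) shows an outside host under an inside address; flag it when
    that inside address is already a real inside host (mcaissie's objection)."""
    out = []
    for s in filter(None, map(parse_static, config)):
        if s["real_ifc"] == "outside" and s["mapped_ip"] in inside_hosts:
            out.append(f"{s['mapped_ip']} already exists inside; cannot also stand for {s['real_ip']}")
    return out

def inbound_connection(config, dst_ip, dst_port, proto="tcp"):
    """Fate of a new connection from outside to the global address dst_ip:dst_port. It needs both
    a static (inside,outside) for that address and an access-group on the outside interface whose
    ACL permits it; on 6.x the inbound ACL is checked against the global (mapped) address."""
    acls, bound = {}, None
    for line in (ln.strip() for ln in config):
        if line.startswith("access-list"):
            m = ACL_RE.match(line)
            if not m:  # e.g. a bare address without 'host', the mistake corrected in post #4
                return f"config rejected: {line}"
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif line.startswith("access-group") and line.split()[-1] == "outside":
            bound = line.split()[1]
    xlate = next((s for s in filter(None, map(parse_static, config))
                  if s["mapped_ifc"] == "outside" and s["mapped_ip"] == dst_ip
                  and s["proto"] in (None, proto) and s["mapped_port"] in (None, dst_port)), None)
    if xlate is None:
        return "dropped: no static (inside,outside) for that global address"
    if bound is None:
        return "dropped: no access-group on outside, implicit deny"
    for action, aproto, _src, dst, port in acls.get(bound, []):
        if aproto in ("ip", proto) and dst in ("any", f"host {dst_ip}") and port in (None, str(dst_port)):
            if action == "deny":
                return "dropped: denied by ACL"
            return f"permitted: translated to {xlate['real_ip']}:{xlate['real_port'] or dst_port}"
    return "dropped: no permit entry in the ACL"
```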
