Port forwarding help?

Discussion in 'Cisco' started by stephenarbour@gmail.com, Jun 5, 2006.

  1. Guest

    I would like to RDP to the server inside our network through our pix
    515 by using a port forward. I have tried a number of times to connect
    with the assigned address and port (which works when I'm inside the
    lan) but failed to get through the firewall.

    Would someone please be kind and show me what additions need to be made
    to my config (below)?

    The Server address and port are 99.99.99.228:4953 (I've changed the
    3389 to 4953)

    I've pasted a sterilized copy of our configuration below. Much
    appreciate any advice no matter how meager!


    User Access Verification

    Password:
    Type help or '?' for a list of available commands.
    HostPix> en
    Password: ******
    hostpix# show run
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XjdDOUfIwEBMJnWm encrypted
    passwd XjdDOUfIwEBMJnWm encrypted
    hostname hostpix
    domain-name ciscopix.com
    fixup protocol esp-ike
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 3000
    fixup protocol http 3002
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list outside permit icmp any any
    access-list outside permit tcp any host 99.99.99.231 eq pop3
    access-list outside permit tcp any host 99.99.99.231 eq smtp
    access-list outside permit tcp any host 99.99.99.231 eq www
    access-list outside permit tcp any host 99.99.99.229 eq www
    access-list outside permit udp any host 99.99.99.228 eq isakmp
    access-list outside permit tcp any host 99.99.99.228 eq 1701
    access-list outside permit udp any host 99.99.99.228 eq netbios-ns
    access-list outside permit udp any host 99.99.99.228 eq netbios-dgm
    access-list outside permit tcp any host 99.99.99.232 eq www
    access-list outside permit ip host 99.99.99.207 99.99.99.224 255.255.255.224
    access-list outside permit ip host 88.88.88.232 99.99.99.224 255.255.255.224
    access-list outside permit esp host 88.88.88.207 99.99.99.224 255.255.255.224
    access-list outside permit esp host 88.88.88.232 99.99.99.224 255.255.255.224
    access-list outside permit udp any 99.99.99.224 255.255.255.254 eq isakmp
    access-list outside permit esp any 99.99.99.224 255.255.255.254
    access-list outside permit gre any host 99.99.99.228
    access-list outside permit esp any host 99.99.99.228
    access-list outside permit tcp any host 99.99.99.224 eq pptp
    access-list outside permit tcp any host 99.99.99.228 eq pptp
    access-list outside permit tcp any host 99.99.99.231 eq https
    access-list outside permit tcp any host 99.99.99.233
    pager lines 24
    logging on
    logging trap informational
    logging host inside 192.168.4.11
    mtu outside 1500
    mtu inside 1500
    ip address outside 99.99.99.227 255.255.255.224
    ip address inside 192.168.4.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.4.11 255.255.255.255 inside
    pdm location 192.168.4.12 255.255.255.255 inside
    pdm location 192.168.4.13 255.255.255.255 inside
    pdm location 192.168.4.14 255.255.255.255 inside
    pdm location 192.168.4.15 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 99.99.99.254
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0
    static (inside,outside) 99.99.99.229 192.168.4.14 netmask 255.255.255.255 0 0
    static (inside,outside) 99.99.99.230 192.168.4.12 netmask 255.255.255.255 0 0
    static (inside,outside) 99.99.99.231 192.168.4.13 netmask 255.255.255.255 0 0
    static (inside,outside) 99.99.99.232 192.168.4.15 netmask 255.255.255.255 0 0
    static (inside,outside) 99.99.99.233 192.168.4.16 netmask 255.255.255.255 0 0
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 99.99.99.225 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.4.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.4.0 255.255.255.0 inside
    telnet timeout 10
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:856fa28ba29f09d458fecf67c2328d80
    : end
    hostpix#
     
    , Jun 5, 2006
    #1

  2. NETADMIN Guest

    Why don't you use Static NAT for this?

    wrote:
    > I would like to RDP to the server inside our network through our pix
    > 515 by using a port forward. I have tried a number of times to connect
    > with the assigned address and port (which works when I'm inside the
    > lan) but failed to get through the firewall.
    >
    > Would someone please be kind and show me what additions need to be made
    > to my config (below)
    >
    > The Server address and port are 99.99.99.228:4953 (I've changed the
    > 3389 to 4953)
    >
    > I've pasted a sterilized copy of our configuration below. Much
    > appreciate any advice no matter how meager!
    >
     
    NETADMIN, Jun 5, 2006
    #2

  3. Guest

    NETADMIN wrote:
    > Why don't you use Static NAT for this?


    I'm not very skilled. Port forwarding seemed the right tool for the
    job. I would be more than happy to implement "Static NAT" if it would
    suit the need better.

    I believe I need (and have) an extra address for this. If you think
    this would be a better solution, can you elaborate some?
    Thanks
     
    , Jun 5, 2006
    #3
  4. In article <>,
    <> wrote:
    >I would like to RDP to the server inside our network through our pix
    >515 by using a port forward.


    >Would someone please be kind and show me what additions need to be made
    >to my config (below)


    >The Server address and port are 99.99.99.228:4953 (I've changed the
    >3389 to 4953)


    >PIX Version 6.3(1)


    #include "upgrade_to_6.3(5)_for_free.txt"

    >access-list outside permit icmp any any


    Don't do that unless you want people to be able to steal your
    outgoing connections. Only permit the icmp that you need.

    >access-list outside permit udp any host 99.99.99.228 eq isakmp
    >access-list outside permit tcp any host 99.99.99.228 eq 1701
    >access-list outside permit udp any host 99.99.99.228 eq netbios-ns
    >access-list outside permit udp any host 99.99.99.228 eq netbios-dgm


    Add:
    access-list outside permit tcp any host 99.99.99.228 eq 4953

    >static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0

    >515 by using a port forward.

    You already have all ports forwarded for 99.99.99.228 so there is
    no point in handling this by port forwarding. If you REALLY want
    to use port forwarding, then you will have to remove the above static
    and put in port forwarding for isakmp, 1701, netbios-ns, netbios-dgm.
     
    Walter Roberson, Jun 6, 2006
    #4
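Walter's reply works through the two things a PIX 6.3 consults for an inbound connection: the access-list bound to the outside interface (matched against the global address, as on PIX 6.x) and the static translation for that address. The following Python script is an added example, not code from the thread, from the posters or from Cisco. It parses lines written in the style of the posted config, answers "where would an outside connection to this global address and port land", and flags the two rules Walter objected to (the unrestricted `icmp any any`, and any tcp/udp entry with no port). The sample config is constructed: it reuses the poster's sanitised addresses, includes the `eq 4953` line Walter suggested, and adds a port-redirection static for 99.99.99.230 using the PIX 6.x `static (inside,outside) tcp ...` form as an assumption, so the difference between a one-to-one static (every port forwarded) and a true per-port forward is visible. The outside source address 203.0.113.5 is a constructed test value.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the style of the PIX 6.3 config posted in the thread. Addresses are the
# poster's sanitised ones; "eq 4953" is Walter's suggested line; the tcp static for 99.99.99.230
# is an assumption added here to show the port-redirection form next to the one-to-one static.
SAMPLE_CONFIG = """\
access-list outside permit icmp any any
access-list outside permit tcp any host 99.99.99.231 eq smtp
access-list outside permit udp any host 99.99.99.228 eq isakmp
access-list outside permit tcp any host 99.99.99.228 eq 1701
access-list outside permit ip host 99.99.99.207 99.99.99.224 255.255.255.224
access-list outside permit tcp any host 99.99.99.233
access-list outside permit tcp any host 99.99.99.228 eq 4953
access-list outside permit tcp any host 99.99.99.230 eq 4953
static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.231 192.168.4.13 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.233 192.168.4.16 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.99.99.230 4953 192.168.4.12 4953 netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

# PIX port keywords that appear in the thread's config.
PORT_NAMES = {"pop3": 110, "smtp": 25, "www": 80, "https": 443, "isakmp": 500,
              "pptp": 1723, "netbios-ns": 137, "netbios-dgm": 138}

ACL_RE = re.compile(
    r"^access-list \S+ permit (?P<proto>\S+) (?P<src>any|host \S+|\S+ \S+) "
    r"(?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?$")


@dataclass
class AclEntry:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None: every port of that protocol


@dataclass
class Static:
    global_ip: str
    local_ip: str
    proto: Optional[str] = None  # None: one-to-one static NAT (all ports forwarded)
    global_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass
class PixConfig:
    acl: list = field(default_factory=list)
    statics: list = field(default_factory=list)


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _net(tok):
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.IPv4Network(tok.split()[1] + "/32")
    addr, mask = tok.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    cfg = PixConfig()
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            port = _port(m["port"]) if m["port"] else None
            cfg.acl.append(AclEntry(m["proto"], _net(m["src"]), _net(m["dst"]), port))
        elif line.startswith("static (inside,outside) "):
            toks = line.split()
            body = toks[2:toks.index("netmask")]
            if body[0] in ("tcp", "udp"):   # port redirection: proto gip gport lip lport
                cfg.statics.append(Static(body[1], body[3], body[0], _port(body[2]), _port(body[4])))
            else:                           # one-to-one: gip lip
                cfg.statics.append(Static(body[0], body[1]))
    return cfg


def inbound_path(cfg, proto, global_ip, port, src_ip="203.0.113.5"):
    """Where a connection from src_ip (constructed outside host) to global_ip:port lands.
    Returns (inside "ip:port" or None, reason). Order mirrors the PIX: the outside ACL is
    matched on the global address first, then the static translation is looked up."""
    gip, sip = ipaddress.IPv4Address(global_ip), ipaddress.IPv4Address(src_ip)
    hit = next((e for e in cfg.acl if e.proto in (proto, "ip") and sip in e.src
                and gip in e.dst and e.port in (None, port)), None)
    if hit is None:
        return None, f"no access-list entry permits {proto}/{port} to {global_ip}"
    st = next((s for s in cfg.statics if s.global_ip == global_ip
               and (s.proto is None or (s.proto == proto and s.global_port == port))), None)
    if st is None:
        return None, f"permitted by access-list but no static translation for {global_ip}"
    inside_port = st.local_port if st.proto else port
    kind = "port redirection" if st.proto else "one-to-one static"
    return f"{st.local_ip}:{inside_port}", f"permitted; {kind} to {st.local_ip}"


def audit(cfg):
    """Findings a reviewer would raise on the outside ACL, in the spirit of Walter's reply."""
    findings = []
    for e in cfg.acl:
        if e.proto == "icmp" and e.src.prefixlen == 0 and e.dst.prefixlen == 0:
            findings.append("icmp any any: permit only the ICMP types you need")
        if e.proto in ("tcp", "udp") and e.port is None:
            findings.append(f"{e.proto} to {e.dst} has no port: every {e.proto} port is exposed")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for probe in (("tcp", "99.99.99.228", 4953), ("tcp", "99.99.99.228", 3389),
                  ("tcp", "99.99.99.230", 4953), ("tcp", "99.99.99.233", 22)):
        print(probe, "->", inbound_path(cfg, *probe))
    for finding in audit(cfg):
        print("finding:", finding)
```

Run against the sample, tcp/4953 to 99.99.99.228 lands on 192.168.4.11:4953 only because of the added `eq 4953` line; the one-to-one static was already forwarding every port, which is Walter's point. The 99.99.99.230 entry shows the alternative: a tcp static for one port plus a matching ACL line reaches 192.168.4.12:4953 and nothing else. The audit flags `icmp any any` and the portless `tcp any host 99.99.99.233` entry, which exposes every TCP port on 192.168.4.16.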
