Need help Port forwarding on PIX 501

Discussion in 'Cisco' started by kennylee88, Sep 14, 2006.

  1. kennylee88

    kennylee88 Guest

    Hey guys,

    I just got my PIX 501 working. I'm nowhere near a PIX guru here, I'm just a
    noobie. We used to have a Netgear FS318, btw can I bridge them together?
    Now I want to open up a few ports: 3389, smtp, www, ftp and pop. I have
    an MS Exchange 2003 running and one FTP server, fyi.


    Here's how my network is set up, and I included the sh config output.
    Can someone verify whether this config is correct?

    [LAN]------>inside192.168.1.1{pix}outside PPPoE----------->( cloud )

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ******************* encrypted
    passwd **********************encrypted
    hostname 199pix
    domain-name katapole
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any unreachable
    access-list outbound permit tcp any any eq 3389
    access-list outbound permit tcp any any eq smtp
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.2 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname USRNAME
    vpdn group pppoe_group ppp authentication pap
    vpdn username USRNAME password *********
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username admin password 1ZXpWLcm3C.25OQ/ encrypted privilege 15
    terminal width 80
    Cryptochecksum:93b3f2cf0e1fcf9a5c357d2b3d6404a9
     
    kennylee88, Sep 14, 2006
    #1

  2. mak

    mak Guest

    access-list outbound permit tcp any host 192.168.1.2 eq smtp
    is sufficient,
    also:
    you have to define an access-group that the access-list applies to:

    access-group outbound in interface outside
    (even though the name is confusing; you should call it "inbound", "outside_in" or something)
    looks good,
    M
     
    mak, Sep 14, 2006
    #2

  3. kennylee88

    kennylee88 Guest

    Mak,

    What about port 3389, does that look right to you?

    I should change to this:
    access-list outbound permit tcp any host 192.168.1.2 eq smtp


    thanks
    ken

     
    kennylee88, Sep 14, 2006
    #3
  4. No, that's wrong.

    access-list outbound permit tcp any interface outside eq smtp
    access-list outbound permit tcp any interface outside eq 3389

    In the case of the original poster who only has a single outside
    IP (the one assigned to the PIX), there is only very marginal
    extra security in specifying 'interface outside' instead of 'any'
    (i.e., better security in the theoretical chance that the PPPoE
    connection would eventually be converted to a non-PPPoE connection
    and multiple public IPs assigned.)
    Yes, the access-group is a necessity.
     
    Walter Roberson, Sep 14, 2006
    #4
  5. Cue my usual advice to upgrade to 6.3(5)112 as soon as practical.
    The upgrade is free and available to any original owner of a PIX
    running 6.3. [If you got the device used and did not pay the
    'relicensing' fee, then you could try asking the person you got it
    from for the update; if you aren't the registered owner then Cisco
    probably won't release the software to you.]
     
    Walter Roberson, Sep 14, 2006
    #5
  6. kennylee88

    kennylee88 Guest

    Thanks for the reply, guys.
    Anyone have PPPoE set up here? I know a static IP is a tad easier to
    config than a dynamic IP.



     
    kennylee88, Sep 14, 2006
    #6
  7. I've done it. The examples in the configuration guide should work
    for you.
     
    Walter Roberson, Sep 14, 2006
    #7
  8. kennylee88

    kennylee88 Guest

    Yeah, that example you see here came out of my PIX 501.
    I got everything to work (the surfing-the-internet part, anyway).

    Now I need to do some port forwarding. How do you config FTP port 21?
    The same way I entered it for port 3389?

    thanks all.
     
    kennylee88, Sep 14, 2006
    #8
  9. Yes. In particular, do NOT configure for port 20 (FTP's control port),
    only permit port 21 and only static port 21;
    but DO configure fixup ftp 21 (which is on by default)
    and the PIX will take care of all the other details of port 20 and
    negotiated PORT commands
     
    Walter Roberson, Sep 14, 2006
    #9
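    The three things the replies above turn on (mak in #2: the access-list must be bound with access-group; Walter Roberson in #4: an ACL on the outside interface must reference "interface outside", not the inside host; #9: forward only port 21 and let fixup protocol ftp handle port 20) are easy to get wrong by hand, so here is an added audit script that checks a pasted PIX 6.3 config for them. It is not from the thread or from Cisco; the port-keyword table and the assumption that the security0 interface is the outside are mine, and both sample configs are constructed from the lines in the first post.

```python
# Added audit script (not from the thread or from Cisco): checks the inbound
# forwarding rules of a PIX 6.3 configuration against the points raised in
# replies #2, #4 and #9. All sample configurations below are constructed.

# Service keywords PIX 6.3 accepts in place of port numbers (subset, assumed).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "www": 80, "http": 80, "pop2": 109, "pop3": 110, "https": 443}

def port_number(token):
    """'3389' -> 3389, 'smtp' -> 25; unknown keywords are returned unchanged."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token, token)

def _take_address(tokens):
    """Consume one ACL address spec: any | host A | interface IF | object-group G | A MASK."""
    if tokens and tokens[0] == "any":
        return ("any", None), tokens[1:]
    if len(tokens) < 2:
        return ("missing", None), []
    kind = tokens[0] if tokens[0] in ("host", "interface", "object-group") else "subnet"
    return (kind, tokens[0] if kind == "subnet" else tokens[1]), tokens[2:]

def parse_config(text):
    """Pull out the statics, ACL entries, access-group bindings and fixups that matter."""
    cfg = {"outside_if": "outside", "statics": [], "acl": [], "groups": {}, "no_fixup": set()}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif" and t[-1] == "security0":
            cfg["outside_if"] = t[2]                   # the security0 interface is the outside
        elif t[:3] == ["no", "fixup", "protocol"] and len(t) > 3:
            cfg["no_fixup"].add(t[3])
        elif t[0] == "static" and t[2:4] == ["tcp", "interface"] and len(t) > 5:
            # static (inside,outside) tcp interface <global_port> <inside_ip> <local_port> ...
            cfg["statics"].append({"port": port_number(t[4]), "inside_ip": t[5]})
        elif t[0] == "access-list" and t[2:4] == ["permit", "tcp"]:
            src, rest = _take_address(t[4:])
            dst, rest = _take_address(rest)
            port = port_number(rest[1]) if rest[:1] == ["eq"] and len(rest) > 1 else None
            cfg["acl"].append({"name": t[1], "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"] and len(t) > 4:
            cfg["groups"][t[4]] = t[1]                 # interface -> ACL applied inbound on it
    return cfg

def audit(text):
    """Return {'errors': [...], 'notes': [...]}: errors break the forward, notes are hardening."""
    cfg = parse_config(text)
    out_if = cfg["outside_if"]
    bound = cfg["groups"].get(out_if)                  # ACL actually applied inbound on outside
    errors, notes = [], []
    if cfg["statics"] and bound is None:
        errors.append(f"no 'access-group <acl> in interface {out_if}': inbound permits never take effect")
    for s in cfg["statics"]:
        port, inside_ip = s["port"], s["inside_ip"]
        if port == 20:
            errors.append("static for port 20: remove it, 'fixup protocol ftp 21' handles the data channel")
            continue
        matches = [e for e in cfg["acl"] if e["port"] == port]
        if not matches:
            errors.append(f"port {port}: static exists but no access-list entry permits it")
            continue
        for e in matches:
            kind, value = e["dst"]
            if kind == "host" and value == inside_ip:
                errors.append(f"port {port}: access-list {e['name']} names the inside address {value}; "
                              f"an ACL on {out_if} must use 'interface {out_if}' (the translated address)")
            elif kind == "any":
                notes.append(f"port {port}: access-list {e['name']} permits any destination; "
                             f"'interface {out_if}' is the tighter form")
            if bound is not None and e["name"] != bound:
                errors.append(f"port {port}: access-list {e['name']} is not the one applied to {out_if}")
        if port == 21 and "ftp" in cfg["no_fixup"]:
            errors.append("port 21: 'no fixup protocol ftp' disables the inspection FTP forwarding relies on")
    return {"errors": errors, "notes": notes}

# Constructed: the relevant lines of the first post, plus an FTP static with no ACL entry.
AS_POSTED = """\
nameif ethernet0 outside security0
fixup protocol ftp 21
access-list 100 permit icmp any any echo-reply
access-list outbound permit tcp any any eq 3389
access-list outbound permit tcp any any eq smtp
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
"""

# Constructed: the same forwards written the way replies #2 and #4 recommend.
CORRECTED = """\
nameif ethernet0 outside security0
fixup protocol ftp 21
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq ftp
access-group outside_in in interface outside
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for label, cfg_text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, audit(cfg_text))
```

    Run against the config as posted it reports the missing access-group and the FTP static with no permit, and flags the "any" destinations as a note only, matching the "very marginal" assessment in #4; the corrected config comes back clean. Feed it `show config` output pasted into a file and treat anything under "errors" as a forward that will not work.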
  10. ahmad.lists

    ahmad.lists Guest

    Without protocol fixup, FTP always creates issues.


     
    ahmad.lists, Sep 14, 2006
    #10
  11. dclarolh

    dclarolh

    Joined:
    Oct 1, 2006
    Messages:
    1
    Likes Received:
    0
    I am also trying to configure port forwarding, for SMTP... here is my running config. Please help.

    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password encrypted
    passwd encrypted
    hostname Mcell-PIX
    domain-name millenniumcell.local
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    no fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name x.x.x.x FrontBridge9
    name x.x.x.x FrontBridge11
    name x.x.x.x FrontBridge3
    name x.x.x.x FrontBridge5
    name x.x.x.x FrontBridge10
    name x.x.x.x FrontBridge7
    name x.x.x.x FrontBridge4
    name x.x.x.x FrontBridge6
    name x.x.x.x FrontBridge8
    name x.x.x.x FrontBridge1
    name x.x.x.x FrontBridge12
    name x.x.x.x FrontBridge2
    object-group service GeneralInboundAcces tcp
    description Accepted Inbound Protcols
    port-object eq daytime
    port-object eq pop3
    port-object eq imap4
    port-object eq nntp
    port-object eq pop2
    port-object eq aol
    port-object eq www
    object-group network FrontBridgeMailServers
    network-object FrontBridge1 255.255.255.255
    network-object FrontBridge2 255.255.255.255
    network-object FrontBridge10 255.255.255.255
    network-object FrontBridge3 255.255.255.255
    network-object FrontBridge4 255.255.255.255
    network-object FrontBridge5 255.255.255.255
    network-object FrontBridge11 255.255.255.255
    network-object FrontBridge8 255.255.255.255
    network-object FrontBridge6 255.255.255.255
    network-object FrontBridge7 255.255.255.255
    network-object FrontBridge9 255.255.255.255
    network-object FrontBridge12 255.255.255.255
    access-list mail permit tcp object-group FrontBridgeMailServers host
    access-list mail permit tcp any any eq smtp
    access-list mail permit tcp any host 192.168.0.16 eq smtp
    access-list mail permit tcp any interface outside eq smtp
    access-list inside_outbound_nat0_acl permit ip any 192.168.0.224 255.255.255.224

    access-list 100 permit tcp any any eq smtp
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.x 255.255.255.x
    ip address inside 192.168.0.7 255.255.255.0
    ip verify reverse-path interface outside
    ip audit name AttackDrop attack action drop
    ip audit name InfoDrop info action drop
    ip audit name InfoAlarm info action alarm
    ip audit name AttackAlarm attack action alarm drop
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool 192.168.0.225-192.168.0.250
    pdm location 192.168.0.8 255.255.255.255 inside
    pdm location 192.168.0.2 255.255.255.255 inside
    pdm location FrontBridge1 255.255.255.255 outside
    pdm location FrontBridge10 255.255.255.255 outside
    pdm location FrontBridge3 255.255.255.255 outside
    pdm location FrontBridge4 255.255.255.255 outside
    pdm location FrontBridge5 255.255.255.255 outside
    pdm location FrontBridge11 255.255.255.255 outside
    pdm location FrontBridge8 255.255.255.255 outside
    pdm location FrontBridge6 255.255.255.255 outside
    pdm location FrontBridge7 255.255.255.255 outside
    pdm location FrontBridge9 255.255.255.255 outside
    pdm location FrontBridge2 255.255.255.255 outside
    pdm location FrontBridge12 255.255.255.255 outside
    pdm location 192.168.0.224 255.255.255.224 outside
    pdm group FrontBridgeMailServers outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 192.168.0.0 255.255.255.0 0 0
    static (inside,outside) tcp interface smtp 192.168.0.16 smtp netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.x 192.168.0.2 netmask 255.255.255.255 0 0
    access-group mail in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server x.x.x.x source outside
    ntp server 128.118.25.3 source outside prefer
    http server enable
    http 192.168.0.8 255.255.255.255 inside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.0.8 C:\Progra~1\CiscoS~1\CiscoT~1
    floodguard enable
    sysopt connection permit-pptp
    service resetinbound
    telnet 192.168.0.2 255.255.255.255 inside
    telnet 192.168.0.8 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40 required
    vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
    vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.0.2
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local

    vpdn enable outside
    terminal width 80
    Cryptochecksum:fc29d2a4fa9fd7860c6c48a967a90d4c


    Some info: I have done everything described in this article. My mail server is on 192.168.0.16; it used to be configured for 192.168.0.2, I think. I don't know where I am wrong.
     
    Last edited: Oct 4, 2006
    dclarolh, Oct 1, 2006
    #11