Troubleshooting port redirection on PIX 501 using Syslog - PDM3.0.jpg (0/1)

Discussion in 'Cisco' started by JohnA, Jul 20, 2005.

  1. JohnA

    JohnA Guest

    I have a PIX 501 and want to redirect VNC from the outside to a host
    on the inside. I've googled this & been to the Cisco website & am still
    having no luck. I set up a Syslog server to help in troubleshooting
    this problem. Connectivity to the outside (web, outbound VNC
    connections) is not a problem. When I look at the logs I see the
    following:
    <167>Jul 20 2005 14:43:27 192.168.1.182 : %PIX-7-710005: TCP request
    discarded from xxx.xxx.xxx.xxx/62372 to outside:xxx.xxx.xxx.xxx/5900

    I used PDM 3.0 to setup the access rules. I've included a small
    screen shot as well as a running configuration. I'm very new to Cisco
    gear, but used Linux for my firewalls & VPNs for years. Any help
    would be appreciated.

    Thanks
    JA
    Result of firewall command: "sh run conf"

    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXX encrypted
    hostname XXXXXXXXXXX
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.240 Syslogger
    access-list outside_access_in permit tcp any eq 5900 host Syslogger eq 5900 log 7
    pager lines 24
    logging on
    logging timestamp
    logging console informational
    logging buffered informational
    logging trap debugging
    logging device-id ipaddress inside
    logging host inside Syslogger
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.xxx 255.255.255.248
    ip address inside 192.168.1.182 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location Syslogger 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 192.168.1.182 192.168.1.182 netmask 255.255.255.255 0 0
    static (inside,outside) Syslogger Syslogger netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 64.5.213.33 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:4213557af54970a204d89fa90d55d411
    : end
     
    JohnA, Jul 20, 2005
    #1

  2. If the public IP address is the IP address of the outside
    interface, then the syntax is:

    access-list outside_access_in permit tcp any interface outside eq 5900
    static (inside,outside) tcp interface 5900 192.168.1.X 5900

    If not, then use:

    access-list outside_access_in permit tcp any host X.X.X.X eq 5900
    static (inside,outside) tcp X.X.X.X 5900 192.168.1.X 5900
     
    Jyri Korhonen, Jul 20, 2005
    #2

  3. JohnA

    JohnA Guest

    On Wed, 20 Jul 2005 22:47:02 +0300, "Jyri Korhonen"
    As the public IP is the IP address of the outside interface, I tried
    the first suggestion without success. I decided to start from scratch
    & reset the PIX 501 to the factory default configuration, and entered
    the commands again. I still can't connect, but I am receiving the
    following message from syslog:

    <162>Jul 21 2005 14:01:16: %PIX-2-106001: Inbound TCP connection
    denied from 142.xxx.xxx.xxx/63072 to 64.xxx.xxx.xxx/5900 flags SYN on
    interface outside

    What am I doing incorrectly???

    Here's the running config as well

    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXX encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit tcp any interface outside eq 5900
    pager lines 24
    logging on
    logging timestamp
    logging trap warnings
    logging host inside 192.168.1.240
    mtu outside 1500
    mtu inside 1500
    ip address outside 64.xxx.xxx.xxx xxx.xxx.xxx.xxx
    ip address inside 192.168.1.182 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.240 255.255.255.255 inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 5900 192.168.1.240 5900 netmask 255.255.255.255 0 0
    route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.xxx 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:635610f7eb18dfe873cc2425484d7ee4
    : end
    [OK]
     
    JohnA, Jul 21, 2005
    #3
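    The two syslog messages quoted so far (710005 in the first post, 106001 after the
    reset) are the whole diagnosis, so here is a small triage script for them. This is an
    added example, not code from the thread or from Cisco. It assumes the PIX 6.x body
    layouts for 710005, 106001 and 302013 (the "Built inbound TCP connection" message
    you see once a redirect works); the sample lines are constructed, with 198.51.100.x
    as the VNC clients and 203.0.113.5 standing in for the masked outside address.

```python
"""Triage Cisco PIX 6.x syslog lines while debugging an inbound port redirect.

Added example (not from the thread): classifies %PIX-7-710005 and %PIX-2-106001,
plus %PIX-6-302013 for the working case, and says what each implies about the
static/ACL configuration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines modelled on the thread's messages; 198.51.100.x (clients)
# and 203.0.113.5 (outside interface) are documentation addresses, not real hosts.
SAMPLE_LOGS = [
    "<167>Jul 20 2005 14:43:27 192.168.1.182 : %PIX-7-710005: TCP request discarded "
    "from 198.51.100.7/62372 to outside:203.0.113.5/5900",
    "<162>Jul 21 2005 14:01:16: %PIX-2-106001: Inbound TCP connection denied from "
    "198.51.100.7/63072 to 203.0.113.5/5900 flags SYN on interface outside",
    "<162>Jul 21 2005 14:02:09: %PIX-2-106001: Inbound TCP connection denied from "
    "198.51.100.9/4444 to 203.0.113.5/23 flags SYN on interface outside",
    "<166>Jul 22 2005 09:15:41: %PIX-6-302013: Built inbound TCP connection 12 for "
    "outside:198.51.100.7/63100 (198.51.100.7/63100) to inside:192.168.1.240/5900 "
    "(203.0.113.5/5900)",
]

HEADER = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# Body layouts of the three message IDs this script understands (PIX 6.x format).
BODY = {
    "710005": re.compile(
        r"(?P<proto>TCP|UDP) request discarded from (?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "106001": re.compile(
        r"Inbound (?P<proto>TCP) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\w+)"),
    "302013": re.compile(
        r"Built (?P<direction>inbound|outbound) TCP connection \d+ for "
        r"(?P<siface>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
        r"(?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"),
}

# What each message means when you are chasing a broken inbound redirect.
MEANING = {
    "710005": ("DISCARDED", "packet hit the firewall's own interface address and nothing "
               "is translating or serving that port: the static to the interface address "
               "is missing or wrong"),
    "106001": ("DENIED", "SYN refused by the inbound policy on that interface: the ACL has "
               "no permit for this destination/port, or it is not bound with access-group"),
    "302013": ("BUILT", "translation and ACL both matched; the redirect works"),
}


@dataclass
class Event:
    msgid: str
    severity: int
    verdict: str
    meaning: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_pix_line(line: str) -> Optional[Event]:
    """Return an Event for any %PIX-x-nnnnnn line, with fields filled for known IDs."""
    m = HEADER.search(line)
    if not m:
        return None
    msgid = m.group("msgid")
    fields: Dict[str, str] = {}
    pat = BODY.get(msgid)
    if pat:
        bm = pat.search(m.group("body"))
        if bm:
            fields = {k: v for k, v in bm.groupdict().items() if v is not None}
    verdict, meaning = MEANING.get(msgid, ("OTHER", "not related to the redirect"))
    return Event(msgid, int(m.group("sev")), verdict, meaning, fields)


def triage(lines: List[str], port: int) -> List[Event]:
    """Keep, in order, only the events whose destination port is the redirected one."""
    events = []
    for line in lines:
        ev = parse_pix_line(line)
        if ev and ev.fields.get("dport") == str(port):
            events.append(ev)
    return events


def report(lines: List[str], port: int = 5900) -> str:
    """One line per relevant event: verdict, message ID, endpoints, and the hint."""
    rows = []
    for ev in triage(lines, port):
        f = ev.fields
        rows.append(f"{ev.verdict:<9} {ev.msgid} {f['src']}/{f['sport']} -> "
                    f"{f.get('iface', '?')}:{f['dst']}/{f['dport']}  {ev.meaning}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOGS))
```

    Run it against the syslog server's file with the redirected port as the filter and
    the verdict column tells you which layer to look at: DISCARDED means the static is
    not answering on the interface address, DENIED means the ACL (or its access-group
    binding), BUILT means both are in place.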
  4. JohnA

    JohnA Guest

    On Wed, 20 Jul 2005 22:47:02 +0300, "Jyri Korhonen"
    Found the problem.
    I forgot to do an access-group outside_access_in in interface outside
    command. Once I did that it worked fine.

    Thanks again for the help!!!!
     
    JohnA, Jul 22, 2005
    #4
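    The fix was the missing access-group, and the first config posted had two more
    problems that a static check would also have caught: the ACL matched on the client's
    source port (any eq 5900), and the static was an identity mapping of the private
    address rather than a redirect to the interface address. Below is an added example,
    not code from the thread or from Cisco, that parses the relevant PIX 6.x lines and
    reports all of these. The configs embedded in it are reconstructed from the thread
    with 203.0.113.5 standing in for the masked outside address; only the 6.x syntax seen
    here is parsed, and service names such as www are not normalised to port numbers.

```python
"""Static checks for a PIX 6.x inbound port redirect (added example, not thread code):
flags an ACL never bound with access-group, an ACL entry matching the client's source
port, an identity static on a private address, and a redirect with no matching permit."""
import ipaddress
import re
from typing import Dict, List

# Reconstructed from the thread's configs; 203.0.113.5 stands in for the masked outside
# address. BROKEN_CONFIG lacks the access-group line, FIXED_CONFIG adds it.
BROKEN_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq 5900
ip address outside 203.0.113.5 255.255.255.248
static (inside,outside) tcp interface 5900 192.168.1.240 5900 netmask 255.255.255.255 0 0
"""
FIXED_CONFIG = BROKEN_CONFIG + "access-group outside_access_in in interface outside\n"

# The first config posted: source-port match plus an identity static on the private host.
FIRST_CONFIG = """\
name 192.168.1.240 Syslogger
access-list outside_access_in permit tcp any eq 5900 host Syslogger eq 5900 log 7
ip address outside 203.0.113.5 255.255.255.248
static (inside,outside) Syslogger Syslogger netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>any|interface \S+|host \S+|\S+ \S+)(?: eq (?P<dport>\S+))?")


def parse_config(text: str) -> Dict:
    """Collect names, interface addresses, ACL entries, access-groups and statics."""
    cfg: Dict = {"names": {}, "ifaces": {}, "acls": {}, "groups": {}, "statics": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:              # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:                # ip address <if> <ip> <mask>
            cfg["ifaces"][t[2]] = t[3]
        elif t[0] == "access-group":                    # access-group <acl> in interface <if>
            cfg["groups"][t[1]] = (t[2], t[4])
        elif t[0] == "access-list":
            m = ACL_RE.match(raw.strip())
            if m:
                cfg["acls"].setdefault(m["name"], []).append(m.groupdict())
        elif t[0] == "static":
            inner, outer = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):                  # port-redirect form
                s = dict(proto=t[2], gaddr=t[3], gport=t[4], laddr=t[5], lport=t[6])
            else:                                       # one-to-one form
                s = dict(proto=None, gaddr=t[2], gport=None, laddr=t[3], lport=None)
            cfg["statics"].append(dict(s, inner=inner, outer=outer))
    return cfg


def _addr(token: str, cfg: Dict, outer: str) -> str:
    """Turn 'interface', 'interface <if>', 'host <x>' or a name into a comparable IP."""
    kind, _, val = token.partition(" ")
    if kind == "interface":
        return cfg["ifaces"].get(val or outer, token)
    if kind == "host":
        return cfg["names"].get(val, val)
    return cfg["names"].get(token, token)               # bare name/IP, 'any', or 'addr mask'


def _permits(e: Dict, s: Dict, cfg: Dict) -> bool:
    """Does ACL entry e allow traffic to the global side of redirect s?"""
    if e["action"] != "permit" or e["proto"] not in (s["proto"], "ip"):
        return False
    if e["dport"] is not None and e["dport"] != s["gport"]:
        return False
    return e["dst"] == "any" or _addr(e["dst"], cfg, s["outer"]) == _addr(s["gaddr"], cfg, s["outer"])


def check(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the redirect looks complete."""
    cfg = parse_config(text)
    findings: List[str] = []
    for name, entries in cfg["acls"].items():
        if name not in cfg["groups"]:
            findings.append(f"ACL {name} is defined but never applied with access-group, "
                            f"so inbound traffic still hits the implicit deny")
        for e in entries:
            if e["sport"]:
                findings.append(f"ACL {name}: entry matches source port {e['sport']}; "
                                f"clients use ephemeral source ports, so this matches nothing")
    for s in cfg["statics"]:
        g, l = _addr(s["gaddr"], cfg, s["outer"]), _addr(s["laddr"], cfg, s["outer"])
        if s["proto"] is None:
            try:
                private = ipaddress.ip_address(g).is_private
            except ValueError:
                private = False
            if g == l and private:
                findings.append(f"static {s['gaddr']} {s['laddr']}: identity static on a private "
                                f"address is unreachable from {s['outer']}; use 'static "
                                f"({s['inner']},{s['outer']}) tcp interface <port> {l} <port>'")
            continue
        bound = [a for a, (d, i) in cfg["groups"].items() if d == "in" and i == s["outer"]]
        if bound and not any(_permits(e, s, cfg) for a in bound for e in cfg["acls"].get(a, [])):
            findings.append(f"redirect {s['proto']}/{s['gport']} -> {s['laddr']}:{s['lport']} "
                            f"has no matching permit in {', '.join(bound)}")
    return findings


if __name__ == "__main__":
    for label, text in (("first", FIRST_CONFIG), ("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", check(text) or ["OK"])
```

    Feed it the output of "sh run" and it reports the unbound ACL for the second config,
    the source-port match and identity static for the first, and nothing for the config
    with the access-group line added. The destination comparison treats "interface
    outside" in the ACL and "interface" in the static as the same address, which is the
    pairing the reply above recommends.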
