• cabling news
  Newsletter Industry News Our Site News
• help
  Home Cabling Guide Cabling FAQ Free Helpdesk Forums Learn Cabling
• resources
  Color Codes Pin Layouts Links E-books Bookstore Online Tools Downloads
• this site
  Home Page Contact us Advertise Here Link to us
• this page
  Bookmark It! Print
• +

Cisco Systems cisco pix 515 port forwarding - NOT possible? hard to believe..

Bookmark this page:   Yahoo!   Google   Windows Live   del.icio.us   digg   Netscape

Subject Author Date cisco pix 515 port forwarding - NOT possible? hard to believe.. google 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... Martin Kayes 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... google 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... Walter Roberson 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... google 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... Walter Roberson 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... google 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... Walter Roberson 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... google 07-28-05  Re: cisco pix 515 port forwarding - NOT possible? ... KLO11 07-27-05  Re: cisco pix 515 port forwarding - NOT possible? ... google 07-27-05

Posted by on July 27, 2005, 12:23 am Please log in for more thread options Hi, i don't understand why this can not be done. i have a cisco pix 515 with a pool of static IP addresss (14IPs) assigned by ISP. My internal network is 10.10.0.0/24. the pix has 2 interfaces. web and ssh traffic from outside to internal web/ssh server is fine. internal client have no problems accessing the internet. i have nagios clients NRPE installed on the internal network and nagios monitor server installed outside of the pix firewall. i would like to allow the nagios server to monitor the server behind the firewall. to save IPs, i am using 1 static IP address for mapping and use it to port forward to all internal IP addresses at 5666. for testing, i telnet from outside the firewall to x.x.x.146 x.x.x.147 port 5666 5667 5668 5669 all fails except to port 5666 on x.x.x.147. here is my current config. any help would be greatly appreciated! g. mypix# show run : Saved : PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password xQIfy7TWQw.w encrypted passwd T7Jj6BURLPDx encrypted hostname mypix domain-name cisco.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list 100 permit icmp any any echo-reply access-list 100 permit icmp any any time-exceeded access-list 100 permit tcp any host x.x.112.147 eq www access-list 100 permit tcp any host x.x.112.147 eq ssh access-list 100 permit tcp any host x.x.112.147 eq 5666 access-list 100 permit tcp any host x.x.112.147 eq 5667 access-list 100 permit tcp any host x.x.112.147 eq 5668 access-list 100 permit tcp any host x.x.112.147 eq 5669 access-list 100 permit tcp any host x.x.112.146 eq 5666 access-list 100 permit tcp any host x.x.112.146 eq 5667 access-list 100 permit tcp any host x.x.112.146 eq 5668 access-list 100 permit tcp any host x.x.112.146 eq 5669 access-list split permit ip 10.10.0.0 255.255.255.0 10.1.2.0 255.255.255.0 access-list nonat permit ip 10.10.0.0 255.255.255.0 10.1.2.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside x.x.112.146 255.255.255.240 ip address inside 10.10.0.254 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool poolclient 10.1.2.1-10.1.2.254 pdm location 10.10.0.0 255.255.255.0 inside pdm history enable arp timeout 14400 global (outside) 1 x.x.112.150-x.x.112.157 global (outside) 1 interface global (outside) 1 x.x.112.158 nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) x.x.112.147 10.10.0.101 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5666 10.10.0.103 5666 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5667 10.10.0.104 5666 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5668 10.10.0.105 5666 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5669 10.10.0.106 5666 netmask 255.255.255.255 0 0 access-group 100 in interface outside route outside 0.0.0.0 0.0.0.0 x.x.x.145 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 10.10.0.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set myset esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 ipsec-isakmp dynamic dynmap crypto map mymap client configuration address initiate crypto map mymap client configuration address respond crypto map mymap client authentication LOCAL crypto map mymap interface outside isakmp enable outside isakmp identity address isakmp nat-traversal 20 isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 vpngroup vpn3000 address-pool poolclient vpngroup vpn3000 dns-server x.x.x.1 vpngroup vpn3000 split-tunnel split vpngroup vpn3000 idle-time 1800 vpngroup vpn3000 password ******** telnet x.x.x.253 255.255.255.255 outside telnet 10.10.0.0 255.255.255.0 inside telnet timeout 5 ssh x.x.115.0 255.255.255.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 10.10.0.0 255.255.255.0 inside ssh timeout 5 console timeout 0 username x01 password zyjVE5 encrypted privilege 2 username x03 password Vct8HaSB encrypted privilege 2 username x2 password hXVsT encrypted privilege 2 username x5 password . szmqxT encrypted privilege 2 username x4 password tUTLfiAnl encrypted privilege 2 username x7 password fJst049 encrypted privilege 2 username x8 password SqKcA/Nc encrypted privilege 2 username x9 password JMOSfRm7mx encrypted privilege 2 username x8 password kTTR8uWaa encrypted privilege 2 terminal width 80 Cryptochecksum:e65b29b7262d0c17d8610ec75d9351b6 : end

Posted by Martin Kayes on July 27, 2005, 8:45 am Please log in for more thread options I am surprised that the PIX didn't complain when you entered the last 3 static commands. The problem you have is that you are trying to static all 4 566x ports to the same inside port 5666, What do you see for these 4 lines if you do a "show xlate" ? Martin > Hi, > > i don't understand why this can not be done. > > i have a cisco pix 515 with a pool of static IP addresss (14IPs) > assigned by ISP. My internal network is 10.10.0.0/24. the pix has 2 > interfaces. web and ssh traffic from outside to internal web/ssh server > is fine. internal client have no problems accessing the internet. > > i have nagios clients NRPE installed on the internal network and nagios > monitor server installed outside of the pix firewall. i would like to > allow the nagios server to monitor the server behind the firewall. > to save IPs, i am using 1 static IP address for mapping and use it to > port forward to all internal IP addresses at 5666. for testing, i > telnet from outside the firewall to x.x.x.146 x.x.x.147 port 5666 5667 > 5668 5669 all fails except to port 5666 on x.x.x.147. > > > > > here is my current config. any help would be greatly appreciated! > > g. > > > > mypix# show run > : Saved > : > PIX Version 6.3(4) > interface ethernet0 auto > interface ethernet1 auto > nameif ethernet0 outside security0 > nameif ethernet1 inside security100 > enable password xQIfy7TWQw.w encrypted > passwd T7Jj6BURLPDx encrypted > hostname mypix > domain-name cisco.com > fixup protocol dns maximum-length 512 > fixup protocol ftp 21 > fixup protocol h323 h225 1720 > fixup protocol h323 ras 1718-1719 > fixup protocol http 80 > fixup protocol rsh 514 > fixup protocol rtsp 554 > fixup protocol sip 5060 > fixup protocol sip udp 5060 > fixup protocol skinny 2000 > fixup protocol smtp 25 > fixup protocol sqlnet 1521 > fixup protocol tftp 69 > names > access-list 100 permit icmp any any echo-reply > access-list 100 permit icmp any any time-exceeded > access-list 100 permit tcp any host x.x.112.147 eq www > access-list 100 permit tcp any host x.x.112.147 eq ssh > access-list 100 permit tcp any host x.x.112.147 eq 5666 > access-list 100 permit tcp any host x.x.112.147 eq 5667 > access-list 100 permit tcp any host x.x.112.147 eq 5668 > access-list 100 permit tcp any host x.x.112.147 eq 5669 > access-list 100 permit tcp any host x.x.112.146 eq 5666 > access-list 100 permit tcp any host x.x.112.146 eq 5667 > access-list 100 permit tcp any host x.x.112.146 eq 5668 > access-list 100 permit tcp any host x.x.112.146 eq 5669 > access-list split permit ip 10.10.0.0 255.255.255.0 10.1.2.0 > 255.255.255.0 > access-list nonat permit ip 10.10.0.0 255.255.255.0 10.1.2.0 > 255.255.255.0 > pager lines 24 > mtu outside 1500 > mtu inside 1500 > ip address outside x.x.112.146 255.255.255.240 > ip address inside 10.10.0.254 255.255.255.0 > ip audit info action alarm > ip audit attack action alarm > ip local pool poolclient 10.1.2.1-10.1.2.254 > pdm location 10.10.0.0 255.255.255.0 inside > pdm history enable > arp timeout 14400 > global (outside) 1 x.x.112.150-x.x.112.157 > global (outside) 1 interface > global (outside) 1 x.x.112.158 > nat (inside) 0 access-list nonat > nat (inside) 1 0.0.0.0 0.0.0.0 0 0 > static (inside,outside) x.x.112.147 10.10.0.101 netmask 255.255.255.255 > 0 0 > static (inside,outside) tcp interface 5666 10.10.0.103 5666 netmask > 255.255.255.255 0 0 > static (inside,outside) tcp interface 5667 10.10.0.104 5666 netmask > 255.255.255.255 0 0 > static (inside,outside) tcp interface 5668 10.10.0.105 5666 netmask > 255.255.255.255 0 0 > static (inside,outside) tcp interface 5669 10.10.0.106 5666 netmask > 255.255.255.255 0 0 > access-group 100 in interface outside > route outside 0.0.0.0 0.0.0.0 x.x.x.145 1 > timeout xlate 3:00:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 > 1:00:00 > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 > timeout uauth 0:05:00 absolute > aaa-server TACACS+ protocol tacacs+ > aaa-server TACACS+ max-failed-attempts 3 > aaa-server TACACS+ deadtime 10 > aaa-server RADIUS protocol radius > aaa-server RADIUS max-failed-attempts 3 > aaa-server RADIUS deadtime 10 > aaa-server LOCAL protocol local > http server enable > http 10.10.0.0 255.255.255.0 inside > no snmp-server location > no snmp-server contact > snmp-server community public > no snmp-server enable traps > floodguard enable > sysopt connection permit-ipsec > crypto ipsec transform-set myset esp-des esp-md5-hmac > crypto dynamic-map dynmap 10 set transform-set myset > crypto map mymap 10 ipsec-isakmp dynamic dynmap > crypto map mymap client configuration address initiate > crypto map mymap client configuration address respond > crypto map mymap client authentication LOCAL > crypto map mymap interface outside > isakmp enable outside > isakmp identity address > isakmp nat-traversal 20 > isakmp policy 10 authentication pre-share > isakmp policy 10 encryption des > isakmp policy 10 hash md5 > isakmp policy 10 group 2 > isakmp policy 10 lifetime 86400 > vpngroup vpn3000 address-pool poolclient > vpngroup vpn3000 dns-server x.x.x.1 > vpngroup vpn3000 split-tunnel split > vpngroup vpn3000 idle-time 1800 > vpngroup vpn3000 password ******** > telnet x.x.x.253 255.255.255.255 outside > telnet 10.10.0.0 255.255.255.0 inside > telnet timeout 5 > ssh x.x.115.0 255.255.255.0 outside > ssh 0.0.0.0 0.0.0.0 outside > ssh 10.10.0.0 255.255.255.0 inside > ssh timeout 5 > console timeout 0 > username x01 password zyjVE5 encrypted privilege 2 > username x03 password Vct8HaSB encrypted privilege 2 > username x2 password hXVsT encrypted privilege 2 > username x5 password . szmqxT encrypted privilege 2 > username x4 password tUTLfiAnl encrypted privilege 2 > username x7 password fJst049 encrypted privilege 2 > username x8 password SqKcA/Nc encrypted privilege 2 > username x9 password JMOSfRm7mx encrypted privilege 2 > username x8 password kTTR8uWaa encrypted privilege 2 > terminal width 80 > Cryptochecksum:e65b29b7262d0c17d8610ec75d9351b6 > : end >

Posted by on July 27, 2005, 10:15 am Please log in for more thread options Hi, thanx for the quite response. could you elaborate a bit more what you mean. i am a bit confused. the static commands are no difference than say, port forwarding web traffic on port 80 to internal port 8088, 8081, 8088, etc... when i do a show xlate, it gives me the translation, correctly. in this scenerio, i am asking all traffics comming to x.x.112.147 or x.x.112.146 with destination port of 5666 5667 5668 5669 to point to internal hosts 10.10.0.3 10.10.0.4 10.10.0.5 10.10.0.6 to their ports 5666. what am i missing? is this possible, or my syntex is incorrect.. thanx for your help.

Posted by Walter Roberson on July 27, 2005, 5:39 pm Please log in for more thread options :in this scenerio, i am asking all traffics :comming to x.x.112.147 or x.x.112.146 with destination port of 5666 :5667 5668 5669 to point to internal hosts 10.10.0.3 10.10.0.4 :10.10.0.5 10.10.0.6 to their ports 5666. what am i missing? is this :possible, or my syntex is incorrect.. You can't do that. Each inside IP+port can be statically mapped to exactly one outside IP+port. Thus, you could have x.x.112.146 5666 map to 10.10.0.3 5666 but then you have "used up" 10.10.0.3 5666 and cannot -also- have x.x.112.147 5666 go to the same place. Well... more than one mapping to an internal IP+port is possible, but only by using policy nat or policy static, in which case the remote machines IP+port can be part of the configuration. For example you could have x.x.112.146 5666 map to 10.10.0.3 5666 usually, but for source 22.33.44.55 you could have x.x.112.147 5666 map there instead. The important part to remember is that static mappings are reversible, and you can't have a single inside IP+port map to two different external IP+port (at least not without further qualification of when the different mapping should be used.) -- 'The short version of what Walter said is "You have asked a question which has no useful answer, please reconsider the nature of the problem you wish to solve".' -- Tony Mantler

Posted by on July 27, 2005, 11:39 am Please log in for more thread options Hi, thank you for the quick response. let me be more clear. outsidide connections to x.x.112.147 with thd following destination ports: x.x.112.147 :5666 x.x.112.147 :5667 x.x.112.147: 5668 x.x.112.147 5669 i want it to point to internal hosts 10.10.0.3 :5666 10.10.0.4 :5666 10.10.0.5 :5666 10.10.0.6 :5666 it does not seem to work. i also tried telneting on the pix IP x.x.112.146 with the destination ports and it also fails. howerver traffic to web, and ssh works on x.x.112.147 to 10.10.0.101. it may have something to do with "interface" in the static mapping definition. so i created the following maping and access_list static (inside,outside) x.x.112.147 10.10.0.101 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5666 10.10.0.103 5666 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5667 10.10.0.104 5666 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5668 10.10.0.105 5666 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5669 10.10.0.106 5666 netmask 255.255.255.255 0 0 access-group 100 in interface outside access-list 100 permit tcp any host x.x.112.147 eq 5666 access-list 100 permit tcp any host x.x.112.147 eq 5667 access-list 100 permit tcp any host x.x.112.147 eq 5668 access-list 100 permit tcp any host x.x.112.147 eq 5669 access-list 100 permit tcp any host x.x.112.146 eq 5666 access-list 100 permit tcp any host x.x.112.146 eq 5667 access-list 100 permit tcp any host x.x.112.146 eq 5668 access-list 100 permit tcp any host x.x.112.146 eq 5669 g.

Similar Threads	Posted
cisco pix 515 port forwarding - NOT possible? hard to believe..	July 27, 2005, 12:23 am
Port Forwarding with Cisco 871??	September 25, 2005, 12:58 pm
Cisco 871 router port forwarding	July 12, 2006, 8:41 pm
Cisco PIX 501 port forwarding trouble	September 24, 2006, 10:32 am
port mapping or forwarding on Cisco Pix 506E	August 5, 2005, 1:30 pm
Port forwarding from cisco 2600 to ASA-5510	July 20, 2006, 10:23 am
Port Forwarding / VPN Pass-Thru on a Cisco 2800	August 30, 2006, 3:20 pm
Cisco 2600 + DSL + Cable -> Failover and port forwarding	July 2, 2008, 12:47 am
Port forwarding	February 2, 2006, 3:05 pm
Port forwarding help?	June 4, 2006, 10:23 pm
Need help Port forwarding on PIX 501	September 14, 2006, 9:18 am
Port 21 forwarding on PIX 501	September 15, 2006, 11:56 pm
PIX Port Forwarding	November 15, 2006, 2:42 pm
port forwarding	December 13, 2006, 9:39 am
Port Forwarding	October 7, 2008, 9:36 am

Contact Us | Privacy Policy