Need help on port forward on 501 PIX

Hi guys,

I need your help here. It looks like a pretty simple config, but I'm pulling my hair out on this one. I want outside users to be able to remote into a server inside the LAN. The server is running a host with the IP 192.168.20.11. I'm posting my sh conf for you guys to review.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password kR2PqlMuctVWaS9A encrypted
passwd kR2PqlMuctVWaS9A encrypted
hostname 560-Pix
domain-name mycompany.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xx.xx.xx.xx Outside-IP
name xx.xx.xx.xx Gateway
name 192.168.20.2 Inside-File
name xx.xx.xx.xx Outside-File
name 192.168.20.254 Inside-IP
name 192.168.20.11 pcanywhere
access-list 560-604 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255. 5.0
access-list 560-152 permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255. 5.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.25 0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.25 0
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host Outside-File eq 3389
access-list outbound permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255 55.0
access-list outbound permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255 55.0
access-list outbound deny tcp any any eq 135
access-list outbound deny tcp any any eq 445
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq ftp-data
access-list outbound permit tcp any any eq telnet
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq 3389
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq https
access-list outbound permit tcp any any eq citrix-ica
access-list outbound permit tcp any any eq aol
access-list outbound permit tcp any any eq 5900
access-list outbound permit tcp any any eq 4899
access-list outbound permit tcp any any eq ldap
access-list outbound permit tcp any any eq pcanywhere-data
access-list outbound permit udp any any eq pcanywhere-status
access-list outbound permit tcp any any eq 3387
access-list outbound permit tcp any any eq 3388
access-list outbound permit tcp any any eq 3101
access-list outbound permit tcp any any eq 13501
access-list outbound permit tcp any any eq 13502
access-list outbound permit tcp any any eq 13503
access-list outbound permit tcp any any eq 548
access-list outbound permit icmp any any
access-list outbound permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside Outside-IP 255.255.255.240
ip address inside Inside-IP 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.20.0 255.255.255.0 inside
pdm location Inside-File 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location 192.168.30.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data pcanywhere pcanywher netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 pcanywhere 5632 netmask 255.255 55 0 0
static (inside,outside) Outside-File Inside-File netmask 255.255.255.255 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set Riese-tran esp-des esp-md5-hmac
crypto dynamic-map Riese-DYN 21 set transform-set Riese-tran
crypto map Roller-Map 19 ipsec-isakmp
crypto map Roller-Map 19 match address 560-152
crypto map Roller-Map 19 set peer xx.xx.xx.xxx
crypto map Roller-Map 19 set transform-set Riese-tran
crypto map Roller-Map 20 ipsec-isakmp
crypto map Roller-Map 20 match address 560-604
crypto map Roller-Map 20 set peer xx.xx.xx.xxx
crypto map Roller-Map 20 set transform-set Riese-tran
crypto map Roller-Map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xxx netmask 255.255.255.255 no-xauth fig-mode
isakmp key ******** address xx.xx.xx.xxx netmask 255.255.255.255 no-xauth fig-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 64800
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:8c1ac935d454ac42bf2bcecf8e36fd00
560-Pix#
Reply to
kennylee88

In article , wrote:
: I need your help here. It looks like pretty simple config, but I
: pulling my hair out on this one. I want outside to able to remote a
: server inside the LAN.

Your lines are truncated so we can't tell exactly what they read.

What you do need to know is that the pcanywhere status port is UDP instead of TCP.

Reply to
Walter Roberson

Sorry, okay here are the 2 lines.

static (inside,outside) tcp interface pcanywhere-data pcanywhere pcanywhere netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 pcanywhere 5632 netmask 255.255.55 0 0
Reply to
kennylee88
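Added example, not code from either poster: a small offline check that reads a PIX 6.3 style config and tests the two things the thread turns on. First, the port statics reposted above both say tcp, but pcanywhere-status is UDP 5632 (Walter's point), so the second static is declared with the wrong protocol. Second, the only inbound entry in the posted config permits tcp/3389 to Outside-File, so nothing in the access-list applied inbound on outside permits either pcAnywhere port to the interface address the statics map to. The BROKEN sample is a constructed copy of those lines (RFC 5737 addresses stand in for the xx.xx.xx.xx values, 198.51.100.7 is an invented admin host), FIXED is the corrected version, and PORT_NAMES is an assumed subset of the PIX 6.3 port keywords.

```python
"""Check PIX 6.3 port statics against the ACL applied inbound on 'outside'.

Added example, not code from the thread.  Parses 'name', 'ip address outside',
'static', 'access-list ... permit' and 'access-group' lines; flags a port static
whose protocol contradicts the well-known service and a port static that no
inbound ACL entry permits.
"""

# Assumed subset of the PIX 6.3 literal port names -> (protocol, number).
PORT_NAMES = {"pcanywhere-data": ("tcp", 5631), "pcanywhere-status": ("udp", 5632)}
PORT_NUMBERS = {n: (p, name) for name, (p, n) in PORT_NAMES.items()}

# Constructed sample modelled on the poster's lines (RFC 5737 addresses stand in
# for the xx.xx.xx.xx values).  Both statics are tcp; the ACL only permits 3389.
BROKEN = """\
name 192.168.20.11 pcanywhere
name 203.0.113.10 Outside-IP
ip address outside Outside-IP 255.255.255.240
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host Outside-File eq 3389
static (inside,outside) tcp interface pcanywhere-data pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 pcanywhere 5632 netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

# Corrected: the status static is udp and the inbound ACL permits both mapped
# ports, from one admin host (198.51.100.7, constructed) rather than from any.
FIXED = """\
name 192.168.20.11 pcanywhere
name 203.0.113.10 Outside-IP
ip address outside Outside-IP 255.255.255.240
access-list inbound permit tcp host 198.51.100.7 host Outside-IP eq pcanywhere-data
access-list inbound permit udp host 198.51.100.7 host Outside-IP eq pcanywhere-status
static (inside,outside) tcp interface pcanywhere-data pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""


def port_number(tok):
    """'5632' -> 5632, 'pcanywhere-status' -> 5632; unknown names pass through."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok, (None, tok))[1]


def take_addr(t):
    """Consume one address spec: any | host X | interface IF | addr mask."""
    if t[0] == "any":
        return ("any", None), t[1:]
    if t[0] in ("host", "interface"):
        return (t[0], t[1]), t[2:]
    return ("net", t[0]), t[2:]


def parse(config):
    names, statics, acls, outside_ip, inbound = {}, [], {}, None, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                                   # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:3] == ["ip", "address", "outside"]:
            outside_ip = t[3]
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (in,out) <proto> <mapped|interface> <mport> <real> <rport> netmask ...
            statics.append({"proto": t[2], "mapped": t[3],
                            "mport": port_number(t[4]), "line": line})
        elif t[0] == "access-list" and t[2] == "permit":
            # access-list <id> permit <proto> <src> [eq p] <dst> [eq p]
            _, rest = take_addr(t[4:])
            if rest[:1] == ["eq"]:
                rest = rest[2:]
            dst, rest = take_addr(rest)
            port = port_number(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append((t[3], dst, port))
        elif t[0] == "access-group" and t[2:5] == ["in", "interface", "outside"]:
            inbound = t[1]
    resolve = lambda x: names.get(x, x)
    return statics, acls.get(inbound, []), inbound, resolve(outside_ip), resolve


def permits(ace, st, outside_ip, resolve):
    """True if one ACE allows traffic to the static's mapped address and port."""
    proto, (kind, target), port = ace
    if proto not in ("ip", st["proto"]) or port not in (None, st["mport"]):
        return False
    mapped = outside_ip if st["mapped"] == "interface" else resolve(st["mapped"])
    if kind == "any":
        return True
    if kind == "interface":
        return target == "outside" and mapped == outside_ip
    return kind == "host" and resolve(target) == mapped


def audit(config):
    """Return findings as strings; an empty list means the statics look consistent."""
    statics, aces, inbound, outside_ip, resolve = parse(config)
    out = [] if inbound else ["no access-group applied inbound on outside"]
    for st in statics:
        known = PORT_NUMBERS.get(st["mport"])
        if known and known[0] != st["proto"]:
            out.append(f"{st['line']}: port {st['mport']} is {known[1]} "
                       f"({known[0].upper()}), but the static says {st['proto']}")
        if not any(permits(a, st, outside_ip, resolve) for a in aces):
            out.append(f"{st['line']}: no entry in ACL '{inbound}' permits "
                       f"{st['proto']}/{st['mport']} to the mapped address")
    return out


if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, audit(cfg) or ["ok"])
```

Running it prints three findings for BROKEN (the tcp/udp mismatch on 5632 and a missing inbound permit for each static) and "ok" for FIXED. The FIXED fragment uses `host Outside-IP` as the destination because the interface address is what `static ... interface` maps to, and restricts the source to the one host that needs pcAnywhere rather than `any`.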

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.