PIX 501 unable to map port. Plx help

- N
- noway
  
  Contact options for registered users
posted
17 years ago

Wed, Aug 30, 2006 5:58 PM

Need to map ports through on a PIX 501, and have the following static rules setup:

static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask

255.255.255.255 0 0 static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

The rest of the network uses pat on 66.x.x.98. We have .98 - .102 available for outside.

Can't seem to get the access rule to work for the incoming port 5051, or any other port for that matter. Or maybe there is a problem with the static rules.

Any help would be much appreciated.

Thanks.

Building configuration... : Saved : PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password jgnwagB3rxzkm2J7 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pixfirewall domain-name ciscopix.com clock timezone CST -6 clock summer-time CDT recurring fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69

access-list inside_outbound_nat0_acl permit ip any 192.168.1.192

255.255.255.224 access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.192 pager lines 24 logging on icmp permit any inside mtu outside 1500 mtu inside 1500 ip address outside 66.x.x.98 255.255.255.248 ip address inside 192.168.1.254 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool ippool 192.168.1.221-192.168.1.245 pdm location RWSFPS 255.255.255.255 inside pdm location 192.168.1.192 255.255.255.224 outside pdm location 192.168.1.192 255.255.255.192 outside pdm location 192.168.1.5 255.255.255.255 inside pdm location 66.x.x.99 255.255.255.255 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 10 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 10 0.0.0.0 0.0.0.0 0 0 static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask 255.255.255.255 0 0 static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0 route outside 0.0.0.0 0.0.0.0 66.x.x.97 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server RADIUS (inside) host 192.168.1.1 reward timeout 10 aaa-server LOCAL protocol local http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-pptp telnet 192.168.1.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 vpdn group PPTP-VPDN-GROUP accept dialin pptp vpdn group PPTP-VPDN-GROUP ppp authentication chap vpdn group PPTP-VPDN-GROUP ppp authentication mschap vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto vpdn group PPTP-VPDN-GROUP client configuration address local ippool vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.1 vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS vpdn group PPTP-VPDN-GROUP client accounting RADIUS vpdn group PPTP-VPDN-GROUP pptp echo 60 vpdn enable outside vpdn enable inside dhcpd address 192.168.1.12-192.168.1.100 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside terminal width 80 Cryptochecksum:558bf1ecd1951ae19f65df59c885d4fa : end [OK]

- C
- chris
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Wed, Aug 30, 2006 7:12 PM

You have a static ..

static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

.. but I can't see an ACL allowing port 5051 in. A static on it's own isn't enough.

Not sure what you're trying to do with that other back to front static ..

static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask

??

Chris.

- M
- mcaissie
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Wed, Aug 30, 2006 7:16 PM

First regarding your translation rules ;

static (inside,outside) 66.x.x.99 192.168.1.5 netmask 255.255.255.255 0 0

This line is ok and will translate the inside 192.168.1.5 with the outside

66.x.x.99 192 wich is what you want. If you want to limit to a single tcp port , it's this rule that you have to modify.

Your second rule is useless and faulty

static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask

255.255.255.255 0 0

This line means that the real outside IP 66.x.x.99 is translated on the inside with 192.168.1.5. It's faulty because 192.168.1.5 is already assign on the inside so you can't use it for translation and 66.x.x.99 is already assigned to the outside PIX so it doesn't make sens to translate it. But obviously here you just misunderstood the static syntax.

static (outside,inside) means that you want to mask an outside address , while static (inside,outside) means that you want to mask an inside address.

Next creating a translation is one thing but you also have to permit the traffic on your outside interface , using an access-group.

access-list outside_inbound_acl permit ip any 66.x.x.99 access-group outside_inbound_acl in interface outside

In conclusion ,

no static (outside,inside) tcp 192.168.1.5 5051 66.x.x.99 5051 netmask

255.255.255.255 0 0 clear xlate access-list outside_inbound_acl permit ip any 66.x.x.99 access-group outside_inbound_acl in interface outside

Be aware the clear xlate will reset all existing session s, but you better do it when modifying static rules , to clean up existing translations.

- M
- mcaissie
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Wed, Aug 30, 2006 7:18 PM

Correction

access-list outside_inbound_acl permit ip any host 66.x.x.99 or access-list outside_inbound_acl permit tcp any host 66.x.x.99 eq 5051

- M
- mak
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Thu, Aug 31, 2006 12:24 PM

right, wasted once about 2 hours. you HAVE to clear xlate , otherwise it will show correct in sh static, and in sh xlate...but it won't work.

other option is reboot :-)

- N
- noway
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Fri, Sep 8, 2006 5:44 PM

The static outbound is to force outgoing traffic on that server to ip address .99.

The ACL the configuration utility puts in is the following:

access-list outside_access_in permit tcp host 192.168.1.5 eq 5150 host

192.168.1.5 eq 5150

and I've tried several others also. Can't seem to get traffic through.

- W
- Walter Roberson
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Fri, Sep 8, 2006 6:00 PM

No, that second static means "If you see traffic coming in to the inside interface with a destination IP of 192.168.1.5 then the destination IP is to be translated to 66.x.x.99 as the packet goes out.

Notice that's *destination*, not *source*. The standard static (inside,outside) takes care of the source IP for outgoing traffic.