Port forward not working

Guys, I've set up a static statement and believe I've put in the necessary access list to allow the required ports to be forwarded. Could you have a look over this and see if I've missed anything obvious?

By the way, this PIX is behind a managed router, but I've been told all ports are open.

Any help would be appreciated.

Paul

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 state security10
hostname pixfirewall
domain-name ciscopix.com
clock timezone GMT/BST 0
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.91.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.92.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.200.0 255.255.248.0
access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.100.21.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.100.21.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.92.0 255.255.255.0
access-list VPN_splitTunnelAcl permit ip 192.168.100.0 255.255.252.0 any
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.252.0 192.168.200.0 255.255.248.0
access-list outside_cryptomap_20 permit ip 192.100.20.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list outside_cryptomap_40 permit ip 192.168.100.0 255.255.252.0 192.100.21.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.100.20.0 255.255.255.0 192.100.21.0 255.255.255.0
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq https
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq https
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq pptp
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq pptp
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq smtp
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq smtp
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq www
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq www
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu state 1500
ip address outside xxx.xxx.xxx.109 255.255.255.240
ip address inside 192.168.102.33 255.255.252.0
no ip address intf2
no ip address intf3
no ip address intf4
ip address state 192.168.90.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP 192.168.91.1-192.168.91.254
ip local pool IPSEC 192.168.92.1-192.168.92.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside xxx.xxx.xxx.108
failover ip address inside 192.168.102.32
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
failover ip address state 192.168.90.2
failover link inside
pdm location 192.168.102.12 255.255.255.255 inside
pdm location 192.168.91.0 255.255.255.0 outside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 192.100.20.0 255.255.255.0 inside
pdm location 192.100.21.0 255.255.255.0 outside
pdm location 192.168.200.0 255.255.255.255 outside
pdm location 192.168.200.0 255.255.248.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.105 192.168.101.93 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
route inside 192.100.20.0 255.255.255.0 192.168.102.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.200.0 255.255.248.0 outside
http 192.168.100.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer yyy.yyy.yyy.140
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer zzz.zzz.zzz.189
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address yyy.yyy.yyy.140 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address zzz.zzz.zzz.189 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool IPSEC
vpngroup VPN dns-server 192.168.102.6
vpngroup VPN wins-server 192.168.102.6 192.168.102.14
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 192.168.200.0 255.255.248.0 outside
telnet 192.168.100.0 255.255.252.0 inside
telnet timeout 5
ssh 192.168.200.0 255.255.248.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.100.0 255.255.252.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local PPTP
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username administrator password ********
vpdn username remote password ********
vpdn enable outside
terminal width 80
Reply to
paul_tomlin

You didn't apply your access-list

ip access-group out-acl in interface outside

Everything else looks fine.

Reply to
Brian V

6.3(5)112 mitigates a security attack, but you might have to open a case to get it.
192.168.91.0 255.255.255.0
192.168.92.0 255.255.255.0
192.168.200.0 255.255.248.0

So far that implies that 192.168.100.0 255.255.252.0 is internal and

192.168.91/24, 192.168.92/24, and 192.168.200.0 255.255.248.0 are outside (or lower security)
192.168.200.0 255.255.248.0
192.168.92.0 255.255.255.0
192.168.91.0 255.255.255.0

Those have the same outside destinations but suggest 192.100.20.0 is internal. 192.100.20/24 is *public* IP space (avenet.com)

192.100.21.0 255.255.255.0

Which suggests that 192.100.21/24 (Coalition for Networked Information) is external

192.100.21.0 255.255.255.0

That's consistent, 192.100.20/24 internal, 192.100.21/24 external.

Again consistent, 192.168.100.0 255.255.252.0 and 192.100.20/24 internal.

But it just seems unlikely -- if you are the Coalition for Networked Information of Washington DC, then why would you have a VPN to Avnet Inc of Chandler Arizona??

I gather that xxx.xxx.xxx.105 is one of your public IPs. If so, then get rid of all of the lines "permit tcp host".

You appear to be missing,

access-group out-acl in interface outside

You do not appear to do anything with the 'state' interface other than set up failover for it?

DES MD5 is more often group 1; you might want to add another policy with a higher policy number to support that case.

Reply to
Walter Roberson
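As an added example (not code from any of the posters): a small Python lint that reads a PIX 6.3-style config and reports the two problems both replies raise, an access-list that no access-group applies to an interface, and "permit tcp host <public IP> any" entries whose source is the firewall's own static public address. The sample config is a trimmed, constructed version of the one posted, with xxx.xxx.xxx.105 replaced by the placeholder 203.0.113.105.

```python
import re

# Constructed sample modelled on the thread's PIX 6.3 config; 203.0.113.105 is a
# placeholder for the masked public address xxx.xxx.xxx.105.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list out-acl permit tcp host 203.0.113.105 any eq https
access-list out-acl permit tcp any host 203.0.113.105 eq https
access-list out-acl permit tcp host 203.0.113.105 any eq smtp
access-list out-acl permit tcp any host 203.0.113.105 eq smtp
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.91.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) 203.0.113.105 192.168.101.93 netmask 255.255.255.255 0 0
"""


def lint_pix(config: str) -> dict:
    """Return ACLs never bound by access-group and ACL entries sourced from a static's public IP."""
    acls = {}         # name -> list of entry strings
    bound = set()     # names referenced by access-group
    other_uses = set()  # names used by nat 0, crypto match address, split-tunnel (legitimate)
    statics = set()   # public (global) addresses from static statements
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) (.*)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound.add(m.group(1))
        elif m := re.search(r"(?:nat \(\S+\) 0 access-list|match address|split-tunnel) (\S+)", line):
            other_uses.add(m.group(1))
        elif m := re.match(r"static \(\S+,\S+\) (\S+) (\S+)", line):
            statics.add(m.group(1))
    # An ACL that is neither applied with access-group nor used by NAT/crypto does nothing,
    # which is exactly the missing "access-group out-acl in interface outside" in the thread.
    unbound = sorted(n for n in acls if n not in bound and n not in other_uses)
    # Entries whose *source* is our own static public address cannot match legitimate traffic
    # arriving on the outside interface; the working entry has that address as destination.
    source_is_static = [
        f"access-list {name} {entry}"
        for name, entries in acls.items() for entry in entries
        if (m := re.match(r"permit \S+ host (\S+) any", entry)) and m.group(1) in statics
    ]
    return {"unbound_acls": unbound, "source_is_static": source_is_static}


if __name__ == "__main__":
    for finding, items in lint_pix(SAMPLE_CONFIG).items():
        print(finding, items)
```

Appending the missing access-group line to the sample clears the first finding; the second stays until the "permit tcp host ... any" entries are removed.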

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.