Port forwarding help?

I would like to RDP to the server inside our network through our PIX 515 by using a port forward. I have tried a number of times to connect with the assigned address and port (which works when I'm inside the LAN) but failed to get through the firewall.

Would someone please be kind and show me what additions need to be made to my config (below)?

The server address and port are 99.99.99.228:4953 (I've changed the 3389 to 4953).

I've pasted a sterilized copy of our configuration below. Much appreciate any advice no matter how meager!

User Access Verification

Password:
Type help or '?' for a list of available commands.
HostPix> en
Password: ******
hostpix# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XjdDOUfIwEBMJnWm encrypted
passwd XjdDOUfIwEBMJnWm encrypted
hostname hostpix
domain-name ciscopix.com
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 3000
fixup protocol http 3002
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside permit icmp any any
access-list outside permit tcp any host 99.99.99.231 eq pop3
access-list outside permit tcp any host 99.99.99.231 eq smtp
access-list outside permit tcp any host 99.99.99.231 eq www
access-list outside permit tcp any host 99.99.99.229 eq www
access-list outside permit udp any host 99.99.99.228 eq isakmp
access-list outside permit tcp any host 99.99.99.228 eq 1701
access-list outside permit udp any host 99.99.99.228 eq netbios-ns
access-list outside permit udp any host 99.99.99.228 eq netbios-dgm
access-list outside permit tcp any host 99.99.99.232 eq www
access-list outside permit ip host 99.99.99.207 99.99.99.224 255.255.255.224
access-list outside permit ip host 88.88.88.232 99.99.99.224 255.255.255.224
access-list outside permit esp host 88.88.88.207 99.99.99.224 255.255.255.224
access-list outside permit esp host 88.88.88.232 99.99.99.224 255.255.255.224
access-list outside permit udp any 99.99.99.224 255.255.255.254 eq isakmp
access-list outside permit esp any 99.99.99.224 255.255.255.254
access-list outside permit gre any host 99.99.99.228
access-list outside permit esp any host 99.99.99.228
access-list outside permit tcp any host 99.99.99.224 eq pptp
access-list outside permit tcp any host 99.99.99.228 eq pptp
access-list outside permit tcp any host 99.99.99.231 eq https
access-list outside permit tcp any host 99.99.99.233
pager lines 24
logging on
logging trap informational
logging host inside 192.168.4.11
mtu outside 1500
mtu inside 1500
ip address outside 99.99.99.227 255.255.255.224
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.4.11 255.255.255.255 inside
pdm location 192.168.4.12 255.255.255.255 inside
pdm location 192.168.4.13 255.255.255.255 inside
pdm location 192.168.4.14 255.255.255.255 inside
pdm location 192.168.4.15 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 99.99.99.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.229 192.168.4.14 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.230 192.168.4.12 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.231 192.168.4.13 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.232 192.168.4.15 netmask 255.255.255.255 0 0
static (inside,outside) 99.99.99.233 192.168.4.16 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 99.99.99.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:856fa28ba29f09d458fecf67c2328d80
: end
hostpix#
Reply to stephenarbour

Reply to NETADMIN

I'm not very skilled. Port forwarding seemed the right tool for the job. I would be more than happy to implement "Static NAT" if it would suit the need better.

I believe I need (and have) an extra address for this. If you think this would be a better solution, can you elaborate some? Thanks.

Reply to stephenarbour

#include "upgrade_to_6.3(5)_for_free.txt"

Don't do that unless you want people to be able to steal your outgoing connections. Only permit the icmp that you need.

Add: access-list outside permit tcp any host 99.99.99.228 eq 4953

You already have all ports forwarded for 99.99.99.228 so there is no point in handling this by port forwarding. If you REALLY want to use port forwarding, then you will have to remove the above static and put in port forwarding for isakmp, 1701, netbios-ns, netbios-dgm

Reply to Walter Roberson
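To see why Walter's single access-list line is enough, here is an added example (not from this thread, and not Cisco code) that parses the static and access-list lines from the posted PIX 6.3 config and reports whether an inbound packet is translated and permitted. The 99.99.99.234 port-static line, the 192.168.4.20 host and the 203.0.113.5 source address are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
# Excerpt of the PIX 6.3 config posted above, plus one constructed port-static line
# (99.99.99.234 -> 192.168.4.20 is a placeholder) showing the per-port alternative.
PIX_CONFIG = """\
access-list outside permit icmp any any
access-list outside permit udp any host 99.99.99.228 eq isakmp
access-list outside permit tcp any host 99.99.99.228 eq 1701
access-list outside permit ip host 99.99.99.207 99.99.99.224 255.255.255.224
static (inside,outside) 99.99.99.228 192.168.4.11 netmask 255.255.255.255 0 0
static (inside,outside) tcp 99.99.99.234 4953 192.168.4.20 4953 netmask 255.255.255.255 0 0
"""

# Service names used in the posted config, mapped to port numbers.
PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "isakmp": 500,
         "pptp": 1723, "netbios-ns": 137, "netbios-dgm": 138}

def _port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def _addr(tokens):
    """Parse an ACL address ('any', 'host X' or 'X MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def inbound_path(config, src_ip, dst_ip, proto, port):
    """Report how the PIX handles an outside packet src_ip -> dst_ip:port."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    result = {"static": None, "inside": None, "acl_permit": False}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["static", "(inside,outside)"]:
            if t[2] in ("tcp", "udp"):      # static (i,o) PROTO GIP GPORT LIP LPORT: one port
                if t[2] == proto and ip_address(t[3]) == dst and _port(t[4]) == port:
                    result.update(static="port", inside=f"{t[5]}:{_port(t[6])}")
            elif ip_address(t[2]) == dst:    # static (i,o) GIP LIP: every port is translated
                result.update(static="one-to-one", inside=t[3])
        elif t[:3] == ["access-list", "outside", "permit"]:
            acl_proto, rest = t[3], t[4:]
            acl_src, rest = _addr(rest)
            acl_dst, rest = _addr(rest)
            if src not in acl_src or dst not in acl_dst or acl_proto not in (proto, "ip"):
                continue
            if rest[:1] == ["eq"] and _port(rest[1]) != port:
                continue                     # wrong port; no 'eq' means any port
            result["acl_permit"] = True
    return result
```

Run against the excerpt as posted, tcp/4953 to 99.99.99.228 is already translated by the one-to-one static but not permitted; appending Walter's line flips only the ACL result, which is why no extra static is needed.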

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.