02-19-2007 08:28 AM - edited 03-11-2019 02:35 AM
I am trying to set up static single (1) and range (2) port forwarding on PIX 506E device using the following commands; however it is not working. What am I missing?
Single Port Forwarding
1. static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255
access-list PCA permit tcp any host 24.172.x.x eq 5631
access-group PCA in interface outside
Port Range Forwarding
2. object-group service pearl_echo_tcp tcp
port-object range 57345 57370
access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp
02-19-2007 10:03 AM
Looks good to me. Can you make sure you do not have any inbound ACL on the Inside Interface.
Also, try doing a telnet to the 24.x.x.x IP on port 5631 from outside. Does that work?
-Kanishka
02-20-2007 08:34 AM
How can I see if I have any inbound ACL on inside interface?
02-19-2007 06:06 PM
static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255
The static command above looks fine. However, looking at port no. 5631, are you trying to pass PCAnywhere through PIX? If so, you also need to open port 5632 (UDP).
static (inside,outside) udp 24.172.x.x 5632 192.168.1.215 5632 netmask 255.255.255.255
On the access-list applied to the outside interface in the inbound direction, you need to have the following lines in-
access-list PE permit tcp any host 24.172.x.x eq 5631
access-list PE permit udp any host 24.172.x.x eq 5632
----
object-group service pearl_echo_tcp tcp
port-object range 57345 57370
access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp
----
What is the requirement of the above commands? If you need to allow inbound access to 24.172.x.x on ports from 57345-57370, we will need to add an individual static command for each port.
I hope this helps.
Regards,
Vibhor
02-20-2007 08:34 AM
Yes, I am trying to pass PC Anywhere traffic through PIX and I have ports 5631, 5632 open for both TCP and UDP.
02-20-2007 09:08 AM
You can check if there is any access-list applied on the inside interface using the following command-
show access-group
If you see any access-group on inside interface, that access-list is applied on inside interface of PIX.
To allow PCAnywhere through PIX, as I mentioned earlier, you only need to redirect the following ports from the public IP to the internal IP-
5631(tcp) & 5632(udp)
Assuming that public IP is -- public
and private IP is -- private
The following commands are required-
static (inside,outside) tcp public 5631 private 5631
static (inside,outside) udp public 5632 private 5632
access-list 101 permit tcp any host public eq 5631
access-list 101 permit udp any host public eq 5632
access-group 101 in interface outside
Let me know if this helps.
Regards,
Vibhor.
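The two points Vibhor makes above (every port that the outside ACL permits needs its own static on PIX 6.x, since static takes a single port and not a range, and an access-list does nothing until access-group applies it) are easy to get wrong by hand. The script below is an added example, not code from this thread or from Cisco: it parses the static, object-group service, access-list and access-group lines of a PIX 6.x-style config and reports ports that are permitted inbound without a translation, statics that no ACL permits, and ACLs that are never applied. The sample config is constructed from the original poster's commands with the masked 24.172.x.x address; the helper names and the simplified line grammar are my own assumptions.

```python
"""Consistency check for PIX 6.x-style port-forwarding configuration.

Added example (not from the thread or Cisco): cross-checks 'static'
translations against what the inbound ACL on the outside interface permits.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the original poster's commands.
SAMPLE_CONFIG = """
static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255
access-list PCA permit tcp any host 24.172.x.x eq 5631
access-group PCA in interface outside
object-group service pearl_echo_tcp tcp
 port-object range 57345 57370
access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp
"""

# Simplified grammar (assumption): only the line shapes used in this thread.
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
OBJGRP_RE = re.compile(r"^object-group service (\S+) (tcp|udp|tcp-udp)")
PORT_OBJ_RE = re.compile(r"^port-object (eq|range) (\d+)(?: (\d+))?")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) (eq (\d+)|object-group (\S+))")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_config(text):
    """Return (statics, acl_entries, applied) from the relevant config lines."""
    statics = set()                  # (proto, public_ip, public_port)
    groups = defaultdict(set)        # object-group name -> set of ports
    acl_entries = defaultdict(list)  # acl name -> [(proto, public_ip, ports)]
    applied = {}                     # interface -> acl name
    current_group = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.add((m.group(3), m.group(4), int(m.group(5))))
            current_group = None
        elif m := OBJGRP_RE.match(line):
            current_group = m.group(1)
        elif (m := PORT_OBJ_RE.match(line)) and current_group:
            lo = int(m.group(2))
            hi = int(m.group(3)) if m.group(3) else lo
            groups[current_group].update(range(lo, hi + 1))
        elif m := ACL_RE.match(line):
            ports = {int(m.group(5))} if m.group(5) else set(groups[m.group(6)])
            acl_entries[m.group(1)].append((m.group(2), m.group(3), ports))
            current_group = None
        elif m := ACCESS_GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)
            current_group = None
    return statics, acl_entries, applied


def _ranges(ports):
    """Collapse a set of ints into sorted (lo, hi) runs for compact reporting."""
    out = []
    for p in sorted(ports):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out


def check_outside_forwarding(text, outside="outside"):
    """Report mismatches between statics and inbound permits on `outside`."""
    statics, acls, applied = parse_config(text)
    applied_acl = applied.get(outside)
    permitted = set()  # (proto, public_ip, port) that some ACL would permit
    unapplied = []
    for name, entries in acls.items():
        if name != applied_acl:
            unapplied.append(name)  # defined but never bound with access-group
        for proto, ip, ports in entries:
            permitted.update((proto, ip, p) for p in ports)
    missing_static, missing_permit = defaultdict(set), defaultdict(set)
    for proto, ip, port in permitted - statics:
        missing_static[(proto, ip)].add(port)   # permit with no translation
    for proto, ip, port in statics - permitted:
        missing_permit[(proto, ip)].add(port)   # translation nobody can reach
    return {
        "unapplied_acls": sorted(unapplied),
        "permit_without_static": {k: _ranges(v) for k, v in missing_static.items()},
        "static_without_permit": {k: _ranges(v) for k, v in missing_permit.items()},
    }


def expand_range_statics(proto, public_ip, private_ip, lo, hi):
    """PIX 6.x 'static' takes one port, so a range needs one line per port."""
    return [f"static (inside,outside) {proto} {public_ip} {p} {private_ip} {p} "
            "netmask 255.255.255.255" for p in range(lo, hi + 1)]


if __name__ == "__main__":
    for key, value in check_outside_forwarding(SAMPLE_CONFIG).items():
        print(key, value)
    print("\n".join(expand_range_statics("tcp", "24.172.x.x", "192.168.1.215", 57345, 57347)))
```

Run against the sample it flags the PE access-list as never applied (only PCA is bound to outside) and the whole 57345-57370 range as permitted without a static; feeding it the output of `show access-list`, `show static` and `show access-group` from a real box works the same way as long as the lines follow the shapes above.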
02-20-2007 10:09 AM
This is the only listing
access-group outside_access_in in interface outside.
It is still not working even after I recreated the commands. It is telling me that a duplicate entry exists.
Can I configure it through PIX device manager by using access rules and translation rules? GUI makes it a little easier.
Thanks,
02-20-2007 02:49 PM
Could you provide the output of the following commands-
show static
show access-list
show access-group
02-21-2007 08:52 AM
Interestingly enough, show static and show access-group did not show any entries. I got all my access lists displayed when using the show access-list command.
I ended up creating all static entries through PIX Device Manager and now all statics are displayed and working properly; however, show access-group displays only the access-group I created. Any reason why?
02-21-2007 09:08 AM
Hi,
"sh access-group" will only show you the access-group and the interface it's applied to.
If you want to check the entries in the access-list, you need to do a "sh access-list".
"sh static" should show all the statics, if there are any. I'm not sure why it's not displaying that.
-Kanishka
02-21-2007 09:36 AM
It's
show run access-group
show run static
02-21-2007 09:43 AM
That is the command for 7.X code.
It's a PIX 506E.
-Kanishka
02-26-2007 03:01 AM
Is it possible to do port forwarding for a PPTP tunnel? As it only accepts TCP or UDP, if I have a server behind the firewall that needs to terminate PPTP sessions, and I only have one public IP... what should I do?
thanks in advance.
Leo