Static Port Forwarding

akalender
Level 1

I am trying to set up static single (1) and range (2) port forwarding on a PIX 506E device using the following commands; however, it is not working. What am I missing?

Single Port Forwarding

1. static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255

access-list PCA permit tcp any host 24.172.x.x eq 5631

access-group PCA in interface outside

Port Range Forwarding

2. object-group service pearl_echo_tcp tcp

port-object range 57345 57370

access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp


kaachary
Cisco Employee

Looks good to me. Can you make sure you do not have any inbound ACL on the inside interface?

Also, try doing a telnet to the 24.x.x.x IP on port 5631 from outside. Does that work?

-Kanishka

How can I see if I have any inbound ACL on the inside interface?

vitripat
Level 7

static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255

The static command above looks fine. However, looking at port no. 5631, are you trying to pass pcAnywhere through the PIX? If so, you also need to open port 5632 (UDP).

static (inside,outside) udp 24.172.x.x 5632 192.168.1.215 5632 netmask 255.255.255.255

On the access-list applied to the outside interface in the inbound direction, you need to have the following lines:

access-list PE permit tcp any host 24.172.x.x eq 5631

access-list PE permit udp any host 24.172.x.x eq 5632

----

object-group service pearl_echo_tcp tcp

port-object range 57345 57370

access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp

----

What is the requirement of the above commands? If you need to allow inbound access to 24.172.x.x on ports 57345-57370, we will need to add an individual static command for each port.

I hope this helps.

Regards,

Vibhor

Yes, I am trying to pass pcAnywhere traffic through the PIX, and I have ports 5631 and 5632 open for both TCP and UDP.

You can check if there is any access-list applied on the inside interface using the following command:

show access-group

If you see any access-group on the inside interface, that access-list is applied on the inside interface of the PIX.

To allow pcAnywhere through the PIX, as I mentioned earlier, you only need to redirect the following ports from the public IP to the internal IP:

5631(tcp) & 5632(udp)

Assuming that the public IP is "public"

and the private IP is "private",

the following commands are required:

static (inside,outside) tcp public 5631 private 5631

static (inside,outside) udp public 5632 private 5632

access-list 101 permit tcp any host public eq 5631

access-list 101 permit udp any host public eq 5632

access-group 101 in interface outside

Let me know if this helps.

Regards,

Vibhor.
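The template in the reply above, together with the earlier point that PIX 6.x needs one static per port for a range, as an added example (not code from the thread or from Cisco): a small generator that expands a port spec into per-port static translations plus the matching inbound ACL, and drops duplicate entries so a second run does not hit the "duplicate entry exists" error. The IP addresses, ACL name and port list are constructed sample values.

```python
import ipaddress
from typing import Iterable

# Added example, not from the thread: emit PIX 6.x style config for inbound
# port forwarding. 'static' takes a single port per line, so a range such as
# 57345-57370 is expanded into one static per port; the ACL uses 'eq' for a
# single port and 'range lo hi' for a range. Sample values are constructed.

def expand_ports(spec: str) -> list[int]:
    """'5631' -> [5631]; '57345-57370' -> [57345, ..., 57370]. Validates 1-65535."""
    lo, _, hi = spec.partition("-")
    start, end = int(lo), int(hi or lo)
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"bad port spec: {spec}")
    return list(range(start, end + 1))


def pix_port_forward(public_ip: str, private_ip: str,
                     rules: Iterable[tuple[str, str]],
                     acl_name: str = "outside_access_in") -> list[str]:
    """rules: (proto, port_spec) pairs, e.g. ("tcp", "5631"), ("udp", "5632").
    Returns static + access-list + access-group lines, de-duplicated."""
    pub = ipaddress.ip_address(public_ip)    # raises on a malformed address
    priv = ipaddress.ip_address(private_ip)
    statics: list[str] = []
    acl: list[str] = []
    seen: set[str] = set()                   # skip lines already generated
    for proto, spec in rules:
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto}")
        ports = expand_ports(spec)
        for port in ports:
            line = (f"static (inside,outside) {proto} {pub} {port} "
                    f"{priv} {port} netmask 255.255.255.255")
            if line not in seen:
                seen.add(line)
                statics.append(line)
        match = f"eq {ports[0]}" if len(ports) == 1 else f"range {ports[0]} {ports[-1]}"
        line = f"access-list {acl_name} permit {proto} any host {pub} {match}"
        if line not in seen:
            seen.add(line)
            acl.append(line)
    return statics + acl + [f"access-group {acl_name} in interface outside"]


if __name__ == "__main__":
    # Constructed sample: pcAnywhere (5631/tcp, 5632/udp) plus a 57345-57370 range
    for line in pix_port_forward("203.0.113.10", "192.168.1.215",
                                 [("tcp", "5631"), ("udp", "5632"), ("tcp", "57345-57370")]):
        print(line)
```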

This is the only listing:

access-group outside_access_in in interface outside.

It is still not working even after I recreated the commands. It is telling me that a duplicate entry exists.

Can I configure it through PIX Device Manager by using access rules and translation rules? The GUI makes it a little easier.

Thanks,

Could you provide the output of the following commands:

show static

show access-list

show access-group

Interestingly enough, show static and show access-group did not show any entries. I got all my access lists displayed when using the show access-list command.

I ended up creating all static entries through PIX Device Manager, and now all statics are displayed and working properly; however, show access-group displays only the access-group I created. Any reason why?

Hi,

"sh access-group" will only show you the access-group and the interface it's applied to.

If you want to check the entries in the access-list, you need to do a "sh access-list".

"sh static" should show all the statics, if there are any. I'm not sure why it's not displaying that.

-Kanishka

It's

show run access-group

show run static

That is the command for 7.x code.

It's a PIX 506E.

-Kanishka

Is it possible to do port forwarding for a PPTP tunnel? As it only accepts TCP or UDP, if I have a server behind the firewall that needs to terminate PPTP sessions, and I only have one public IP, what should I do?

Thanks in advance.

Leo
