Pix 501 port redirection and acl

Unanswered Question
Jun 27th, 2007

I have a pix 501 and am needing to do some port forwarding. I have a DVR (being used for security cameras); it has an internal ip of 192.168.1.150. I need to have port forwarding setup for 3000 - 3007 and 8800. I used the following to do this:

static (inside,outside) tcp interface 3000 192.168.1.150 3000 netmask 255.255.255.255

static (inside,outside) tcp interface 3007 192.168.1.150 3007 netmask 255.255.255.255

static (inside,outside) tcp interface 8800 192.168.1.150 8800 netmask 255.255.255.255

I was told I also need to allow in my acl. I have no idea what that means?

acomiskey Wed, 06/27/2007 - 05:41

1.1.1.1 = pix outside interface address, change as needed.

access-list outside_in permit tcp any host 1.1.1.1 eq 3000

access-list outside_in permit tcp any host 1.1.1.1 eq 3007

access-list outside_in permit tcp any host 1.1.1.1 eq 8800

access-group outside_in in interface outside

OR

access-list outside_in permit tcp any interface outside eq 3000

access-list outside_in permit tcp any interface outside eq 3007

access-list outside_in permit tcp any interface outside eq 8800

access-group outside_in in interface outside

If you would like, you could also limit where the requests can come from like this (allow only from address 2.2.2.2)...

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 3000

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 3007

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 8800

access-group outside_in in interface outside

Please rate helpful posts.

scramer13 Wed, 06/27/2007 - 06:03

I put in the top group of commands but I am still not able to access by program? Is there a way to test that these ports are opened correctly?

acomiskey Wed, 06/27/2007 - 06:05

When you said "3000 - 3007", did you mean 3000 and 3007 or did you want 3000 through 3007?

You can do a "show access-list" and look for hits on the acl.

scramer13 Wed, 06/27/2007 - 06:12

I meant 3000 3001... etc and I did put them all in. I will go do the hits and see what it says.

scramer13 Wed, 06/27/2007 - 06:55

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list outside_in; 9 elements

access-list outside_in line 1 permit tcp any host xxx.xxx.xxx.xxx eq 3000 (hitcnt=0)

access-list outside_in line 2 permit tcp any host xxx.xxx.xxx.xxx eq 3001 (hitcnt=0)

access-list outside_in line 3 permit tcp any host xxx.xxx.xxx.xxx eq 3002 (hitcnt=0)

access-list outside_in line 4 permit tcp any host xxx.xxx.xxx.xxx eq 3003 (hitcnt=0)

access-list outside_in line 5 permit tcp any host xxx.xxx.xxx.xxx eq 3004 (hitcnt=0)

access-list outside_in line 6 permit tcp any host xxx.xxx.xxx.xxx eq 3005 (hitcnt=0)

access-list outside_in line 7 permit tcp any host xxx.xxx.xxx.xxx eq 3006 (hitcnt=0)

access-list outside_in line 8 permit tcp any host xxx.xxx.xxx.xxx eq 3007 (hitcnt=0)

access-list outside_in line 9 permit tcp any host xxx.xxx.xxx.xxx eq 8800 (hitcnt=0)

To me it looks as if it's not even getting a hit?

acomiskey Wed, 06/27/2007 - 06:59

That would be correct. You are trying this access from outside the pix right?

scramer13 Wed, 06/27/2007 - 07:15

Umm no. I am inside but in my DVR program I have the outside address.

acomiskey Wed, 06/27/2007 - 07:17

That will not work on your pix 501. From the inside you will not be able to hit your outside address of xxx.xxx.xxx.xxx. You will need to use the inside address when you are inside the firewall, 192.168.1.150.

Your pix will not u-turn traffic in and out of the same interface.
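The checks this thread walks through by hand (does every static have a matching permit in the inbound ACL, which permits show hitcnt=0, and which are open to any source) can be automated against the text of the running config and the "show access-list" output. The script below is an added example written for this page; it is not code from the posters or from Cisco. It assumes the PIX 6.x syntax shown in the thread (a "static (inside,outside) tcp interface ..." line per port and one "access-list NAME line N permit ..." entry per port), and the sample config and output it parses are constructed for the example, with the poster's xxx.xxx.xxx.xxx placeholder standing in for the outside address.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input (modelled on the thread, not copied from it):
# the static statements the original poster used, plus a "show access-list"
# output in the same shape as the one pasted later in the thread. One
# static (8800) deliberately has no permit, and one permit (9000) has no
# static, so both failure modes show up in the report.
STATICS = """\
static (inside,outside) tcp interface 3000 192.168.1.150 3000 netmask 255.255.255.255
static (inside,outside) tcp interface 3007 192.168.1.150 3007 netmask 255.255.255.255
static (inside,outside) tcp interface 8800 192.168.1.150 8800 netmask 255.255.255.255
"""

SHOW_ACL = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list outside_in; 3 elements
access-list outside_in line 1 permit tcp any host xxx.xxx.xxx.xxx eq 3000 (hitcnt=0)
access-list outside_in line 2 permit tcp host 2.2.2.2 host xxx.xxx.xxx.xxx eq 3007 (hitcnt=12)
access-list outside_in line 3 permit tcp any host xxx.xxx.xxx.xxx eq 9000 (hitcnt=0)
"""

# Only the PIX 6.x forms that appear in this thread are recognised.
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (?P<proto>tcp|udp) interface (?P<out_port>\d+) "
    r"(?P<inside_ip>\S+) (?P<in_port>\d+) netmask"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>tcp|udp) (?P<src>any|host \S+) (?P<dst>any|host \S+|interface \S+) "
    r"eq (?P<port>\d+) \(hitcnt=(?P<hits>\d+)\)"
)

Key = Tuple[str, int]  # (protocol, outside port)


def parse_statics(text: str) -> Dict[Key, Tuple[str, int]]:
    """Map each forwarded (proto, outside port) to (inside ip, inside port)."""
    forwards: Dict[Key, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            forwards[(m["proto"], int(m["out_port"]))] = (m["inside_ip"], int(m["in_port"]))
    return forwards


def parse_acl(text: str) -> List[dict]:
    """Parse the per-line entries of 'show access-list'; summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["line"], d["port"], d["hits"] = int(d["line"]), int(d["port"]), int(d["hits"])
            entries.append(d)
    return entries


def audit(forwards: Dict[Key, Tuple[str, int]], entries: List[dict]) -> Dict[str, list]:
    """Correlate statics with inbound permits and report what a reviewer would check."""
    permits = [e for e in entries if e["action"] == "permit"]
    permitted = {(e["proto"], e["port"]) for e in permits}
    return {
        # static exists but nothing in the inbound ACL allows it (the thread's symptom)
        "forward_without_permit": sorted(k for k in forwards if k not in permitted),
        # ACL opens a port that no static delivers: leftover rule, remove it
        "permit_without_forward": sorted(k for k in permitted if k not in forwards),
        # hitcnt=0: no packet has matched, so the test traffic never reached this rule
        "zero_hit_permits": [e["line"] for e in permits if e["hits"] == 0],
        # source 'any': candidates for restricting to known client addresses
        "open_to_any": [e["line"] for e in permits if e["src"] == "any"],
    }


def audit_sample() -> Dict[str, list]:
    """Run the audit over the constructed sample above."""
    return audit(parse_statics(STATICS), parse_acl(SHOW_ACL))


if __name__ == "__main__":
    for finding, items in audit_sample().items():
        print(f"{finding}: {items}")
```

Run it against pasted output of "show running-config" and "show access-list" from the firewall. A static in forward_without_permit is exactly the "allow in my acl" gap from the first post; a line in zero_hit_permits while you are testing from inside the firewall is the u-turn case described in the last reply, since the inbound ACL on the outside interface never sees that traffic.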
