Portforward with PAT

Answered Question
Oct 31st, 2007

I have a 501 at a branch office on which I need to port forward www, ftp and rdp to three different hosts.

The outside interface is dhcp

and the inside is 10.50.1.3

the network is 10.50.1.0/24

Below is what I thought would work, but it is not port forwarding. Can anyone tell me where I have gone wrong?

Thanks!

10.50.1.10 is an inside host

63.200.204.45 is a host on the outside that I want to allow to 3389

access-list outside_in permit tcp any host 10.50.1.10 eq 80

access-list outside_in permit tcp any host 10.50.1.10 eq 3389

access-group outside_in in interface outside

static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 443 netmask 255.255.255.255

static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 443 netmask 255.255.255.255

acomiskey Wed, 10/31/2007 - 12:01

You have to use the external ip in the access list.

access-list outside_in permit tcp any host 63.200.204.45 eq 80

access-list outside_in permit tcp any host 63.200.204.45 eq 3389

Also, did you mean to put 443 in your statics?

static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 3389 netmask 255.255.255.255

Also, if 63.200.204.45 is your outside interface address you want to write it this way...

static (inside,outside) tcp interface 80 10.50.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 10.50.1.10 3389 netmask 255.255.255.255

elovelace256 Wed, 10/31/2007 - 12:09

I thought that I had to put in a port for the server on the inside (10.50.1.10) since it was pat on the outside.

63.200.204.45 is not the outside interface address. The outside interface is dhcp.

63.200.204.45 is the address that I only want access to 3389

Let me see if I have this correct. Is this what you are saying I should put?

(I also made another mistake port 80 should go to 10.50.1.11)

access-list outside_in permit tcp any host 63.200.204.45 eq 80

access-list outside_in permit tcp any host 63.200.204.45 eq 3389

access-group outside_in in interface outside

static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 3389 netmask 255.255.255.255

acomiskey Wed, 10/31/2007 - 12:12

"(I also made another mistake port 80 should go to 10.50.1.11)"

-Then it should be...

access-list outside_in permit tcp any host 63.200.204.45 eq 80

access-list outside_in permit tcp any host 63.200.204.45 eq 3389

access-group outside_in in interface outside

static (inside,outside) tcp 63.200.204.45 80 10.50.1.11 80 netmask 255.255.255.255

static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 3389 netmask 255.255.255.255

This will allow www to 10.50.1.11 and remote desktop to 10.50.1.10.

elovelace256 Wed, 10/31/2007 - 12:21

Thanks for your quick reply. That is what I put and it is still a no go.

Here is my running config. If you look at the static for port 80, it put https, I am assuming because I put port 443. I guess those statics are not right.

Ideas?

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password nBnGds5ytQzpX4wz encrypted

passwd nBnGds5ytQzpX4wz encrypted

hostname pix

domain-name gotbalz

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_in permit tcp any host 10.50.1.10 eq www

access-list outside_in permit tcp any host 10.50.1.10 eq 3389

pager lines 24

logging on

icmp permit host 60.210.254.46 outside

icmp deny any outside

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.50.1.3 255.255.255.0

ip audit name test attack action alarm drop

ip audit interface outside test

ip audit info action alarm

ip audit attack action alarm

pdm location 10.50.1.10 255.255.255.255 inside

pdm logging informational 512

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 60.210.254.46 www 10.50.1.10 https netmask 255.255.255.255 0 0

static (inside,outside) tcp 60.210.254.46 3389 10.50.1.10 3389 netmask 255.255.255.255 0 0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.50.1.10 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:9303733fb1af120003e81df6e38d92c5

: end

acomiskey Wed, 10/31/2007 - 12:28

Access list still isn't right. See post above.

access-list outside_in permit tcp any host 60.210.254.46 eq www

access-list outside_in permit tcp any host 60.210.254.46 eq 3389

Also, why did you put 443. Are you trying to hit the webserver on port 80?

elovelace256 Wed, 10/31/2007 - 12:30

That is all I want to hit is port 80 on 10.50.1.10 and port 3389 on 10.50.1.11

acomiskey Wed, 10/31/2007 - 12:32

Then you need to make it look like this...(you keep changing it up on me, haha)

access-list outside_in permit tcp any host 63.200.204.46 eq 80

access-list outside_in permit tcp any host 63.200.204.46 eq 3389

access-group outside_in in interface outside

static (inside,outside) tcp 63.200.204.46 80 10.50.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp 63.200.204.46 3389 10.50.1.11 3389 netmask 255.255.255.255

elovelace256 Wed, 10/31/2007 - 12:43

My bad, sorry to mix it up. I am dealing with two different configs.

I added it exactly as above and I don't see it working.

I did a sh access-list and the hit count is 0 on both access lists.

Should the static be on the interface and not 63.200.204.46, since that is the public IP I am coming from and not the public IP on this pix?

Here is the config again.

pix# sh run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pix

domain-name gotbalz

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_in permit tcp any host 63.200.204.46 eq www

access-list outside_in permit tcp any host 63.200.204.46 eq 3389

pager lines 24

logging on

icmp permit host 63.200.204.46 outside

icmp deny any outside

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.50.1.3 255.255.255.0

ip audit name test attack action alarm drop

ip audit interface outside test

ip audit info action alarm

ip audit attack action alarm

pdm location 10.50.1.10 255.255.255.255 inside

pdm logging informational 512

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 63.200.204.46 www 10.50.1.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 63.200.204.46 3389 10.50.1.11 3389 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.50.1.10 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxx

: end

acomiskey Wed, 10/31/2007 - 13:14

Oh, yes the static needs to contain the public ip of either the pix or a public ip which is routed to the pix, NOT the ip you are coming from. Then you must also change the acl as well.

Correct Answer
acomiskey Wed, 10/31/2007 - 13:22

Ok, let's say you are going to use the outside interface of your pix. Then you would do...

access-list outside_in permit tcp any interface outside eq 80

access-list outside_in permit tcp any interface outside eq 3389

access-group outside_in in interface outside

static (inside,outside) tcp interface 80 10.50.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 10.50.1.11 3389 netmask 255.255.255.255

Then you would rdp or www to whatever the outside interface is of the pix.

If you have some other address to use, let's say 1.1.1.1, then it would look like this...

access-list outside_in permit tcp any host 1.1.1.1 eq 80

access-list outside_in permit tcp any host 1.1.1.1 eq 3389

access-group outside_in in interface outside

static (inside,outside) tcp 1.1.1.1 80 10.50.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.1 3389 10.50.1.11 3389 netmask 255.255.255.255
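
The rule acomiskey states in the 12:01 reply and in the accepted answer above is the one every PIX 6.x port forward turns on: the static's global address must be the PIX's own outside address (`interface`) or a public address routed to the PIX, and the ACL applied inbound on outside must permit traffic to that translated address, not to the real inside host and not to the address the client is coming from. The Python linter below is an added example, not code from this thread or from Cisco; it parses the relevant lines of a PIX 6.3 configuration and flags each of the mistakes that appeared in the thread (ACL to the real inside address, static to the remote client's address, unintended port translation 80 to 443, ACL entry with no matching static, and a missing access-group). The two embedded configs are constructed from the thread: the original post's ACL and statics with the `ip address` lines from the posted running config, and the accepted answer's `interface` form. The `owned_public` parameter is an assumption: the config alone cannot tell a public address routed to the PIX from the client's address, so the operator lists the ones that are. The corrected config also restricts the tcp/3389 source to `host 63.200.204.45`, which the original poster said is the only outside host that should reach RDP; the accepted answer uses `any`, and the linter flags that as a practitioner would.

```python
"""Lint PIX 6.3 static PAT / outside-ACL pairs (added example, not from the thread)."""
import ipaddress
import re

# PIX accepts service names in port positions; only the ones this thread uses.
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21}

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(
    r"^access-list (\S+) permit tcp (any|host \S+) (interface outside|host \S+) eq (\S+)"
)
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)")


def port_num(token):
    """'www' -> 80, '3389' -> 3389."""
    return int(token) if token.isdigit() else SERVICE_NAMES[token]


def addr_key(token):
    """Normalise 'interface', 'interface outside' and 'host 1.2.3.4' to one comparable form."""
    return "interface" if token.startswith("interface") else token.split()[-1]


def lint(config, owned_public=()):
    """Return a list of findings for the static/ACL pairs in a PIX 6.3 config.

    owned_public: literal public addresses known to be routed to this PIX
    (operator-supplied assumption; the config alone cannot prove it).
    """
    inside_net, statics, acls, applied = None, [], {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := INSIDE_RE.match(line):
            inside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := STATIC_RE.match(line):
            statics.append((addr_key(m[1]), port_num(m[2]), m[3], port_num(m[4])))
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], addr_key(m[3]), port_num(m[4])))
        elif m := GROUP_RE.match(line):
            applied = m[1]

    def is_inside(addr):
        return inside_net is not None and ipaddress.ip_address(addr) in inside_net

    findings = []
    if applied is None:
        findings.append("no access-group applies an ACL inbound on outside")
    outside_acl = acls.get(applied, [])
    permitted = {(dst, port) for _, dst, port in outside_acl}
    translated = {(gaddr, gport) for gaddr, gport, _, _ in statics}

    for gaddr, gport, raddr, rport in statics:
        if gaddr != "interface" and is_inside(gaddr):
            findings.append(f"static global address {gaddr} is an inside address")
        elif gaddr != "interface" and gaddr not in owned_public:
            findings.append(
                f"static global address {gaddr} is not a known address of this PIX; "
                "use 'interface' or an address routed to the PIX, never the client's address")
        if gport != rport:  # PIX will happily translate the port; the server must listen there
            findings.append(
                f"static translates outside port {gport} to inside port {rport} on {raddr}; "
                f"the server must really listen on {rport}")
        if (gaddr, gport) not in permitted:
            findings.append(f"no outside ACL entry permits tcp/{gport} to translated address {gaddr}")

    for src, dst, port in outside_acl:
        if dst != "interface" and is_inside(dst):
            findings.append(
                f"ACL references real inside address {dst}; on PIX 6.x the outside ACL "
                "must reference the translated (global) address")
        elif (dst, port) not in translated:
            findings.append(
                f"ACL permits tcp/{port} to {dst} but no static translates it; hit count stays 0")
        if port == 3389 and src == "any":
            findings.append("RDP (tcp/3389) is permitted from any source; restrict it to the known client host")
    return findings


# Constructed from the original post (ACL and statics) plus the posted ip address lines.
BROKEN = """
ip address outside dhcp setroute
ip address inside 10.50.1.3 255.255.255.0
access-list outside_in permit tcp any host 10.50.1.10 eq 80
access-list outside_in permit tcp any host 10.50.1.10 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 443 netmask 255.255.255.255
"""

# Accepted answer's 'interface' form, with the RDP source restricted to the stated client host.
CORRECTED = """
ip address outside dhcp setroute
ip address inside 10.50.1.3 255.255.255.0
access-list outside_in permit tcp any interface outside eq 80
access-list outside_in permit tcp host 63.200.204.45 interface outside eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp interface 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.50.1.11 3389 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("original post", BROKEN), ("accepted answer, source restricted", CORRECTED)):
        print(f"== {name}: {len(lint(cfg))} finding(s)")
        for finding in lint(cfg):
            print(" -", finding)
```

Running it prints nine findings for the original post and none for the corrected form. The `hit count stays 0` finding is the symptom elovelace256 reported with `sh access-list`: on PIX 6.x an outside ACL entry that names an address no static translates never matches, so the counter never moves, which is a quick way to tell an ACL problem from a routing or server problem.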

acomiskey Wed, 10/31/2007 - 13:27

Feel free to rate any helpful posts. Thanks, hope it works out!
