10-31-2007 11:57 AM - edited 03-09-2019 07:10 PM
I have a 501 at a branch office where I need to port forward www, ftp and rdp to 3 different hosts.
The outside interface is DHCP and the inside is 10.50.1.3; the network is 10.50.1.0/24.
Below is what I thought would work, but it is not port forwarding. Can anyone tell me where I have gone wrong?
Thanks!
10.50.1.10 is an inside host
63.200.204.45 is a host on the outside that I want to allow to 3389
access-list outside_in permit tcp any host 10.50.1.10 eq 80
access-list outside_in permit tcp any host 10.50.1.10 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 443 netmask 255.255.255.255
10-31-2007 12:01 PM
You have to use the external ip in the access list.
access-list outside_in permit tcp any host 63.200.204.45 eq 80
access-list outside_in permit tcp any host 63.200.204.45 eq 3389
Also, did you mean to put 443 in your statics?
static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 3389 netmask 255.255.255.255
Also, if 63.200.204.45 is your outside interface address you want to write it this way...
static (inside,outside) tcp interface 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.50.1.10 3389 netmask 255.255.255.255
10-31-2007 12:09 PM
I thought that I had to put in a port for the server on the inside (10.50.1.10) since it was PAT on the outside.
63.200.204.45 is not the outside interface address. The outside interface is DHCP.
63.200.204.45 is the address that I only want to allow access to 3389.
Let me see if I have this correct. Is this what you are saying I should put?
(I also made another mistake port 80 should go to 10.50.1.11)
access-list outside_in permit tcp any host 63.200.204.45 eq 80
access-list outside_in permit tcp any host 63.200.204.45 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 3389 netmask 255.255.255.255
10-31-2007 12:12 PM
"(I also made another mistake port 80 should go to 10.50.1.11)"
-Then it should be...
access-list outside_in permit tcp any host 63.200.204.45 eq 80
access-list outside_in permit tcp any host 63.200.204.45 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 63.200.204.45 80 10.50.1.11 80 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 3389 netmask 255.255.255.255
This will allow www to 10.50.1.11 and remote desktop to 10.50.1.10.
10-31-2007 12:21 PM
Thanks for your quick reply. That is what I put and it's still a no go.
Here is my running config. If you look at the static for port 80, it put https, I am assuming since I put port 443. I guess those statics are not right.
Ideas?
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nBnGds5ytQzpX4wz encrypted
passwd nBnGds5ytQzpX4wz encrypted
hostname pix
domain-name gotbalz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 10.50.1.10 eq www
access-list outside_in permit tcp any host 10.50.1.10 eq 3389
pager lines 24
logging on
icmp permit host 60.210.254.46 outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.50.1.3 255.255.255.0
ip audit name test attack action alarm drop
ip audit interface outside test
ip audit info action alarm
ip audit attack action alarm
pdm location 10.50.1.10 255.255.255.255 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 60.210.254.46 www 10.50.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 60.210.254.46 3389 10.50.1.10 3389 netmask 255.255.255.255 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.50.1.10 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9303733fb1af120003e81df6e38d92c5
: end
10-31-2007 12:28 PM
Access list still isn't right. See post above.
access-list outside_in permit tcp any host 60.210.254.46 eq www
access-list outside_in permit tcp any host 60.210.254.46 eq 3389
Also, why did you put 443? Are you trying to hit the webserver on port 80?
10-31-2007 12:30 PM
All I want to hit is port 80 on 10.50.1.10 and port 3389 on 10.50.1.11.
10-31-2007 12:32 PM
Then you need to make it look like this...(you keep changing it up on me, haha)
access-list outside_in permit tcp any host 63.200.204.46 eq 80
access-list outside_in permit tcp any host 63.200.204.46 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 63.200.204.46 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.46 3389 10.50.1.11 3389 netmask 255.255.255.255
10-31-2007 12:43 PM
My bad, sorry to mix it up. Dealing with two different configs.
I added exactly as above and I don't see it working.
I did a sh access-list and the hit count is 0 on both access lists.
Should the static be on the interface and not 63.200.204.46, since that is the public IP I am coming from and not the public IP on this pix?
Here is the config again.
pix# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pix
domain-name gotbalz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 63.200.204.46 eq www
access-list outside_in permit tcp any host 63.200.204.46 eq 3389
pager lines 24
logging on
icmp permit host 63.200.204.46 outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.50.1.3 255.255.255.0
ip audit name test attack action alarm drop
ip audit interface outside test
ip audit info action alarm
ip audit attack action alarm
pdm location 10.50.1.10 255.255.255.255 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 63.200.204.46 www 10.50.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 63.200.204.46 3389 10.50.1.11 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.50.1.10 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
10-31-2007 01:14 PM
Oh, yes the static needs to contain the public ip of either the pix or a public ip which is routed to the pix, NOT the ip you are coming from. Then you must also change the acl as well.
10-31-2007 01:20 PM
Hmmm, can you give me an example?
Thanks!
10-31-2007 01:22 PM
Ok, let's say you are going to use the outside interface of your pix. Then you would do...
access-list outside_in permit tcp any interface outside eq 80
access-list outside_in permit tcp any interface outside eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp interface 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.50.1.11 3389 netmask 255.255.255.255
Then you would rdp or www to whatever the outside interface is of the pix.
If you have some other address to use, let's say 1.1.1.1, then it would look like this...
access-list outside_in permit tcp any host 1.1.1.1 eq 80
access-list outside_in permit tcp any host 1.1.1.1 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 1.1.1.1 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 3389 10.50.1.11 3389 netmask 255.255.255.255
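The two mistakes this thread turns on (an outside ACL aimed at the inside host instead of the static's mapped address, and a static whose mapped and real ports differ) can be caught before pushing the config. The lint below is an added example in Python, not code from the thread or from Cisco; the sample lines are the poster's first attempt and the accepted fix, embedded as constructed input.

```python
import re

# Constructed samples: the poster's first attempt (ACL aimed at the inside
# host, static mapping outside port 80 to inside 443) and the accepted fix.
SAMPLE_BROKEN = """
access-list outside_in permit tcp any host 10.50.1.10 eq 80
access-list outside_in permit tcp any host 10.50.1.10 eq 3389
static (inside,outside) tcp 63.200.204.45 80 10.50.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp 63.200.204.45 3389 10.50.1.10 443 netmask 255.255.255.255
"""
SAMPLE_FIXED = """
access-list outside_in permit tcp any interface outside eq 80
access-list outside_in permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 80 10.50.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.50.1.11 3389 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"^access-list \S+ permit tcp any (?:host (\S+)|(interface) outside) eq (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
PORT_NAMES = {"www": "80", "https": "443"}  # names PIX 6.3 substitutes in sh run

def port(p):
    return PORT_NAMES.get(p, p)

def lint_pix_port_forwards(config: str) -> list:
    """Check PIX 6.3 static/ACL pairs: on the outside ACL the destination must be
    the mapped (global) address of a static, and mapped/real ports should match."""
    statics, acls, findings = [], [], []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append((m.group(1), port(m.group(2)), m.group(3), port(m.group(4))))
            continue
        m = ACL_RE.match(line.strip())
        if m:
            acls.append((m.group(1) or m.group(2), port(m.group(3))))
    real_hosts = {s[2] for s in statics}
    mapped = {(s[0], s[1]) for s in statics}
    for addr, p in acls:
        if addr in real_hosts:
            findings.append(f"ACL permits real (inside) address {addr}; use the static's mapped address")
        elif (addr, p) not in mapped:
            findings.append(f"ACL permits {addr}:{p} but no static maps that address/port")
    for ma, mp, ra, rp in statics:
        if mp != rp:  # port redirection is legal, but here it was a typo (80 -> 443)
            findings.append(f"static maps {ma}:{mp} to {ra}:{rp}; mapped and real ports differ")
    return findings
```

It cannot tell whether a mapped address is really the PIX's public IP or a routed one rather than the remote client's IP (the last confusion in the thread), since that is not visible in the config itself.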
10-31-2007 01:26 PM
Dude, you are awesome. Thanks for your help.
10-31-2007 01:27 PM
Feel free to rate any helpful posts. Thanks, hope it works out!