pix 501 - two questions

Answered Question
Nov 24th, 2007
Ok, I have a pix 501 and I have two questions. One is regarding NAT.

I have static ip cable internet with 5 statics. my range is xxx.xxx.xxx.192/29

usables 193-197; the Comcast gateway is .198

I have the address xxx.xxx.xxx.195 applied to the outside interface of the pix, and when I try to do a static using that address (port forwarding), it does not seem to work. If I static using 193, 194, 196, or 197, it works fine, but I cannot seem to get a successful inbound NAT on that IP. I am able to get this to work on my 1721 router. Also, are there issues trying to NAT outbound using the IP that's assigned to the outbound interface?


My other question applies to my 501 and 1721. Is there a way on either of these devices to set up a webvpn, like you can on the ASA, on a 501 or 1721, and if so, where's the best place to start?

JORGE RODRIGUEZ Sat, 11/24/2007 - 15:58

Hi Charles, actually you have three questions.


For your first question: when using the outside interface IP for port forwarding, this is the format. Say you need inbound http on inside address 10.10.10.2, and rdp 3389 on 10.10.10.3:


e.g


static (inside,outside) tcp x.x.x.195 80 10.10.10.2 80 log

static (inside,outside) tcp x.x.x.195 3389 10.10.10.3 3389 log

access-list outside_access_in permit tcp any host x.x.x.195 eq 80

access-list outside_access_in permit tcp any host x.x.x.195 eq 3389

access-group outside_access_in in interface outside


For the second question, PIX 501 on webvpn: if you were running code 7.x or later it would support webvpn; however, models 501, 506, 506E and 520 are not supported on 7.x code and therefore not upgradeable to these codes.


For the third question, 1721 WebVPN: I'm not familiar with the product, but based on the Cisco Software Advisor tools the 1721 does not support WebVPN.



Pls rate any helpful posts !

HTH

Jorge


ryancolson Sat, 11/24/2007 - 16:04

My access-lists are a little more open than that, basically allowing any traffic that's bound for certain ports. Do you need to explicitly tell it to allow traffic bound for the IP on the outside interface?


For example, I have a line in my inbound ACL

permit tcp any any eq 3389

if I wanted to accept connections on port 3389 on .195, would I have to add

permit tcp any xxx.xxx.xxx.195 3389?


Also, another unrelated question. I have my Catalyst 2924, 1721, and pix 501 authenticating against Cisco ACS 3.2. On the firewall, once you log in and try to enter enable mode, it prompts you for a password. On the router and switch, once you log in it puts you automatically into enable mode. Is this normal, and is there a way to change it so it still requires a password (even though it's the same), or make the pix automatically enter enable mode once you log in via ssh?

JORGE RODRIGUEZ Sat, 11/24/2007 - 16:23

For authentication, check the privilege level: if it is not 15 it will send you to the Exec device_Prompt#. It all has to do with the privilege access level configuration settings.



For the acl, any any means you're allowing any from outside to any from inside on port 3389, too wide open for port scanning. Be more granular on the acl, but for this particular scenario I would be more specific as you are redirecting tcp ports; try the script posted.



Pls rate any helpful posts !

HTH

Jorge

ryancolson Sat, 11/24/2007 - 17:43

I tried it and I still got no connection, nothing in the show xlate either. It works with any address except for the one that's assigned to the outside interface.


Also, regarding the aaa authorization, it's set to max privilege level 15 for PIX OS and IOS, and it's still the same behavior. I think I understand why on the router and switch it's jumping right to enable mode, but I don't understand on the pix why it's not.

JORGE RODRIGUEZ Sat, 11/24/2007 - 20:12

Double check my static example: did you add the netmask, as I missed it? If it still does not work, can you post the config, stripping public IP info.


e.g


static (inside,outside) tcp x.x.x.195 80 10.10.10.2 80 netmask 255.255.255.255


or


static (inside,outside) tcp interface 80 10.10.10.2 80 netmask 255.255.255.255



ryancolson Sat, 11/24/2007 - 20:15

the exact entry is

static (inside,outside) tcp xxx.xxx.xxx.195 3389 172.16.0.10 3389 netmask 255.255.255.255 0 0


should I not be putting 3389 in the second time?

Correct Answer
JORGE RODRIGUEZ Sat, 11/24/2007 - 20:34

Issue this command in global mode, not config mode: pix#clear local-host 172.16.0.10, to clear it from any external connections, then try connecting from outside to the outside ip address. If it still does not work, remove the static and re-enter the new static with the keyword interface as below. If none are successful, post the config.



remove

no static (inside,outside) tcp xxx.xxx.xxx.195 3389 172.16.0.10 3389 netmask 255.255.255.255


re-enter new static

static (inside,outside) tcp interface 3389 172.16.0.10 3389 netmask 255.255.255.255
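The full set of lines for port forwarding on the PIX's own outside-interface address, as an added example that is not part of the thread. It combines Jorge's "interface" keyword static (above) with the granular ACL he recommended instead of "permit tcp any any", in PIX 6.x syntax. The inside hosts 10.10.10.2 (http) and 10.10.10.3 (rdp) and the masked outside address x.x.x.195 are taken from his earlier example; 203.0.113.10 is a constructed placeholder for the one remote host allowed to reach RDP, and the "!" lines are annotations for the reader.

```cisco
! Added example, not from the thread. PIX 6.x port forwarding on the
! outside interface's own address, with a source-restricted inbound ACL.
!
! Static PAT on the outside interface address: the "interface" keyword
! stands in for the .195 address that is bound to the outside interface.
static (inside,outside) tcp interface 80 10.10.10.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.10.10.3 3389 netmask 255.255.255.255
!
! Inbound ACL: destination is the outside address, not "any". HTTP is
! open to everyone; RDP is limited to one trusted source host
! (203.0.113.10 is a constructed placeholder, substitute your own).
access-list outside_access_in permit tcp any host x.x.x.195 eq 80
access-list outside_access_in permit tcp host 203.0.113.10 host x.x.x.195 eq 3389
! Explicit final deny with logging so rejected probes show up in syslog.
access-list outside_access_in deny ip any any log
!
! The name here must match the access-list lines exactly (a typo such as
! "ouside_access_in" binds an empty list and silently drops everything).
access-group outside_access_in in interface outside
!
! Verification from privileged exec (pix#), after a test connection:
!   show xlate                  translation slots for 10.10.10.2 / 10.10.10.3
!   show conn                   active connections through the statics
!   show access-list            hit counts per ACL line
!   clear local-host 10.10.10.3 drop stale xlates/conns for that host
!                               (what Jorge suggests for 172.16.0.10 above)
```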


ryancolson Sat, 11/24/2007 - 20:46

I will try that. By the way, thanks a lot for your help, I do appreciate it.

ryancolson Sun, 11/25/2007 - 14:33

Hey, just wanted to say that worked! I was able to use the outside interface's IP. Just curious why it works like that. I have also had issues with PIX firewalls trying to have a port static inbound on the same address as your outbound internet connection.


Also, regarding the AAA and the pix requesting a password for enable mode and the router and switch not: is this normal, or is there something I can do on the pix to make it not ask as well? I have it set on TACACS to grant enable priv. level 15 for pix and IOS.

JORGE RODRIGUEZ Sun, 11/25/2007 - 19:21

I'm glad it worked, and thank you for the rating. That is the way PIX/ASA works for port forwarding using the outside interface.


On the AAA, I have not played much with ACS, but as far as internal AAA goes, as the ASA does it, it is simply setting the privilege levels 0-15, e.g. username JoeDoe password xxxx privilege X, where X if set to 0 will not send the user directly to global mode. But I'm not sure on ACS; try setting level 0 in ACS for the PIX. I suggest creating a separate thread and seeing if someone that has ACS experience using it with the pix can answer it.


Rgds

Jorge
