PIX 501 port forwarding with activated EasyVPN

Answered Question
Jun 3rd, 2010

Hi Guys,

I have a small problem.

I am trying to forward some ports (i.e. 443, 3389, 81, 82) to different IPs.

This PIX is an EasyVPN server too.

When I try to add the port forwarding the way it is shown in many examples, it doesn't work.

I tried to add the following lines:

access-list ftpIn permit tcp any host 192.168.0.220 eq 21

static (inside,outside) 192.168.0.220 192.168.128.10 netmask 255.255.255.255 0 0

But this didn't work.

Am I doing something wrong, or do I have to do something different because of my EasyVPN server?

Here is my current config (without my forwarding tryouts):

kr01icr02(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name my.domain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.128.221-192.168.128.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain my.domain
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:975d44ea08daa7729391a1292ce0df8f
: end

Federico Coto F... Thu, 06/03/2010 - 10:28

Hi,

If you add this line:

static (inside,outside) 192.168.0.220 192.168.128.10 netmask 255.255.255.255 0 0

the VPN will stop working.

The reason is that 192.168.0.220 is the outside IP of the ASA; if you create the above statement, the VPN traffic will also be redirected to the internal 192.168.128.10.

What you should do to redirect some ports (443, 3389, etc.) is:

static (inside,outside) tcp 192.168.0.220 443 192.168.128.10 443

static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389

And so on...

You need ACLs as well to allow the traffic in.

Hope it helps.

Federico.

kristian.reukauff Thu, 06/03/2010 - 11:31

Okay, so if I understood you correctly, I have to run these commands to enable port forwarding for port 3389:

kr01icr02(config)# static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389
kr01icr02(config)# access-list rdpin permit tcp any host 192.168.0.220 eq 3389

So this config will be the result (for FTP and RDP), but it doesn't work when I try to connect to the FTP server or the RDP server.

kr01icr02(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name *****
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list rdpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.128.221-192.168.128.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain *****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:975d44ea08daa7729391a1292ce0df8f
: end

Federico Coto F... Thu, 06/03/2010 - 11:37

Yes,

But you don't have the ACL 101 applied.

You're missing this command:

access-group 101 in interface outside

Federico.

Federico Coto F... Thu, 06/03/2010 - 13:25

Ok, do the following test:

On the PIX:

sh access-list 101

Check if you're getting hitcounts on the ACL when you attempt to reach the server from the outside.

With this we will determine whether the traffic is reaching the PIX, to see where the problem is.

Federico.

kristian.reukauff Thu, 06/03/2010 - 13:35

OK, I checked it and the hitcnt does not increase.

It is still at 0.

This is how I try to connect to my "server" on the inside interface:

I have one machine in the 192.168.0.0/24 net.

From there I try to open an FTP connection. I do this by trying to open ftp://192.168.0.220; 192.168.0.220 is the outside interface of the PIX, which is reachable by ping. Same with the RDP connection.

I think there is no failure, or am I wrong?

Federico Coto F... Thu, 06/03/2010 - 14:17

The thing is that when you ping 192.168.0.220 you're pinging the PIX.

When you send an RDP or FTP request, the PIX will redirect it to the internal server.

You can access the internal RDP and FTP server via those protocols from a computer inside the PIX, correct?

If it does not work, please post the output of:

sh run static

sh run access-group

sh run access-list

Federico.

fabianalfaro Thu, 06/03/2010 - 14:56

I think the problem now is with the ACLs. You have ACL 101, but it is for the VPN and no NAT, as I see it configured. The ACLs that you created to allow RDP and FTP traffic are the following:

access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list rdpin permit tcp any host 192.168.0.220 eq 3389

The rules are OK, but they should have only one name, and then you apply it on the outside interface:

access-list ftp-rdp-in permit tcp any host 192.168.0.220 eq ftp
access-list ftp-rdp-in permit tcp any host 192.168.0.220 eq 3389

access-group ftp-rdp-in in interface outside

You could check the following: http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694


kristian.reukauff Sat, 06/05/2010 - 04:35

OK, I tried the changes you told me. But no change. When I try to connect to the FTP server or via RDP, nothing happens.

My settings are this:

access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1

I checked out the command reference, but as a beginner I think that everything is right.

Here are the outputs of
sh run static
sh run access-group
sh run access-list:


kr01icr02(config)# sh run static
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name *****
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.128.221-192.168.128.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain *****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:dfbfa204297e35f5a8da6fa77f5c4346
: end


kristian.reukauff Sat, 06/05/2010 - 04:56

I have to add something:

The counters at sh access-list ftpin and sh access-list 101 are increasing by 3 every time I try to connect.

kr01icr02(config)# sh access-list ftpin
access-list ftpin; 2 elements
access-list ftpin line 1 permit tcp any host 192.168.0.220 eq ftp (hitcnt=3)
access-list ftpin line 2 permit tcp any host 192.168.0.220 eq 3389 (hitcnt=9)
kr01icr02(config)# sh access-list 101
access-list 101; 2 elements
access-list 101 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=0)
access-list 101 line 2 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=12)
kr01icr02(config)#
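The hit-count test suggested above, done mechanically, as an added example that is not part of the original thread: the Python below parses two captures of `show access-list` from a PIX 6.3 and reports which lines were hit between them and by how much. The "before" capture is constructed (all counters at zero, as reported earlier in the thread); the "after" capture is the one posted above. Function names are assumptions of this example.

```python
"""
Added example, not from the original thread: compare two "show access-list"
captures from a PIX 6.3 and report per-line hit-count increases.  The
"before" capture below is constructed; the "after" capture is the thread's.
"""
import re
from typing import Dict, Tuple

# PIX 6.3 prints one rule per line as:
#   access-list NAME line N <rule text> (hitcnt=K)
_LINE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)\s*$")

Key = Tuple[str, int]  # (ACL name, line number)


def parse_hitcounts(capture: str) -> Dict[Key, Tuple[str, int]]:
    """Map (acl, line) -> (rule text, hit count); prompts and summaries are ignored."""
    out: Dict[Key, Tuple[str, int]] = {}
    for raw in capture.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            out[(m.group(1), int(m.group(2)))] = (m.group(3), int(m.group(4)))
    return out


def hit_deltas(before: str, after: str) -> Dict[Key, Tuple[str, int]]:
    """Lines whose counter increased between the two captures, with the increase."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    deltas: Dict[Key, Tuple[str, int]] = {}
    for key, (rule, count) in a.items():
        inc = count - b.get(key, (rule, 0))[1]
        if inc > 0:
            deltas[key] = (rule, inc)
    return deltas


# Constructed "before" capture: counters at zero, as reported earlier in the thread.
BEFORE = """\
kr01icr02(config)# sh access-list ftpin
access-list ftpin; 2 elements
access-list ftpin line 1 permit tcp any host 192.168.0.220 eq ftp (hitcnt=0)
access-list ftpin line 2 permit tcp any host 192.168.0.220 eq 3389 (hitcnt=0)
kr01icr02(config)# sh access-list 101
access-list 101; 2 elements
access-list 101 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=0)
access-list 101 line 2 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0)
"""

# The capture posted in the thread after the FTP and RDP attempts.
AFTER = """\
kr01icr02(config)# sh access-list ftpin
access-list ftpin; 2 elements
access-list ftpin line 1 permit tcp any host 192.168.0.220 eq ftp (hitcnt=3)
access-list ftpin line 2 permit tcp any host 192.168.0.220 eq 3389 (hitcnt=9)
kr01icr02(config)# sh access-list 101
access-list 101; 2 elements
access-list 101 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=0)
access-list 101 line 2 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=12)
kr01icr02(config)#
"""

if __name__ == "__main__":
    for (acl, line), (rule, inc) in sorted(hit_deltas(BEFORE, AFTER).items()):
        print(f"+{inc:<3} {acl} line {line}: {rule}")
```

Read against the thread's numbers: ftpin permitted 3 FTP and 9 RDP attempts, and ACL 101 line 2 (the list bound to both `nat (inside) 0` and `split-tunnel`) moved by exactly 12. Every permitted inbound connection was therefore also matched against the NAT-exemption entry for 192.168.128.0/24 to 192.168.0.0/24, which is the entry the accepted answer removes.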

Jennifer Halim Sat, 06/05/2010 - 05:16

Please remove the following 2 static configurations:

static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0

It should be changed to the following:

static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0

Then "clear xlate" after the above changes. It should work after that.

kristian.reukauff Sat, 06/05/2010 - 06:02

It does not work.

The counter still increases, but there is no connection to the system on the inside interface.

I also entered the clear xlate command.

When I connect the system on the inside interface directly to my network, I am able to connect, so that should not be the problem.

kr01icr02# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name ***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.129.221-192.168.129.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain ***
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:d9b3a67e97400d326ab47c322cda2eba
: end
kr01icr02#

Jennifer Halim Sat, 06/05/2010 - 06:15

Can you please confirm that your inside host does not have a personal firewall that might be blocking inbound connections from the outside? I would suggest that you test disabling the personal firewall, if any, on the internal host.

kristian.reukauff Sat, 06/05/2010 - 06:55

Nothing is enabled.

If I plug the system "192.168.128.10" directly into my network 192.168.0.0/24 and give it an IP in that range, I am able to connect to the FTP server and connect via RDP. So there are no problems with the connection.

No anti-virus program is installed, Windows Firewall is disabled. System "192.168.128.10" is Win7.

Correct Answer
Jennifer Halim Sat, 06/05/2010 - 07:00

Are you connecting from the 192.168.0.0/24 network?

If you are, please remove the following:

access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0

Move the system back to 192.168.128.10.

Then "clear xlate" and "clear arp" and test the connection again.

kristian.reukauff Sat, 06/05/2010 - 07:05

Excellent!

I added this line for future use and didn't realize that it would cause this problem.

You're brilliant.

Thanks for everything. You are a pretty good member of this community. Thanks for the quick support!
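The root cause behind the accepted answer, as an added example that is not part of the original thread: in the PIX 6.3 order of NAT commands used to match local addresses, NAT exemption (`nat (inside) 0 access-list ...`) is checked before `static` entries, so an inside host covered by an exemption line is not translated toward that line's destination network, and a static PAT for that host is silently skipped for peers there. Because ACL 101 is bound to both `nat (inside) 0` and `vpngroup mygroup split-tunnel`, the `192.168.0.0/24` line added "for future use" also exempted 192.168.128.10 from NAT toward the very network the test client was on. The Python below is a checker written for this thread (its function names, the sample client address 192.168.0.50 and the trimmed config texts are constructed here): it parses the relevant lines of a PIX 6.3 configuration and reports the statics a given outside client cannot use because of such an overlap, once against the failing configuration and once against the accepted fix.

```python
"""
Added example, not part of the original thread: find "static" entries that a
PIX 6.3 will not apply for a given outside client because the same real host
is also covered by the NAT-exemption ACL ("nat (inside) 0 access-list ..."),
which is matched before statics.  Names and sample addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def _net(addr: str, mask: str) -> Net:
    """PIX ACLs and statics give (address, subnet mask) pairs, not CIDR."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _endpoint(t: List[str], i: int) -> Tuple[Net, int]:
    """Parse 'any', 'host A' or 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return _net(t[i], t[i + 1]), i + 2


def _static(t: List[str], raw: str) -> dict:
    """Parse 'static (in,out) [tcp|udp] GLOBAL [gport] LOCAL [lport] [netmask M] ...'."""
    in_if, out_if = t[1].strip("()").split(",")
    local = t[5] if t[2] in ("tcp", "udp") else t[3]
    mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
    return {"line": raw.strip(), "in_if": in_if, "out_if": out_if,
            "real": _net(local, mask)}


def parse_config(text: str) -> dict:
    """Collect the ACL lines, nat-0 bindings and statics that a NAT decision depends on."""
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    nat0: Dict[str, str] = {}  # inside interface -> exemption ACL name
    statics: List[dict] = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) > 5 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _endpoint(t, 4)
            dst, _ = _endpoint(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif t and t[0] == "static":
            statics.append(_static(t, raw))
    return {"acls": acls, "nat0": nat0, "statics": statics}


def shadowed_statics(config_text: str, client: str) -> List[str]:
    """Statics that will not apply to traffic between CLIENT (outside) and the real host."""
    cfg = parse_config(config_text)
    peer = ipaddress.ip_address(client)
    findings: List[str] = []
    for st in cfg["statics"]:
        acl = cfg["nat0"].get(st["in_if"])
        for src, dst in cfg["acls"].get(acl, []):
            # The exemption wins when the real host is inside the exempted source
            # network and the outside peer is inside that line's destination network.
            if st["real"].overlaps(src) and peer in dst:
                findings.append(f"{st['line']}  <- bypassed by nat 0 access-list "
                                f"{acl} ({src} -> {dst})")
                break
    return findings


# Relevant lines of the configuration posted in the thread (the failing state).
BROKEN = """
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list 101
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
vpngroup mygroup split-tunnel 101
"""

# The same lines after the accepted fix: the 192.168.0.0/24 entry is gone from ACL 101.
FIXED = """
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
nat (inside) 0 access-list 101
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
vpngroup mygroup split-tunnel 101
"""

if __name__ == "__main__":
    # Constructed test client on the outside network, as in the thread.
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: {shadowed_statics(cfg, '192.168.0.50') or 'no shadowed statics'}")
```

The checker only looks at overlap between the exemption list and statics; it does not judge the rest of the policy. As a design point, binding one ACL to both `nat 0` and `split-tunnel` (as this configuration does) means any future entry added to steer VPN clients also widens the NAT exemption; keeping the two lists separate is the usual way to avoid a repeat of this problem, and the checker would report nothing for either layout as long as the exemption list does not name the outside client network.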
