Howto Forward Ports

Unanswered Question

Hi, I'm trying to forward ports on the firewall but with my extremely limited knowledge of PIX firewalls I'm stuck.


The firewall (192.168.0.1) is connected to the core switch (192.168.0.2), the core switch routes to the other networks (users VLAN 192.168.2.x).


I would like to forward ports tcp 7111 and udp 55816 to host 192.168.2.200.


I would appreciate any advice or places to look on the net. If you have time I would appreciate it if you could check the config which I have attached.


Many thanks for your time.


Chris



a.kiprawih Wed, 12/06/2006 - 05:57

Your config looks fine (static, route, etc). But review the access-list entry where I think you need to change the 2nd 'any' keyword to a specific IP, which in this case is 10.0.0.1 (outside interface IP).


Existing:

access-list emule permit tcp any any eq 7111

access-list emule permit udp any any eq 55816

access-group emule in interface outside


New (change to):

access-list emule permit tcp any host 10.0.0.1 eq 7111

access-list emule permit udp any host 10.0.0.1 eq 55816

access-list emule deny ip any any


access-group emule in interface outside



HTH

AK


jgervia_2 Wed, 12/06/2006 - 20:58

Hello,


Everything looks ok in this config. What's your source IP address normally going to be when trying to get to the outside interface and port forwarded?


--Jason

Fernando_Meza Thu, 12/07/2006 - 02:35

Hi,


Make sure that 192.168.2.200 knows how to route packets back to the host initiating the connection outside the PIX ..


Telnetting to the PIX from 192.168.2.200 proves that it knows how to get to the PIX's inside interface, but it might not know how to get back to the host initiating the connection .. I think you could be having a routing issue here



I hope it helps .. please rate if it does !!!




john.stephens Thu, 12/07/2006 - 06:01

Chris,


If the routing check that you're doing doesn't fix it, then I recommend checking your translations. Yes it looks right in the configuration, however that doesn't mean that it's built correctly right now. Check it with this:


sh xlate detail | grep 192.168.2.200


Then, based on your nat (inside) 1 config, the 192.168.2.200 IP will pick up an IP in the global (outside) 1 range. I've seen plenty of times when you configure a new static, but it doesn't work until you clear out the old translations. If you haven't already done this, do a


clear xlate local 192.168.2.200


After you check the routing and the translations and it's still not working, then get into config mode and setup some logging with:


(config) logg buff 7

then while testing, do

sh logg | grep 192.168.2.200


If you get error messages and aren't sure what to do about them, just post them here.


Hope this helps, if so, please rate.

Hi, the plot thickens. I'm checking the ADSL router and (as you've guessed I'm not an expert), but by checking the config it seems it is NATting on the dialer interface?


I've attached the config file. The firewall (10.0.0.1) connects to the router (10.0.0.2), with the firewall NATting the internal network (192.168.x.x)... is it right for the router to NAT again?? Maybe the packets are stopping when they hit the ADSL router as it doesn't know where to send them?


Thanks,


Chris



jgervia_2 Sun, 12/10/2006 - 13:16

Chris,


Basically, you are double natting.


You are hiding the 192.168.x network behind the firewall IP address.


The router is hiding the 10.x network behind the router dialer interface.


If you're going to nat like that, you need to port forward at both places - the router needs to forward the port to the firewall, and the firewall needs to route it to the host.


You appear to have the firewall configuration portion correctly done. On the router, do the following:


ip nat inside source static tcp 10.0.0.1 7111 interface Dialer0 7111

ip nat inside source static udp 10.0.0.1 55816 interface Dialer0 55816


That should forward the ports correctly. Make sure if you have access lists defined that this traffic is allowed on the router.


Also, you may want to consider taking natting off the firewall - the router appears to know about the internal network and is pointing it back to the firewall anyway.


--Jason


Please rate this message if it solved some or all of your issue.
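To see how Jason's two-hop forwarding chain above and AK's earlier ACL change fit together, here is an added Python model (not from the thread or its config attachments) that traces an inbound packet from the router's Dialer0 through the PIX to 192.168.2.200. The PIX 'static' lines are assumed, since the poster's attachment is not shown; the sample configs are constructed from the commands quoted in the thread.

```python
import re

# Constructed sample config for this thread's two-hop path (not the poster's
# attachment): the router static NAT lines from Jason's reply (udp for 55816),
# an assumed PIX 'static' pair, and the outside ACL from AK's reply.
ROUTER_CFG = """
ip nat inside source static tcp 10.0.0.1 7111 interface Dialer0 7111
ip nat inside source static udp 10.0.0.1 55816 interface Dialer0 55816
"""
PIX_CFG = """
static (inside,outside) tcp 10.0.0.1 7111 192.168.2.200 7111 netmask 255.255.255.255
static (inside,outside) udp 10.0.0.1 55816 192.168.2.200 55816 netmask 255.255.255.255
access-list emule permit tcp any host 10.0.0.1 eq 7111
access-list emule permit udp any host 10.0.0.1 eq 55816
access-list emule deny ip any any
access-group emule in interface outside
"""

ROUTER_NAT = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)")
PIX_STATIC = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
PIX_ACE = re.compile(r"access-list \S+ (permit|deny) (tcp|udp|ip) any (?:any|host (\S+))(?: eq (\d+))?")

def parse(cfg, pattern):
    """Return the capture groups of every config line matching pattern."""
    return [m.groups() for line in cfg.splitlines() if (m := pattern.match(line.strip()))]

def acl_permits(aces, proto, dst_ip, dst_port):
    """First-match evaluation of the outside ACL, with the implicit deny at the end."""
    for action, p, host, port in aces:
        if p in ("ip", proto) and host in (None, dst_ip) and port in (None, str(dst_port)):
            return action == "permit"
    return False

def trace_inbound(proto, port, router_cfg=ROUTER_CFG, pix_cfg=PIX_CFG):
    """Follow a packet arriving on Dialer0 to (host, port), or (None, reason) if dropped."""
    # Hop 1: the router's static NAT rewrites Dialer0:port to the PIX outside address.
    hop1 = [(ip, int(lp)) for p, ip, lp, gp in parse(router_cfg, ROUTER_NAT)
            if p == proto and int(gp) == port]
    if not hop1:
        return None, f"router has no static NAT for {proto}/{port}"
    pix_ip, pix_port = hop1[0]
    # Hop 2: a PIX 6.x outside ACL is matched on the outside (pre-translation) address.
    if not acl_permits(parse(pix_cfg, PIX_ACE), proto, pix_ip, pix_port):
        return None, f"PIX outside ACL denies {proto}/{pix_port} to {pix_ip}"
    # Hop 3: the PIX static maps the outside address/port to the inside host.
    hop2 = [(lip, int(lp)) for p, gip, gp, lip, lp in parse(pix_cfg, PIX_STATIC)
            if p == proto and gip == pix_ip and int(gp) == pix_port]
    return hop2[0] if hop2 else (None, f"PIX has no static for {proto}/{pix_port}")
```

Passing a router config whose 55816 entry says tcp instead of udp makes trace_inbound report the missing router NAT, which is the kind of mismatch that is easy to miss when the PIX side looks right.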

jgervia_2 Mon, 12/11/2006 - 11:40

Hello,


You can't really remove the natting on the router or else your outbound connectivity won't work.


I'd just add the commands I put in above to get it working.

Thanks for the reply. I had a brain wave, couldn't I do a simple address translation, whereby 10.0.0.1 is translated to the public IP address, and any packets arriving at the interface (on any port) are translated back to 10.0.0.1... much like a default host on a DMZ to which all packets are forwarded in case of not meeting any rules.


Would that be possible? If so i think that would work.


Thanks very much for your time
