Howto Forward Ports

cmorley
Level 1

Hi, I'm trying to forward ports on the firewall, but with my extremely limited knowledge of PIX firewalls I'm stuck.

The firewall (192.168.0.1) is connected to the core switch (192.168.0.2), the core switch routes to the other networks (users VLAN 192.168.2.x).

I would like to forward ports tcp 7111 and udp 55816 to host 192.168.2.200.

I would appreciate any advice or places to look on the net. If you have time, I would appreciate it if you could check the config which I have attached.

Many thanks for your time.

Chris

12 Replies

a.kiprawih
Level 7

Your config looks fine (static, route, etc.). But review the access-list entry, where I think you need to change the 2nd 'any' keyword to a specific IP, which in this case is 10.0.0.1 (the outside interface IP).

Existing:

access-list emule permit tcp any any eq 7111

access-list emule permit udp any any eq 55816

access-group emule in interface outside

New (change to):

access-list emule permit tcp any host 10.0.0.1 eq 7111

access-list emule permit udp any host 10.0.0.1 eq 55816

access-list emule deny ip any any

access-group emule in interface outside

HTH

AK

Hi, thanks for the reply. Sorry, but the above didn't work. I am telnetting into the firewall from the client machine (192.168.2.200) and it's fine, so I know it's not a routing issue.

Any ideas?

Thanks,

Chris

Hello,

Everything looks OK in this config. What's your source IP address normally going to be when trying to get to the outside interface and port forwarded?

--Jason

Hi, OK, I appreciate people saying the config is fine, but it doesn't work!!

The machine IP address I want the packets forwarded to is 192.168.2.200.

Sorry, I'm really confused!

TIA

Chris

Hi,

Make sure that 192.168.2.200 knows how to route packets back to the host initiating the connection outside the PIX.

Telnetting to the PIX from 192.168.2.200 proves that it knows how to get to the PIX's inside interface, but it might not know how to get back to the host initiating the connection. I think you could be having a routing issue here.

I hope it helps. Please rate if it does!!!

Thanks for the reply. The core switch to which the PIX is connected is on VLAN 1; I am on the users VLAN (VLAN 3). I can connect to machines internally no problem. I'll try and check it out.

john.stephens
Level 1

Chris,

If the routing check that you're doing doesn't fix it, then I recommend checking your translations. Yes, it looks right in the configuration; however, that doesn't mean that it's built correctly right now. Check it with this:

sh xlate detail | grep 192.168.2.200

Then, based on your nat (inside) 1 config, the 192.168.2.200 IP will pick up an IP in the global (outside) 1 range. I've seen plenty of times when you configure a new static, but it doesn't work until you clear out the old translations. If you haven't already done this, do a

clear xlate local 192.168.2.200

After you check the routing and the translations and it's still not working, then get into config mode and setup some logging with:

(config) logg buff 7

then while testing, do

sh logg | grep 192.168.2.200

If you get error messages and aren't sure what to do about them, just post them here.

Hope this helps, if so, please rate.

Hi, the plot thickens. I'm checking the ADSL router and (as you've guessed, I'm no expert), but by checking the config it seems it is NATting on the dialer interface?

I've attached the config file. The firewall (10.0.0.1) connects to the router (10.0.0.2), with the firewall NATting the internal network (192.168.x.x)... is it right for the router to NAT again?? Maybe the packets are stopping when they hit the ADSL router as it doesn't know where to send them?

Thanks,

Chris

Chris,

Basically, you are double NATting.

You are hiding the 192.168.x network behind the firewall IP address.

The router is hiding the 10.x network behind the router dialer interface.

If you're going to NAT like that, you need to port forward at both places - the router needs to forward the port to the firewall, and the firewall needs to route it to the host.

You appear to have the firewall configuration portion correctly done. On the router, do the following:

ip nat inside source static tcp 10.0.0.1 7111 interface Dialer0 7111

ip nat inside source static udp 10.0.0.1 55816 interface Dialer0 55816

That should forward the ports correctly. Make sure if you have access lists defined that this traffic is allowed on the router.

Also, you may want to consider taking NATting off the firewall - the router appears to know about the internal network and is pointing it back to the firewall anyway.

--Jason

Please rate this message if it solved some or all of your issue.
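A constructed end-to-end view of the double-NAT path discussed in this thread, added here as an example and not taken from Chris's attached configs or from any reply above. The PIX `static` lines (PIX 6.x port-redirection syntax), the router's existing overload rule, and the verification commands are assumptions; the addresses and ports are the ones from the thread.

```cisco
! --- Router (877), constructed example: forward both ports arriving on Dialer0 to the PIX outside address
ip nat inside source static tcp 10.0.0.1 7111 interface Dialer0 7111
ip nat inside source static udp 10.0.0.1 55816 interface Dialer0 55816
! Assumption: the existing overload rule that gives the 10.x network outbound access stays in place,
! e.g. "ip nat inside source list 1 interface Dialer0 overload"; the static entries above take priority for these two ports.

! --- PIX (6.x syntax assumed): port statics mapping the outside IP to the inside host
static (inside,outside) tcp 10.0.0.1 7111 192.168.2.200 7111 netmask 255.255.255.255 0 0
static (inside,outside) udp 10.0.0.1 55816 192.168.2.200 55816 netmask 255.255.255.255 0 0

! --- PIX ACL on the outside interface: only the two forwarded ports, explicit deny for everything else
access-list emule permit tcp any host 10.0.0.1 eq 7111
access-list emule permit udp any host 10.0.0.1 eq 55816
access-list emule deny ip any any
access-group emule in interface outside

! --- Verification, one hop at a time (run while a test connection is attempted from outside)
! Router: the two static entries should be listed; a live connection adds a matching dynamic line
show ip nat translations | include 10.0.0.1
! PIX: the translation for the inside host should be built, and the ACL hit counters should increment
show xlate detail | grep 192.168.2.200
show access-list emule
```

If the router shows no translation for the test connection, the packets never reached 10.0.0.1 and the problem is on the router or upstream; if the PIX xlate exists but the ACL hitcnt stays at zero, the traffic is arriving on a different destination address or port than the ACL expects.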

OK thanks, would you be kind enough, given my 877 router config from my previous posts, to recommend any commands to remove the NATting and make it work with the firewall? Sorry for my lack of knowledge.

TIA,

Chris

Hello,

You can't really remove the NATting on the router, or else your outbound connectivity won't work.

I'd just add the commands I put in above to get it working.

Thanks for the reply. I had a brainwave: couldn't I do a simple address translation, whereby 10.0.0.1 is translated to the public IP address, and any packets arriving at the interface (on any port) are translated back to 10.0.0.1... much like a default host on a DMZ, to which all packets are forwarded in case of not meeting any rules.

Would that be possible? If so, I think that would work.

Thanks very much for your time
