Cisco Support Community
New Member

Pix 501 port forwarding

Hi everyone

First of all I have to say I know practically nothing about Cisco firewalls, but I need to temporarily configure an old Pix 501, port forwarding TCP 32976 (I need to test Neorouter software).
This Pix already has a port forward set for TCP 3389 to use Remote Desktop, so I have to be careful not to stop this service.

I paste a few lines to make it clear how the Pix is currently configured:

access-list (fromout) permit icmp any any
access-list (fromout) permit tcp any any eq 3389
access-list (inout) permit icmp any any
access-list (inout) permit ip 192.168.0.0 255.255.255.0 any
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0

static (inside,outside) tcp 10.77.2.76 3389 192.168.0.1 3389 netmask 255.255.255.255 0 0

access-group (fromout) in interface outside
access-group (inout) in interface inside

To open port 32976 I've added the following lines:

static (inside,outside) tcp 10.77.2.76 32976 192.168.0.1 32976 netmask 255.255.255.255 0 0
access-list (fromout) permit tcp any any eq 32976 

I didn't add an access-group line because the (fromout) group is already active, and I did not give the command "write mem" because I believe that I can test the Pix anyway and then, after restarting the Pix, it returns to the normal function it had before the changes.

To test if the port is correctly opened I go here: http://www.neorouter.com/checkport.php? and I see that port 32976 doesn't pass the test, but even port 3389, which was passing the test before, doesn't pass this test either.

Could you tell me where I'm wrong and how to open the 32976 port correctly?

Thanks to all

Dario

  • Firewalling
9 REPLIES
New Member

It seems to be necessary to open the port on the ACL also:

access-list (fromout) permit tcp any any eq 32976 
New Member

Thank you for the answer, but I already configured the Pix with the following lines without any profit.

Am I missing something?

static (inside,outside) tcp 10.77.2.76 32976 192.168.0.1 32976 netmask 255.255.255.255 0 0
access-list (fromout) permit tcp any any eq 32976 

New Member

If possible, could you please attach all related configs: IP addresses, routes, ACLs, statics.

The outside address 10.77.2.76 is a private address; you may have an Internet gateway that is configured with NAT port forwarding. Have you checked the NAT rules there also?

New Member

In the attachment there is the complete configuration of the Pix that is now running with port 3389 opened for Remote Desktop, so I guess the NAT rules are right.

New Member

Looks OK for port 3389. A variation could be:

static (inside,outside) tcp interface 3389 192.168.0.1 3389 netmask 255.255.255.255 0 0 
New Member

Port 3389 is correctly open. I tried to open 32976, applying the command you gave me for port 3389, with the following commands, but it's still not opened:

static (inside,outside) tcp interface 32976 192.168.0.1 32976 netmask 255.255.255.255 0 0

access-list (fromout) permit tcp any any eq 32976

New Member

There is probably a gateway doing NAT on the outside interface of the PIX.

Port forwarding rules might be necessary there.

New Member

On the outside interface there is only the optic fiber adapter that, I believe, has no NAT rules.

Anyway I'll try to speak with the provider just to be sure, and finally I'll post the answer.

Thanks

New Member

Excuse my late answer, but at last I found where the issue was.

I configured the Pix with the following lines:

static (inside,outside) tcp 10.77.2.76 32976 192.168.0.1 32976 netmask 255.255.255.255 0 0
access-list (fromout) permit tcp any any eq 32976 

as I did from the beginning, but I didn't realize that port 32976 wasn't correctly listening on the server because of a defective installation of the software and its virtual LAN.

Now all is working and I thank you all.

Dario
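The thread turns on two separate checks: whether the PIX actually exposes a port (a `static` plus a matching `permit` in the ACL bound inbound on the outside interface) and whether the host behind it is listening at all. The following audit script is an added example, not code from the thread or from Cisco; it parses the `static`, `access-list` and `access-group` lines in the PIX 6.x syntax quoted above (the sample config is constructed from those lines) and reports which forwards are reachable from the outside and which are silently dropped by the ACL. It cannot see the thread's real root cause, a service not listening on the server; that needs a check on the host itself.

```python
import re

# Constructed sample: the PIX 501 lines quoted in the thread, with both statics.
SAMPLE_CONFIG = """
access-list (fromout) permit icmp any any
access-list (fromout) permit tcp any any eq 3389
access-list (fromout) permit tcp any any eq 32976
access-list (inout) permit icmp any any
access-list (inout) permit ip 192.168.0.0 255.255.255.0 any
static (inside,outside) tcp 10.77.2.76 3389 192.168.0.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.77.2.76 32976 192.168.0.1 32976 netmask 255.255.255.255 0 0
access-group (fromout) in interface outside
access-group (inout) in interface inside
"""

# static (real,mapped) tcp|udp <global addr or "interface"> <gport> <local addr> <lport> ...
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gaddr>\S+) (?P<gport>\d+) (?P<laddr>\S+) (?P<lport>\d+)")
# Only "permit tcp|udp <src> <dst> eq <port>" entries matter for a port forward;
# src/dst may be "any", "host X" or "net mask" (two tokens).
ADDR = r"(?:any|host \S+|\S+ \S+)"
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) {ADDR} {ADDR} eq (?P<port>\d+)")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")


def audit_forwards(config: str) -> dict:
    """Return {'exposed': [...], 'unreachable': [...]} tuples of
    (proto, global port, local addr, local port) for every static."""
    statics, acl_ports, groups = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acl_ports.setdefault(m["name"], set()).add((m["proto"], int(m["port"])))
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    result = {"exposed": [], "unreachable": []}
    for s in statics:
        # The ACL that gates the forward is the one applied "in" on the mapped interface.
        acl = groups.get(s["mapped"])
        permitted = (s["proto"], int(s["gport"])) in acl_ports.get(acl, set())
        entry = (s["proto"], int(s["gport"]), s["laddr"], int(s["lport"]))
        result["exposed" if permitted else "unreachable"].append(entry)
    return result


if __name__ == "__main__":
    for kind, entries in audit_forwards(SAMPLE_CONFIG).items():
        print(kind, entries)
```

Removing the `eq 32976` permit line from the sample reproduces the first configuration in the thread, where the static exists but the ACL still drops the traffic.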
