06-27-2007 05:31 AM - edited 03-11-2019 03:36 AM
I have a pix 501 and am needing to do some port forwarding. I have a DVR (being used for security cameras); it has an internal IP of 192.168.1.150. I need to have port forwarding set up for 3000 - 3007 and 8800. I used the following to do this:
static (inside,outside) tcp interface 3000 192.168.1.150 3000 netmask 255.255.255.255
static (inside,outside) tcp interface 3007 192.168.1.150 3007 netmask 255.255.255.255
static (inside,outside) tcp interface 8800 192.168.1.150 8800 netmask 255.255.255.255
I was told I also need to allow it in my acl. I have no idea what that means?
06-27-2007 05:41 AM
1.1.1.1 = pix outside interface address, change as needed.
access-list outside_in permit tcp any host 1.1.1.1 eq 3000
access-list outside_in permit tcp any host 1.1.1.1 eq 3007
access-list outside_in permit tcp any host 1.1.1.1 eq 8800
access-group outside_in in interface outside
OR
access-list outside_in permit tcp any interface outside eq 3000
access-list outside_in permit tcp any interface outside eq 3007
access-list outside_in permit tcp any interface outside eq 8800
access-group outside_in in interface outside
If you would like, you could also limit where the requests can come from like this (allow only from address 2.2.2.2)...
access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 3000
access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 3007
access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 8800
access-group outside_in in interface outside
Please rate helpful posts.
06-27-2007 06:03 AM
I put in the top group of commands but I am still not able to access it by program? Is there a way to test that these ports are opened correctly?
06-27-2007 06:05 AM
When you said "3000 - 3007", did you mean 3000 and 3007 or did you want 3000 through 3007?
You can do a "show access-list" and look for hits on the acl.
06-27-2007 06:12 AM
I meant 3000, 3001... etc. and I did put them all in. I will go do the hits and see what it says.
06-27-2007 06:55 AM
Result of firewall command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list outside_in; 9 elements
access-list outside_in line 1 permit tcp any host xxx.xxx.xxx.xxx eq 3000 (hitcnt=0)
access-list outside_in line 2 permit tcp any host xxx.xxx.xxx.xxx eq 3001 (hitcnt=0)
access-list outside_in line 3 permit tcp any host xxx.xxx.xxx.xxx eq 3002 (hitcnt=0)
access-list outside_in line 4 permit tcp any host xxx.xxx.xxx.xxx eq 3003 (hitcnt=0)
access-list outside_in line 5 permit tcp any host xxx.xxx.xxx.xxx eq 3004 (hitcnt=0)
access-list outside_in line 6 permit tcp any host xxx.xxx.xxx.xxx eq 3005 (hitcnt=0)
access-list outside_in line 7 permit tcp any host xxx.xxx.xxx.xxx eq 3006 (hitcnt=0)
access-list outside_in line 8 permit tcp any host xxx.xxx.xxx.xxx eq 3007 (hitcnt=0)
access-list outside_in line 9 permit tcp any host xxx.xxx.xxx.xxx eq 8800 (hitcnt=0)
To me it looks as if it's not even getting a hit??
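An added helper, not part of the thread, that parses "show access-list" output of this shape and reports, for each port you expect to be forwarded, whether a permit ACE exists and how many hits it has, so a zero-hit rule (the symptom above) stands out from a missing rule. The sample output is constructed from the paste above, trimmed to a few lines, with one hit count changed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the "show access-list" paste in the
# thread, with the hit count on line 2 altered so both outcomes appear.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list outside_in; 9 elements
access-list outside_in line 1 permit tcp any host xxx.xxx.xxx.xxx eq 3000 (hitcnt=0)
access-list outside_in line 2 permit tcp any host xxx.xxx.xxx.xxx eq 3001 (hitcnt=12)
access-list outside_in line 9 permit tcp any host xxx.xxx.xxx.xxx eq 8800 (hitcnt=0)
"""

# One ACE line:
# access-list <acl> line <n> <permit|deny> <proto> <src> <dst> eq <port> (hitcnt=<n>)
# <dst> is "host A.B.C.D", "interface <name>" or "any"; <src> is matched lazily.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>.+?) (?P<dst>host \S+|interface \S+|any) "
    r"eq (?P<port>\d+) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(output: str) -> List[Dict[str, str]]:
    """Return one dict per ACE line; header and summary lines are skipped."""
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(m.groupdict())
    return aces


def check_ports(output: str, acl: str, expected_ports: List[int]) -> Dict[int, Optional[int]]:
    """Map each expected TCP port to the hit count of its permit ACE in `acl`.

    None means no permit ACE for that port exists at all (a config gap);
    0 means the rule is there but no traffic has ever matched it, which is
    what the thread's output shows when the test is run from the inside.
    """
    hits: Dict[int, int] = {}
    for ace in parse_aces(output):
        if ace["acl"] == acl and ace["action"] == "permit" and ace["proto"] == "tcp":
            hits[int(ace["port"])] = int(ace["hits"])
    return {port: hits.get(port) for port in expected_ports}


if __name__ == "__main__":
    for port, count in check_ports(SAMPLE_OUTPUT, "outside_in", [3000, 3001, 3002, 8800]).items():
        print(port, "no permit rule" if count is None else f"hitcnt={count}")
```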
06-27-2007 06:59 AM
That would be correct. You are trying this access from outside the pix, right?
06-27-2007 07:15 AM
Umm no. I am inside but in my DVR program I have the outside address.
06-27-2007 07:17 AM
That will not work on your pix 501. From the inside you will not be able to hit your outside address of xxx.xxx.xxx.xxx. You will need to use the inside address when you are inside the firewall, 192.168.1.150.
Your pix will not u-turn traffic in and out of the same interface.
06-27-2007 07:59 AM
It's working perfectly. Thanks for your help.
06-27-2007 08:03 AM
Glad it worked out.
Please rate helpful posts.