Pix 501 port redirection and acl

scramer13
Level 1

I have a pix 501 and am needing to do some port forwarding. I have a DVR (being used for security cameras) it has an internal ip of 192.168.1.150. I need to have port forwarding setup for 3000 - 3007 and 8800. I used the following to do this:

static (inside,outside) tcp interface 3000 192.168.1.150 3000 netmask 255.255.255.255

static (inside,outside) tcp interface 3007 192.168.1.150 3007 netmask 255.255.255.255

static (inside,outside) tcp interface 8800 192.168.1.150 8800 netmask 255.255.255.255

I was told I also need to allow it in my ACL. I have no idea what that means?

10 Replies

acomiskey
Level 10

1.1.1.1 = pix outside interface address, change as needed.

access-list outside_in permit tcp any host 1.1.1.1 eq 3000

access-list outside_in permit tcp any host 1.1.1.1 eq 3007

access-list outside_in permit tcp any host 1.1.1.1 eq 8800

access-group outside_in in interface outside

OR

access-list outside_in permit tcp any interface outside eq 3000

access-list outside_in permit tcp any interface outside eq 3007

access-list outside_in permit tcp any interface outside eq 8800

access-group outside_in in interface outside

If you would like, you could also limit where the requests can come from like this (allow only from address 2.2.2.2)...

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 3000

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 3007

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 8800

access-group outside_in in interface outside

Please rate helpful posts.

I put in the top group of commands but I am still not able to access by program? Is there a way to test that these ports are opened correctly?

When you said "3000 - 3007", did you mean 3000 and 3007 or did you want 3000 through 3007?

You can do a "show access-list" and look for hits on the acl.

I meant 3000, 3001... etc. and I did put them all in. I will go do the hits and see what it says.

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list outside_in; 9 elements

access-list outside_in line 1 permit tcp any host xxx.xxx.xxx.xxx eq 3000 (hitcnt=0)

access-list outside_in line 2 permit tcp any host xxx.xxx.xxx.xxx eq 3001 (hitcnt=0)

access-list outside_in line 3 permit tcp any host xxx.xxx.xxx.xxx eq 3002 (hitcnt=0)

access-list outside_in line 4 permit tcp any host xxx.xxx.xxx.xxx eq 3003 (hitcnt=0)

access-list outside_in line 5 permit tcp any host xxx.xxx.xxx.xxx eq 3004 (hitcnt=0)

access-list outside_in line 6 permit tcp any host xxx.xxx.xxx.xxx eq 3005 (hitcnt=0)

access-list outside_in line 7 permit tcp any host xxx.xxx.xxx.xxx eq 3006 (hitcnt=0)

access-list outside_in line 8 permit tcp any host xxx.xxx.xxx.xxx eq 3007 (hitcnt=0)

access-list outside_in line 9 permit tcp any host xxx.xxx.xxx.xxx eq 8800 (hitcnt=0)

To me it looks as if it's not even getting a hit?

That would be correct. You are trying this access from outside the pix right?

Umm no. I am inside but in my DVR program I have the outside address.

That will not work on your pix 501. From the inside you will not be able to hit your outside address of xxx.xxx.xxx.xxx. You will need to use the inside address when you are inside the firewall, 192.168.1.150.

Your pix will not u-turn traffic in and out of the same interface.

It's working perfectly. Thanks for your help.

Glad it worked out.

Please rate helpful posts.
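The two checks this thread walks through (does every static have a matching permit in the ACL, and is the permit actually getting hits under "show access-list") can be automated. The following is an added example, not code from the thread or from Cisco; the static and show-output samples are constructed to mirror the thread, and 1.1.1.1 stands in for the outside interface address as in acomiskey's reply.

```python
import re

# Constructed sample input modelled on the thread: the static port-forwards the
# poster configured and a "show access-list" output in the PIX format shown above.
STATICS = """
static (inside,outside) tcp interface 3000 192.168.1.150 3000 netmask 255.255.255.255
static (inside,outside) tcp interface 3007 192.168.1.150 3007 netmask 255.255.255.255
static (inside,outside) tcp interface 8800 192.168.1.150 8800 netmask 255.255.255.255
"""

SHOW_ACL = """
access-list outside_in; 3 elements
access-list outside_in line 1 permit tcp any host 1.1.1.1 eq 3000 (hitcnt=0)
access-list outside_in line 2 permit tcp any host 1.1.1.1 eq 3007 (hitcnt=12)
access-list outside_in line 3 permit tcp any host 1.1.1.1 eq 8080 (hitcnt=3)
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) line (\d+) permit tcp \S+ .*? eq (\d+) \(hitcnt=(\d+)\)")


def forwarded_ports(statics):
    """Map each outside port in the static lines to (inside host, inside port)."""
    ports = {}
    for line in statics.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return ports


def acl_hits(show_output):
    """Map each TCP port permitted in 'show access-list' output to its hit count."""
    hits = {}
    for line in show_output.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            hits[int(m.group(3))] = int(m.group(4))
    return hits


def audit(statics, show_output):
    """Cross-check statics against the ACL the way the thread does by hand."""
    fwd = forwarded_ports(statics)
    hits = acl_hits(show_output)
    # A static with no permit line is the "allow it in your ACL" step the poster missed.
    missing = sorted(p for p in fwd if p not in hits)
    # A permit with hitcnt=0 means no packet from outside has matched yet
    # (in the thread: the poster was testing from inside, which the PIX will not u-turn).
    unhit = sorted(p for p, n in hits.items() if p in fwd and n == 0)
    # A permit with no static behind it is an unneeded hole on the outside interface.
    stale = sorted(p for p in hits if p not in fwd)
    return {"missing_acl": missing, "zero_hits": unhit, "acl_without_static": stale}
```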
