Cisco Support Community
Community Member

Pix 501 port redirection and acl

I have a pix 501 and am needing to do some port forwarding. I have a DVR (being used for security cameras) it has an internal ip of 192.168.1.150. I need to have port forwarding setup for 3000 - 3007 and 8800. I used the following to do this:

static (inside,outside) tcp interface 3000 192.168.1.150 3000 netmask 255.255.255.255

static (inside,outside) tcp interface 3007 192.168.1.150 3007 netmask 255.255.255.255

static (inside,outside) tcp interface 8800 192.168.1.150 8800 netmask 255.255.255.255

I was told I also need to allow in my acl. I have no idea what that means?

10 REPLIES
Green

Re: Pix 501 port redirection and acl

1.1.1.1 = pix outside interface address, change as needed.

access-list outside_in permit tcp any host 1.1.1.1 eq 3000

access-list outside_in permit tcp any host 1.1.1.1 eq 3007

access-list outside_in permit tcp any host 1.1.1.1 eq 8800

access-group outside_in in interface outside

OR

access-list outside_in permit tcp any interface outside eq 3000

access-list outside_in permit tcp any interface outside eq 3007

access-list outside_in permit tcp any interface outside eq 8800

access-group outside_in in interface outside

If you would like, you could also limit where the requests can come from like this (allow only from address 2.2.2.2)...

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 3000

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 3007

access-list outside_in permit tcp host 2.2.2.2 host 1.1.1.1 eq 8800

access-group outside_in in interface outside

Please rate helpful posts.

Community Member

Re: Pix 501 port redirection and acl

I put in the top group of commands but I am still not able to access by program? Is there a way to test that these ports are opened correctly?

Green

Re: Pix 501 port redirection and acl

When you said "3000 - 3007", did you mean 3000 and 3007 or did you want 3000 through 3007?

You can do a "show access-list" and look for hits on the acl.

Community Member

Re: Pix 501 port redirection and acl

I meant 3000 3001... etc and I did put them all in. I will go do the hits and see what it says.

Community Member

Re: Pix 501 port redirection and acl

Result of firewall command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list outside_in; 9 elements

access-list outside_in line 1 permit tcp any host xxx.xxx.xxx.xxx eq 3000 (hitcnt=0)

access-list outside_in line 2 permit tcp any host xxx.xxx.xxx.xxx eq 3001 (hitcnt=0)

access-list outside_in line 3 permit tcp any host xxx.xxx.xxx.xxx eq 3002 (hitcnt=0)

access-list outside_in line 4 permit tcp any host xxx.xxx.xxx.xxx eq 3003 (hitcnt=0)

access-list outside_in line 5 permit tcp any host xxx.xxx.xxx.xxx eq 3004 (hitcnt=0)

access-list outside_in line 6 permit tcp any host xxx.xxx.xxx.xxx eq 3005 (hitcnt=0)

access-list outside_in line 7 permit tcp any host xxx.xxx.xxx.xxx eq 3006 (hitcnt=0)

access-list outside_in line 8 permit tcp any host xxx.xxx.xxx.xxx eq 3007 (hitcnt=0)

access-list outside_in line 9 permit tcp any host xxx.xxx.xxx.xxx eq 8800 (hitcnt=0)

To me it looks as if it's not even getting a hit?
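The replies above do the cross-check by hand: every port-forwarding static needs a matching permit in the ACL bound inbound on the outside interface, and a permit whose hitcnt stays at 0 means the traffic never reached that rule. The script below automates that check. It is an added example and not part of the thread or of any Cisco tool; the config excerpt and the "show access-list" output it parses are constructed samples (outside address 1.1.1.1 and the extra "dvr_in" ACL are assumptions), and it only understands single-port statics and "eq" permits, not "range" keywords or object-groups.

```python
"""Cross-check PIX port-forwarding statics against ACL permits and hit counts."""
import re

# Constructed sample config in the style of the thread. The unbound "dvr_in"
# ACL and the outside address 1.1.1.1 are assumptions for the example.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 3000 192.168.1.150 3000 netmask 255.255.255.255
static (inside,outside) tcp interface 3001 192.168.1.150 3001 netmask 255.255.255.255
static (inside,outside) tcp interface 8800 192.168.1.150 8800 netmask 255.255.255.255
access-list outside_in permit tcp any host 1.1.1.1 eq 3000
access-list outside_in permit tcp any host 1.1.1.1 eq 3001
access-list outside_in permit tcp any host 1.1.1.1 eq 3002
access-list dvr_in permit tcp any host 1.1.1.1 eq 8800
access-group outside_in in interface outside
"""

# Constructed sample of "show access-list" output for the config above.
SAMPLE_SHOW = """
access-list outside_in; 3 elements
access-list outside_in line 1 permit tcp any host 1.1.1.1 eq 3000 (hitcnt=12)
access-list outside_in line 2 permit tcp any host 1.1.1.1 eq 3001 (hitcnt=0)
access-list outside_in line 3 permit tcp any host 1.1.1.1 eq 3002 (hitcnt=0)
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)"
)
ACL_RE = re.compile(r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) .+ eq (?P<port>\d+)$")
HIT_RE = re.compile(
    r"^access-list (?P<name>\S+) line \d+ permit (?P<proto>tcp|udp) .+ eq (?P<port>\d+) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")


def parse_config(config):
    """Return (statics, acls, bindings) from a running-config excerpt.

    statics:  {(proto, mapped_port): (real_ip, real_port)}
    acls:     {acl_name: {(proto, port), ...}}   only single-port 'eq' permits
    bindings: {acl_name: interface}              from access-group lines
    """
    statics, acls, bindings = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[(m["proto"], int(m["mapped_port"]))] = (m["real_ip"], int(m["real_port"]))
        elif m := ACL_RE.match(line):
            acls.setdefault(m["name"], set()).add((m["proto"], int(m["port"])))
        elif m := GROUP_RE.match(line):
            bindings[m["name"]] = m["iface"]
    return statics, acls, bindings


def parse_hits(show_output):
    """Return {(acl_name, proto, port): hitcnt} from 'show access-list' output."""
    hits = {}
    for raw in show_output.splitlines():
        if m := HIT_RE.match(raw.strip()):
            hits[(m["name"], m["proto"], int(m["port"]))] = int(m["hits"])
    return hits


def audit(config, show_output, outside_if="outside"):
    """Report the usual port-forwarding mistakes as sorted lists."""
    statics, acls, bindings = parse_config(config)
    hits = parse_hits(show_output)
    # Only permits in an ACL applied inbound on the outside interface count;
    # the ACL is matched on the mapped (outside) port, so it must equal the
    # port used in the static.
    inbound = {
        (name, proto, port)
        for name, iface in bindings.items() if iface == outside_if
        for proto, port in acls.get(name, set())
    }
    permitted = {(proto, port) for _, proto, port in inbound}
    return {
        "static_without_permit": sorted(set(statics) - permitted),
        "permit_without_static": sorted(permitted - set(statics)),
        "unbound_acls": sorted(set(acls) - set(bindings)),
        "permits_never_hit": sorted(
            (proto, port) for name, proto, port in inbound
            if hits.get((name, proto, port), 0) == 0
        ),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG, SAMPLE_SHOW).items():
        print(f"{finding}: {items}")
```

On the sample, port 8800 is reported as a static without a permit because its only permit sits in "dvr_in", which no access-group applies; 3002 is permitted but has no static; and 3001 and 3002 show zero hits, which is exactly the symptom in this thread when the test client is on the inside and never crosses the outside interface.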

Green

Re: Pix 501 port redirection and acl

That would be correct. You are trying this access from outside the pix right?

Community Member

Re: Pix 501 port redirection and acl

Umm no. I am inside but in my DVR program I have the outside address.

Green

Re: Pix 501 port redirection and acl

That will not work on your pix 501. From the inside you will not be able to hit your outside address of xxx.xxx.xxx.xxx. You will need to use the inside address when you are inside the firewall, 192.168.1.150.

Your pix will not u-turn traffic in and out of the same interface.

Community Member

Re: Pix 501 port redirection and acl

It's working perfectly. Thanks for your help.

Green

Re: Pix 501 port redirection and acl

Glad it worked out.

Please rate helpful posts.
