Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
954
Views
0
Helpful
3
Replies

Port fowarding Cisco PIX 506E

Gilgameshan
Level 1
Level 1

‎10-07-2007 03:25 PM - edited ‎03-11-2019 04:22 AM

Hello

I wan't opening up Port: 80, 8000, 8080 to internal 192.168.0.7 on the inside from the outside. It's to a DVR.

It's a Cisco PIX 506E.

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ********** encrypted

passwd ********** encrypted

hostname CiscoPIX2

domain-name **********.local

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.1.0 Hassleholm

name 192.168.0.7 Kamera

object-group service Kamera tcp-udp

port-object range 8000 8000

port-object range 8080 8080

port-object range www www

access-list VPNClients_splitTunnelAcl permit ip any any

access-list inside_outbound_nat0_acl permit ip any 192.168.0.96 255.255.255.224

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 Hassleholm 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.96 255.255.255.224

access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 Hassleholm 255.255.255.0

access-list Kamera permit tcp any interface outside object-group Kamera

pager lines 24

logging on

logging timestamp

logging console warnings

logging monitor warnings

logging buffered warnings

logging trap warnings

logging host inside 192.168.0.5

mtu outside 1500

mtu inside 1500

ip address outside ********** **********ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN 192.168.0.100-192.168.0.119

pdm location 192.168.0.5 255.255.255.255 inside

pdm location 192.168.0.0 255.255.255.0 inside

pdm location Hassleholm 255.255.255.0 inside

pdm location Hassleholm 255.255.255.0 outside

pdm location Kamera 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.255 inside

pdm logging warnings 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www Kamera www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8080 Kamera 8080 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8000 Kamera 8000 netmask 255.255.255.255 0 0

static (inside,outside) udp interface www Kamera www netmask 255.255.255.255 0 0

static (inside,outside) udp interface 8080 Kamera 8080 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 8000 Kamera 8000 netmask 255.255.255.255 0 0

access-group Kamera in interface outside

route outside 0.0.0.0 0.0.0.0 ********** 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http Hassleholm 255.255.255.0 inside

http 192.168.0.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

Labels:
0 Helpful
3 Replies 3

JORGE RODRIGUEZ
Level 10
Level 10

‎10-07-2007 04:42 PM

I would change kamera ACL with:

access-list outside_access_in permit tcp any interface outside object-group kamera

access-group outside_access_in in interface outside

or

access-list outside_access_in permit tcp any interface outside eq 80

access-list outside_access_in permit tcp any interface outside eq 8080

access-list outside_access_in permit tcp any interface outside eq 8000

access-group outside_in in interface outside

Jorge Rodriguez
0 Helpful

Gilgameshan
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎10-08-2007 04:54 AM

Hello, thanks for the post.

I'am tied the first option you gave me. It dosen't work

I run sh access-list.

access-list outside_access_in; 3 elements

access-list outside_access_in line 1 permit tcp any interface outside object-group Kamera

access-list outside_access_in line 1 permit tcp any interface outside range 8000 8000 (hitcnt=0)

access-list outside_access_in line 1 permit tcp any interface outside range 8080 8080 (hitcnt=0)

access-list outside_access_in line 1 permit tcp any interface outside range www www (hitcnt=4)

//Thanks

Henrik

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to Gilgameshan

‎10-08-2007 10:35 AM

Henrik, it should have worked, is the internal server listening to these three tcp ports?

Looking at the port forwarding/redirect example the only thing I can think is using kamera local IP address in the static nat entries.

for sake of test could you use local ip .

static (inside,outside) tcp interface www 192.168.0.7 www netmask 255.255.255.255 0 0

http://www.cisco.com/warp/public/707/28.html#topic10

Jorge Rodriguez
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card