
New Member

Static Port Forwarding

I am trying to set up static single (1) and range (2) port forwarding on PIX 506E device using the following commands; however it is not working. What am I missing?

Single Port Forwarding

1. static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255

access-list PCA permit tcp any host 24.172.x.x eq 5631

access-group PCA in interface outside

Port Range Forwarding

2. object-group service pearl_echo_tcp tcp

port-object range 57345 57370

access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp

12 REPLIES
Cisco Employee

Re: Static Port Forwarding

Looks good to me. Can you make sure you do not have any inbound ACL on the inside interface?

Also, try doing a telnet to the 24.x.x.x IP on port 5631 from outside. Does that work?

-Kanishka

New Member

Re: Static Port Forwarding

How can I see if I have any inbound ACL on inside interface?

Silver

Re: Static Port Forwarding

static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255

The static command above looks fine. However, looking at port no. 5631, are you trying to pass PCAnywhere through PIX? If so, you also need to open port 5632 (UDP).

static (inside,outside) udp 24.172.x.x 5632 192.168.1.215 5632 netmask 255.255.255.255

On the access-list applied to the outside interface in the inbound direction, you need to have the following lines:

access-list PE permit tcp any host 24.172.x.x eq 5631

access-list PE permit udp any host 24.172.x.x eq 5632

----

object-group service pearl_echo_tcp tcp

port-object range 57345 57370

access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp

----

What is the requirement of the above commands? If you need to allow inbound access to 24.172.x.x on ports 57345-57370, we will need to add an individual static command for each port.

I hope this helps.

Regards,

Vibhor

New Member

Re: Static Port Forwarding

Yes, I am trying to pass PC Anywhere traffic through PIX and I have ports 5631, 5632 open for both TCP and UDP.

Silver

Re: Static Port Forwarding

You can check if there is any access-list applied on the inside interface using the following command:

show access-group

If you see any access-group on inside interface, that access-list is applied on inside interface of PIX.

To allow pcAnywhere through PIX, as I mentioned earlier, you only need to redirect the following ports from the public IP to the internal IP:

5631(tcp) & 5632(udp)

Assuming that public IP is -- public

and private IP is -- private

The following commands are required:

static (inside,outside) tcp public 5631 private 5631

static (inside,outside) udp public 5632 private 5632

access-list 101 permit tcp any host public eq 5631

access-list 101 permit udp any host public eq 5632

access-group 101 in interface outside

Let me know if this helps.

Regards,

Vibhor.

New Member

Re: Static Port Forwarding

This is the only listing

access-group outside_access_in in interface outside.

It is still not working even after I recreated the commands. It is telling me that a duplicate entry exists.

Can I configure it through PIX device manager by using access rules and translation rules? GUI makes it a little easier.

Thanks,

Silver

Re: Static Port Forwarding

Could you provide the output of the following commands:

show static

show access-list

show access-group

New Member

Re: Static Port Forwarding

Interestingly enough show static and show access-group did not show any entries. I got all my access list displayed when using show access-list command.

I ended up creating all static entries through PIX device manager and now all statics are displayed and working properly; however show access-group displays only the list access-group I created. Any reason why?

Cisco Employee

Re: Static Port Forwarding

Hi,

"sh access-group" will only show you the access-group and the interface it's applied to.

If you want to check the entries in the access-list, you need to do a "sh access-list".

Sh static should show all the statics, if there are any. I'm not sure why it's not displaying that.

-Kanishka

Green

Re: Static Port Forwarding

It's

show run access-group

show run static

Cisco Employee

Re: Static Port Forwarding

That is the command for 7.X code.

It's a PIX 506E.

-Kanishka

New Member

Re: Static Port Forwarding

Possible to do port forward on PPTP tunnel? As it only accepts TCP or UDP, if I have a server behind the firewall that needs to terminate PPTP sessions, and I only have one public IP... what should I do?

Thanks in advance.

Leo
