
Noob Forwarding Ports on a PIX 501 (6.3)

admin_2
Level 3

Hi all,

I've been trying to get internet access to two devices behind the PIX at the main office. The devices have static addresses of 192.168.0.20 and 192.168.0.5. These devices have built-in web interfaces that can be configured to use whichever port we like. I chose ports 8500 and 8510 respectively.

Here's what I have in the PIX for port 8500 (I'm doing one at a time):

access-list 102 permit tcp host 192.168.0.5 any eq 8500

static (inside,outside) tcp interface 8500 192.168.0.5 8500 netmask 255.255.255.255 0 0

access-group 102 in interface outside

Is this correct? Is this too much? Any holes here? Thanks in advance for the help.

-Nick

6 Replies

lajohnso
Level 1

You need to set up static translations and matching conduit statements to allow traffic through a PIX.

i.e.

Port specific static translation statement:

static (inside,outside) tcp <global_ip> 8500 192.168.0.5 8500 netmask 255.255.255.255 0 0

All protocol static translation statement:

static (inside,outside) <global_ip> <local_ip> netmask 255.255.255.255 0 0

Regardless they both need a corresponding conduit command to permit traffic.

conduit permit tcp host <global_ip> eq 8500 any

Hope that helps.

-Lance

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html

ejgonzalesiii
Level 1

Looks like you may have a problem with your access-list. The way I keep track of what address should be the source and which should be the destination is to imagine yourself inside the router. From that vantage point what is the source and destination of the packet coming towards your interface. Your access-list should be as follows:

access-list 102 permit tcp any interface outside eq 8500

By the looks of your commands, your outside interface is being assigned via DHCP by your ISP. If this is not correct then I would recommend using the actual IP address rather than using the command.

Thanks guys I will give that a try. I thought that the conduit command was deprecated. I am concerned about "tcp any". Can that be exploited?

-nick


Well, it didn't work. I removed the old bits from the configuration and started anew. Again, please excuse me if I seem ignorant. I have read the manuals and searched the net. I feel that this should work, but it doesn't. I know I'm missing something:

access-list 102 permit tcp any interface outside eq 8500

static (inside,outside) tcp 64.8.234.247 8500 192.168.0.5 8500 netmask 255.255.255.255 0 0

access-group 102 in interface outside

We have a static IP that is being NAT'd. Please let me know if this is correct. If it is, then something is up with the device itself, but at least I can rule out the firewall.

You're right, the conduit command is deprecated, but not until 6.4, so it should work.

You have not mentioned anything about your nat configuration. Try adding the following:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

This will configure the pix to translate any inside address to a global address depending on the best match. Which in your case should be the static command.

Check out:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1032129

Hope that helps

-Lance

Is your outside interface address 64.8.234.247? If it is not, then the access-list is incorrect. Your access-list should read as follows:

access-list 102 permit tcp any 64.8.234.247 255.255.255.255 eq 8500

Now as far as the any command, this is basically letting anyone on the internet have access to that port. If you only want specific users to access this port and you know their public IP addresses, then instead of using the any command you could provide those addresses. This should tighten down your security.
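Putting the thread's pieces together, here is a complete PIX 6.3 configuration for both devices, as an added example that is not from any of the posts above. It assumes 64.8.234.247 is the outside interface address (as stated in the thread) and uses 203.0.113.10 and 198.51.100.0/24 as made-up stand-ins for the public addresses that should be allowed to reach the web interfaces. It shows the wide-open access-list next to the restricted one, and the commands used to check that the translation and the access-list are actually being hit.

```text
! PIX 501 running 6.3. Added example, not the original poster's config.
! Assumed values: 64.8.234.247 = outside interface (from the thread);
! 203.0.113.10 and 198.51.100.0/24 = hypothetical admin source addresses.

! 1. Outbound PAT so the LAN can still reach the internet. Static
!    translations take precedence over nat/global for the addresses they cover,
!    so this does not interfere with the port forwards below.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! 2. Port-forward statics. In 6.3 the mapped (global) address and port come
!    first, then the real (inside) address and port. "interface" can replace
!    64.8.234.247 when the outside address is the one being shared.
static (inside,outside) tcp 64.8.234.247 8500 192.168.0.5 8500 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.8.234.247 8510 192.168.0.20 8510 netmask 255.255.255.255 0 0

! 3. Inbound access-list. On PIX 6.x the destination in the ACL is the
!    GLOBAL (translated) address, not 192.168.0.x.
!
!    Wide open: any host on the internet can reach the device web UIs.
!    access-list 102 permit tcp any host 64.8.234.247 eq 8500
!    access-list 102 permit tcp any host 64.8.234.247 eq 8510
!
!    Restricted: only the known management addresses.
access-list 102 permit tcp host 203.0.113.10 host 64.8.234.247 eq 8500
access-list 102 permit tcp host 203.0.113.10 host 64.8.234.247 eq 8510
access-list 102 permit tcp 198.51.100.0 255.255.255.0 host 64.8.234.247 eq 8500
access-list 102 permit tcp 198.51.100.0 255.255.255.0 host 64.8.234.247 eq 8510
! Everything else inbound on outside is dropped by the implicit deny.

! 4. Bind the access-list inbound on the outside interface. Use access-group
!    for this interface rather than conduit statements; do not mix the two.
access-group 102 in interface outside

! 5. Apply and verify. Clear existing translations after changing statics,
!    then check the static, the xlate table and the ACL hit counts while a
!    permitted host connects to port 8500.
clear xlate
write memory
show static
show xlate
show access-list 102
```

If `show access-list 102` shows hit counts climbing but the connection still fails, the firewall is passing the traffic and the problem is on the device (wrong listening port, default gateway not set to the PIX inside address, or a host firewall on the device). If the hit count stays at zero, the packet is not matching the ACL, which on 6.x almost always means the destination in the access-list is not the global address the static is using.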