In a PAT bind

HOSTMASTER
Level 1

Hi,

We've been running our PIX for a while and have come across a vendor with a very specific way of connecting to an inside computer.

The vendor wants to use one external address and changing port number to attach to up to 40 internal computers. I've tried several commands but can't seem to get the connection through.

My real problem is that I cannot use the standard static and conduit as that shuts down all of the other traffic into the internal system and to open all of the ports necessary puts the internal system (not allowing several systems on the same address) at risk.

Here's what I have done so far.

global (outside) 1 69.x.x.79

static (outside,inside) tcp 10.x.x.1 10080 69.x.x.79 10080 netmask 255.255.255.255 0 0

static (outside,inside) udp 10.x.x.1 10080 69.x.x.79 10080 netmask 255.255.255.255 0 0

What am I missing?

Thanks

Steve

8 Replies

cpembleton
Level 4

Statics are just a bit off. Should be (inside, outside)

static (inside,outside) tcp 69.x.x.79 10080 10.x.x.1 10080 netmask 255.255.255.255 0 0

static (inside,outside) udp 69.x.x.79 10080 10.x.x.1 10080 netmask 255.255.255.255 0 0

You could also sub the IP 68.x.x.79 for Interface

Hope this helps.

Chad

Please rate if this helps.

That was my initial config, but the traffic is being initiated on the outside of the firewall...so I changed the flow.

By sub'ing the 69.x.x.79, you're referring to ?

I spoke with TAC briefly (not urgent case) and his instructions were to modify to read..

static (inside,outside) tcp interface 10080 10.x.x.1 10080

static (inside,outside) udp interface 10080 10.x.x.1 10080

Which still doesn't seem to help.

This is the correct syntax:

static (inside,outside) tcp interface 10080 10.x.x.1 10080

static (inside,outside) udp interface 10080 10.x.x.1 10080

Did you clear the Xlate table after making the change?

clear xlate

Do you have an ACL applied to inbound traffic on the outside interface allowing this traffic?

access-group ACL_Name in interface outside

If this doesn't help post your config.

Thanks,

Chad
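The reply above lists the three pieces a PIX 6.3 port redirection needs: the static with the global address and port first, a permit for the inbound traffic on the outside interface, and a clear xlate so the new static is used. The original post wants that repeated for up to 40 inside hosts behind one public address, so here is an added example (my code, not the thread's and not Cisco's) that builds and sanity-checks those lines for a whole table of ports. The addresses 192.0.2.79 and 192.0.2.2 stand in for the thread's 69.x.x.79 and 69.x.x.2, the 10.1.1.x hosts, the ACL name OUTSIDE_IN and the port table are constructed, and the use of access-list instead of conduit is a choice, not something the thread's config does.

```python
from ipaddress import ip_address, ip_network

# Constructed sample mapping: one public address, one distinct external
# port per internal host (the vendor's "one address, changing port" need).
# 192.0.2.79 stands in for the thread's 69.x.x.79, 192.0.2.2 for 69.x.x.2.
PUBLIC_IP = "192.0.2.79"
OUTSIDE_IF_IP = "192.0.2.2"
INSIDE_NET = ip_network("10.1.1.0/24")
PORT_MAP = [                          # (external port, inside host, inside port)
    (10080, "10.1.1.10", 10080),
    (10081, "10.1.1.11", 10080),
    (10082, "10.1.1.12", 10080),
]


def validate(port_map, inside_net):
    """Return a list of problems with the mapping; an empty list means it is usable."""
    errors = []
    ext_ports, targets = set(), set()
    for ext_port, host, local_port in port_map:
        for p in (ext_port, local_port):
            if not 1 <= p <= 65535:
                errors.append(f"port {p} out of range in {ext_port}->{host}:{local_port}")
        if ip_address(host) not in inside_net:
            errors.append(f"{host} is not in {inside_net}")
        if ext_port in ext_ports:
            # Two statics on the same global port would never both match.
            errors.append(f"external port {ext_port} mapped twice")
        if (host, local_port) in targets:
            errors.append(f"{host}:{local_port} redirected twice")
        ext_ports.add(ext_port)
        targets.add((host, local_port))
    return errors


def render(public_ip, outside_if_ip, port_map, proto="tcp",
           acl_name="OUTSIDE_IN", use_conduit=False):
    """Emit the static, permit and xlate lines for every mapping.

    Argument order follows the corrected form from the thread: global
    address and port first, then the local host and port.  When the public
    address is the outside interface's own address the 'interface' keyword
    is used instead of the literal IP.
    """
    on_interface = ip_address(public_ip) == ip_address(outside_if_ip)
    global_arg = "interface" if on_interface else public_ip
    lines = []
    for ext_port, host, local_port in port_map:
        lines.append(f"static (inside,outside) {proto} {global_arg} {ext_port} "
                     f"{host} {local_port} netmask 255.255.255.255 0 0")
    for ext_port, _, _ in port_map:
        if use_conduit:
            lines.append(f"conduit permit {proto} any host {public_ip} eq {ext_port}")
        else:
            lines.append(f"access-list {acl_name} permit {proto} any host {public_ip} eq {ext_port}")
    if not use_conduit:
        lines.append(f"access-group {acl_name} in interface outside")
    lines.append("clear xlate")   # existing translations keep the old behaviour until cleared
    return lines


if __name__ == "__main__":
    problems = validate(PORT_MAP, INSIDE_NET)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(render(PUBLIC_IP, OUTSIDE_IF_IP, PORT_MAP)))
```

Only one permit per external port is generated, so the inside hosts stay reachable on nothing but the redirected port, which is the exposure the original post was trying to avoid with a plain static.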

ok....Yes, I always clear xlate...I'm in IS, if you're invisible you're not appreciated..I clear xlate every once in a while to prove the computers are running and that the whole company depends on my department....bwhahahaha

The Cisco page does not reference ACLs, but I have tried to add conduit permit for the 10080 and the like...but no go. Thanks for the help Chad and the quick responses.

I've removed all reference to the PAT I need...here is the config (current) before trying to open this port inbound

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100basetx
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 state security80
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol https 443
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
no names
pager lines 24
logging on
logging trap notifications
logging facility 18
logging host inside x.x.x.x
no logging message 304001
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu state 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 69.x.x.2 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
ip address dmz x.x.x.1 255.255.255.0
ip address state x.x.x.1 255.255.255.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 5
failover ip address outside
failover ip address inside
failover ip address dmz
failover ip address state
no failover ip address intf4
no failover ip address intf5
failover link state
arp timeout 14400
global (outside) 10 69.x.x.80-69.x.x.249 netmask 255.255.255.0
global (outside) 10 69.x.x.250 netmask 255.255.255.0
global (outside) 1 69.x.x.79 netmask 255.255.255.0
global (dmz) 10 x.x.x.128-x.x.x.192 netmask 255.255.255.0
global (dmz) 10 x.x.x.26
nat (inside) 10 192.168.0.0 255.255.0.0 0 0
nat (inside) 10 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 10 x.x.x.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 69.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.250 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.x.x.x timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
floodguard enable
sysopt connection permit-ipsec
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
url-block url-mempool 1500
url-block url-size 4
url-block block 15
terminal width 511

I've removed a lot of stuff that works fine right now...mostly statics and conduits....better safe than sorry.

Steve

Forgot you were using conduits. ACLs replaced conduits in version 5.0. Conduits are no longer used in ver 7.0 and up. You may want to work on converting.

Here is a guide for converting.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/pixupgrd.htm#wp1030534

Port redirection requires the static statement, and ACL/Conduit permitting the traffic. If you have this then it should work. If you use the interface command in the static instead of the ip make sure you use the ip assigned to the outside interface not the global. Or use the IP from one of the globals.

Without seeing all the config it makes it difficult to see what the problem is. You may want to do some logging to determine what is actually preventing the traffic from being allowed. It could be another conduit statement.
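The suggestion above, to log and find out what is actually stopping the traffic, maps onto two distinct PIX syslog signals: a missing or reversed static produces a "No translation group found" message, while a missing conduit or ACL permit produces an inbound-denied message. Here is an added example (mine, not from the thread or from Cisco) that runs that triage over syslog lines for each redirected port. The message ids 302013, 302014, 305005, 106023 and 106001 are the standard PIX ids for connection built, teardown, no translation group, deny by access-group and inbound connection denied; the sample lines and the 192.0.2.x / 198.51.100.x / 10.1.1.x addresses are constructed.

```python
import re

# Constructed sample syslog lines in the shape the PIX emits.  192.0.2.79
# stands in for the thread's 69.x.x.79; 198.51.100.7 is the outside client.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/40512 (198.51.100.7/40512) to inside:10.1.1.10/10080 (192.0.2.79/10080)
%PIX-3-305005: No translation group found for tcp src outside:198.51.100.7/40513 dst inside:192.0.2.79/10081
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40514 dst inside:10.1.1.12/10082 by access-group "OUTSIDE_IN"
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40515 to 192.0.2.79/10083 flags SYN on interface outside
%PIX-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/40512 to inside:10.1.1.10/10080 duration 0:00:05 bytes 1280 TCP FINs
"""

MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")

# What each message id tells you about the redirection, keyed by id alone.
VERDICT = {
    "302013": "allowed: static and permit both in place",
    "305005": "no static matches this destination: fix or add the static",
    "106023": "dropped by the inbound ACL: add a permit for this port",
    "106001": "dropped inbound with no ACL/conduit permit: add a permit for this port",
}


def triage(line, dst_port):
    """Classify one syslog line for the given redirected port, or None if unrelated."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    endpoints = [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(m["text"])]
    if not any(port == dst_port for _, port in endpoints):
        return None                  # some other port; not what we are debugging
    verdict = VERDICT.get(m["id"])
    if verdict is None:
        return None                  # teardown and similar noise
    return {"id": m["id"], "severity": int(m["sev"]),
            "verdict": verdict, "endpoints": endpoints}


def summarize(log_text, ports):
    """Map each redirected port to the verdicts seen for it in the log."""
    result = {p: [] for p in ports}
    for line in log_text.splitlines():
        for p in ports:
            hit = triage(line, p)
            if hit:
                result[p].append(hit["verdict"])
    return result


if __name__ == "__main__":
    for port, verdicts in summarize(SAMPLE_LOG, [10080, 10081, 10082, 10083]).items():
        print(port, "->", verdicts or ["nothing logged for this port"])
```

One caveat against the posted config: logging trap notifications sends severity 5 and lower, so the level 6 "Built inbound TCP connection" message never reaches the syslog host. The denials (levels 2 to 4) do, so absence of any message for a port means the packet was either never seen on the outside interface or was allowed silently; raising the trap level to informational while testing removes that ambiguity.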

Thanks for the help. What more of my config do you need to see?

So I add the following to the config,

static (inside,outside) tcp 10.x.x.1 10080 69.x.x.79 10080 netmask 255.255.255.255 0 0

conduit permit tcp any host 69.x.x.79 eq 10080

The server does not see a packet from the pix....so??

Thanks again for the help.

Your IPs were reversed in the static.

Try this.

static (inside,outside) tcp 69.x.x.79 10080 10.x.x.1 10080 netmask 255.255.255.255 0 0

conduit permit tcp any host 69.x.x.79 eq 10080

Ok done...

still no luck......and no word from my TAC engineer.

Well at least they aren't getting in......
