06-08-2006 05:42 AM - edited 03-09-2019 03:10 PM
Hi,
We've been running our PIX for a while and have come across a vendor with a very specific way of connecting to an inside computer.
The vendor wants to use one external address and a changing port number to attach to up to 40 internal computers. I've tried several commands but can't seem to get the connection through.
My real problem is that I cannot use the standard static and conduit as that shuts down all of the other traffic into the internal system and to open all of the ports necessary puts the internal system (not allowing several systems on the same address) at risk.
Here's what I have done so far.
global (outside) 1 69.x.x.79
static (outside,inside) tcp 10.x.x.1 10080 69.x.x.79 10080 netmask 255.255.255.255 0 0
static (outside,inside) udp 10.x.x.1 10080 69.x.x.79 10080 netmask 255.255.255.255 0 0
What am I missing?
Thanks
Steve
06-08-2006 06:20 AM
Statics are just a bit off. Should be (inside,outside)
static (inside,outside) tcp 69.x.x.79 10080 10.x.x.1 10080 netmask 255.255.255.255 0 0
static (inside,outside) udp 69.x.x.79 10080 10.x.x.1 10080 netmask 255.255.255.255 0 0
You could also sub the ip 68.x.x.79 for Interface
Hope this helps.
Chad
Please rate if this helps.
06-08-2006 01:01 PM
That was my initial config, but the traffic is being initiated on the outside of the firewall...so I changed the flow.
By sub'ing the 69.x.x.79, you're referring to ?
I spoke with TAC briefly (not urgent case) and his instructions were to modify to read..
static (inside,outside) tcp interface 10080 10.x.x.1 10080
static (inside,outside) udp interface 10080 10.x.x.1 10080
Which still doesn't seem to help.
06-08-2006 01:22 PM
This is the correct syntax:
static (inside,outside) tcp interface 10080 10.x.x.1 10080
static (inside,outside) udp interface 10080 10.x.x.1 10080
Did you clear the Xlate table after making the change?
clear xlate
Do you have an ACL applied to inbound traffic on the outside interface allowing this traffic?
access-group ACL_Name in interface outside
If this doesn't help post your config.
Thanks,
Chad
06-08-2006 04:19 PM
ok....Yes, I always clear xlate...I'm in IS, if you're invisible you're not appreciated..I clear xlate every once in a while to prove the computers are running and that the whole company depends on my department....bwhahahaha
The Cisco page does not reference ACLs, but I have tried to add conduit permit for the 10080 and the like...but no go. Thanks for the help Chad and the quick responses.
I've removed all reference to the PAT I need...here is the config (current) before trying to open this port inbound
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100basetx
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 state security80
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol https 443
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
no names
pager lines 24
logging on
logging trap notifications
logging facility 18
logging host inside x.x.x.x
no logging message 304001
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu state 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 69.x.x.2 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
ip address dmz x.x.x.1 255.255.255.0
ip address state x.x.x.1 255.255.255.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 5
failover ip address outside
failover ip address inside
failover ip address dmz
failover ip address state
no failover ip address intf4
no failover ip address intf5
failover link state
arp timeout 14400
global (outside) 10 69.x.x.80-69.x.x.249 netmask 255.255.255.0
global (outside) 10 69.x.x.250 netmask 255.255.255.0
global (outside) 1 69.x.x.79 netmask 255.255.255.0
global (dmz) 10 x.x.x.128-x.x.x.192 netmask 255.255.255.0
global (dmz) 10 x.x.x.26
nat (inside) 10 192.168.0.0 255.255.0.0 0 0
nat (inside) 10 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 10 x.x.x.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 69.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.250 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.x.x.x timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
floodguard enable
sysopt connection permit-ipsec
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
url-block url-mempool 1500
url-block url-size 4
url-block block 15
terminal width 511
I've removed a lot of stuff that works fine right now...mostly statics and conduits....better safe than sorry.
Steve
06-09-2006 01:59 AM
Forgot you were using conduits. ACLs replaced conduits in version 5.0. Conduits are no longer used in ver 7.0 and up. You may want to work on converting.
Here is a guide for converting.
Port redirection requires the static statement, and an ACL/conduit permitting the traffic. If you have this then it should work. If you use the interface command in the static instead of the IP, make sure you use the IP assigned to the outside interface, not the global. Or use the IP from one of the globals.
Without seeing all the config it makes it difficult to see what the problem is. You may want to do some logging to determine what is actually preventing the traffic from being allowed. It could be another conduit statement.
06-09-2006 09:54 AM
Thanks for the help. What more of my config do you need to see?
So I add the following to the config,
static (inside,outside) tcp 10.x.x.1 10080 69.x.x.79 10080 netmask 255.255.255.255 0 0
conduit permit tcp any host 69.x.x.79 eq 10080
The server does not see a packet from the pix....so??
Thanks again for the help.
06-09-2006 10:28 AM
Your IPs were reversed in the static.
Try this.
static (inside,outside) tcp 69.x.x.79 10080 10.x.x.1 10080 netmask 255.255.255.255 0 0
conduit permit tcp any host 69.x.x.79 eq 10080
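The rule Chad keeps coming back to is the argument order of a PIX 6.x static for inbound port redirection: static (inside,outside) <proto> <mapped_ip> <mapped_port> <real_ip> <real_port>, with the mapped address on the outside side (a global, or the keyword interface, which means the outside interface's own address) and the real address on the inside, plus a conduit that permits the mapped port to the mapped host. The checker below is an added example written for this thread, not code from the thread, from Cisco, or from any TAC guide. It parses static and conduit lines, flags reversed addresses, a mapped port reused twice, or a static with no matching conduit, and also builds the "one external address, a different port per internal host" set the vendor asked for. The subnets 203.0.113.0/24 and 10.1.1.0/24, the outside interface address 203.0.113.2 and the host addresses are constructed stand-ins for the thread's masked 69.x.x.x and 10.x.x.x values.

```python
"""Sanity-check PIX 6.x port-redirection statics before pasting them into a firewall.

Added example (not the thread's or Cisco's code). Encodes the form the thread converges on:
  static (inside,outside) <proto> <mapped_ip> <mapped_port> <real_ip> <real_port>
with the mapped address on the outside side (or the keyword 'interface') and the real
address on the inside side, plus a conduit permitting the mapped port to the mapped host.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for the thread's masked 69.x.x.0/24 and 10.x.x.0/24 (hypothetical values).
IFACE_NETS = {
    "outside": ipaddress.ip_network("203.0.113.0/24"),
    "inside": ipaddress.ip_network("10.1.1.0/24"),
}
OUTSIDE_IF_IP = "203.0.113.2"  # address assigned to the outside interface itself, not a global

STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)"
)
CONDUIT_RE = re.compile(
    r"^conduit permit (?P<proto>tcp|udp) any host (?P<host>\S+) eq (?P<port>\d+)"
)


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def parse_static(line):
    """Return a Static for a PIX 'static' line, or None if the line is not one."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    return Static(m["real_ifc"], m["mapped_ifc"], m["proto"], m["mapped_ip"],
                  int(m["mapped_port"]), m["real_ip"], int(m["real_port"]))


def _on_subnet(ifc, ip, nets):
    """True if ip is an address inside the subnet configured on interface ifc."""
    try:
        return ipaddress.ip_address(ip) in nets[ifc]
    except ValueError:
        return False


def check_config(lines, nets=IFACE_NETS, outside_if_ip=OUTSIDE_IF_IP):
    """Return (line, problem) pairs for every static that would not pass inbound traffic."""
    problems, statics, conduits, seen = [], [], set(), {}
    for line in lines:
        s = parse_static(line)
        if s:
            statics.append((line, s))
        c = CONDUIT_RE.match(line.strip())
        if c:
            conduits.add((c["proto"], c["host"], int(c["port"])))
    for line, s in statics:
        if (s.real_ifc, s.mapped_ifc) != ("inside", "outside"):
            problems.append((line, "interface pair should be (inside,outside) for inbound redirection"))
            continue
        # 'interface' stands for the outside interface's own address, so the conduit must name that IP.
        mapped = outside_if_ip if s.mapped_ip == "interface" else s.mapped_ip
        if not _on_subnet("outside", mapped, nets):
            problems.append((line, f"mapped address {s.mapped_ip} is not on the outside subnet (IPs reversed?)"))
        if not _on_subnet("inside", s.real_ip, nets):
            problems.append((line, f"real address {s.real_ip} is not on the inside subnet (IPs reversed?)"))
        key = (s.proto, mapped, s.mapped_port)
        if key in seen:
            problems.append((line, f"{s.proto}/{s.mapped_port} on {mapped} already redirected by: {seen[key]}"))
        seen.setdefault(key, line)
        if key not in conduits:
            problems.append((line, f"no conduit permits {s.proto} {s.mapped_port} to host {mapped}"))
    return problems


def port_redirections(mapped_ip, base_port, real_ips, real_port, proto="tcp"):
    """Build static+conduit pairs: one external address, a distinct mapped port per internal host."""
    lines = []
    for i, rip in enumerate(real_ips):
        port = base_port + i
        lines.append(f"static (inside,outside) {proto} {mapped_ip} {port} {rip} {real_port} "
                     "netmask 255.255.255.255 0 0")
        lines.append(f"conduit permit {proto} any host {mapped_ip} eq {port}")
    return lines


if __name__ == "__main__":
    # The reversed form posted earlier in the thread (addresses constructed), then the corrected form.
    reversed_static = [
        "static (inside,outside) tcp 10.1.1.1 10080 203.0.113.79 10080 netmask 255.255.255.255 0 0",
        "conduit permit tcp any host 203.0.113.79 eq 10080",
    ]
    for line, why in check_config(reversed_static):
        print(f"{line}\n  -> {why}")
    hosts = [f"10.1.1.{n}" for n in range(1, 41)]
    forty = port_redirections("203.0.113.79", 10080, hosts, 10080)
    print(len(check_config(forty)), "problems in the 40-host redirection set")
```

Run it against a config file (one command per line) before pushing the statics; a clean run only says the static/conduit pairs are self-consistent, so if the inside host still sees no packets, the next step is the logging Chad suggests.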
06-09-2006 03:02 PM
Ok done...
still no luck......and no word from my TAC engineer.
Well at least they aren't getting in......