
New Member

Pix 501 6.3(5) ICMP and Port forwarding (Help!)

I don't know what's going on over here.

I just bought this device and spent two days trying to configure the firewall, but still without success. I can't block ICMP traffic using the access-list command, but I can using the icmp command.

None of the redirections work on this device. By the way, we have a Linksys which works fine on our network.

This is the simple configuration which doesn't work:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname ssfirewall
domain-name ssoft.lan
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out2in deny icmp any any
access-list out2in permit tcp any interface outside eq www
access-list out2in permit tcp any interface outside eq https
access-list out2in permit tcp any interface outside eq smtp
access-list out2in permit tcp any interface outside eq 8080
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 216.*.*.85 255.255.255.248
ip address inside 192.168.150.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.150.12 255.255.255.255 inside
pdm location 192.168.150.148 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.150.148 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.150.148 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.150.12 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.150.12 smtp netmask 255.255.255.255 0 0
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 216.*.*.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.150.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.150.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
[OK]

I played with outbound traffic and didn't see any problem (the access-list command has been used).

I can ping the 216.*.*.85 interface from anywhere, and redirection doesn't work (I can see packets on the outside interface when capturing traffic).

I even erased the configuration from the memory and created a new one from scratch...

Can you explain to me what's wrong? I appreciate any help! Thanks

5 REPLIES

Re: Pix 501 6.3(5) ICMP and Port forwarding (Help!)

Have you tried (test for ACL line 1 only):

access-list out2in permit tcp any host 216.*.*.85 eq www

Use IP instead of name 'interface'.

Cheers!

AK

New Member

Re: Pix 501 6.3(5) ICMP and Port forwarding (Help!)

Thanks for the reply.

I started this process using the IP address and got the same result, then I changed it to interface outside. The configuration process doesn't look difficult to me at all, but I don't understand why it's not working.

Do you know why I can ping 216.*.*.85 from the internet?

I'm just curious if it's possible that I bought a lemon.

Gold

Re: Pix 501 6.3(5) ICMP and Port forwarding (Help!)

Try the following....

access-list out2in permit tcp any host 216.*.*.85 eq www

access-list out2in permit tcp any host 216.*.*.85 eq https

access-list out2in permit tcp any host 216.*.*.85 eq smtp

access-list out2in permit tcp any host 216.*.*.85 eq 8080

access-group out2in in interface outside

ip address outside 216.*.*.85 255.255.255.248

ip address inside 192.168.150.2 255.255.255.0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 192.168.150.148 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https 192.168.150.148 https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8080 192.168.150.12 https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp 192.168.150.12 smtp netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 216.*.*.81

For your SMTP feed, make sure that your MX record for mail also points to IP 216.*.*.85

Also issue: clear xlate after modification and save with: write mem

To stop ICMP probes on your PIX issue:

icmp deny any outside

Hope this helps and if you need any further help let me know - please rate posts if it helps!!

PS. Do you only have the one public IP?

New Member

Re: Pix 501 6.3(5) ICMP and Port forwarding (Help!)

Thanks for the reply.

I tried the icmp command a day ago and it worked.

It doesn't work via the ACL.

I have only 1 public ip on this specific device. I used to have such configuration before without any luck.

New Member

Re: Pix 501 6.3(5) ICMP and Port forwarding (Help!)

That's it. It's fixed. The stupid mistake was made inside the test environment. We had two internet gateways: the first one is our current gateway, the second one is used for test purposes. Redirected packets were coming in from the test gateway to the servers, but the servers were set up using the other one. Now redirection works (requests and responses should use the same gateway).
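The thread ends with two separate lessons: the port-forward statics, the inbound ACL and the access-group binding have to agree with each other (the corrected config above), and the forwarded servers have to route their replies back through the PIX inside address rather than through a second gateway (the final post). Below is an added pre-flight checker that tests both conditions against a PIX 6.3-style config; it is not from the original thread or from Cisco. The config excerpt is constructed to mirror the corrected configuration, with the documentation address 203.0.113.85 standing in for the masked public IP, and the server-to-gateway table passed to check_server_gateways is an assumed input the firewall itself cannot see.

```python
import re

# Constructed config excerpt modelled on the thread's corrected configuration.
# 203.0.113.85 is a documentation address standing in for the masked public IP.
PIX_CONFIG = """\
access-list out2in deny icmp any any
access-list out2in permit tcp any host 203.0.113.85 eq www
access-list out2in permit tcp any host 203.0.113.85 eq https
access-list out2in permit tcp any host 203.0.113.85 eq smtp
access-list out2in permit tcp any host 203.0.113.85 eq 8080
ip address outside 203.0.113.85 255.255.255.248
ip address inside 192.168.150.2 255.255.255.0
static (inside,outside) tcp interface www 192.168.150.148 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.150.148 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.150.12 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.150.12 smtp netmask 255.255.255.255 0 0
access-group out2in in interface outside
"""

# Subset of the service names PIX accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22}

IP_RE = re.compile(r"^ip address (\w+) (\d+\.\d+\.\d+\.\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (?:host (\S+)|interface (\w+)) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def port_number(token):
    """Turn 'www' or '8080' into an integer port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_pix(config):
    """Collect interface IPs, tcp statics, ACL permits and ACL-to-interface bindings."""
    ifaces, statics, permits, bindings = {}, [], {}, {}
    for line in config.splitlines():
        if m := IP_RE.match(line):
            ifaces[m.group(1)] = m.group(2)
        elif m := STATIC_RE.match(line):
            _inside_if, outside_if, out_addr, out_port, in_ip, in_port = m.groups()
            # 'interface' as the mapped address means the outside interface's own IP.
            addr = ("interface", outside_if) if out_addr == "interface" else ("host", out_addr)
            statics.append({"outside_if": outside_if, "addr": addr,
                            "outside_port": port_number(out_port),
                            "inside_ip": in_ip, "inside_port": port_number(in_port)})
        elif m := ACL_RE.match(line):
            name, host, iface, port = m.groups()
            addr = ("host", host) if host else ("interface", iface)
            permits.setdefault(name, set()).add((addr, port_number(port)))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
    return ifaces, statics, permits, bindings


def resolve(addr, ifaces):
    """Map ('interface', name) to that interface's IP; ('host', ip) is already concrete."""
    kind, value = addr
    return ifaces[value] if kind == "interface" else value


def check_forwarding(config):
    """Report outside ports that are forwarded by a static but not permitted by the ACL
    bound inbound on that interface, and ACL permits that forward nothing."""
    ifaces, statics, permits, bindings = parse_pix(config)
    forwarded = {(resolve(s["addr"], ifaces), s["outside_port"]) for s in statics}
    unpermitted, unused = [], []
    for s in statics:
        acl = bindings.get(s["outside_if"])
        allowed = {(resolve(a, ifaces), p) for a, p in permits.get(acl, set())}
        if (resolve(s["addr"], ifaces), s["outside_port"]) not in allowed:
            unpermitted.append(s["outside_port"])
    for acl in bindings.values():
        for a, p in permits.get(acl, set()):
            if (resolve(a, ifaces), p) not in forwarded:
                unused.append(p)
    return {"unpermitted": sorted(set(unpermitted)), "unused_permits": sorted(set(unused))}


def check_server_gateways(config, server_gateways):
    """Return forwarded servers whose default gateway is not the PIX inside address.
    Their replies would leave through another router, so the translated session never
    completes; this is the asymmetric-routing mistake the final post describes."""
    ifaces, statics, _, _ = parse_pix(config)
    inside_ip = ifaces["inside"]
    return sorted({s["inside_ip"] for s in statics
                   if server_gateways.get(s["inside_ip"]) != inside_ip})


if __name__ == "__main__":
    print(check_forwarding(PIX_CONFIG))
    # Assumed server gateway table: .12 still points at the old test gateway.
    print(check_server_gateways(PIX_CONFIG, {"192.168.150.148": "192.168.150.2",
                                             "192.168.150.12": "192.168.150.1"}))
```

Note that the 8080 static maps outside port 8080 to inside port https on 192.168.150.12; the checker compares the outside port only, which is what the inbound ACL sees. The same parser accepts the original post's `interface outside` ACL form as well as the `host` form from the replies, so either variant can be checked.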
