New Member

port forwarding

I've got a Pix 506e V6.3. I've got a customer that needs port 3389 opened so that he can remote desktop his server. He wants to be able to type in the static outside IP address and have it automatically point to the inside IP of the server, which is 192.168.1.200 on port 3389. I use the PDM software quite a bit but I'm not too familiar with using the command line. Could you please let me know what entries, in the order that I would need to enter them, would get this working?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol smtp 1025
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any eq smtp any eq smtp
access-list outside_access_in permit tcp any eq smtp any eq smtp
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.199 inside
dhcpd dns 192.168.1.200 64.193.208.81
dhcpd wins 192.168.1.200
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain familyabusecenter.org
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
pixfirewall#

1 ACCEPTED SOLUTION

Accepted Solutions

Re: port forwarding

I do not use the PDM, but you can drag and drop the config lines into your CLI (command line interface).

Using the blue Cisco cable with a terminal emulator such as HyperTerminal or minicom, using VT100 8/N/1 9600:

Note that lines with # at the beginning are config remarks, not commands.

Example for RDP - Microsoft Terminal Services to inside:

access-list outside_access_in line 1 permit tcp any interface outside eq 3389

# This will allow any host on the Internet to use RDP into RDPServer

static (inside,outside) tcp interface 3389 192.168.1.200 3389 netmask 255.255.255.255 0 0

#Port Redirect tcp port 3389 RDP to 192.168.1.200

----------------------------------------

Note: You could also use a DynDNS or No-IP Dynamic DNS Update Tool to use a dynamic DNS name with your Cisco PIX.

You just need to install the software on an internal PC. http://www.no-ip.com/downloads.php

sincerely

Patrick
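The two lines in the accepted solution only work as a pair: the `static` creates the translation from the outside interface address on tcp/3389 to 192.168.1.200, and the `access-list` rule decides who may reach it. The script below is an added example (not Patrick's code and not a Cisco tool): it parses the `static`, `access-list` and `access-group` lines of a saved PIX 6.3 config and reports, for every port redirect, whether an inbound ACL actually permits it and from which sources, plus two hygiene checks for settings visible in the question's `show run` (`snmp-server community public` and telnet management access). The sample config is constructed from lines in this thread; the parser is a simplification that recognises only the command forms used here and the few port keywords in `PORT_NAMES`.

```python
"""Audit PIX 6.3-style port redirections: which 'static' entries exist, which
inbound access-list rules expose them, and from which sources.

Added example (not code from the thread or from Cisco). The parser is a
simplification: it recognises only the 'static (in,out) tcp|udp ...',
'access-list ... permit ...' and 'access-group ... in interface ...' forms
used in this thread, and only the port keywords listed in PORT_NAMES.
"""
import re
from dataclasses import dataclass, field

# Assumption: a short keyword table, not the full PIX port-name list.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ftp": 21, "ssh": 22,
              "telnet": 23, "domain": 53}

STATIC_RE = re.compile(
    r"^static \((?P<inside>\w+),(?P<outside>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gaddr>\S+) (?P<gport>\S+) (?P<laddr>\S+) (?P<lport>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:line \d+ )?permit (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+)(?: eq \S+)? "
    r"(?P<dst>any|host \S+|interface \S+|\S+ \S+)(?: eq (?P<dport>\S+))?$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")

# Constructed sample: the relevant lines from the question's 'show run' plus
# the two lines from the accepted solution.
SAMPLE_CONFIG = """\
access-list outside_access_in line 1 permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any eq smtp any eq smtp
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 3389 192.168.1.200 3389 netmask 255.255.255.255 0 0
snmp-server community public
telnet 192.168.1.0 255.255.255.0 inside
"""


def port_number(token):
    """Turn a PIX port token ('3389' or 'smtp') into an int; None stays None."""
    if token is None:
        return None
    return int(token) if token.isdigit() else PORT_NAMES[token]


@dataclass
class Redirect:
    proto: str
    outside_if: str
    global_addr: str        # 'interface' = the outside interface's own address
    global_port: int
    local_addr: str
    local_port: int
    permitted_from: list = field(default_factory=list)  # ACL sources that reach it


def parse_config(text):
    """Collect statics, ACL rules by name, and which ACL is applied inbound per interface."""
    statics, acls, applied = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(Redirect(m["proto"], m["outside"], m["gaddr"],
                                    port_number(m["gport"]), m["laddr"],
                                    port_number(m["lport"])))
        elif m := ACL_RE.match(line):
            acls.setdefault(m["name"], []).append(
                {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
                 "dport": port_number(m["dport"])})
        elif m := GROUP_RE.match(line):
            applied[m["iface"]] = m["name"]   # ACL applied inbound on iface
    return statics, acls, applied


def rule_allows(rule, r):
    """Does an inbound ACL rule match the global (outside) side of redirect r?"""
    proto_ok = rule["proto"] in ("ip", r.proto)
    dst_ok = (rule["dst"] == "any"
              or rule["dst"] == f"host {r.global_addr}"
              or (r.global_addr == "interface"
                  and rule["dst"] == f"interface {r.outside_if}"))
    port_ok = rule["dport"] is None or rule["dport"] == r.global_port
    return proto_ok and dst_ok and port_ok


def audit(text):
    """Return (redirects, findings) for a config text."""
    statics, acls, applied = parse_config(text)
    findings = []
    for r in statics:
        for rule in acls.get(applied.get(r.outside_if, ""), []):
            if rule_allows(rule, r):
                r.permitted_from.append(rule["src"])
        target = f"{r.proto}/{r.global_port} -> {r.local_addr}:{r.local_port}"
        if not r.permitted_from:
            findings.append(f"{target}: static present but no inbound ACL permits it (inert)")
        elif "any" in r.permitted_from:
            findings.append(f"{target}: reachable from ANY source on {r.outside_if}")
        else:
            findings.append(f"{target}: restricted to {', '.join(r.permitted_from)}")
    lines = [l.strip() for l in text.splitlines()]
    if "snmp-server community public" in lines:
        findings.append("SNMP read community is the default 'public'")
    if any(l.startswith("telnet ") and not l.startswith("telnet timeout") for l in lines):
        findings.append("telnet management access is enabled (cleartext)")
    return statics, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print(finding)
```

Run against the sample, the audit reports the RDP redirect as reachable from any source, which is exactly what Patrick's `permit tcp any` rule means; narrowing the source to the customer's known address (`host a.b.c.d` instead of `any`) turns that finding into "restricted to ...". The `static` is matched on the `interface` keyword because the outside address comes from DHCP (`ip address outside dhcp setroute`), so the config never names a fixed outside IP.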

4 REPLIES
Re: port forwarding

You might need to reset the Address Translation Table to activate the Port Redirection for RDP.

enable

conf t

clear xlate

Note that this will reset all connections!!!

sincerely

Patrick

New Member

Re: port forwarding

access-list acl_out permit tcp any host (outside) eq 3389

static (inside,outside) tcp (outside IP) 3389 (inside IP) 3389 netmask 255.255.255.255 0 0
