port redirection

dave.easton
Level 1

I am attempting to do a port redirection on the outside interface of the Pix with the new commands that v6.0+ provides.

Any tcp traffic on port 3000 that comes to my outside interface is statically translated with the static (inside,outside) command and redirected to a server (same port, 3000) on the trusted/inside network.

Hey, if it worked I wouldn't be posting here would I?

The only difference I see in cisco's sample config is that they are using a separate PAT address whereas I am using the Pix's outside interface as my PAT address. Is that a problem?

Thanks

5 Replies

scoclayton
Level 7

Hi,

Nope, should not be a problem. So, in other words you have something like this:

static (inside, outside) tcp interface 3000 10.1.1.1 3000 netmask 255.255.255.255 0 0

What is happening when you try connecting to port 3000 (or whatever)? Is the server on the inside listening on that port? What does a 'sh conn detail' show you when you try? Any chance you could post your config for review? Should work fine though.

Scott

Thanks for the reply Scott. Here's the part of the config in question, with some of the addresses changed to protect the innocent. As you can see, the PIX is getting its outside address from DHCP (cable modem) but it hasn't changed in years, so I guess it's OK. I am also doing some PPTP VPN stuff which works fine with the DHCP address.

access-list 101 permit tcp any host (PIX OUTSIDE) eq 3000
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 172.16.1.1-172.16.1.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3000 192.168.0.199 3000 netmask 255.255.255.255 0 0
access-group 101 in interface outside

SH CONN DETAIL doesn't appear to show any sort of connection or translation to 192.168.0.199. To access this port on the server, I just open a browser and hit http://(PIX outside address):3000, but it fails immediately. It works internally, with 192.168.0.199:3000 but not from outside.

Config looks fine and it also should be fine using a DHCP interface in the port static. Might be time to take a look at debug level syslogs to see what is going on. Before that, can you paste the output from a 'sh xlate <debug>'. The <debug> part was added in later code so I don't know if it exists in your version. Obviously, you would want to remove the '<>' in the command before running it. If 'debug' does not exist, 'sh xlate' should be fine.

Scott

Having a similar problem with 6.2 on a PIX515E.

Basically I am trying to PAT an internal network to the IP address of the outside interface, at the same time using a static to port redirect a connection to an inside host from the outside.

Same config as mentioned earlier, but I get an error in debug saying "<163>%PIX-3-305005: No translation group found for udp src outside:BrentsISDNRtr/56243 dst inside:172.16.0.1/25"
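The message quoted above is the one syslog line in the thread that names the failing flow, so it is worth being able to pull such events out of a feed automatically. The following is an added example written for this page, not code from the thread or from Cisco: it parses the PIX syslog header, extracts the protocol, source and destination of every 305005 ("No translation group found") event, and tallies which destinations had no translation. The log lines in it are constructed; the first copies the message quoted in the post, the other two are made up in the same format.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample feed (not captured from the poster's device). The first line
# copies the message quoted in the post; the other two are made up in the same
# format so the filter has something to ignore and something else to count.
SAMPLE_LOG = """\
<163>%PIX-3-305005: No translation group found for udp src outside:BrentsISDNRtr/56243 dst inside:172.16.0.1/25
<166>%PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/40212 (198.51.100.7/40212) to inside:192.168.0.199/3000 (203.0.113.10/3000)
<163>%PIX-3-305005: No translation group found for tcp src outside:198.51.100.9/51000 dst inside:192.168.0.199/3000
"""

# Optional syslog priority, then the PIX header: %PIX-<severity>-<message id>: <body>
HEADER_RE = re.compile(
    r"^(?:<\d+>)?%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# Body of message 305005 in the form quoted in the thread
NO_XLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_host>[^/\s]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_host>[^/\s]+)/(?P<dst_port>\d+)")


@dataclass(frozen=True)
class NoXlateEvent:
    proto: str
    src_if: str
    src_host: str
    src_port: int
    dst_if: str
    dst_host: str
    dst_port: int


def parse_pix_line(line: str) -> Optional[Tuple[int, str, str]]:
    """Split a PIX syslog line into (severity, message id, body); None if not a PIX line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("body")


def parse_no_xlate(line: str) -> Optional[NoXlateEvent]:
    """Return the details of a 305005 event, or None for any other line."""
    hdr = parse_pix_line(line)
    if hdr is None or hdr[1] != "305005":
        return None
    m = NO_XLATE_RE.search(hdr[2])
    if not m:
        return None
    return NoXlateEvent(
        proto=m["proto"],
        src_if=m["src_if"], src_host=m["src_host"], src_port=int(m["src_port"]),
        dst_if=m["dst_if"], dst_host=m["dst_host"], dst_port=int(m["dst_port"]),
    )


def untranslated_destinations(log_text: str) -> Dict[Tuple[str, str, int], int]:
    """Count 305005 events per (protocol, destination host, destination port)."""
    counts: Dict[Tuple[str, str, int], int] = {}
    for line in log_text.splitlines():
        ev = parse_no_xlate(line)
        if ev is not None:
            key = (ev.proto, ev.dst_host, ev.dst_port)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (proto, host, port), n in sorted(untranslated_destinations(SAMPLE_LOG).items()):
        print(f"{n:3d}  {proto} -> {host}:{port}  (no xlate)")
```

Reading the quoted message this way makes the point visible: the packet that was dropped arrived on the outside interface already addressed to the inside host's real address (172.16.0.1, udp/25). A static that maps the interface address and port 3000 can only translate packets sent to that mapped address and port, so a flow addressed to the real inside address has no translation to match and produces exactly this message.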

Hi all,

As a consultant I ran into a similar problem. I found out that this customer had entered the command "no sysopt proxy-arp" on their PIX, and this was causing the problem. This customer's case was slightly different from your case, because there were two PIXs connected back-to-back (two companies in one building communicating with each other), but you could check it on your PIX ;-)

Kind regards,

Leo
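Taking dave.easton's posted configuration and Leo's proxy-ARP note together, the pieces that have to agree for a port redirect to work are few enough to check mechanically: the static itself, an access-group bound inbound on the mapped interface, a permit entry in that ACL for the mapped address and port, and proxy ARP not having been disabled when the mapped address is not the interface's own. The following checker is an added example written for this page, not code from the thread, the posters or Cisco. Its sample configuration is a constructed copy of the posted one in which the poster's "(PIX OUTSIDE)" placeholder is replaced by the documentation address 203.0.113.10 so the ACL line parses; the check for a DHCP-assigned outside address paired with a hard-coded ACL host is an added caveat, not something the thread discusses.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the configuration posted in the thread. The
# poster's "(PIX OUTSIDE)" placeholder is replaced with the documentation
# address 203.0.113.10 (constructed) so the line parses; the rest follows the post.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 203.0.113.10 eq 3000
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside dhcp setroute
ip address inside 192.168.0.4 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3000 192.168.0.199 3000 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((\w+),\s*(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (\w+) (any|host \S+|\S+ \S+) "
    r"(any|host \S+|\S+ \S+)(?: eq (\d+))?$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
DHCP_IF_RE = re.compile(r"^ip address (\w+) dhcp")
# Proxy ARP is switched off with "sysopt noproxyarp <if>" on 6.x; the thread quotes
# the form "no sysopt proxy-arp", so both spellings are recognised here.
NO_PROXY_ARP_RE = re.compile(r"^(sysopt noproxyarp|no sysopt proxy-arp)")


def parse_config(text: str) -> Dict:
    """Pull the NAT/ACL objects relevant to a port redirect out of a PIX config."""
    cfg = {"statics": [], "acls": {}, "access_groups": {}, "dhcp_ifs": set(),
           "no_proxy_arp": False}
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise stray whitespace
        if m := STATIC_RE.match(line):
            real_if, mapped_if, proto, m_addr, m_port, r_addr, r_port, mask = m.groups()
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "proto": proto, "mapped_addr": m_addr,
                                   "mapped_port": int(m_port), "real_addr": r_addr,
                                   "real_port": int(r_port), "netmask": mask})
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            cfg["acls"].setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst,
                 "port": int(port) if port else None})
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["access_groups"][m.group(2)] = m.group(1)   # interface -> ACL name
        elif m := DHCP_IF_RE.match(line):
            cfg["dhcp_ifs"].add(m.group(1))
        elif NO_PROXY_ARP_RE.match(line):
            cfg["no_proxy_arp"] = True
    return cfg


def check_port_redirect(cfg: Dict, mapped_if: str, proto: str, port: int) -> List[str]:
    """Return the reasons a redirect may fail; an empty list means the pieces line up."""
    findings: List[str] = []
    statics = [s for s in cfg["statics"] if s["mapped_if"] == mapped_if
               and s["proto"] == proto and s["mapped_port"] == port]
    if not statics:
        return [f"no static translates {proto}/{port} on {mapped_if}"]
    st = statics[0]

    def dst_matches(dst: str) -> bool:
        if dst == "any":
            return True
        if st["mapped_addr"] == "interface":
            return dst.startswith("host ")    # interface IP cannot be resolved offline
        return dst == f"host {st['mapped_addr']}"

    acl_name = cfg["access_groups"].get(mapped_if)
    if acl_name is None:
        findings.append(f"no access-group applied inbound on {mapped_if}; "
                        f"inbound {proto}/{port} is dropped before translation")
    else:
        permits = [e for e in cfg["acls"].get(acl_name, [])
                   if e["action"] == "permit" and e["proto"] in (proto, "ip")
                   and e["port"] in (port, None) and dst_matches(e["dst"])]
        if not permits:
            findings.append(f"access-list {acl_name} has no permit for {proto}/{port} "
                            f"to mapped address {st['mapped_addr']}")
        elif (st["mapped_addr"] == "interface" and mapped_if in cfg["dhcp_ifs"]
              and all(e["dst"] != "any" for e in permits)):
            findings.append(f"{mapped_if} gets its address by DHCP but access-list "
                            f"{acl_name} names a fixed host; confirm it still equals "
                            f"the current interface address")
    if cfg["no_proxy_arp"] and st["mapped_addr"] != "interface":
        findings.append(f"proxy ARP is disabled, so the PIX will not answer ARP for "
                        f"mapped address {st['mapped_addr']}")
    return findings


if __name__ == "__main__":
    for finding in check_port_redirect(parse_config(SAMPLE_CONFIG), "outside", "tcp", 3000):
        print("-", finding)
```

On the posted configuration the checker finds the static, the access-group and a matching permit, and reports only the DHCP caveat; replacing the interface keyword with a separate mapped address while leaving the ACL unchanged, or adding the proxy-ARP command Leo mentions, each produces its own finding, which is the kind of mismatch that otherwise shows up only as a silent connection failure from outside.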