Cisco Support Community
Community Member

tcp port forwarding on pix 501

Can you tell me how to forward or open TCP ports 21 and 1024-2774 for the user end of a remote backup system, through PIX manager or regular? Here is a copy of my config. Thanks, my apology if it's a bit vague.

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list allow-out permit tcp any any eq www
access-list allow-out permit tcp any any eq https
access-list allow-out permit udp any any eq isakmp
access-list allow-out permit udp any any eq domain
access-list allow-out permit tcp any any eq telnet
access-list allow-out permit tcp any any eq ftp
access-list allow-out permit icmp any any
access-list allow-out permit esp any any
access-list allow-out permit tcp any any eq ssh
access-list allow-out permit tcp any any eq citrix-ica
access-list allow-out permit tcp any any eq pop3
access-list allow-out permit tcp any any eq smtp
access-list allow-out permit tcp any any eq aol
access-list allow-in permit esp any any
access-list allow-in permit udp any any eq isakmp
access-list allow-in permit icmp any any
access-list allow-in permit tcp any any eq ssh
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.226 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.6 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.8 255.255.255.255 inside
pdm location 192.168.1.9 255.255.255.255 inside
pdm location x.x.x.88 255.255.255.255 outside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.1.11 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.227 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.228 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.229 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.230 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.231 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.232 192.168.1.6 netmask 255.255.255.255 0 0
access-group allow-in in interface outside
access-group allow-out in interface inside
route outside 0.0.0.0 0.0.0.0 216.215.244.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 64.89.70.2 64.89.74.2
dhcpd lease 2000000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: tcp port forwarding on pix 501

Hi,

Port forwarding is different than allowing ports through the firewall. I guess you meant to allow tcp/21 and ports 1024-2774, right?

You need the following lines:

access-list allow-in permit tcp any any eq ftp

access-list allow-in permit tcp any any range 1024 2774

You can be more specific and can replace "any" with the actual IP addresses.

Thanks

Nadeem

4 REPLIES
Community Member

Re: tcp port forwarding on pix 501

thank you very much

Community Member

Re: tcp port forwarding on pix 501

Hi Nadeem,

Just to confirm, if FTP access is needed from the outside network to the inside network, do ports 21 and 20 and ports 1024 to 2774 need to be allowed on the outside port?

Thanks

Shervan

Community Member

Re: tcp port forwarding on pix 501

No, you do not need to manually open all of the ports you mentioned. That is the purpose of the "fixup protocol" commands.

If you need to allow someone to FTP from outside to inside, you need only open ftp.

Example One:

Allows external network 12.13.2.0 to access any internal machine that is running an FTP server:

access-list ALLOW-FTP permit tcp 12.13.2.0 255.255.255.0 any eq ftp

access-group ALLOW-FTP in interface outside

Example Two:

Allows a single external host to access any internal machine running an FTP server:

access-list ALLOW-FTP permit tcp host 12.13.2.4 any eq ftp

access-group ALLOW-FTP in interface outside

fixup protocol ftp 21 will handle the way FTP communications work, so add the above access rule and, as long as the default fixup protocols are in place, you'll be fine.
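Added example, not from the thread or from Cisco: a small Python evaluator for the PIX 6.x access-list syntax used above, which compares the two approaches in this thread by counting how many inbound TCP ports each leaves statically open to a given source. Assumptions: IPv4 TCP rules with at most a destination-port operator, the sample ACLs and addresses are constructed, and since a PIX 6.x outside ACL is matched against the static's global address, the destination used in the test is a constructed placeholder.

```python
import ipaddress
import re

# Constructed sample ACLs modelled on the two answers in this thread: the first
# statically opens tcp/21 plus 1024-2774, the second opens only tcp/21 and
# leaves the data channel to 'fixup protocol ftp 21'.
BROAD_ACL = """
access-list allow-in permit tcp any any eq ftp
access-list allow-in permit tcp any any range 1024 2774
"""
NARROW_ACL = "access-list ALLOW-FTP permit tcp 12.13.2.0 255.255.255.0 any eq ftp"
NAMED_PORTS = {"ftp": 21, "ssh": 22, "www": 80, "https": 443}  # subset of PIX names

def _addr(tok):
    """Consume one PIX address spec ('any', 'host A' or 'A MASK') from tok."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _dport(tok):
    """Destination port operator: none (all ports), 'eq P' or 'range A B'."""
    if not tok:
        return 0, 65535
    if tok[0] == "eq":
        p = NAMED_PORTS.get(tok[1]) or int(tok[1])
        return p, p
    assert tok[0] == "range", "unsupported port operator"
    return int(tok[1]), int(tok[2])

def parse_acl(text):
    """Parse 'access-list NAME permit|deny tcp SRC DST [port-op]' lines (assumption: no source-port operators)."""
    rules = []
    for m in re.finditer(r"access-list\s+\S+\s+(permit|deny)\s+tcp\s+(.*)", text):
        src, rest = _addr(m.group(2).split())
        dst, rest = _addr(rest)
        rules.append((m.group(1), src, dst, _dport(rest)))
    return rules

def decision(rules, src_ip, dst_ip, dport):
    """First-match evaluation, ending in the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, (lo, hi) in rules:
        if s in src and d in dst and lo <= dport <= hi:
            return action
    return "deny"

def exposed_ports(rules, src_ip, dst_ip):
    """Number of destination ports the ACL leaves statically open to src_ip."""
    return sum(decision(rules, src_ip, dst_ip, p) == "permit" for p in range(1, 65536))
```

The range-based ACL leaves 1752 ports open to every source, while the tcp/21-only ACL exposes one port to one network and lets the FTP fixup open each data connection per session.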
