Cisco Support Community
501 port forwarding

I have a Cisco 501 at one of our remote offices. I have read some of the posts from others, but I still can't get into our remote security system that uses ports 554 through 557, TCP and UDP. I have pasted some of the config below, hoping that someone can tell me what I am missing, or have done wrong. The inside IP of our security system is 192.168.1.150

PIX Version 6.3(5)
names
object-group service OfficeSecurity tcp-udp
  port-object range 554 557
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 110 permit tcp any interface outside eq https
access-list 110 permit tcp any object-group OfficeSecurity interface outside object-group OfficeSecurity
access-list 110 permit udp any object-group OfficeSecurity interface outside object-group OfficeSecurity
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.xxx 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 554 192.168.1.150 554 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 555 192.168.1.150 555 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 556 192.168.1.150 556 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 557 192.168.1.150 557 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 554 192.168.1.150 554 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 555 192.168.1.150 555 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 556 192.168.1.150 556 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 557 192.168.1.150 557 netmask 255.255.255.255 0 0
access-group 110 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 68.248.119.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside

1 REPLY

Re: 501 port forwarding

Your acl 110 is too restrictive. You want to allow access to the specified ports but it is unlikely that the source port will equal the destination port.

ACL 110 should be:

access-list 110 permit tcp any interface outside eq https
access-list 110 permit tcp any interface outside object-group OfficeSecurity
access-list 110 permit udp any interface outside object-group OfficeSecurity

Hope this solves your problem. I did not find any other likely issues, so this might as well be it.

Regards,

Leo
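
The reply's point is easy to verify by hand: in the posted ACL the `object-group OfficeSecurity` that follows `any` is a *source* port qualifier, so the line only matches a client whose source port also falls in 554-557, which a real client (using an ephemeral source port) never does. The following script is an added example, not code from the thread or from Cisco: a toy first-match evaluator for the small subset of PIX 6.x `access-list` / `object-group service` syntax used in this thread. It runs the ACL as posted, the reply's corrected ACL, and a third, hypothetical variant (the `host 203.0.113.10` source and the 198.51.100.7 client address are assumed for illustration) that shows the caveat a practitioner would add: the corrected lines expose the camera ports to `any`, and restricting the source to the office that needs them costs one word per line.

```python
"""Toy first-match evaluator for PIX 6.x-style access-lists (added example, not from the post).

Grammar modelled (anything else is ignored):
  access-list <id> permit <proto> <src> [<ports>] <dst> [<ports>]
  <src>/<dst>: 'any' | 'host A.B.C.D' | 'interface outside' | '<net> <mask>'
  <ports>:     'eq <p>' | 'range <lo> <hi>' | 'object-group <name>'
  object-group service <name> tcp-udp  /  port-object range|eq ...
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NAMED_PORTS = {"http": 80, "https": 443, "ssh": 22}


def port_num(tok):
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]


def parse_object_groups(config):
    """Collect 'object-group service' port sets, keyed by group name."""
    groups, current = {}, None
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["object-group", "service"]:
            current = t[2]
            groups[current] = set()
        elif t[:2] == ["port-object", "range"] and current:
            groups[current].update(range(port_num(t[2]), port_num(t[3]) + 1))
        elif t[:2] == ["port-object", "eq"] and current:
            groups[current].add(port_num(t[2]))
        elif t:
            current = None          # any other statement ends the group block
    return groups


def _take_addr(t, i):
    if t[i] == "any":
        return "any", i + 1
    if t[i] in ("host", "interface"):
        return f"{t[i]} {t[i + 1]}", i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2          # '<net> <mask>' pair


def _take_ports(t, i, groups):
    """Optional port qualifier at t[i]; returns (set of ports or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return {port_num(t[i + 1])}, i + 2
    if i < len(t) and t[i] == "range":
        return set(range(port_num(t[i + 1]), port_num(t[i + 2]) + 1)), i + 3
    if i < len(t) and t[i] == "object-group":
        return set(groups[t[i + 1]]), i + 2
    return None, i                               # no qualifier: any port


@dataclass
class Rule:
    acl: str
    proto: str
    src: str
    src_ports: Optional[set]
    dst: str
    dst_ports: Optional[set]


def parse_acl(config):
    groups, rules = parse_object_groups(config), []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, i = _take_addr(t, 4)
        src_ports, i = _take_ports(t, i, groups)   # a port spec after the source binds to the SOURCE port
        dst, i = _take_addr(t, i)
        dst_ports, i = _take_ports(t, i, groups)
        rules.append(Rule(t[1], t[3], src, src_ports, dst, dst_ports))
    return rules


def _addr_matches(spec, value):
    """value: a source IP string, or the literal 'interface outside' for the PIX's own outside address."""
    if spec == "any":
        return True
    if spec.startswith("interface "):
        return spec == value
    if spec.startswith("host "):
        return spec.split()[1] == value
    net, mask = spec.split("/")
    return ipaddress.ip_address(value) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def permitted(rules, proto, src_ip, src_port, dst_port, dst="interface outside", acl="110"):
    """First match wins; a PIX ACL ends in an implicit deny."""
    for r in rules:
        if r.acl != acl or r.proto not in (proto, "ip"):
            continue
        if not _addr_matches(r.src, src_ip) or not _addr_matches(r.dst, dst):
            continue
        if r.src_ports is not None and src_port not in r.src_ports:
            continue
        if r.dst_ports is not None and dst_port not in r.dst_ports:
            continue
        return True
    return False


# Constructed samples: the ACL lines as posted, the reply's corrected lines, and an assumed tightening.
AS_POSTED = """
object-group service OfficeSecurity tcp-udp
  port-object range 554 557
access-list 110 permit tcp any interface outside eq https
access-list 110 permit tcp any object-group OfficeSecurity interface outside object-group OfficeSecurity
access-list 110 permit udp any object-group OfficeSecurity interface outside object-group OfficeSecurity
"""
CORRECTED = """
object-group service OfficeSecurity tcp-udp
  port-object range 554 557
access-list 110 permit tcp any interface outside eq https
access-list 110 permit tcp any interface outside object-group OfficeSecurity
access-list 110 permit udp any interface outside object-group OfficeSecurity
"""
RESTRICTED = """
object-group service OfficeSecurity tcp-udp
  port-object range 554 557
access-list 110 permit tcp any interface outside eq https
access-list 110 permit tcp host 203.0.113.10 interface outside object-group OfficeSecurity
access-list 110 permit udp host 203.0.113.10 interface outside object-group OfficeSecurity
"""


def check(config, proto, src_ip, src_port, dst_port):
    return permitted(parse_acl(config), proto, src_ip, src_port, dst_port)


if __name__ == "__main__":
    # A real client uses an ephemeral source port, so the posted ACL never matches it.
    print(check(AS_POSTED, "tcp", "198.51.100.7", 51234, 554))    # False
    print(check(CORRECTED, "tcp", "198.51.100.7", 51234, 554))    # True
    print(check(RESTRICTED, "tcp", "198.51.100.7", 51234, 554))   # False: not the allowed host
    print(check(RESTRICTED, "tcp", "203.0.113.10", 51234, 554))   # True
```

The evaluator only models the statements this thread uses; it does not implement the rest of PIX ACL syntax, and it does not model the `static` translations at all, so it answers only "does ACL 110 admit this flow", which is the question the reply settles.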
