Port forwarding on pix 515 problem


  • Port forwarding on pix 515 problem

    I have a customer that needs access to port 6666 on an encoder. Network layout:

    internet--->cisco 1841--->pix515---->cisco4006---->vpn interface--->3550 switch--->wirelessap--->wireless client---->wireless ap---->wireless client---->encoder.

    The pix inside network address is 192.168.100.5, the cisco 4006 is 192.168.100.2, the vpn 4006 side 192.168.101.1 otherside is 192.168.101.2, wireless ap ether 192.168.101.11, wireless ap ath0 10.9.0.1 DGW 192.168.100.2, the wireless client ath0 10.9.0.2 DGW 10.9.0.1, wireless ap ath1 10.9.1.1 DGW 10.9.0.1, wireless client ath0 10.9.1.2 DGW 10.9.1.1 ether 10.9.4.1 encoder 10.9.4.5.

    The pix can ping the encoder from the inside and from any address on the network. The encoder can ping the pix or any address inside or outside. From the inside I can telnet to port 6666 on the 10.9.4.5 and get the desired results. If you try to telnet to the outside ip it will not connect.

    I am including the config from the pix also.


    I hope someone can tell me what I am doing wrong.
    TIA
    : Saved
    :
    PIX Version 6.1(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    enable password xxxxx encrypted
    passwd xxxxx encrypted
    hostname DSGPIX515
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list 102 permit ip any any
    access-list 102 permit icmp any any
    access-list 102 permit tcp any any
    access-list 101 permit icmp any any
    access-list 101 permit gre any any
    access-list 101 permit tcp any host xxx.xxx.xxx.102 eq 5631
    access-list 101 permit tcp any host xxx.xxx.xxx.102 eq 5632
    access-list 101 permit tcp any host xxx.xxx.xxx.103 eq 3389
    access-list 101 permit tcp any host xxx.xxx.xxx.105 eq 443
    access-list 101 permit tcp any host xxx.xxx.xxx.109 eq 5631
    access-list 101 permit tcp any host xxx.xxx.xxx.109 eq 5632
    access-list 101 permit tcp any host xxx.xxx.xxx.101 eq pop3
    access-list 101 permit tcp any host xxx.xxx.xxx.101 eq smtp
    access-list 101 permit tcp any host xxx.xxx.xxx.108 eq www
    access-list 101 permit tcp any host xxx.xxx.xxx.108 eq smtp
    access-list 101 permit tcp any host xxx.xxx.xxx.108 eq pop3
    access-list 101 permit tcp any host xxx.xxx.xxx.108 eq 10000
    access-list 101 permit tcp any host xxx.xxx.xxx.115 eq 6666
    access-list 101 permit udp any host xxx.xxx.xxx.108 eq isakmp
    access-list 101 permit udp any host xxx.xxx.xxx.108 eq 4500
    access-list 101 permit udp any host xxx.xxx.xxx.108 eq 10000
    pager lines 300
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside xxx.xxx.xxx.98 255.255.255.224
    ip address inside 192.168.100.5 255.255.255.0
    ip address intf2 172.16.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 xxx.xxx.xxx.99
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) xxx.xxx.xxx.103 192.168.100.23 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.104 192.168.100.52 netmask 255.255.255.255 0 0
    static (inside,intf2) 192.168.100.26 192.168.100.26 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.105 192.168.100.26 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.101 192.168.100.106 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.109 192.168.105.10 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.102 192.168.100.29 netmask 255.255.255.255 0 0
    static (inside,outside) xxx.xxx.xxx.115 10.9.4.5 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    access-group 102 in interface intf2
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
    route inside 10.0.0.0 255.255.0.0 192.168.101.10 1
    route inside 10.1.0.0 255.255.0.0 192.168.101.10 1
    route inside 10.2.0.0 255.255.0.0 192.168.101.10 1
    route inside 10.3.0.0 255.255.0.0 192.168.101.10 1
    route inside 10.7.0.0 255.255.0.0 192.168.101.11 1
    route inside 10.8.0.0 255.255.0.0 192.168.101.11 1
    route inside 10.9.0.0 255.255.0.0 192.168.101.11 1
    route inside 10.9.4.0 255.255.255.0 192.168.101.11 1
    route inside 10.10.0.0 255.255.0.0 192.168.101.11 1
    route inside 10.11.0.0 255.255.0.0 192.168.101.10 1
    route inside 10.12.0.0 255.255.0.0 192.168.101.10 1
    route inside 10.227.254.0 255.255.255.0 192.168.100.20 1
    route inside 20.20.0.0 255.255.0.0 192.168.100.12 1
    route inside 30.30.0.0 255.255.0.0 192.168.100.20 1
    route inside 100.100.100.0 255.255.255.0 192.168.100.20 1
    route inside 192.168.0.0 255.255.255.0 192.168.0.2 1
    route inside 192.168.1.0 255.255.255.0 192.168.100.5 1
    route inside 192.168.2.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.3.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.4.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.5.0 255.255.255.0 192.168.100.20 1
    route inside 192.168.6.0 255.255.255.0 192.168.100.20 1
    route inside 192.168.7.0 255.255.255.0 192.168.100.20 1
    route inside 192.168.8.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.9.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.10.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.11.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.12.0 255.255.255.0 192.168.100.20 1
    route inside 192.168.13.0 255.255.255.0 192.168.100.20 1
    route inside 192.168.14.0 255.255.255.0 192.168.100.10 1
    route inside 192.168.15.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.16.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.17.0 255.255.255.0 192.168.100.20 1
    route inside 192.168.18.0 255.255.255.0 192.168.101.11 1
    route inside 192.168.19.0 255.255.255.0 192.168.100.20 1
    route inside 192.168.20.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.21.0 255.255.255.0 192.168.101.11 1
    route inside 192.168.22.0 255.255.255.0 192.168.100.12 1
    route inside 192.168.60.0 255.255.255.0 192.168.100.3 1
    route inside 192.168.101.0 255.255.255.0 192.168.100.2 0
    route inside 192.168.102.0 255.255.255.0 192.168.102.2 1
    route inside 192.168.103.0 255.255.255.0 192.168.103.2 1
    route inside 192.168.105.0 255.255.255.0 192.168.100.2 1
    route inside 192.168.106.0 255.255.255.0 192.168.100.2 1
    route inside 192.168.110.0 255.255.255.0 192.168.100.2 1
    route inside 192.168.254.0 255.255.255.0 192.168.100.3 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    sysopt ipsec pl-compatible
    no sysopt route dnat
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:
    : end


    • #3
      Re: Port forwarding on pix 515 problem

      Here is what the pix logs show.


      2009-01-10 17:48:03 Local4.Info 192.168.100.5 %PIX-6-609001: Built local-host inside:192.168.15.100
      2009-01-10 17:48:03 Local4.Info 192.168.100.5 %PIX-6-305001: Portmapped translation built for gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197
      2009-01-10 17:48:03 Local4.Info 192.168.100.5 %PIX-6-302001: Built outbound TCP connection 1103294 for faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197
      2009-01-10 17:48:03 Local4.Info 192.168.100.5 %PIX-6-302002: Teardown TCP connection 1103294 faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197 duration 0:00:00 bytes 0 (TCP Reset-O)
      xxx.xxx.xxx.101/1892 laddr 192.168.100.106/1892
      2009-01-10 17:48:03 Local4.Info 192.168.100.5 %PIX-6-302001: Built outbound TCP connection 1103304 for faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197
      2009-01-10 17:48:03 Local4.Info 192.168.100.5 %PIX-6-302002: Teardown TCP connection 1103304 faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197 duration 0:00:00 bytes 0 (TCP Reset-O)
      2009-01-10 17:48:04 Local4.Info 192.168.100.5 %PIX-6-302001: Built outbound TCP connection 1103307 for faddr 98.126.125.2/25 gaddr xxx.xxx.xxx.101/1892 laddr 192.168.100.106/1892
      2009-01-10 17:48:04 Local4.Info 192.168.100.5 %PIX-6-302001: Built outbound TCP connection 1103308 for faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197
      2009-01-10 17:48:04 Local4.Info 192.168.100.5 %PIX-6-302002: Teardown TCP connection 1103308 faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197 duration 0:00:00 bytes 0 (TCP Reset-O)
      2009-01-10 17:48:04 Local4.Info 192.168.100.5 %PIX-6-302001: Built outbound TCP connection 1103314 for faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197
      2009-01-10 17:48:04 Local4.Info 192.168.100.5 %PIX-6-302002: Teardown TCP connection 1103314 faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197 duration 0:00:00 bytes 0 (TCP Reset-O)

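As an added example (not from the thread or any of its posters), a small Python triage script that cross-references the `static` entries of the posted config with the %PIX-6-302001/302002 syslog lines above: it pairs Built and Teardown records by connection id and flags outbound connections from an inside host to one of the firewall's own static global addresses that ended with zero bytes on a TCP Reset-O, which is exactly what the log shows for 192.168.15.100 reaching for xxx.xxx.xxx.115:6666. The sample config and log lines are cut down from the posts with the global addresses masked as the poster masked them; the reading that such a hit is an inside host testing the outside address (a U-turn the PIX 6.x software does not perform) is an assumption, stated again in the code.

```python
import re

# Constructed sample, cut down from the thread's config and post #3's syslog (addresses masked as the poster did).
PIX_CONFIG = """\
static (inside,outside) xxx.xxx.xxx.103 192.168.100.23 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.115 10.9.4.5 netmask 255.255.255.255 0 0
"""
PIX_LOG = """\
2009-01-10 17:48:03 Local4.Info 192.168.100.5 %PIX-6-302001: Built outbound TCP connection 1103294 for faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197
2009-01-10 17:48:03 Local4.Info 192.168.100.5 %PIX-6-302002: Teardown TCP connection 1103294 faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197 duration 0:00:00 bytes 0 (TCP Reset-O)
2009-01-10 17:48:04 Local4.Info 192.168.100.5 %PIX-6-302001: Built outbound TCP connection 1103307 for faddr 98.126.125.2/25 gaddr xxx.xxx.xxx.101/1892 laddr 192.168.100.106/1892
2009-01-10 17:48:04 Local4.Info 192.168.100.5 %PIX-6-302001: Built outbound TCP connection 1103308 for faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197
2009-01-10 17:48:04 Local4.Info 192.168.100.5 %PIX-6-302002: Teardown TCP connection 1103308 faddr xxx.xxx.xxx.115/6666 gaddr xxx.xxx.xxx.99/16091 laddr 192.168.15.100/1197 duration 0:00:00 bytes 0 (TCP Reset-O)
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")  # static (real_if,mapped_if) mapped real
CONN_RE = re.compile(  # 302001 = Built (has a direction and "for"); 302002 = Teardown (has the duration/bytes tail)
    r"%PIX-6-(302001|302002): (?:Built|Teardown) (?:(\w+) )?TCP connection (\d+) "
    r"(?:for )?faddr (\S+)/(\d+) gaddr (\S+)/(\d+) laddr (\S+)/(\d+)"
    r"(?: duration (\S+) bytes (\d+) \((.*?)\))?")

def parse_statics(cfg):
    """Map each static's mapped (global) address to (real address, real interface)."""
    statics = {}
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, _mapped_if, mapped, real = m.groups()
            statics[mapped] = (real, real_if)
    return statics

def find_hairpins(cfg, log):
    """Pair Built/Teardown by connection id; return the outbound connections aimed at one of
    this firewall's own static addresses that died with 0 bytes on a TCP Reset-O."""
    statics = parse_statics(cfg)
    conns = {}
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        code, direction, cid, faddr, fport, _g, _gp, laddr, _lp, _dur, nbytes, reason = m.groups()
        if code == "302001":
            conns[cid] = {"dir": direction, "faddr": faddr, "fport": int(fport), "laddr": laddr, "bytes": None, "reason": None}
        elif cid in conns:
            conns[cid].update(bytes=int(nbytes), reason=reason)
    # Assumption: a hit here is an inside host testing the outside address (a U-turn PIX 6.x does
    # not perform), not a defect in the static or the access-list, which a real outside client exercises.
    return [(cid, c["laddr"], c["faddr"], statics[c["faddr"]], c["fport"])
            for cid, c in conns.items()
            if c["dir"] == "outbound" and c["faddr"] in statics
            and c["reason"] == "TCP Reset-O" and c["bytes"] == 0]
```

Feeding it the full config and syslog export instead of the inline samples separates the inside-test noise from any genuine outside attempts in the same log.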


      • #4
        Re: Port forwarding on pix 515 problem

        Not sure on the answer but reset-o is a reset on the outside
        http://www.cisco.com/en/US/docs/secu...e/pixemsgs.htm
        6.1.4 is quite an old software too.

        If you run a wireshark inside the network, does the packet get through?
        Has it been bounced?
        cheers
        Andy

        Quis custodiet ipsos custodes?
