Cisco PIX 501/Netgear DG834G --- port forwarding problem

  • Cisco PIX 501/Netgear DG834G --- port forwarding problem


    I was hoping someone may be able to help or offer some suggestions for a problem I'm having with a Cisco PIX installation.

    I am trying to enable access to a web-based CCTV system from the Internet. I can reach the web server in question when on the same internal network as the PC hosting the CCTV software. However, when I try accessing the same resource from the outside world, the request fails.

    Below is a basic ASCII diagram of the network:

    | Internet |
    | Netgear |
    | DG834G |
    | Cisco | (assigned by DHCP but address reserved by Netgear DG834)
    | Pix 501 |
    | Host PC |

    I've had some experience with the IOS command set through the Cisco CCNA training I've done, but the PIX CLI seems to differ slightly and I find the various options within the ASDM interface a little confusing.

    Below is the current running-config:

    Building configuration...
    : Saved
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password dmsjCDl2m42t4fuf encrypted
    passwd 2FKQnbNIdI.2KYOU encrypted
    hostname integrity
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    name camera
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpncli
    pdm location inside
    pdm location camera inside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm location outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
    crypto dynamic-map dynomap 10 set transform-set 3dessha
    crypto map integrity 10 ipsec-isakmp dynamic dynomap
    crypto map integrity client configuration address initiate
    crypto map integrity interface outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup 351client address-pool vpncli
    vpngroup 351client idle-time 1800
    vpngroup 351client password ********
    telnet inside
    telnet inside
    telnet timeout 5
    ssh timeout 5
    dhcpd address inside
    dhcpd dns
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    : end

    From the investigation I've done already, it seems that it could be a problem with the port forwarding. From looking at the above config, even though there are two separate private local networks, I can't seem to answer whether the PIX is performing NAT for a second time and whether this would cause problems with inbound traffic from the outside world.

    Can anyone advise?

    Any assistance greatly appreciated.



  • #2
    Re: Cisco PIX 501/Netgear DG834G --- port forwarding problem

    You don't have the NAT rules... The Cisco PIX doesn't seem to know what to do with the traffic..

    So, you have to insert the NAT rules. Something like this:

    global (outside) 1 netmask
    nat (inside) 0 0 0

    It's just an example.. you have to adapt the IP addresses.
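    For reference, here is an added example (not from either poster) of what the PIX side of this set-up usually needs on 6.x: the existing nat/global pair only handles outbound PAT, so an inbound connection additionally needs a static port redirection plus an access-list that permits it. The names CAMERA_IP, PIX_OUTSIDE_IP and CLIENT_IP are placeholders, and the example assumes the DG834G's DHCP reservation keeps the PIX outside address stable.

```cisco
! Added example (not the posters' configuration): PIX 6.x port redirection
! for a web-based CCTV host sitting behind a PIX that is itself behind a
! Netgear DG834G. Placeholders (assumed, replace with your own values):
!   CAMERA_IP       inside address of the PC running the CCTV web server
!   PIX_OUTSIDE_IP  PIX outside address, reserved for it by the DG834G's DHCP
!   CLIENT_IP       public address you connect from, if it is fixed
!
! These two lines already exist and provide outbound PAT only. They do not
! create any inbound translation, so the double NAT is not the real problem.
global (outside) 1 interface
nat (inside) 1 0 0
!
! 1. Translate TCP/80 on the outside interface to the camera host. Only this
!    one port is exposed; nothing else on the host becomes reachable.
static (inside,outside) tcp interface 80 CAMERA_IP 80 netmask 255.255.255.255 0 0
!
! 2. Permit the inbound connection. Prefer the source-restricted line; use
!    the "any" form only when the client address cannot be predicted.
access-list outside_in permit tcp host CLIENT_IP host PIX_OUTSIDE_IP eq 80
! access-list outside_in permit tcp any host PIX_OUTSIDE_IP eq 80
access-group outside_in in interface outside
write memory
!
! 3. On the DG834G, forward TCP/80 (or another external port of your choice)
!    from the Internet to PIX_OUTSIDE_IP. The PIX then performs the second
!    hop of NAT using the static above.
!
! Verification from enable mode: the static appears in "show xlate" once it
! is configured, and the hitcnt on the access-list line increases with each
! inbound attempt, which also tells you whether the Netgear forward works.
show static
show xlate
show access-list outside_in
```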