Re: Port forwarding on pix 515 problem



desoto


I have a customer that needs access to port 6666 on an encoder. Network layout:

internet -> cisco 1841 -> pix515 -> cisco4006 -> vpn interface -> 3550 switch -> wireless ap -> wireless client -> wireless ap -> wireless client -> encoder.

Addresses:
- PIX inside: 192.168.100.5
- Cisco 4006: 192.168.100.2
- VPN, 4006 side: 192.168.101.1; other side: 192.168.101.2
- Wireless AP ether: 192.168.101.11; ath0: 10.9.0.1; DGW 192.168.100.2
- Wireless client ath0: 10.9.0.2; DGW 10.9.0.1
- Wireless AP ath1: 10.9.1.1; DGW 10.9.0.1
- Wireless client ath0: 10.9.1.2; DGW 10.9.1.1; ether: 10.9.4.1
- Encoder: 10.9.4.5

The PIX can ping the encoder from the inside and from any address on the network. The encoder can ping the PIX or any address inside or outside. From the inside I can telnet to port 6666 on 10.9.4.5 and get the desired results. If you try to telnet to the outside IP it will not connect.

I am including the config from the PIX also.

I hope someone can tell me what I am doing wrong.
TIA
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname DSGPIX515
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 102 permit tcp any any
access-list 101 permit icmp any any
access-list 101 permit gre any any
access-list 101 permit tcp any host xxx.xxx.xxx.102 eq 5631
access-list 101 permit tcp any host xxx.xxx.xxx.102 eq 5632
access-list 101 permit tcp any host xxx.xxx.xxx.103 eq 3389
access-list 101 permit tcp any host xxx.xxx.xxx.105 eq 443
access-list 101 permit tcp any host xxx.xxx.xxx.109 eq 5631
access-list 101 permit tcp any host xxx.xxx.xxx.109 eq 5632
access-list 101 permit tcp any host xxx.xxx.xxx.101 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.101 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.108 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.108 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.108 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.108 eq 10000
access-list 101 permit tcp any host xxx.xxx.xxx.115 eq 6666
access-list 101 permit udp any host xxx.xxx.xxx.108 eq isakmp
access-list 101 permit udp any host xxx.xxx.xxx.108 eq 4500
access-list 101 permit udp any host xxx.xxx.xxx.108 eq 10000
pager lines 300
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.98 255.255.255.224
ip address inside 192.168.100.5 255.255.255.0
ip address intf2 172.16.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.99
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.103 192.168.100.23 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.104 192.168.100.52 netmask 255.255.255.255 0 0
static (inside,intf2) 192.168.100.26 192.168.100.26 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.105 192.168.100.26 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.101 192.168.100.106 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.109 192.168.105.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.102 192.168.100.29 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.115 10.9.4.5 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 102 in interface intf2
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
route inside 10.0.0.0 255.255.0.0 192.168.101.10 1
route inside 10.1.0.0 255.255.0.0 192.168.101.10 1
route inside 10.2.0.0 255.255.0.0 192.168.101.10 1
route inside 10.3.0.0 255.255.0.0 192.168.101.10 1
route inside 10.7.0.0 255.255.0.0 192.168.101.11 1
route inside 10.8.0.0 255.255.0.0 192.168.101.11 1
route inside 10.9.0.0 255.255.0.0 192.168.101.11 1
route inside 10.9.4.0 255.255.255.0 192.168.101.11 1
route inside 10.10.0.0 255.255.0.0 192.168.101.11 1
route inside 10.11.0.0 255.255.0.0 192.168.101.10 1
route inside 10.12.0.0 255.255.0.0 192.168.101.10 1
route inside 10.227.254.0 255.255.255.0 192.168.100.20 1
route inside 20.20.0.0 255.255.0.0 192.168.100.12 1
route inside 30.30.0.0 255.255.0.0 192.168.100.20 1
route inside 100.100.100.0 255.255.255.0 192.168.100.20 1
route inside 192.168.0.0 255.255.255.0 192.168.0.2 1
route inside 192.168.1.0 255.255.255.0 192.168.100.5 1
route inside 192.168.2.0 255.255.255.0 192.168.100.12 1
route inside 192.168.3.0 255.255.255.0 192.168.100.12 1
route inside 192.168.4.0 255.255.255.0 192.168.100.12 1
route inside 192.168.5.0 255.255.255.0 192.168.100.20 1
route inside 192.168.6.0 255.255.255.0 192.168.100.20 1
route inside 192.168.7.0 255.255.255.0 192.168.100.20 1
route inside 192.168.8.0 255.255.255.0 192.168.100.12 1
route inside 192.168.9.0 255.255.255.0 192.168.100.12 1
route inside 192.168.10.0 255.255.255.0 192.168.100.12 1
route inside 192.168.11.0 255.255.255.0 192.168.100.12 1
route inside 192.168.12.0 255.255.255.0 192.168.100.20 1
route inside 192.168.13.0 255.255.255.0 192.168.100.20 1
route inside 192.168.14.0 255.255.255.0 192.168.100.10 1
route inside 192.168.15.0 255.255.255.0 192.168.100.12 1
route inside 192.168.16.0 255.255.255.0 192.168.100.12 1
route inside 192.168.17.0 255.255.255.0 192.168.100.20 1
route inside 192.168.18.0 255.255.255.0 192.168.101.11 1
route inside 192.168.19.0 255.255.255.0 192.168.100.20 1
route inside 192.168.20.0 255.255.255.0 192.168.100.12 1
route inside 192.168.21.0 255.255.255.0 192.168.101.11 1
route inside 192.168.22.0 255.255.255.0 192.168.100.12 1
route inside 192.168.60.0 255.255.255.0 192.168.100.3 1
route inside 192.168.101.0 255.255.255.0 192.168.100.2 0
route inside 192.168.102.0 255.255.255.0 192.168.102.2 1
route inside 192.168.103.0 255.255.255.0 192.168.103.2 1
route inside 192.168.105.0 255.255.255.0 192.168.100.2 1
route inside 192.168.106.0 255.255.255.0 192.168.100.2 1
route inside 192.168.110.0 255.255.255.0 192.168.100.2 1
route inside 192.168.254.0 255.255.255.0 192.168.100.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt ipsec pl-compatible
no sysopt route dnat
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
: end
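An added example, not part of desoto's post and not a Cisco tool: a Python script that cross-checks the statements a PIX 6.x port forward depends on. For an outside host to reach a static, the ACL bound to the outside interface must permit the global (translated) address, a static must map that global to an inside host, and the PIX must have an inside route (or a directly connected subnet) for that inside host. The script parses those statement types, pairs each ACE with its static, resolves the real address against the inside routes by longest prefix, and lists ACEs with no static, statics with no ACE, and statics whose real address has no inside route. SAMPLE_CONFIG is a constructed excerpt of the config above; the masked xxx.xxx.xxx.N globals are kept as opaque strings, and statements whose addresses are masked are skipped rather than parsed. The "gateway off link" check is my own heuristic: it only notes that a route's next hop is not on the inside interface's own subnet, so the reader can verify the PIX can actually reach that next hop; it does not claim that the PIX rejects such a route.

```python
"""Cross-check static NAT, outside ACL and inside routes in a PIX 6.x config.
Added example: SAMPLE_CONFIG is a constructed excerpt of a posted config, with
the masked xxx.xxx.xxx.N global addresses left as opaque strings."""
import ipaddress
import re
from collections import namedtuple

Static = namedtuple("Static", "in_if out_if global_ip real_ip")
Ace = namedtuple("Ace", "acl proto host port")
Route = namedtuple("Route", "iface network gateway")

SAMPLE_CONFIG = """\
ip address inside 192.168.100.5 255.255.255.0
access-list 101 permit tcp any host xxx.xxx.xxx.103 eq 3389
access-list 101 permit tcp any host xxx.xxx.xxx.108 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.115 eq 6666
access-list 101 permit udp any host xxx.xxx.xxx.108 eq isakmp
static (inside,outside) xxx.xxx.xxx.103 192.168.100.23 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.104 192.168.100.52 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.115 10.9.4.5 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
route inside 10.9.0.0 255.255.0.0 192.168.101.11 1
route inside 10.9.4.0 255.255.255.0 192.168.101.11 1
"""

# PIX accepts service names in place of port numbers; map the ones seen in the post.
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110, "isakmp": 500, "https": 443}

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")


def to_port(token):
    """Resolve a PIX service keyword or numeric port; unknown names pass through."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token) if token.isdigit() else token


def parse(config):
    statics, aces, groups, routes, if_nets = [], [], {}, [], {}
    for line in config.splitlines():
        line = line.strip()
        try:
            if m := STATIC_RE.match(line):
                statics.append(Static(m[1], m[2], m[3], m[4]))
            elif m := ACE_RE.match(line):
                aces.append(Ace(m[1], m[2], m[3], to_port(m[4])))
            elif m := GROUP_RE.match(line):
                groups[m[2]] = m[1]  # interface -> ACL name
            elif m := ROUTE_RE.match(line):
                net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
                routes.append(Route(m[1], net, ipaddress.ip_address(m[4])))
            elif m := IPADDR_RE.match(line):
                if_nets[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        except ValueError:
            continue  # masked (xxx.xxx.xxx.N) addresses cannot be parsed; skip them
    return statics, aces, groups, routes, if_nets


def next_hop(routes, iface, addr):
    """Longest-prefix match among the routes bound to one interface; None if no route."""
    best = None
    for r in routes:
        if r.iface == iface and addr in r.network:
            if best is None or r.network.prefixlen > best.network.prefixlen:
                best = r
    return best


def audit(config):
    statics, aces, groups, routes, if_nets = parse(config)
    by_global = {s.global_ip: s for s in statics if s.out_if == "outside"}
    permitted = [a for a in aces if a.acl == groups.get("outside")]
    report = {"forwarded": {}, "ace_without_static": [], "static_without_ace": [],
              "no_inside_route": [], "gateway_off_link": []}
    for ace in permitted:
        s = by_global.get(ace.host)
        if s is None:  # ACL opens a port on an address that nothing translates
            report["ace_without_static"].append((ace.host, ace.proto, ace.port))
            continue
        real, link = ipaddress.ip_address(s.real_ip), if_nets.get(s.in_if)
        if link is not None and real in link:
            gw = "directly connected"
        elif (route := next_hop(routes, s.in_if, real)) is None:
            report["no_inside_route"].append(s.real_ip)
            gw = None
        else:
            gw = str(route.gateway)
            if link is not None and route.gateway not in link:
                report["gateway_off_link"].append((s.real_ip, gw))
        report["forwarded"].setdefault(s.real_ip, []).append((ace.proto, ace.port, gw))
    referenced = {a.host for a in permitted}
    report["static_without_ace"] = sorted(g for g in by_global if g not in referenced)
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample, the xxx.xxx.xxx.115 static and its port 6666 ACE line up, and 10.9.4.5 resolves to the /24 route via 192.168.101.11, which the script flags because that next hop is not on the 192.168.100.0/24 inside subnet. The xxx.xxx.xxx.108 ACEs have no static in the excerpt, and the xxx.xxx.xxx.104 static has no ACE; both are the usual ways a port forward silently fails to answer from outside.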