Firewall Wizards mailing list archives
Re: Cisco PIX 501 Port Redirection Problem
From: Dave <firewall () dsrtech com>
Date: Fri, 03 Sep 2004 23:39:49 -0400
Your config looks fine. You may want to nmap your local hosts and ensure the server ports you are attempting to connect to through the PIX are actually open. Other than that, look on Cisco for any bug with the use of names in ACLs and named ACLs.

On Fri, 2004-09-03 at 17:05, Robert McIntosh wrote:
My apologies for my newbie status. Changed passwords (whoops) and followed suggestions. Still no pass-through on any of the redirected ports, "connection refused". I'm willing to cough up some change ($40) to someone who can solve my dilemma. Simply trying to allow ports 80, 443, 995, 25, and 22 through to their respective private IPs. What am I doing wrong?

Thanks everyone,
Robert

---
: Saved
: Written by robert at 06:53:19.745 PDT Fri Sep 3 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname giggles
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.7 europa
name 10.0.0.3 ganymede
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq ssh
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 995
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.6 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.255 inside
pdm location ganymede 255.255.255.255 inside
pdm location europa 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface https europa https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh europa ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ganymede smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995 ganymede 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www europa www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 45
console timeout 0
dhcpd address europa-10.0.0.134 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
banner motd Welcome to giggles.
Cryptochecksum:c468c328ce47b4f0df0f96a63683ca11

Mark R. wrote:

Robert,

Your problem looks to be in the access list that is assigned to the outside interface (access-list outside_access_in). The syntax of the ACL allowing www access to europa is incorrect; also, the remaining lines to allow access for https, smtp, and ssh are missing. It should read as follows:

access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq ssh
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq 995

On a side note, I would suggest that you remove usernames and passwords from configs before you paste them.

hth,
Mark

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
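The thread turns on two things: whether every `static` port redirection has a matching permit in the ACL bound to the outside interface (Mark's point), and whether the inside hosts behind those statics are actually listening (Dave's nmap suggestion). The script below is an added example, not code from the thread or from Cisco: it parses the `name`, `static`, `access-list` and `access-group` lines of a PIX 6.3 config, reports redirections that the outside ACL does not permit (and permits that redirect nothing), and derives the (ip, port) list an admin should verify from the LAN side. The service-name-to-port map and `SAMPLE_CONFIG` are constructed for this example (the sample is modelled on the posted config with the SMTP ACL entry deliberately left out so the check has something to find); `tcp_listening` is a plain TCP connect test standing in for nmap.

```python
"""Consistency check for PIX 6.3 port-redirection configs (added example)."""
import re
import socket

# PIX 6.x service keywords used in the thread, mapped to port numbers.
# Assumption: only the keywords that appear in the posted config are needed.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "pop3": 110}

# Constructed sample config: a trimmed copy of the kind of config posted in the
# thread, with one deliberate gap (no ACL entry for the SMTP redirection).
SAMPLE_CONFIG = """\
names
name 10.0.0.7 europa
name 10.0.0.3 ganymede
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq ssh
access-list outside_in permit tcp any interface outside eq 995
static (inside,outside) tcp interface https europa https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh europa ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp ganymede smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995 ganymede 995 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www europa www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""


def port_number(token):
    """Turn a PIX port token (a number or a service keyword) into an int."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service keyword: {token}")


def parse_config(text):
    """Extract the lines that matter for port redirection."""
    names, statics, acls, groups = {}, [], {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) == 3:
            names[parts[2]] = parts[1]                    # alias -> IP
        elif parts[0] == "static" and parts[2:4] == ["tcp", "interface"]:
            # static (inside,outside) tcp interface <ext_port> <host> <int_port> netmask ...
            statics.append({"ext_port": port_number(parts[4]),
                            "host": parts[5],
                            "int_port": port_number(parts[6])})
        elif parts[0] == "access-list":
            m = re.match(r"access-list (\S+) permit tcp any interface (\S+) eq (\S+)$", line)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), port_number(m.group(3))))
        elif parts[0] == "access-group":
            groups[parts[4]] = parts[1]                   # interface -> ACL name
    return names, statics, acls, groups


def check_redirections(text):
    """Return a list of findings; an empty list means statics and ACL agree."""
    names, statics, acls, groups = parse_config(text)
    findings = []
    acl_name = groups.get("outside")
    if acl_name is None:
        findings.append("no access-group bound to the outside interface")
        permitted = set()
    elif acl_name not in acls:
        findings.append(f"access-group references ACL '{acl_name}' which has no usable entries")
        permitted = set()
    else:
        permitted = {port for iface, port in acls[acl_name] if iface == "outside"}
    redirected = set()
    for s in statics:
        redirected.add(s["ext_port"])
        if s["host"] not in names and not re.match(r"^\d+\.\d+\.\d+\.\d+$", s["host"]):
            findings.append(f"static for port {s['ext_port']} uses undefined name '{s['host']}'")
        if s["ext_port"] not in permitted:
            findings.append(f"static redirects outside port {s['ext_port']} to {s['host']} "
                            "but the outside ACL does not permit it")
    for port in sorted(permitted - redirected):
        findings.append(f"outside ACL permits port {port} but no static redirects it")
    return findings


def probe_targets(text):
    """(ip, port) pairs behind the statics: what should be listening, checked from inside."""
    names, statics, _, _ = parse_config(text)
    return sorted({(names.get(s["host"], s["host"]), s["int_port"]) for s in statics})


def tcp_listening(ip, port, timeout=2.0):
    """Plain TCP connect test from the LAN side, a stand-in for the nmap check."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in check_redirections(SAMPLE_CONFIG):
        print("FINDING:", finding)
    for ip, port in probe_targets(SAMPLE_CONFIG):
        print(f"{ip}:{port} listening={tcp_listening(ip, port)}")
```

Run it against a saved `show run` (with passwords stripped, as Mark advises) and the findings separate a firewall-side gap from a host-side one: if the statics and ACL agree but `tcp_listening` is false for a target, the "connection refused" is coming from the server, not the PIX.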
Current thread:
- Cisco PIX 501 Port Redirection Problem Robert McIntosh (Sep 03)
- <Possible follow-ups>
- Re: Cisco PIX 501 Port Redirection Problem Robert McIntosh (Sep 03)
- Re: Cisco PIX 501 Port Redirection Problem Kerry Thompson (Sep 04)
- Re: Cisco PIX 501 Port Redirection Problem Robert McIntosh (Sep 07)
- Re: Cisco PIX 501 Port Redirection Problem Dave (Sep 04)
- Re: Cisco PIX 501 Port Redirection Problem Kerry Thompson (Sep 04)
- RE: Cisco PIX 501 Port Redirection Problem Smith, Aaron (Sep 04)