Cisco PIX 501

Posted by Shadus on September 14, 2005, 11:51 am
I'm presently trying to set up a Cisco PIX 501 to forward a range of
ports to a host on the inside.

192.168.100.200 needs to have several ports forwarded along to it.
I've tried a couple of different methods, but every time it comes back
to setting up a static for each individual port... for obvious
reasons, when dealing with ~120 ports this sucks. When I only needed 10
ports I just set up static (outside, inside) 6881 192.168.100.200 6881
netmask 255.255.255.255 0 0... can't get it to work with a range or
object-group though... but I may be doing something wrong.

Any ideas? Here's the current config (it currently has some remnants of
me trying to get the port range forwarded).

The basics are: I need ports 6881-6999, 6112 and 3724 forwarded to
192.168.100.200, and I don't want to do ~120 lines of static port mappings.

aker# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname aker
domain-name xxxxxxxxxxxxxxxxxx.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service wow tcp-udp
port-object range 6881 6999
port-object eq 6112
port-object eq 3724
access-list inbound permit icmp any any
access-list inbound deny tcp any any eq 135
access-list inbound deny tcp any any eq 137
access-list inbound deny tcp any any eq 138
access-list inbound deny tcp any any eq netbios-ssn
access-list inbound deny udp any any eq netbios-ns
access-list inbound deny udp any any eq netbios-dgm
access-list inbound deny udp any any eq 139
access-list inbound deny tcp any any eq 445
access-list inbound deny udp any any eq 445
access-list inbound permit tcp any any eq ssh
access-list inbound permit udp any any eq 22
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq https
access-list inbound permit tcp any any eq nntp
access-list inbound permit udp any any eq 119
access-list inbound permit tcp any any object-group wow
access-list inbound permit udp any any object-group wow
access-list mortis permit tcp any any object-group wow
access-list mortis permit udp any any object-group wow
access-list nonatinside permit ip host 192.168.100.200 192.168.207.0 255.255.255.0
access-list to-end permit ip host 192.168.100.200 192.168.207.0 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set a-transform esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address to-end
crypto map mymap 10 set peer xxx.xx.xx.xxx
crypto map mymap 10 set transform-set a-transform
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address xxx.xx.xx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.204-192.168.100.210 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxxxxxxxxxxxx.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Ideas? Suggestions?


Posted by Walter Roberson on September 14, 2005, 5:26 pm
:I'm presently trying to setup a cisco pix 501 to forward a range of
:ports to a host on the inside.

:192.168.100.200 needs to have several ports forwarded along to it.
:I've tried a couple of different methods but every time it comes back
:to setting a static up for each individual port... for obvious
:reasons when dealing with ~120 ports this sucks.

That's the only supported PIX 6.x method for specifying port forwarding.

:The basics are: I need ports 6881-6999, 6112, 3724 forwarded to
:192.168.100.200 and I don't want to do ~120 lines of static port mappings

Then you will need to get a second IP address and map all of that IP to
192.168.100.200 .


:PIX Version 6.3(3)

There is a security problem in 6.3(3), fixed in 6.3(4). The upgrade
is free. The current release is 6.3(5), a bug-fix release (upgrade
to it might not be free.)
--
"This was a Golden Age, a time of high adventure, rich living and
hard dying... but nobody thought so." -- Alfred Bester, TSMD
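The per-port static form Walter refers to, generated for the original poster's port list. This is an added example, not code from the thread; it assumes the PIX 6.3 port-redirection syntax `static (inside,outside) {tcp|udp} interface <port> <inside_host> <port> netmask 255.255.255.255 0 0`, using the `interface` keyword because the outside address is DHCP-assigned (matching the `global (outside) 1 interface` already in the config).

```python
# Added example (not from the thread): emit one PIX 6.3 port-redirection
# static per port, the per-port form the reply above describes as the only
# one supported in 6.x. Assumes the outside address comes from DHCP, so the
# "interface" keyword stands in for a global IP.
from typing import Iterable, List, Tuple, Union

PortSpec = Union[int, Tuple[int, int]]   # a single port or an inclusive (lo, hi) range


def expand_ports(specs: Iterable[PortSpec]) -> List[int]:
    """Flatten ints and (lo, hi) ranges into a sorted, de-duplicated list."""
    ports = set()
    for spec in specs:
        lo, hi = (spec, spec) if isinstance(spec, int) else spec
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port spec {spec!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def static_lines(inside_host: str, specs: Iterable[PortSpec],
                 protocols: Tuple[str, ...] = ("tcp", "udp")) -> List[str]:
    """One 'static (inside,outside) <proto> interface P <host> P ...' per port and protocol.

    The 'netmask 255.255.255.255 0 0' tail (host mask, unlimited conns /
    embryonic conns) is the same one the original poster used.
    """
    return [
        f"static (inside,outside) {proto} interface {p} {inside_host} {p} "
        f"netmask 255.255.255.255 0 0"
        for proto in protocols
        for p in expand_ports(specs)
    ]


if __name__ == "__main__":
    # The original requirement: 6881-6999, 6112 and 3724 to 192.168.100.200.
    for line in static_lines("192.168.100.200", [(6881, 6999), 6112, 3724]):
        print(line)
```

The generated statics only open the translation; the existing `access-list inbound permit tcp/udp any any object-group wow` lines bound to the outside interface are still what permits the traffic through.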


Posted by Simon on September 14, 2005, 6:53 pm

>I'm presently trying to setup a cisco pix 501 to forward a range of
>ports to a host on the inside.
>
>192.168.100.200 needs to have several ports forwarded along to it.
>I've tried a couple of different methods but every time it comes back
>to setting a static up for each individual port... for obvious
>reasons when dealing with ~120 ports this sucks. When I only needed 10
>ports I just set up static (outside, inside) 6881 192.168.100.200 6881
>netmask 255.255.255.255 0 0... can't get it to work with a range or
>object-group though... but I may be doing something wrong.
>
>Any ideas? Here's the current config (it currently has some remnants of
>me trying to get the port range forwarded).
>
>The basics are: I need ports 6881-6999, 6112, 3724 forwarded to
>192.168.100.200 and I don't want to do ~120 lines of static port mappings
>
SNIP
>Ideas? Suggestions?

access-list inside_acl permit tcp 192.168.100.200 255.255.255.0 host xxx.xxx.xxx.xxx range 6881 6999

access-list inside_acl permit tcp 192.168.100.200 255.255.255.0 host xxx.xxx.xxx.xxx 6112

access-list inside_acl permit tcp 192.168.100.200 255.255.255.0 host xxx.xxx.xxx.xxx 3724

Then set a static route to 192.168.100.200 from whatever public IP
address you have assigned.

Is this what you're looking for?

--
Si

--
Simon


Posted by Simon on September 14, 2005, 6:56 pm

>I'm presently trying to setup a cisco pix 501 to forward a range of
>ports to a host on the inside.
>
>192.168.100.200 needs to have several ports forwarded along to it.
>I've tried a couple of different methods but every time it comes back
>to setting a static up for each individual port... for obvious
>reasons when dealing with ~120 ports this sucks. When I only needed 10
>ports I just set up static (outside, inside) 6881 192.168.100.200 6881
>netmask 255.255.255.255 0 0... can't get it to work with a range or
>object-group though... but I may be doing something wrong.
>
>Any ideas? Here's the current config (it currently has some remnants of
>me trying to get the port range forwarded).
>
>The basics are: I need ports 6881-6999, 6112, 3724 forwarded to
>192.168.100.200 and I don't want to do ~120 lines of static port mappings
>
SNIP
>Ideas? Suggestions?

Slight mistake in the previous posting: I didn't put eq in the access-list
command.

access-list inside_acl permit tcp 192.168.100.200 255.255.255.0 host xxx.xxx.xxx.xxx range 6881 6999

access-list inside_acl permit tcp 192.168.100.200 255.255.255.0 host xxx.xxx.xxx.xxx eq 6112

access-list inside_acl permit tcp 192.168.100.200 255.255.255.0 host xxx.xxx.xxx.xxx eq 3724

Then set a static route to 192.168.100.200 from whatever public IP
address you have assigned.

Is this what you're looking for?

--
Si

--
Simon

