topic Re: Static Port Forwarding in Network Security

Static Port Forwarding

akalender — Mon, 11 Mar 2019 09:35:33 GMT

I am trying to set up static single (1) and range (2) port forwarding on PIX 506E device using the following commands; however it is not working. What am I missing?

Single Port Forwarding

1. static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255

access-list PCA permit tcp any host 24.172.x.x eq 5631

access-group PCA in interface outside

Port Range Forwarding

2. object-group service pearl_echo_tcp tcp

port-object range 57345 57370

access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp

Re: Static Port Forwarding

kaachary — Mon, 19 Feb 2007 18:03:10 GMT

Looks good to me..can you make sure yu do not have any inbound ACL on Inside Interface.

Also, try doing a telnet to the 24.x.x.x ip on port 5631 from outside. Does that work ?

-Kanishka

Re: Static Port Forwarding

vitripat — Tue, 20 Feb 2007 02:06:42 GMT

static (inside,outside) tcp 24.172.x.x 5631 192.168.1.215 5631 netmask 255.255.255.255

The static command above looks fine. However, looking at port no. 5631, are you trying to pass PCAnywhere through PIX? If so, you also need to open port 5632 (UDP).

static (inside,outside) udp 24.172.x.x 5632 192.168.1.215 5632 netmask 255.255.255.255

On the access-list applied to outside interface in inbound direction, you need to have following lines in-

access-list PE permit tcp any host 24.172.x.x eq 5631

access-list PE permit udp any host 24.172.x.x eq 5632

----

object-group service pearl_echo_tcp tcp

port-object range 57345 57370

access-list PE permit tcp any host 24.172.x.x object-group pearl_echo_tcp

----

What is the requirement of above commands? If you need to allow inbound access to 24.172.x.x on ports from 57345-57370, we will need to add individual static command for each port.

I hope this helps.

Regards,

Vibhor

Re: Static Port Forwarding

akalender — Tue, 20 Feb 2007 16:34:13 GMT

Yes, I am trying to pass PC Anywhere traffic through PIX and I have ports 5631, 5632 open for both TCP and UDP.

Re: Static Port Forwarding

akalender — Tue, 20 Feb 2007 16:34:54 GMT

How can I see if I have any inbound ACL on inside interface?

Re: Static Port Forwarding

vitripat — Tue, 20 Feb 2007 17:08:28 GMT

You can check if there is any access-list applied on the inside interface using following command-

show access-group

If you see any access-group on inside interface, that access-list is applied on inside interface of PIX.

To allow pc-anywhere through PIX, as I mentioned earlier, you only need to redirect following ports from public IP to the internal IP-

5631(tcp) & 5632(udp)

Assuming that public IP is -- public

and private IP is -- private

Following commands are required-

static (inside,outside) tcp public 5631 private 5631

static (inside,outside) udp public 5632 private 5632

access-list 101 permit tcp any host public eq 5631

access-list 101 permit udp any host public eq 5632

access-group 101 in interface outside

let me know if this helps.

Regards,

Vibhor.

Re: Static Port Forwarding

akalender — Tue, 20 Feb 2007 18:09:38 GMT

This is the only listing

access-group outside_access_in in interface outside.

It is still not working even after I recreated the commands. It is telling me that a duplicate entry exist.

Can I configure it through PIX device manager by using access rules and translation rules? GUI makes it a little easier.

Thanks,

Re: Static Port Forwarding

vitripat — Tue, 20 Feb 2007 22:49:32 GMT

Could you provide the output of following commands-

show static

show access-list

show access-group

Re: Static Port Forwarding

akalender — Wed, 21 Feb 2007 16:52:46 GMT

Interestingly enough show static and show access-group did not show any entries. I got all my access list displayed when using show access-list command.

I ended up creating all static entries throgh PIX device manager and now all statics are displayed and working properly; however show access-group displays only the list access-group I created. Any reason why?

Re: Static Port Forwarding

kaachary — Wed, 21 Feb 2007 17:08:45 GMT

Hi,

"sh access-group" will only show you the access-group and the interfacce its applied to.

If you want to check the entries the int haccess-list, you to do a "sh access-list "

Sh static should show all the statics, if there's any. I'm not sure, why its not displaying that.

-Kanishka

Re: Static Port Forwarding

acomiskey — Wed, 21 Feb 2007 17:36:52 GMT

Its

show run access-group

show run static

Re: Static Port Forwarding

kaachary — Wed, 21 Feb 2007 17:43:35 GMT

That is the command for 7.X code..

Its PIX 506E.

-Kanishka

Re: Static Port Forwarding

leowong — Mon, 26 Feb 2007 11:01:37 GMT

Possible to do port forward on PPTP tunnel? As it only accept TCP or UDP, if i have a server that behind the firewall, that need to terminate PPTP sessions, and i only have one public IP..... what should i do?

thanks in advance.

Leo