topic Portforwarding in Pix 501 in Network Security

Portforwarding in Pix 501

Tmhoang21 — Tue, 12 Mar 2019 01:27:40 GMT

Hello i'm having a problem portforwarding/redirection for the pix 501

I'm trying to open the ports 49003 and 40085 in order to view our dvr remotely and i'm not exactly sure how to it.

Portforwarding in Pix 501

Jouni Forss — Fri, 12 Apr 2013 19:58:40 GMT

Hi,

The format should be something like this

static (inside,outside) tcp interface 49003 49003 netmask 255.255.255.255

static (inside,outside) tcp interface 40085 40085 netmask 255.255.255.255

And allow them on the ACL

access-list OUTSIDE-IN permit tcp any eq 49003

access-list OUTSIDE-IN permit tcp any eq 40085

ACL and interface names are just examples

- Jouni

Portforwarding in Pix 501

Tmhoang21 — Fri, 12 Apr 2013 20:06:54 GMT

the local ip would be the dvr right?

Portforwarding in Pix 501

Jouni Forss — Fri, 12 Apr 2013 20:09:28 GMT

Yeah,

Its the real IP address of the host.

The "interface" before it specifies that the IP address of the "outside" interface would be used as the public IP address towards Internet.

If you had a spare public IP address just for this device then you could simply configure

static (inside,outside) netmask 255.255.255.255

- Jouni

Portforwarding in Pix 501

Tmhoang21 — Fri, 12 Apr 2013 20:15:10 GMT

so the commands should look similar to this.

static (inside,outside) tcp interface 49003 192.168.5.100 49003 netmask 255.255.255.255

static (inside,outside) tcp interface 40085 192.168.5.100 40085 netmask 255.255.255.255

access-list OUTSIDE-IN permit tcp any 76.205.230.51 eq 49003

access-list OUTSIDE-IN permit tcp any 76.205.230.51 eq 40085

Portforwarding in Pix 501

Jouni Forss — Fri, 12 Apr 2013 20:18:18 GMT

Yes if the services needed to be forwarded were TCP/49003 and TCP/40085

Remember that if you already have an ACL attached to the "outside" interface then you can use that ACL in the configurations.

IF you have NO ACL attached to the "outside" interface before this then you will also need this command to attach the ACL

access-group OUTSIDE-IN in interface outside

- Jouni

Portforwarding in Pix 501

Jouni Forss — Fri, 12 Apr 2013 20:31:06 GMT

Hi,

To answer the message you sent.

For UDP the "static" commands follow the same logic.

You dont seem to have an ACL in the "outside" interface at the moment so you should be able to add these with your IP address infromation inserted.

static (inside,outside) tcp interface 49003 49003 netmask 255.255.255.255

static (inside,outside) tcp interface 40085 40085 netmask 255.255.255.255

static (inside,outside) udp interface 49003 49003 netmask 255.255.255.255

static (inside,outside) udp interface 40085 40085 netmask 255.255.255.255

access-list OUTSIDE-IN permit tcp any eq 49003

access-list OUTSIDE-IN permit tcp any eq 40085

access-list OUTSIDE-IN permit udp any eq 49003

access-list OUTSIDE-IN permit udp any eq 40085

access-group OUTSIDE-IN in interface outside

- Jouni

Portforwarding in Pix 501

Tmhoang21 — Fri, 12 Apr 2013 20:57:12 GMT

it gave me

Result of firewall command: "static (inside,outside) tcp interface 49003 192.168.4.161 49003 netmask 255.255.255.255"

ERROR: duplicate of existing static

tcp from inside:192.168.4.161/49003 to outside:76.205.229.61/49003 netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns] [norandomseq] [ []]

Command failed

Result of firewall command: ""

Result of firewall command: "static (inside,outside) tcp interface 40085 192.168.4.161 40085 netmask 255.255.255.255"

ERROR: duplicate of existing static

tcp from inside:192.168.4.161/40085 to outside:76.205.229.61/40085 netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns] [norandomseq] [ []]

Command failed

Result of firewall command: ""

Result of firewall command: "static (inside,outside) udp interface 49003 192.168.4.161 49003 netmask 255.255.255.255"

Result of firewall command: ""

Result of firewall command: "static (inside,outside) udp interface 40085 192.168.4.161 40085 netmask 255.255.255.255"

Result of firewall command: ""

Result of firewall command: " "

Result of firewall command: ""

Result of firewall command: "access-list OUTSIDE-IN permit tcp any 76.205.229.61 eq 49003"

ERROR: invalid IP address eq

Usage: [no] access-list compiled

[no] access-list deny-flow-max

[no] access-list alert-interval

[no] access-list object-group-search

[no] access-list compiled

[no] access-list [line ] remark

[no] access-list [line ] deny|permit

|object-group

| interface | object-group

[ [] | object-group ]

| interface | object-group

[ [] | object-group ]

[log [disable|default] | [] [interval ]]

[no] access-list [line ] deny|permit icmp

| interface | object-group

[ | object-group ]

[log [disable|default] | [] [interval ]]

Restricted ACLs for route-map use:

[no] access-list deny|permit {any | | host

}

Command failed

Result of firewall command: ""

Result of firewall command: "access-list OUTSIDE-IN permit tcp any 76.205.229.61 eq 40085"

ERROR: invalid IP address eq

Usage: [no] access-list compiled

[no] access-list deny-flow-max

[no] access-list alert-interval

[no] access-list object-group-search

[no] access-list compiled

[no] access-list [line ] remark

[no] access-list [line ] deny|permit

|object-group

| interface | object-group

[ [] | object-group ]

| interface | object-group

[ [] | object-group ]

[log [disable|default] | [] [interval ]]

[no] access-list [line ] deny|permit icmp

| interface | object-group

[ | object-group ]

[log [disable|default] | [] [interval ]]

Restricted ACLs for route-map use:

[no] access-list deny|permit {any | | host

}

Command failed

Result of firewall command: ""

Result of firewall command: "access-list OUTSIDE-IN permit udp any 76.205.229.61 eq 49003"

ERROR: invalid IP address eq

Usage: [no] access-list compiled

[no] access-list deny-flow-max

[no] access-list alert-interval

[no] access-list object-group-search

[no] access-list compiled

[no] access-list [line ] remark

[no] access-list [line ] deny|permit

|object-group

| interface | object-group

[ [] | object-group ]

| interface | object-group

[ [] | object-group ]

[log [disable|default] | [] [interval ]]

[no] access-list [line ] deny|permit icmp

| interface | object-group

[ | object-group ]

[log [disable|default] | [] [interval ]]

Restricted ACLs for route-map use:

[no] access-list deny|permit {any | | host

}

Command failed

Result of firewall command: ""

Result of firewall command: "access-list OUTSIDE-IN permit udp any 76.205.229.61 eq 40085"

ERROR: invalid IP address eq

Usage: [no] access-list compiled

[no] access-list deny-flow-max

[no] access-list alert-interval

[no] access-list object-group-search

[no] access-list compiled

[no] access-list [line ] remark

[no] access-list [line ] deny|permit

|object-group

| interface | object-group

[ [] | object-group ]

| interface | object-group

[ [] | object-group ]

[log [disable|default] | [] [interval ]]

[no] access-list [line ] deny|permit icmp

| interface | object-group

[ | object-group ]

[log [disable|default] | [] [interval ]]

Restricted ACLs for route-map use:

[no] access-list deny|permit {any | | host

}

Command failed

Result of firewall command: ""

Result of firewall command: " "

Result of firewall command: ""

Result of firewall command: "access-group OUTSIDE-IN in interface outside"

ERROR: access-list does not exist

Usage: [no] access-group in interface [per-user-override]

Command failed

Portforwarding in Pix 501

Jouni Forss — Fri, 12 Apr 2013 20:57:35 GMT

Let us know if it worked out.

If it did please mark the question as answered

Or if needed ask more

- Jouni

Re: Portforwarding in Pix 501

Jouni Forss — Fri, 12 Apr 2013 21:00:37 GMT

Ah sorry my bad.

You are missing the parameter "host" from the ACLs

Insert these again

access-list OUTSIDE-IN permit tcp any host 76.205.229.61 eq 49003

access-list OUTSIDE-IN permit tcp any host 76.205.229.61 eq 40085

access-list OUTSIDE-IN permit udp any host 76.205.229.61 eq 49003

access-list OUTSIDE-IN permit udp any host 76.205.229.61 eq 40085

access-group OUTSIDE-IN in interface outside

Also the error messages with the NAT were shown since you inserted the already existing NAT configurations again.

- Jouni

Portforwarding in Pix 501

Tmhoang21 — Fri, 12 Apr 2013 21:08:30 GMT

i got it thanks!!!!

Re: Portforwarding in Pix 501

Jouni Forss — Fri, 12 Apr 2013 22:53:40 GMT

Hi,

Can you please keep the questions here on the forums.I would prefer everyone see the whole discussion so they might get the help they need also when/if they happen to read the discussion. Naturally if there is some information that is private you can always send that as a message but please keep the questions here on the discussion.

You say that you tested the connections from canyouseeme.org and that you were given the reason that the connection was refused.

This tells us that some device is actively refusing the connection.

Since the firewall now has rules that do the port forward and allow the traffic through with the ACL it might mean that the actual device is refusing the connections. Is there possibly some settings on the actual device in the LAN network that need to be changed to allow connections from remote networks?

To my understanding Cisco firewalls by default let blocked connections timeout rather than refuse/reset them. This would furthermore lead me to believe that the above situation is true. That the actual device in the LAN (or some other device) is blocking the connection and sending a TCP Reset to whoever is trying to connect.

You also asked if this could be applied to other sites. I dont see why not. You fill first have to define the configurations that are needed to make it work. After that I dont see a problem with using the same concept at every site.

Though in your configuration it seemed the other site gets it public IP address through DHCP. Therefore you naturally cant use a public IP address on the ACL as it might change. Unless the ISP has staticly mapped the public IP address to your PIX firewall "outside" interface MAC address.

- Jouni