topic Need Help with port forwarding on pix 501 in Network Security

Need Help with port forwarding on pix 501

shanetapper — Fri, 21 Feb 2020 11:58:14 GMT

Just testing RDP right now and it goes no where. Not sure which it is either nat or acl that are messed up

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname cisco

domain-name cisco.org

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 4.3.2.1 server1

name 4.3.2.2 server2

name 4.3.2.3 server3

name 1.2.3.5 server4

name 4.3.2.5 server5

object-group network servers

network-object server1 255.255.255.255

network-object server2 255.255.255.255

network-object server3 255.255.255.255

access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389

access-list outside_access_in permit tcp host server2 eq 1433 interface outside eq 1433

access-list outside_access_in permit tcp host server3 eq 1433 interface outside eq 1433

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

ip address outside 6.7.8.9 255.255.255.192

ip address inside 1.2.3.4 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location server1 255.255.255.255 outside

pdm location server2 255.255.255.255 outside

pdm location server3 255.255.255.255 outside
pdm location server4 255.255.255.255 inside

pdm location server5 255.255.255.255 outside

pdm group servers outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface outside 1433 server4 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface outside 3389 server4 3389 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 1.2.4.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local
http server enable

http 1.2.3.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 1.2.3.10-1.2.3.20 inside

dhcpd dns 1.2.4.2 1.2.4.3

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Re: Need Help with port forwarding on pix 501

pciaccio — Sun, 23 May 2010 23:11:15 GMT

This is just an assumption, however shouldn't your default route point to 1.2.3.1 instead of 1.2.4.1 ?? If your default route is setup wrong you will not get out the door to talk to any external address...

Re: Need Help with port forwarding on pix 501

shanetapper — Sun, 23 May 2010 23:16:49 GMT

thanks for the follow up i appreciate it. that may have been my mistyping when trying to change ip addresses. it has something to do with rdp needing to use something other than 3389. Graninting access to the all ports to the specific ip address and it works fine. Now I just need to determine exactly what ports need to be opened up but things are working ok now just not good.

Re: Need Help with port forwarding on pix 501

pciaccio — Mon, 24 May 2010 01:02:31 GMT

The RDP port number is correct. I would try restructuring your access-list.

You have:

access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389

Try it

access-list outside_access_in permit any host server1 eq 3389

I suggest this because your access-list is applied to the traffic inbound. This new line will allow anyone to communicate to Server1 only through TCP port 3389...

Re: Need Help with port forwarding on pix 501

shanetapper — Mon, 24 May 2010 11:53:48 GMT

you are correct that would open up to the entire world but that does not resolve the issue. if i can open up all the ports yet keep it limited to the same handful of ips it is a port issue that is preventing things from getting across....or possibly just one of the random pix nuances

Re: Need Help with port forwarding on pix 501

pciaccio — Mon, 24 May 2010 12:31:58 GMT

You need to be more descriptive in what is happening..

1) Who is initiating the RDP session. Inside svr to outside or outside to inside? Is the remote svr allowing RDP sessions from your subnet?

2) Are all the svrs seeing the same symptom or just one of them?

3) Did you try chscking the access-lists to see if they are getting any hits on them?

4) Did you try debugging for specific packets and verify that you are natting correctly?

5) Is the RDP session giving you an error? Did you check the logs off the ASA, Are they providing information about your session?

Re: Need Help with port forwarding on pix 501

shanetapper — Mon, 24 May 2010 12:40:10 GMT

1) Who is initiating the RDP session. Inside svr to outside or outside to inside? Is the remote svr allowing RDP sessions from your subnet?

All outside, yes as stated things are working when opening all ports to the specific ip address

2) Are all the svrs seeing the same symptom or just one of them?

Only testing on a single server I have control of

3) Did you try chscking the access-lists to see if they are getting any hits on them?

i can look into this

4) Did you try debugging for specific packets and verify that you are natting correctly?

i did not but believe natting to be correct, do you believe its incorrect based on the above config

5) Is the RDP session giving you an error? Did you check the logs off the ASA, Are they providing information about your session?

no errors on rdp session just does not connect

Leaving the config as is except for allowing all ports instead of just 3389. Everything works wonderfully can pull up rdp and connect.

Leaving the config as is with just 3389 rdp does not connect at all.

Re: Need Help with port forwarding on pix 501

pciaccio — Mon, 24 May 2010 12:54:31 GMT

I would then get the global natted outside address of your remote svrs that are

initiating the RDP session. Place them into your access-list

And change the ACL like I suggested earlier but this time place the global outside address on the ACL to be more specific instead of ANY... This will allow just the specific host(s) that you want in and using only the RDP port...

Re: Need Help with port forwarding on pix 501

shanetapper — Mon, 24 May 2010 13:06:31 GMT

you are confusing me so essentially you are asking me to enter statements like i had on the first go at things

access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389

access-list outside_access_in permit tcp host server2 eq 1433 interface outside eq 1433

access-list outside_access_in permit tcp host server3 eq 1433 interface outside eq 1433

when testing things i had added a second line of

access-list outside_access_in permit tcp host testserver eq 3389 interface outside eq 3389

sorry i am a little lost

Re: Need Help with port forwarding on pix 501

pciaccio — Mon, 24 May 2010 14:35:49 GMT

What did the logs and acl hits tell you??

One thing I would do is change your acl from

access-list outside_access_in permit tcp host server1 eq 3389 interface outside eq 3389

access-list outside_access_in permit tcp host server2 eq 1433 interface outside eq 1433

access-list outside_access_in permit tcp host server3 eq 1433 interface outside eq 1433

access-list outside_access_in permit tcp host server1 interface outside eq 3389

access-list outside_access_in permit tcp host server2 interface outside eq 1433

access-list outside_access_in permit tcp host server3 interface outside eq 1433

If that does not work, then I would do a debug ip packet (make sure no other traffic is going through the firewall). then look over all the debugs to see what is happening. Are these remote servers being natted? Are you possibly seeing a TCP fragmentation issue where the RDP session never completes? How do you fail on the RDP session. Does the program open the remote window or are you being prompted with an error immediately? does the session allow you to log onto it or does it stop you there??

Either way I would stick with the Debugs. thats the best way to determine what and where your issue lies....

Re: Need Help with port forwarding on pix 501

cofiguar1 — Mon, 24 May 2010 22:29:07 GMT

Assuming that you outside IP address is

ip address outside 6.7.8.9 255.255.255.192

access-list outside_access_in permit tcp any host 6.7.8.9 eq 3389

static (inside,outside) tcp 6.7.8.9 3389 server4 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside

clear xlate