PIX 501 config probs - Newbie Needs help!

furious.trout
Level 1

Having a bit of a nightmare trying to configure outside access to one of our servers through the PIX. It's currently in its factory config.

I have tried assigning an ACL to allow remote desktop on port 4999 from outside but it doesn't seem to work. I have attached the config as it stands - please help, this is driving me insane!

1 Accepted Solution

7 Replies

jcairns46
Level 1

To go from a low security interface to a high security interface you'll need 2 things: a static entry including associated ports for port forwarding to the inside, and an access-list entry on the outside interface to allow 4499 in. Since you are using DHCP on the outside interface, be sure to specify the interface, and not the current public IP address, within the static command.

Patrick Iseli
Level 7

LP2 server is: 10.0.0.3

access-list acl_out permit tcp any interface outside eq 4999

access-group acl_out in interface outside

static (inside,outside) tcp interface 4999 10.0.0.3 4999 netmask 255.255.255.255 0 0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

clear xlate

Hope that helps

sincerely

Patrick
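The two replies above describe the same dependency: an inbound TCP port on a PIX is only open when a `static` port redirection exists and an access-list permitting that port is bound to the outside interface with `access-group`. The following script is an added example (not code from the thread or from Cisco) that reads a PIX 6.x style config and reports which of those pieces is missing for a given port. The config text is constructed from the commands Patrick posted; the `outside_dhcp` flag, the function name and the regexes are this example's own assumptions about the command syntax shown on the page.

```python
import re

# Constructed config text, assembled from the commands posted in the thread
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any interface outside eq 4999
access-group acl_out in interface outside
static (inside,outside) tcp interface 4999 10.0.0.3 4999 netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# static (real_if,mapped_if) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp (?P<mapped_ip>\S+) "
    r"(?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)\b")
# access-list <name> permit tcp <src> <dst> eq <port>
ACL_RE = re.compile(r"^access-list (?P<name>\S+) permit tcp .*\beq (?P<port>\d+)\s*$")
# access-group <name> in interface <iface>
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)\s*$")


def check_inbound_port(config_text, port, outside="outside", inside="inside",
                       outside_dhcp=False):
    """Return a list of problems; an empty list means the port is opened end to end."""
    statics, acl_permits, bound = [], {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = ACL_RE.match(line)
        if m:
            acl_permits.setdefault(m["name"], set()).add(int(m["port"]))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m["iface"]] = m["name"]

    problems = []

    # 1. A static translation must map <outside>:<port> to an inside host.
    hits = [s for s in statics
            if s["real_if"] == inside and s["mapped_if"] == outside
            and int(s["mapped_port"]) == port]
    if not hits:
        problems.append(f"no 'static ({inside},{outside}) tcp ... {port}' entry")
    for s in hits:
        # With DHCP on the outside interface the mapped address must be the
        # 'interface' keyword, otherwise the static breaks when the lease changes.
        if outside_dhcp and s["mapped_ip"] != "interface":
            problems.append(f"static maps to literal {s['mapped_ip']}; with DHCP on "
                            f"{outside} use the 'interface' keyword instead")

    # 2. An ACL bound inbound on the outside interface must permit the port.
    acl = bound.get(outside)
    if acl is None:
        problems.append(f"no access-group applied 'in' on interface {outside}")
    elif port not in acl_permits.get(acl, set()):
        problems.append(f"access-list {acl} has no 'permit tcp ... eq {port}' entry")

    return problems


if __name__ == "__main__":
    for p in (4999, 4499):
        print(p, check_inbound_port(SAMPLE_CONFIG, p) or "OK")
```

Running it against the posted config reports OK for 4999, while any other port (for instance the 4499 mentioned in the first reply) is flagged on both the static and the ACL, which is the kind of mismatch that silently drops the connection.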

Patrick,

I've tried your commands and still no joy (although I am quite chuffed that I'd tried the same commands myself before posting :). I'm beginning to wonder if it's the configuration of our ADSL modem that's the problem, not the PIX; I'm just investigating this possibility.

Thanks for your help

1.) Basically the NAT from the Public IP to a private IP is done on the ADSL Router, right. Check that!

ADSL Public IP TCP 4999 to PIX Outside TCP 4999

2.) The config on the PIX should be fine as I posted it.

Port redirection from PIX Outside IP TCP 4999 to inside Private IP TCP 4999

3.) Check if your Server really responds on the 4999 TCP port!!

On Windows or Unix:

netstat -an

You should see something like this:

TCP 10.0.0.3:4999 0.0.0.0:0 LISTENING

4.) Another way to troubleshoot could be by using the "capture" command on the PIX. This is, like tcpdump on Unix, a sniffer that can show the packets coming in on an interface. I do not remember at which version this command was introduced, but you will need at least PIX OS 6.3.x to have it.

Example:

access-list 120 permit tcp any any eq 4999

capture 4999 access-list 120 interface outside

show capture 4999 access-list 120 detail

To remove it use:

no capture 4999 access-list 120 interface outside

no capture 4999

Change to the inside interface:

capture 4999 access-list 120 interface inside

show capture 4999 access-list 120 detail

sincerely

Patrick
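Step 3 above (confirm with netstat -an that the server actually listens on TCP 4999) is easy to misread when the socket is bound only to 127.0.0.1, which shows up as LISTENING but will never accept a forwarded connection. The script below is an added example, not part of the thread: it parses the Windows and Linux/Unix netstat -an layouts and answers whether a listener on the given port is reachable at the server's LAN address. The two sample outputs are constructed for the example; the server address 10.0.0.3 and port 4999 are the values from the thread.

```python
import re

# Constructed sample output in the Windows `netstat -an` layout
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.3:4999          0.0.0.0:0              LISTENING
  TCP    10.0.0.3:139           10.0.0.7:1045          ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample output in the Linux/Unix `netstat -an` layout; note the
# service on 4999 here is bound to loopback only
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:4999          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.3:22             10.0.0.7:50122          ESTABLISHED
"""

# Matches a TCP listener line in either layout: the Linux form carries the
# Recv-Q/Send-Q counters, the Windows form does not and says LISTENING.
LISTEN_RE = re.compile(
    r"^\s*(?P<proto>tcp6?)\s+(?:\d+\s+\d+\s+)?"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>LISTEN(?:ING)?)\s*$",
    re.IGNORECASE)

WILDCARDS = {"0.0.0.0", "[::]", "::", "*"}


def listening_sockets(netstat_output):
    """Map TCP port -> set of local addresses that have a listener on it."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m["local"].rsplit(":", 1)   # handles "[::]:4999" as well
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def check_listener(netstat_output, port, server_ip):
    """Return (ok, reason): will a connection forwarded to server_ip:port be accepted?"""
    addrs = listening_sockets(netstat_output).get(port)
    if not addrs:
        return False, f"nothing listens on TCP {port}"
    if any(a in WILDCARDS or a == server_ip for a in addrs):
        return True, f"TCP {port} listening on {sorted(addrs)}"
    return False, (f"TCP {port} is bound only to {sorted(addrs)}; "
                   f"a connection to {server_ip} will be refused")


if __name__ == "__main__":
    print("windows:", check_listener(WINDOWS_NETSTAT, 4999, "10.0.0.3"))
    print("linux:  ", check_listener(LINUX_NETSTAT, 4999, "10.0.0.3"))
```

In practice you would pipe the real netstat -an output into check_listener; the loopback case is the one to look for when the PIX capture shows SYNs arriving on the inside interface but the server never answers.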

Thanks Patrick That's been a great help.

I'm currently waiting for some additional info from our ISP so I can reconfigure the ADSL Modem (we took over the connection from someone else and they helpfully lost the login details; it's been one of those days...). I'll sort out the NAT on the modem, then I should be a happy bunny (I've confirmed the Server is listening on the right port).

Thanks for your help!

Regards

Dave

Dave,

Do you talk about an ADSL Router or an ADSL Modem? These are two different devices!!

An ADSL Modem will not do any Network Address Translation, but a Router will.

Check the outside IP on the PIX Firewall: is it a private or a Public IP? If it is public then it is your PIX that does all the NAT stuff.

Check IP:

show ip

show interface

show route

sincerely

Patrick

Patrick,

Apologies for the confusion - it's a router! Not just a modem, so I'll need to sort out the NAT before I can move forward.

Cheers for all your help

Dave
