PIX 501 - Inbound Connections to multiple servers

jmorris
Level 1

I have a PIX 501 through which I need to forward traffic from the outside to two servers on the inside network. My outside address in this case will be xxx.xxx.xxx.xxx and the inside addressing range is 192.168.125.x, and I want to allow remote assistance access to the two different servers using two different ports. One port is 3389 (for one server) and the other is 5405 (for the other server).

So far I have in my PIX config:

access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq 3389

access-list inbound permit udp any host xxx.xxx.xxx.xxx eq 3389

access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq 5405

static (inside,outside) tcp xxx.xxx.xxx.xxx 5405 192.168.125.211 5405 netmask 255.255.255.255

static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.125.201 3389 netmask 255.255.255.255

static (inside,outside) udp xxx.xxx.xxx.xxx 3389 192.168.125.201 3389 netmask 255.255.255.255

access-group inbound in interface outside

This does not appear to work. Is there a better, more correct way of doing this?

Thanks

John


jackko
Level 7

The code looks fine.

Just wondering if you were testing the connection from outside the PIX or not, as this would only work outside the PIX. Further, did you do "clear xlate" after applying the static commands?

Verify the xxx.xxx.xxx.xxx is routable to the PIX; verify whether the inbound ACL has been hit or not by "sh access-l inbound"; and verify the static statement by "sh xlate".

Finally, I was just wondering if there is an outbound ACL or not, which may block the server response.
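
An offline companion to the checks suggested in the reply, added here as an example and not written by either poster: a Python script that cross-checks each static port forward in a saved config against the ACL bound to the outside interface, and lists the forwards whose permit source is `any`. The function name `audit`, the result keys and the regular expressions are assumptions of this example, and only the command forms shown in the question are parsed.

```python
import re

# Constructed sample: the question's config lines, outside address left masked as in the post.
SAMPLE_CONFIG = """\
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list inbound permit udp any host xxx.xxx.xxx.xxx eq 3389
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq 5405
static (inside,outside) tcp xxx.xxx.xxx.xxx 5405 192.168.125.211 5405 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 192.168.125.201 3389 netmask 255.255.255.255
static (inside,outside) udp xxx.xxx.xxx.xxx 3389 192.168.125.201 3389 netmask 255.255.255.255
access-group inbound in interface outside
"""
# Only the command forms that appear in the thread are parsed.
ACL_RE = re.compile(r"access-list (\S+) permit (tcp|udp) (\S+) host (\S+) eq (\d+)$")
STATIC_RE = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask \S+$")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside$")


def audit(config):
    """Cross-check port-forward statics against the ACL bound to the outside interface."""
    permits, statics, bound = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            acl, proto, src, dst, port = m.groups()
            permits[(acl, proto, dst, port)] = src
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())  # (proto, outside_ip, outside_port, inside_ip, inside_port)
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    mismatches, open_to_any = [], []
    if bound is None:
        mismatches.append("no access-group applied inbound on the outside interface")
    forwarded = set()
    for proto, out_ip, out_port, in_ip, in_port in statics:
        forwarded.add((proto, out_ip, out_port))
        src = permits.get((bound, proto, out_ip, out_port))
        if src is None:
            mismatches.append(f"static {proto}/{out_port} -> {in_ip}:{in_port} has no permit in ACL {bound}")
        elif src == "any":
            open_to_any.append(f"{proto}/{out_port} -> {in_ip}:{in_port}")
    for acl, proto, dst, port in permits:
        if acl == bound and (proto, dst, port) not in forwarded:
            mismatches.append(f"ACL {acl} permits {proto}/{port} to {dst} but no static forwards it")
    return {"mismatches": mismatches, "open_to_any": open_to_any}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the configuration from the question this reports no mismatches, so the remaining checks are the live ones named in the reply: ACL hit counts, the xlate table, and routing to the outside address.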