Pix 515 (7.02) and static port translation

johnelliot (Level 1)

Just trying to forward a port from the outside interface to a device sitting on the "inside" interface, but getting the following in the logs:

%PIX-2-106006: Deny inbound UDP from 66.21.215.238/50507 to client_routable_address/6881 on interface outside
%PIX-2-106006: Deny inbound UDP from 62.141.54.206/6881 to client_routable_address/6881 on interface outside
%PIX-2-106006: Deny inbound UDP from 84.217.31.157/6881 to client_routable_address/6881 on interface outside

Relevant Config:

access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any host client_routable_address eq 6881
access-list 101 extended permit udp any host client_routable_address eq 6881
global (outside) 3 client_routable_address
nat (BCM) 3 0.0.0.0 0.0.0.0
static (BCM,outside) tcp 192.168.20.10 6881 client_routable_address 6881 netmask 255.255.255.255
static (BCM,outside) udp 192.168.20.10 6881 client_routable_address 6881 netmask 255.255.255.255
access-group 101 in interface outside

The static translations are there when issuing "show xlate":

# sh xlate
50 in use, 957 most used
PAT Global 192.168.20.10(6881) Local client_routable_address(6881)
PAT Global 192.168.20.10(6881) Local client_routable_address(6881)

The ACL 101 "6881" entries are not getting hit, though:

# show access-list 101
access-list 101; 7 elements
access-list 101 line 1 extended permit icmp any any echo-reply (hitcnt=0)
access-list 101 line 2 extended permit icmp any any source-quench (hitcnt=10)
access-list 101 line 3 extended permit icmp any any unreachable (hitcnt=10279)
access-list 101 line 4 extended permit icmp any any time-exceeded (hitcnt=265)
access-list 101 line 5 extended permit tcp any host client_routable_address eq 6881 (hitcnt=0)
access-list 101 line 6 extended permit udp any host client_routable_address eq 6881 (hitcnt=0)

Am I missing anything obvious?

Accepted Solution

scheikhnajib (Level 1)

Hi,

I think you have got your STATIC lines reversed, they should be:

static (BCM,outside) tcp client_routable_address 6881 192.168.20.10 6881 netmask 255.255.255.255

Assuming that "client_routable_address" is your public IP and BCM is your "inside" or "DMZ" interface.

Salem.
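As an added check (not from the thread, and not Cisco tooling): a small Python script that parses PIX 7.x static and access-list lines, flags a static whose mapped address is RFC 1918 while the real address is not (the reversal above), and confirms the outside ACL permits the mapped host. The public address 203.0.113.10 is a constructed stand-in for client_routable_address.

```python
import ipaddress
import re

# PIX 7.x syntax: static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\d+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\d+)"
)
# Only the "permit {tcp|udp} any host X eq N" ACL form used in the thread is recognised.
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+any\s+host\s+(?P<host>\S+)\s+eq\s+(?P<port>\d+)"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def check_statics(config: str) -> list:
    """Return one finding string per problem found in the static/ACL lines of `config`."""
    permitted, statics = set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            permitted.add((m["proto"], m["host"], int(m["port"])))
        elif m := STATIC_RE.match(line):
            statics.append(m.groupdict())
    findings = []
    for s in statics:
        tag = f"static {s['proto']}/{s['mapped_port']}"
        # A private mapped_ip next to a non-private real_ip is the reversal from the thread.
        if is_rfc1918(s["mapped_ip"]) and not is_rfc1918(s["real_ip"]):
            findings.append(f"{tag}: mapped {s['mapped_ip']} is RFC 1918 but real {s['real_ip']} is not; arguments look reversed")
        # The outside ACL has to permit the mapped (public) host, not the inside address.
        if (s["proto"], s["mapped_ip"], int(s["mapped_port"])) not in permitted:
            findings.append(f"{tag}: no ACL entry permits {s['proto']} to host {s['mapped_ip']} eq {s['mapped_port']}")
    return findings

# Constructed sample configs; 203.0.113.10 stands in for the thread's client_routable_address.
ACL = """access-list 101 extended permit tcp any host 203.0.113.10 eq 6881
access-list 101 extended permit udp any host 203.0.113.10 eq 6881
"""
REVERSED_CONFIG = ACL + """static (BCM,outside) tcp 192.168.20.10 6881 203.0.113.10 6881 netmask 255.255.255.255
static (BCM,outside) udp 192.168.20.10 6881 203.0.113.10 6881 netmask 255.255.255.255
"""
CORRECTED_CONFIG = ACL + """static (BCM,outside) tcp 203.0.113.10 6881 192.168.20.10 6881 netmask 255.255.255.255
static (BCM,outside) udp 203.0.113.10 6881 192.168.20.10 6881 netmask 255.255.255.255
"""
```

Running check_statics on REVERSED_CONFIG reports both the reversed arguments and the resulting ACL mismatch for each static; the corrected config produces no findings.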


2 Replies


Champion! That was it.

Thank you.
