06-03-2010 10:24 AM - edited 03-11-2019 10:54 AM
Hi Guys,
I have a small problem.
I try to forward some Ports (i.e. 443, 3389, 81, 82) to differnt IPs
This Pix is a EasyVPN-Server too.
When I try to add the portforwarding like it is shown in many examples, it doesn't work.
I try to add the following lines:
access-list ftpIn permit tcp any host 192.168.0.220 eq 21
static (inside,outside) 192.168.0.220 192.168.128.10 netmask 255.255.255.255 0 0
But this didn't work
Am I doing something wrong or do I have to do something different because of my EasyVPN-Server?
Here is my current config (without my forwarding-tryouts):
kr01icr02(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name my.domain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.128.221-192.168.128.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain my.domain
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:975d44ea08daa7729391a1292ce0df8f
: end
Solved! Go to Solution.
06-05-2010 07:00 AM
Are you connecting from 192.168.0.0/24 network?
If you are, pls remove the following:
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
Move the system back to 192.168.128.10.
Then "clear xlate" and "clear arp" and test the connection again.
06-03-2010 10:28 AM
Hi,
If you add this line:
static (inside,outside) 192.168.0.220 192.168.128.10 netmask 255.255.255.255 0 0
The VPN will stop working.
And the reason is that 192.168.0.220 is the outside IP of the ASA, if you create the above statement, the VPN traffic will also be redirected to the internal 192.168.128.10
What you should do to redirect some ports (443, 3389,etc)
static (inside,outside) tcp 192.168.0.220 443 192.168.128.10 443
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389
And so on....
You need to ACLs as well to allow the traffic in.
Hope it helps.
Federico.
06-03-2010 11:31 AM
okay, so if I understood you correctly I have to run this commands to enable portforwarding for port 3389
kr01icr02(config)# static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389
kr01icr02(config)# access-list rdpin permit tcp any host 192.168.0.220 eq 3389
so this config will be the result (for FTP and RDP) but it doesn't work when I try to connect to the FTP-Server or the RDP-Server.
kr01icr02(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name *****
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list rdpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.128.221-192.168.128.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain *****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:975d44ea08daa7729391a1292ce0df8f
: end
06-03-2010 11:37 AM
Yes,
But you don't have the ACL 101 applied.
You're missing this command:
access-group 101 in interface outside
Federico.
06-03-2010 12:29 PM
Hi Federico,
thanks for your help a lot, but it does not work anyway
06-03-2010 01:25 PM
Ok, do the following test:
On the PIX:
sh access-list 101
Check if you're getting hitcounts on the ACL when you attempt to reach the server from the outside.
In this we will determine if the traffic is reaching the PIX to see where the problem is.
Federico.
06-03-2010 01:35 PM
ok, i checked it and the hitcnt does not increase.
It is still at 0.
How do I try to connect to my "Server" on the inside interface:
I have one machine in the 192.168.0.0/24 net.
From there I try to open a ftp-connection. I do this via try to open ftp://192.168.0.220 - 192.168.0.220 is the outside-interface of the pix that is available by pinging it. Same way with the RDP-Connection
I think there is no failure, or am I wrong?
06-03-2010 02:17 PM
The thing is that when you PING 192.168.0.220 you're PINGing the PIX.
When you send an RDP or FTP request, the PIX will redirect it to the internal server.
You can access the internal RDP and FTP server via those protocols from a computer ''inside'' the PIX correct?
If it does not work, please post the output of:
sh run static
sh run access-group
sh run access-list
Federico.
06-03-2010 02:56 PM
I think the problem now is with the ACLs. You have ACL 101 but it is for the VPN and no NAT as I see it configured. The ACLs that you created to allow RDP and FTP traffic are the following:
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list rdpin permit tcp any host 192.168.0.220 eq 3389
The rules are OK but they should have only one name, and then apply it on the outside interface:
access-list ftp-rdp-in permit tcp any host 192.168.0.220 eq ftp
access-list ftp-rdp-in permit tcp any host 192.168.0.220 eq 3389
access-group ftp-rdp-in in interface outside
You could check the following: http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694
06-05-2010 04:35 AM
OK, I tried the changes you told me. But no change. When I try to connect to the FTP-Server or via RDP, nothing happens.
My settings are this:
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
I checked out the command reference but as a beginner I think that everthing is right.
here the outputs of
sh run static
sh run access-group
sh run access-list:
kr01icr02(config)# sh run static
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name *****
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.128.221-192.168.128.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain *****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:dfbfa204297e35f5a8da6fa77f5c4346
: end
kr01icr02(config)# sh run access-group
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name *****
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.128.221-192.168.128.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain *****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:dfbfa204297e35f5a8da6fa77f5c4346
: end
kr01icr02(config)#
kr01icr02(config)# sh run access-list
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name *****
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.128.221-192.168.128.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain *****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:dfbfa204297e35f5a8da6fa77f5c4346
: end
kr01icr02(config)#
06-05-2010 04:56 AM
I have to add something:
the counter at sh access-list ftpin and sh access-list ftpin are increasing by 3 everytime I try to connect.
kr01icr02(config)# sh access-list ftpin
access-list ftpin; 2 elements
access-list ftpin line 1 permit tcp any host 192.168.0.220 eq ftp (hitcnt=3)
access-list ftpin line 2 permit tcp any host 192.168.0.220 eq 3389 (hitcnt=9)
kr01icr02(config)# sh access-list 101
access-list 101; 2 elements
access-list 101 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=0)
access-list 101 line 2 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=12)
kr01icr02(config)#
06-05-2010 05:16 AM
Please remove the following 2 static configurations:
static (inside,outside) tcp 192.168.0.220 ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.0.220 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
It should be changed to the following:
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
Then "clear xlate" after the above changes. It should work after that.
06-05-2010 06:02 AM
it does not work.
The counter still increase but no connection to the system on the inside interface.
I also entered the clear xlate command
When I connect the system on the inside interface direct to my network, I am able to connect so there should not be the problem
kr01icr02# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
domain-name ***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.129.221-192.168.129.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain ***
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:d9b3a67e97400d326ab47c322cda2eba
: end
kr01icr02#
06-05-2010 06:15 AM
Can you please confirm that your host inside does not have personal firewall that might be blocking inbound connection from the outside? I would suggest that you test disabling the personal firewall if any on the internal host.
06-05-2010 06:55 AM
nothing is enabled.
If I plug the system "192.168.128.10" direct to my network 192.168.0.0/24 and give it an IP in the range, I am able to connect to the FTP-Server and connect via RDP. So no problems with the connection.
No Anti-Virus-Program is installed, Windows Firewall is disabled. System "192.168.128.10" is Win7.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide